cilium · brb · Jul 28, 2021 · Jul 15, 2021 · Jul 21, 2021
diff --git a/.github/workflows/conformance-k8s-network-policies.yaml b/.github/workflows/conformance-k8s-network-policies.yaml
@@ -27,7 +27,7 @@ jobs:
           echo "Checking for differences between preflight and agent clusterrole"
           diff \
              -I '^[ ]\{2\}name: cilium.*' \
-             -I '^Keep file in synced with.*' \
+             -I '^Keep file in sync with.*' \
              -I '{{- if.*' \
              cilium-agent/clusterrole.yaml \
              cilium-preflight/clusterrole.yaml

diff --git a/.github/workflows/tests-smoke.yaml b/.github/workflows/tests-smoke.yaml
@@ -53,7 +53,7 @@ jobs:
           echo "Checking for differences between preflight and agent clusterrole"
           diff \
              -I '^[ ]\{2\}name: cilium.*' \
-             -I '^Keep file in synced with.*' \
+             -I '^Keep file in sync with.*' \
              -I '{{- if.*' \
              cilium-agent/clusterrole.yaml \
              cilium-preflight/clusterrole.yaml

diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
diff --git a/Documentation/operations/upgrade.rst b/Documentation/operations/upgrade.rst
@@ -324,6 +324,9 @@ Removed Options
   and is now removed.
 * ``hubble-flow-buffer-size``: This option was deprecated in 1.10 in favor
   of ``hubble-event-buffer-capacity``. It is now removed.
+* The ``Capabilities`` Helm value has been removed. When using ``helm template``
+  to generate the Kubernetes manifest for a specific Kubernetes version,
+  please use the ``--kube-version`` flag (introduced in Helm 3.6.0) instead.
 
 Deprecated Options
 ~~~~~~~~~~~~~~~~~~

diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
@@ -86,6 +86,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods |
 | clustermesh.apiserver.podLabels | object | `{}` | Labels to be added to clustermesh-apiserver pods |
+| clustermesh.apiserver.priorityClassName | string | `""` | The priority class to use for clustermesh-apiserver |
 | clustermesh.apiserver.replicas | int | `1` | Number of replicas run for the clustermesh-apiserver deployment. |
 | clustermesh.apiserver.resources | object | `{}` | Resource requests and limits for the clustermesh-apiserver container of the clustermesh-apiserver deployment, such as     resources:       limits:         cpu: 1000m         memory: 1024M       requests:         cpu: 100m         memory: 64Mi |
 | clustermesh.apiserver.service.annotations | object | `{}` | Annotations for the clustermesh-apiserver For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal" For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 |
@@ -163,7 +164,7 @@ contributors across the globe, there is almost always someone available to help.
 | etcd.podAnnotations | object | `{}` | Annotations to be added to cilium-etcd-operator pods |
 | etcd.podDisruptionBudget | object | `{"enabled":true,"maxUnavailable":2}` | PodDisruptionBudget settings ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
 | etcd.podLabels | object | `{}` | Labels to be added to cilium-etcd-operator pods |
-| etcd.priorityClassName | string | `""` | cilium-etcd-operator priorityClassName |
+| etcd.priorityClassName | string | `""` | The priority class to use for cilium-etcd-operator |
 | etcd.resources | object | `{}` | cilium-etcd-operator resource limits & requests ref: https://kubernetes.io/docs/user-guide/compute-resources/ |
 | etcd.securityContext | object | `{}` | Security context to be added to cilium-etcd-operator pods |
 | etcd.ssl | bool | `false` | Enable use of TLS/SSL for connectivity to etcd. (auto-enabled if managed=true) |
@@ -200,6 +201,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | hubble.relay.podAnnotations | object | `{}` | Annotations to be added to hubble-relay pods |
 | hubble.relay.podLabels | object | `{}` | Labels to be added to hubble-relay pods |
+| hubble.relay.priorityClassName | string | `""` | The priority class to use for hubble-relay |
 | hubble.relay.replicas | int | `1` | Number of replicas run for the hubble-relay deployment. |
 | hubble.relay.resources | object | `{}` | Specifies the resources for the hubble-relay pods |
 | hubble.relay.retryTimeout | string | `nil` | Backoff duration to retry connecting to the local hubble instance in case of failure (e.g. "30s"). |
@@ -231,6 +233,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | hubble.ui.podAnnotations | object | `{}` | Annotations to be added to hubble-ui pods |
 | hubble.ui.podLabels | object | `{}` | Labels to be added to hubble-ui pods |
+| hubble.ui.priorityClassName | string | `""` | The priority class to use for hubble-ui |
 | hubble.ui.proxy.image | object | `{"pullPolicy":"Always","repository":"docker.io/envoyproxy/envoy","tag":"v1.18.2@sha256:e8b37c1d75787dd1e712ff389b0d37337dc8a174a63bed9c34ba73359dc67da7"}` | Hubble-ui ingress proxy image. |
 | hubble.ui.proxy.resources | object | `{}` | Resource requests and limits for the 'proxy' container of the 'hubble-ui' deployment. |
 | hubble.ui.replicas | int | `1` | The number of replicas of Hubble UI to deploy. |
@@ -302,7 +305,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
 | operator.podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":1}` | PodDisruptionBudget settings ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
 | operator.podLabels | object | `{}` | Labels to be added to cilium-operator pods |
-| operator.priorityClassName | string | `""` | cilium-operator priorityClassName |
+| operator.priorityClassName | string | `""` | The priority class to use for cilium-operator |
 | operator.prometheus | object | `{"enabled":false,"port":6942,"serviceMonitor":{"enabled":false}}` | Enable prometheus metrics for cilium-operator on the configured port at /metrics |
 | operator.prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) |
 | operator.replicas | int | `2` | Number of replicas to run for the cilium-operator deployment |

diff --git a/install/kubernetes/cilium/templates/_helpers.tpl b/install/kubernetes/cilium/templates/_helpers.tpl
@@ -5,6 +5,48 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/*
+Render full image name from given values, e.g:
+```
+image:
+  repository: quay.io/cilium/cilium
+  tag: v1.10.1
+  useDigest: true
+  digest: abcdefgh
+```
+then `include "cilium.image" .Values.image`
+will return `quay.io/cilium/cilium:v1.10.1@abcdefgh`
+*/}}
+{{- define "cilium.image" -}}
+{{- $digest := (.useDigest | default false) | ternary (printf "@%s" .digest) "" -}}
+{{- printf "%s:%s%s" .repository .tag $digest -}}
+{{- end -}}
+
+{{/*
+Return user specify priorityClass or default criticalPriorityClass
+Usage:
+  include "cilium.priorityClass" (list $ <priorityClass> <criticalPriorityClass>)
+where:
+* `priorityClass`: is user specify priorityClass e.g `.Values.operator.priorityClassName`
+* `criticalPriorityClass`: default criticalPriorityClass, e.g `"system-cluster-critical"`
+  This value is used when `priorityClass` is `nil` and 
+  `.Values.enableCriticalPriorityClass=true` and kubernetes supported it.
+*/}}
+{{- define "cilium.priorityClass" -}}
+{{- $root := index . 0 -}}
+{{- $priorityClass := index . 1 -}}
+{{- $criticalPriorityClass := index . 2 -}}
+{{- if $priorityClass }}
+  {{- $priorityClass }}
+{{- else if and $root.Values.enableCriticalPriorityClass $criticalPriorityClass -}}
+  {{- if and (eq $root.Release.Namespace "kube-system") (semverCompare ">=1.10-0" $root.Capabilities.KubeVersion.Version) -}}
+    {{- $criticalPriorityClass }}
+  {{- else if semverCompare ">=1.17-0" $root.Capabilities.KubeVersion.Version -}}
+    {{- $criticalPriorityClass }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return the appropriate apiVersion for ingress.
 */}}

diff --git a/install/kubernetes/cilium/templates/cilium-agent/clusterrole.yaml b/install/kubernetes/cilium/templates/cilium-agent/clusterrole.yaml
@@ -1,6 +1,6 @@
-{{- if and (.Values.agent) (not .Values.preflight.enabled) }}
+{{- if and .Values.agent (not .Values.preflight.enabled) }}
 {{- /*
-Keep file in synced with cilium-preflight-clusterrole.yaml
+Keep file in sync with cilium-preflight/clusterrole.yaml
 */ -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

diff --git a/install/kubernetes/cilium/templates/cilium-agent/clusterrolebinding.yaml b/install/kubernetes/cilium/templates/cilium-agent/clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if and (.Values.agent) (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create }}
+{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata: