diff --git a/class/defaults.yml b/class/defaults.yml index b5a7650b6..337a8644a 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -144,10 +144,10 @@ parameters: charts: cilium: source: https://helm.cilium.io - version: "1.16.4" + version: "1.17.10" cilium-enterprise: source: "" # Configure the Chart repository URL in your global defaults - version: "1.16.4" + version: "1.17.9" images: oc: diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc index 665e88146..4314f1708 100644 --- a/docs/modules/ROOT/pages/references/parameters.adoc +++ b/docs/modules/ROOT/pages/references/parameters.adoc @@ -1,4 +1,4 @@ -:helm-minor-version: v1.16 +:current-minor-version: v1.17 = Parameters @@ -191,7 +191,7 @@ type:: object default:: https://github.com/projectsyn/component-cilium/blob/master/class/defaults.yml[See `class/defaults.yml`] The configuration values of the underlying Cilium helm chart. -See https://docs.cilium.io/en/{helm-minor-version}/helm-reference/[Opensource Cilium documentation] for supported values. +See https://docs.cilium.io/en/{current-minor-version}/helm-reference/[Opensource Cilium documentation] for supported values. The component will pre-process certain Helm values to allow users to more gracefully upgrade to newer Cilium versions which remove deprecated Helm values. @@ -268,7 +268,7 @@ l7Proxy: false ---- Notably, the L7 proxy feature is disabled by default when egress gateway policies are enabled. -This is recommended by the Cilium documentation, see also https://docs.cilium.io/en/{helm-minor-version}/network/egress-gateway/#incompatibility-with-other-features[the upstream documentation]. +This is recommended by the Cilium documentation, see also https://docs.cilium.io/en/{current-minor-version}/network/egress-gateway/#incompatibility-with-other-features[the upstream documentation]. Additionally, BPF masquerading can't be disabled when the egress gateway feature is enabled. 
@@ -441,7 +441,7 @@ The component's support for configuring BGP egress IPs through `egress_ip_ranges Announcing egress IPs via BGP is only supported in Isovalent Networking for Kubernetes. When the field is provided, and not an empty object, the component adds the contents as entries in `metadata.labels` of the resulting policies. -In this case, the component configures the egress policies with https://docs.isovalent.com/v1.16/configuration-guide/networking/egress-gateway/introduction.html#requirements-for-egress-ip-and-ipam-feature[Cilium's Egress Gateawy IPAM] and `maxGatewayNodes: 1` in the `spec.egressGroups` entry. +In this case, the component configures the egress policies with https://docs.isovalent.com/{current-minor-version}/configuration-guide/networking/egress-gateway/introduction.html#requirements-for-egress-ip-and-ipam-feature[Cilium's Egress Gateawy IPAM] and `maxGatewayNodes: 1` in the `spec.egressGroups` entry. Please note that policies which use EGW IPAM will ignore static routes on the active gateway node (as of Cilium 1.16.16 and Cilium 1.17.9). @@ -767,7 +767,7 @@ default:: `false` Whether to enable the BGP control plane feature in Cilium. -See the https://docs.cilium.io/en/{helm-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/[upstream BGP control plane documentation] for details on the architecture and the individual custom resources mentioned in this section. +See the https://docs.cilium.io/en/{current-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/[upstream BGP control plane documentation] for details on the architecture and the individual custom resources mentioned in this section. === `bgp.enterprise` 
@@ -816,7 +816,7 @@ Field `spec` is merged over the partial object generated from fields `nodeSelect The component validates that `CiliumBGPClusterConfig` resources only reference `CiliumBGPPeerConfig` resources which are defined in parameter `bgp.peer_configs`. -See the https://docs.cilium.io/en/{helm-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/#bgp-cluster-configuration[upstream documentation] for all available configuration options. +See the https://docs.cilium.io/en/{current-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/#bgp-cluster-configuration[upstream documentation] for all available configuration options. ==== Example @@ -898,7 +898,7 @@ Field `spec` is merged over the partial object created from field `families`. The component validates that `CiliumBGPPeerConfig` resources only reference BGP auth secret `Secret` resources which are defined in parameter `bgp.auth_secrets`. -See the https://docs.cilium.io/en/{helm-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/#bgp-peer-configuration[upstream documentation] for details. +See the https://docs.cilium.io/en/{current-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/#bgp-peer-configuration[upstream documentation] for details. ==== Example @@ -962,7 +962,7 @@ The namespace can be changed by setting Helm value `bgpControlPlane.secretsNames The component sets `metadata.namespace` to the configured `bgpControlPlane.secretsNamspace.name` for secrets defined through this parameter. -See the https://docs.cilium.io/en/v1.16/network/bgp-control-plane/bgp-control-plane-v2/#md5-password[upstream documentation] for details. +See the https://docs.cilium.io/en/{current-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/#md5-password[upstream documentation] for details. === `bgp.node_config_overrides` 
@@ -978,7 +978,7 @@ The component creates one `CiliumBGPNodeConfigOverride` for each entry in this p The key is used as `metadata.name` of the resulting object. The component expects that each value in this parameter is a valid partial `CiliumBGPNodeConfigOverride` resource and doesn't apply any processing. -See the https://docs.cilium.io/en/v1.16/network/bgp-control-plane/bgp-control-plane-v2/#bgp-configuration-override[upstream documentation] for details. +See the https://docs.cilium.io/en/{current-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/#bgp-configuration-override[upstream documentation] for details. NOTE: The resource name must match the Kubernetes node name of the node for which the configuration is intended. @@ -997,7 +997,7 @@ The component supports fields `metadata` and `advertisements` for each entry of Field `metadata` is added to the resulting resource as is. Field `advertisements` is expected to be an object, and the values of the object are used for field `spec.advertisements` in the resulting resource without further processing. -See the https://docs.cilium.io/en/v1.16/network/bgp-control-plane/bgp-control-plane-v2/#bgp-advertisements[upstream documentation] for details. +See the https://docs.cilium.io/en/{current-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/#bgp-advertisements[upstream documentation] for details. NOTE: The resource name must match the Kubernetes node name of the node for which the configuration is intended. diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index 7d7504428..49005b75e 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml 
+++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -93,6 +93,8 @@ spec: httpHeaders: - name: brief value: 'true' + - name: require-k8s-connectivity + value: 'false' path: /healthz port: 9879 scheme: HTTP @@ -109,14 +111,6 @@ spec: hostPort: 9962 name: prometheus protocol: TCP - - containerPort: 9964 - hostPort: 9964 - name: envoy-metrics - protocol: TCP - - containerPort: 9901 - hostPort: 9901 - name: envoy-admin - protocol: TCP - containerPort: 9965 hostPort: 9965 name: hubble-metrics @@ -169,6 +163,9 @@ spec: successThreshold: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: + - mountPath: /var/run/cilium/envoy/sockets + name: envoy-sockets + readOnly: false - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel @@ -178,6 +175,9 @@ spec: name: bpf-maps - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh @@ -206,7 +206,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError 
@@ -225,7 +225,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -255,7 +255,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -281,7 +281,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -312,7 +312,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -338,7 +338,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: 
@@ -360,6 +360,9 @@ spec: kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always + securityContext: + seccompProfile: + type: Unconfined serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: @@ -371,6 +374,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate @@ -398,6 +405,10 @@ spec: path: /run/xtables.lock type: FileOrCreate name: xtables-lock + - hostPath: + path: /var/run/cilium/envoy/sockets + type: DirectoryOrCreate + name: envoy-sockets - name: clustermesh-secrets projected: defaultMode: 256 diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml index b1dce30cd..54b1c71a4 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml @@ -31,3 +31,20 @@ rules: - get - list - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml index ef881f81f..2aa84832f 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml 
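Review bot: The pod-level `securityContext: seccompProfile: type: Unconfined` added in the `@@ -360,6 +360,9 @@` hunk drops the runtime-default seccomp filter for every container in the agent pod, including the init containers, and nothing in this change documents that. It appears to come straight from the 1.17 chart defaults rather than from a component parameter, so clusters that label the Cilium namespace with the Pod Security `baseline` level (which rejects `Unconfined` seccomp) will hit admission failures on upgrade. I'd add a sentence to the parameters docs or upgrade notes such as `The 1.17 chart sets seccompProfile: Unconfined on the cilium-agent pod; the Cilium namespace must allow the privileged Pod Security level` and name the Helm value that overrides it (presumably `podSecurityContext.seccompProfile` — confirm against the chart).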
+++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml @@ -29,3 +29,19 @@ subjects: - kind: ServiceAccount name: cilium namespace: cilium +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium + namespace: cilium diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml index fc9fa1ab3..fbab0df5d 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml @@ -14,10 +14,6 @@ spec: port: 9962 protocol: TCP targetPort: prometheus - - name: envoy-metrics - port: 9964 - protocol: TCP - targetPort: envoy-metrics selector: k8s-app: cilium type: ClusterIP diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml index c22a31588..b8a21770a 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml @@ -21,6 +21,6 @@ spec: - cilium selector: matchLabels: - k8s-app: cilium + app.kubernetes.io/name: cilium-agent targetLabels: - k8s-app 
diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index be2ed3016..8f376bc2a 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml @@ -4,14 +4,17 @@ data: arping-refresh-period: 30s auto-direct-node-routes: 'false' bgp-secrets-namespace: cilium + bpf-distributed-lru: 'false' bpf-events-drop-enabled: 'true' bpf-events-policy-verdict-enabled: 'true' bpf-events-trace-enabled: 'true' bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: 'false' bpf-lb-external-clusterip: 'false' bpf-lb-map-max: '65536' + bpf-lb-mode-annotation: 'false' bpf-lb-sock: 'false' - bpf-lb-sock-terminate-pod-connections: 'false' + bpf-lb-source-range-all-types: 'false' bpf-map-dynamic-size-ratio: '0.0025' bpf-policy-map-max: '16384' bpf-root: /sys/fs/bpf 
@@ -30,21 +33,26 @@ data: datapath-mode: veth debug: 'false' debug-verbose: '' + default-lb-service-ipam: lbipam direct-routing-skip-unreachable: 'false' dnsproxy-enable-transparent-mode: 'true' dnsproxy-socket-linger-timeout: '10' egress-gateway-reconciliation-trigger-interval: 1s enable-auto-protect-node-port-range: 'true' enable-bgp-control-plane: 'true' + enable-bgp-control-plane-status-report: 'true' enable-bpf-clock-probe: 'false' enable-bpf-masquerade: 'true' enable-endpoint-health-checking: 'true' + enable-endpoint-lockdown-on-policy-overflow: 'false' enable-endpoint-routes: 'true' + enable-experimental-lb: 'false' enable-health-check-loadbalancer-ip: 'false' enable-health-check-nodeport: 'true' enable-health-checking: 'true' enable-hubble: 'true' enable-hubble-open-metrics: 'false' + enable-internal-traffic-policy: 'true' enable-ipv4: 'true' enable-ipv4-big-tcp: 'false' enable-ipv4-masquerade: 'true' @@ -55,20 +63,27 @@ data: enable-k8s-terminating-endpoint: 'true' enable-l2-neigh-discovery: 'true' enable-l7-proxy: 'true' + enable-lb-ipam: 'true' enable-local-redirect-policy: 'false' enable-masquerade-to-route-source: 'false' enable-node-selector-labels: 'false' + enable-non-default-deny-policies: 'true' enable-policy: default + enable-policy-secrets-sync: 'true' enable-runtime-device-detection: 'true' enable-sctp: 'false' + enable-source-ip-verification: 'true' enable-svc-source-range-check: 'true' enable-tcx: 'true' enable-vtep: 'false' enable-well-known-identities: 'false' enable-xt-socket-fallback: 'true' + envoy-access-log-buffer-size: '4096' envoy-base-id: '0' envoy-keep-cap-netbindservice: 'false' - external-envoy-proxy: 'false' + external-envoy-proxy: 'true' + health-check-icmp-failure-threshold: '3' + http-retry-count: '3' hubble-disable-tls: 'true' hubble-export-file-max-backups: '5' hubble-export-file-max-size-mb: '10' 
@@ -85,6 +100,7 @@ data: install-no-conntrack-iptables-rules: 'false' ipam: cluster-pool ipam-cilium-node-update-rate: 15s + iptables-random-fully: 'false' k8s-client-burst: '30' k8s-client-qps: '15' k8s-require-ipv4-pod-cidr: 'false' @@ -106,15 +122,17 @@ data: nodes-gc-interval: 5m0s operator-api-serve-addr: 127.0.0.1:9234 policy-cidr-match-mode: '' + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: 'true' preallocate-bpf-maps: 'false' procfs: /host/proc prometheus-serve-addr: :9962 proxy-connect-timeout: '2' proxy-idle-timeout-seconds: '60' proxy-initial-fetch-timeout: '30' + proxy-max-concurrent-retries: '128' proxy-max-connection-duration-seconds: '0' proxy-max-requests-per-connection: '0' - proxy-prometheus-port: '9964' proxy-xff-num-trusted-hops-egress: '0' proxy-xff-num-trusted-hops-ingress: '0' remove-cilium-node-taints: 'true' @@ -125,11 +143,12 @@ data: synchronize-k8s-nodes: 'true' tofqdns-dns-reject-response-code: refused tofqdns-enable-dns-compression: 'true' - tofqdns-endpoint-max-ip-per-hostname: '50' + tofqdns-endpoint-max-ip-per-hostname: '1000' tofqdns-idle-connection-grace-period: 0s tofqdns-max-deferred-connection-deletes: '10000' tofqdns-proxy-response-max-delay: 100ms tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 unmanaged-pod-watcher-interval: '15' vtep-cidr: '' vtep-endpoint: '' diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml new file mode 100644 index 000000000..3b0fa62d3 --- /dev/null +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +data: + bootstrap-config.json: | + {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.t
ls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.
upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{
"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-health-listener"}]}} +kind: ConfigMap +metadata: + name: cilium-envoy-config + namespace: cilium diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml new file mode 100644 index 000000000..bc2dbcdfc --- /dev/null +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml 
@@ -0,0 +1,160 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app.kubernetes.io/name: cilium-envoy + app.kubernetes.io/part-of: cilium + k8s-app: cilium-envoy + name: cilium-envoy + name: cilium-envoy + namespace: cilium +spec: + selector: + matchLabels: + k8s-app: cilium-envoy + template: + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/cilium-envoy: unconfined + labels: + app.kubernetes.io/name: cilium-envoy + app.kubernetes.io/part-of: cilium + k8s-app: cilium-envoy + name: cilium-envoy + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cilium.io/no-schedule + operator: NotIn + values: + - 'true' + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium-envoy + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true + containers: + - args: + - -- + - -c /var/run/cilium/envoy/bootstrap-config.json + - --base-id 0 + - --log-level info + command: + - /usr/bin/cilium-envoy-starter + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: quay.io/cilium/cilium-envoy:v1.34.10-1760767433-887ebe7d6ccc2a9dc8c73f6ae4927283283b507e@sha256:78a7c6ceb4135680eb94ed1ca80b1be00647878e6694522f8380cc2a8b99e434 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 10 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9878 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: cilium-envoy + ports: + - containerPort: 9964 + hostPort: 9964 + name: envoy-metrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + 
httpGet: + host: 127.0.0.1 + path: /healthz + port: 9878 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + securityContext: + capabilities: + add: + - NET_ADMIN + - SYS_ADMIN + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + startupProbe: + failureThreshold: 105 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9878 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 2 + successThreshold: 1 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/cilium/envoy/sockets + name: envoy-sockets + readOnly: false + - mountPath: /var/run/cilium/envoy/artifacts + name: envoy-artifacts + readOnly: true + - mountPath: /var/run/cilium/envoy/ + name: envoy-config + readOnly: true + - mountPath: /sys/fs/bpf + mountPropagation: HostToContainer + name: bpf-maps + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + restartPolicy: Always + serviceAccountName: cilium-envoy + terminationGracePeriodSeconds: 1 + tolerations: + - operator: Exists + volumes: + - hostPath: + path: /var/run/cilium/envoy/sockets + type: DirectoryOrCreate + name: envoy-sockets + - hostPath: + path: /var/run/cilium/envoy/artifacts + type: DirectoryOrCreate + name: envoy-artifacts + - configMap: + defaultMode: 256 + items: + - key: bootstrap-config.json + path: bootstrap-config.json + name: cilium-envoy-config + name: envoy-config + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + updateStrategy: + rollingUpdate: + maxUnavailable: 2 + type: RollingUpdate diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml new file mode 100644 index 000000000..6b6d6cd5f --- /dev/null 
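Review bot: The new `cilium-envoy` DaemonSet sets `automountServiceAccountToken: true` for the `cilium-envoy` ServiceAccount, yet this diff binds no Role or ClusterRole to that account, so an API token is mounted into the proxy container without any visible use. Envoy is the component terminating L7 traffic from workloads and runs with `hostNetwork: true`, `NET_ADMIN`/`SYS_ADMIN` and an unconfined AppArmor annotation, so an unused token there is a needless pivot if the proxy is ever compromised. Unless the component relies on that token for something not shown here, consider rendering `automountServiceAccountToken: false` for this pod (the chart presumably exposes this as `serviceAccounts.envoy.automount` — verify) and recording the decision in the parameters docs. The metrics listener also binds `0.0.0.0:9964` with a `hostPort`, reachable on every node interface; that matches the agent-side exposure removed in the same change, but the move to a separate DaemonSet is worth a line in the docs.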
+++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: '9964' + prometheus.io/scrape: 'true' + labels: + app.kubernetes.io/name: cilium-envoy + app.kubernetes.io/part-of: cilium + io.cilium/app: proxy + k8s-app: cilium-envoy + name: cilium-envoy + namespace: cilium +spec: + clusterIP: None + ports: + - name: envoy-metrics + port: 9964 + protocol: TCP + targetPort: envoy-metrics + selector: + k8s-app: cilium-envoy + type: ClusterIP diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml new file mode 100644 index 000000000..f2d7f618d --- /dev/null +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium-envoy + namespace: cilium diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml index cc748de66..9009493c9 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml @@ -55,6 +55,7 @@ rules: - '' resources: - namespaces + - secrets verbs: - get - list @@ -137,6 +138,13 @@ rules: - watch - delete - patch + - apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: 
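Review bot: The operator ClusterRole now grants `get`/`list`/`watch` on `secrets` cluster-wide (the `- secrets` line added beside `namespaces` in the `@@ -55,6 +55,7 @@` hunk), a material privilege increase over 1.16 that the change does not call out. Read together with `enable-policy-secrets-sync: 'true'` and `policy-secrets-namespace: cilium-secrets` in the rendered ConfigMap, this is the TLS-interception secret sync: the operator can read any Secret in the cluster in order to copy those referenced by network policies into `cilium-secrets`. If the component's users do not rely on TLS-interception policies, I'd default the corresponding chart value to disabled so the cluster-wide secret read is not granted out of the box (the knob is presumably `tls.secretSync.enabled` — confirm against the 1.17 chart), and in either case add a short note to the parameters docs explaining the new `cilium-secrets` namespace and this RBAC scope.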
@@ -183,6 +191,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index ae3f1ce51..972dfccd9 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml @@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5 + image: quay.io/cilium/operator-generic:v1.17.10@sha256:09cee355c86b8c50d43ecc8f63cedc5d4a8597aa41be72a63ca4479c31c2f2be imagePullPolicy: IfNotPresent livenessProbe: httpGet: diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml new file mode 100644 index 000000000..79fc907d3 --- /dev/null +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - delete + - update + - patch 
diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml new file mode 100644 index 000000000..cbde47327 --- /dev/null +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium-operator + namespace: cilium diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml new file mode 100644 index 000000000..30f28d314 --- /dev/null +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-secrets diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml index 33125e408..4beca2cfc 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml 
@@ -1,9 +1,9 @@ apiVersion: v1 data: - config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\ - \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\ - \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ - \ndisable-server-tls: true\n" + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local.:80\"\ + \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\ + \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ndisable-server-tls:\ + \ true\n" kind: ConfigMap metadata: name: hubble-relay-config diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 32db1394b..ffcde1c3b 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -37,7 +37,7 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2 + image: quay.io/cilium/hubble-relay:v1.17.10@sha256:da6747dd2bccc2901693b49ed4a687723f8d5c1e37d40fb95ea04910d31eaab2 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 12 diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index 7d7504428..49005b75e 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml 
+++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -93,6 +93,8 @@ spec: httpHeaders: - name: brief value: 'true' + - name: require-k8s-connectivity + value: 'false' path: /healthz port: 9879 scheme: HTTP @@ -109,14 +111,6 @@ spec: hostPort: 9962 name: prometheus protocol: TCP - - containerPort: 9964 - hostPort: 9964 - name: envoy-metrics - protocol: TCP - - containerPort: 9901 - hostPort: 9901 - name: envoy-admin - protocol: TCP - containerPort: 9965 hostPort: 9965 name: hubble-metrics @@ -169,6 +163,9 @@ spec: successThreshold: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: + - mountPath: /var/run/cilium/envoy/sockets + name: envoy-sockets + readOnly: false - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel @@ -178,6 +175,9 @@ spec: name: bpf-maps - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh @@ -206,7 +206,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError 
@@ -225,7 +225,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -255,7 +255,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -281,7 +281,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -312,7 +312,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -338,7 +338,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: 
@@ -360,6 +360,9 @@ spec: kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always + securityContext: + seccompProfile: + type: Unconfined serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: @@ -371,6 +374,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate @@ -398,6 +405,10 @@ spec: path: /run/xtables.lock type: FileOrCreate name: xtables-lock + - hostPath: + path: /var/run/cilium/envoy/sockets + type: DirectoryOrCreate + name: envoy-sockets - name: clustermesh-secrets projected: defaultMode: 256 diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml index 6469cd598..eb921e499 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml @@ -14,3 +14,20 @@ rules: - get - list - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml index 1d47a92c5..8ec160c93 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml 
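Review bot: The pod-level `securityContext: seccompProfile: type: Unconfined` added in the `@@ -360,6 +360,9 @@` hunk switches off seccomp filtering for the agent container and every init container, whereas the 1.16 rendering left the profile unset. Because it is an explicit `Unconfined` rather than an absent field, the rendered DaemonSet is now rejected by the Pod Security `baseline` profile and will be flagged by any admission policy that audits seccomp; the new rw `hostPath: /var/run/netns` (`DirectoryOrCreate`) mount in the `@@ -371` hunk widens the host surface as well. This presumably comes from the 1.17 chart's `podSecurityContext.seccompProfile` default rather than from the component; if the cluster's runtime default profile does not break the agent, consider overriding it to `type: RuntimeDefault` in the component's Helm values, or record in the component docs why the upstream `Unconfined` default is kept.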
@@ -13,3 +13,19 @@ subjects: - kind: ServiceAccount name: cilium namespace: cilium +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium + namespace: cilium diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml index fc9fa1ab3..fbab0df5d 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml @@ -14,10 +14,6 @@ spec: port: 9962 protocol: TCP targetPort: prometheus - - name: envoy-metrics - port: 9964 - protocol: TCP - targetPort: envoy-metrics selector: k8s-app: cilium type: ClusterIP diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml index c22a31588..b8a21770a 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml @@ -21,6 +21,6 @@ spec: - cilium selector: matchLabels: - k8s-app: cilium + app.kubernetes.io/name: cilium-agent targetLabels: - k8s-app diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index 80c961d15..6f3aa63fc 100644 
--- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml @@ -3,14 +3,17 @@ data: agent-not-ready-taint-key: node.cilium.io/agent-not-ready arping-refresh-period: 30s auto-direct-node-routes: 'false' + bpf-distributed-lru: 'false' bpf-events-drop-enabled: 'true' bpf-events-policy-verdict-enabled: 'true' bpf-events-trace-enabled: 'true' bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: 'false' bpf-lb-external-clusterip: 'false' bpf-lb-map-max: '65536' + bpf-lb-mode-annotation: 'false' bpf-lb-sock: 'false' - bpf-lb-sock-terminate-pod-connections: 'false' + bpf-lb-source-range-all-types: 'false' bpf-map-dynamic-size-ratio: '0.0025' bpf-policy-map-max: '16384' bpf-root: /sys/fs/bpf @@ -29,6 +32,7 @@ data: datapath-mode: veth debug: 'false' debug-verbose: '' + default-lb-service-ipam: lbipam direct-routing-skip-unreachable: 'false' dnsproxy-enable-transparent-mode: 'true' dnsproxy-socket-linger-timeout: '10' @@ -37,12 +41,15 @@ data: enable-bpf-clock-probe: 'false' enable-bpf-masquerade: 'true' enable-endpoint-health-checking: 'true' + enable-endpoint-lockdown-on-policy-overflow: 'false' enable-endpoint-routes: 'true' + enable-experimental-lb: 'false' enable-health-check-loadbalancer-ip: 'false' enable-health-check-nodeport: 'true' enable-health-checking: 'true' enable-hubble: 'true' enable-hubble-open-metrics: 'false' + enable-internal-traffic-policy: 'true' enable-ipv4: 'true' enable-ipv4-big-tcp: 'false' enable-ipv4-masquerade: 'true' 
@@ -53,20 +60,27 @@ data: enable-k8s-terminating-endpoint: 'true' enable-l2-neigh-discovery: 'true' enable-l7-proxy: 'true' + enable-lb-ipam: 'true' enable-local-redirect-policy: 'false' enable-masquerade-to-route-source: 'false' enable-node-selector-labels: 'false' + enable-non-default-deny-policies: 'true' enable-policy: default + enable-policy-secrets-sync: 'true' enable-runtime-device-detection: 'true' enable-sctp: 'false' + enable-source-ip-verification: 'true' enable-svc-source-range-check: 'true' enable-tcx: 'true' enable-vtep: 'false' enable-well-known-identities: 'false' enable-xt-socket-fallback: 'true' + envoy-access-log-buffer-size: '4096' envoy-base-id: '0' envoy-keep-cap-netbindservice: 'false' - external-envoy-proxy: 'false' + external-envoy-proxy: 'true' + health-check-icmp-failure-threshold: '3' + http-retry-count: '3' hubble-disable-tls: 'true' hubble-export-file-max-backups: '5' hubble-export-file-max-size-mb: '10' @@ -83,6 +97,7 @@ data: install-no-conntrack-iptables-rules: 'false' ipam: cluster-pool ipam-cilium-node-update-rate: 15s + iptables-random-fully: 'false' k8s-client-burst: '30' k8s-client-qps: '15' k8s-require-ipv4-pod-cidr: 'false' @@ -104,15 +119,17 @@ data: nodes-gc-interval: 5m0s operator-api-serve-addr: 127.0.0.1:9234 policy-cidr-match-mode: '' + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: 'true' preallocate-bpf-maps: 'false' procfs: /host/proc prometheus-serve-addr: :9962 proxy-connect-timeout: '2' proxy-idle-timeout-seconds: '60' proxy-initial-fetch-timeout: '30' + proxy-max-concurrent-retries: '128' proxy-max-connection-duration-seconds: '0' proxy-max-requests-per-connection: '0' - proxy-prometheus-port: '9964' proxy-xff-num-trusted-hops-egress: '0' proxy-xff-num-trusted-hops-ingress: '0' remove-cilium-node-taints: 'true' 
@@ -123,11 +140,12 @@ data: synchronize-k8s-nodes: 'true' tofqdns-dns-reject-response-code: refused tofqdns-enable-dns-compression: 'true' - tofqdns-endpoint-max-ip-per-hostname: '50' + tofqdns-endpoint-max-ip-per-hostname: '1000' tofqdns-idle-connection-grace-period: 0s tofqdns-max-deferred-connection-deletes: '10000' tofqdns-proxy-response-max-delay: 100ms tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 unmanaged-pod-watcher-interval: '15' vtep-cidr: '' vtep-endpoint: '' diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml new file mode 100644 index 000000000..3b0fa62d3 --- /dev/null +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +data: + bootstrap-config.json: | + {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.t
ls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.
upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{
"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-health-listener"}]}} +kind: ConfigMap +metadata: + name: cilium-envoy-config + namespace: cilium diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml new file mode 100644 index 000000000..bc2dbcdfc --- /dev/null +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml 
@@ -0,0 +1,160 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app.kubernetes.io/name: cilium-envoy + app.kubernetes.io/part-of: cilium + k8s-app: cilium-envoy + name: cilium-envoy + name: cilium-envoy + namespace: cilium +spec: + selector: + matchLabels: + k8s-app: cilium-envoy + template: + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/cilium-envoy: unconfined + labels: + app.kubernetes.io/name: cilium-envoy + app.kubernetes.io/part-of: cilium + k8s-app: cilium-envoy + name: cilium-envoy + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cilium.io/no-schedule + operator: NotIn + values: + - 'true' + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium-envoy + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true + containers: + - args: + - -- + - -c /var/run/cilium/envoy/bootstrap-config.json + - --base-id 0 + - --log-level info + command: + - /usr/bin/cilium-envoy-starter + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: quay.io/cilium/cilium-envoy:v1.34.10-1760767433-887ebe7d6ccc2a9dc8c73f6ae4927283283b507e@sha256:78a7c6ceb4135680eb94ed1ca80b1be00647878e6694522f8380cc2a8b99e434 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 10 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9878 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: cilium-envoy + ports: + - containerPort: 9964 + hostPort: 9964 + name: envoy-metrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + 
httpGet: + host: 127.0.0.1 + path: /healthz + port: 9878 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + securityContext: + capabilities: + add: + - NET_ADMIN + - SYS_ADMIN + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + startupProbe: + failureThreshold: 105 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9878 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 2 + successThreshold: 1 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/cilium/envoy/sockets + name: envoy-sockets + readOnly: false + - mountPath: /var/run/cilium/envoy/artifacts + name: envoy-artifacts + readOnly: true + - mountPath: /var/run/cilium/envoy/ + name: envoy-config + readOnly: true + - mountPath: /sys/fs/bpf + mountPropagation: HostToContainer + name: bpf-maps + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + restartPolicy: Always + serviceAccountName: cilium-envoy + terminationGracePeriodSeconds: 1 + tolerations: + - operator: Exists + volumes: + - hostPath: + path: /var/run/cilium/envoy/sockets + type: DirectoryOrCreate + name: envoy-sockets + - hostPath: + path: /var/run/cilium/envoy/artifacts + type: DirectoryOrCreate + name: envoy-artifacts + - configMap: + defaultMode: 256 + items: + - key: bootstrap-config.json + path: bootstrap-config.json + name: cilium-envoy-config + name: envoy-config + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + updateStrategy: + rollingUpdate: + maxUnavailable: 2 + type: RollingUpdate diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml new file mode 100644 index 000000000..6b6d6cd5f --- /dev/null +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml 
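Review bot: `automountServiceAccountToken: true` in the new `cilium-envoy` DaemonSet mounts a `cilium-envoy` service-account token into a `hostNetwork` container that runs with `NET_ADMIN`/`SYS_ADMIN` and AppArmor `unconfined`, yet no Role or ClusterRole binding for that ServiceAccount appears anywhere in this diff, so the token is presumably never used (the proxy talks to the agent over the `/var/run/cilium/envoy/sockets` xDS socket). If the proxy needs no API access, set automount to `false` for that account in the component's Helm values (the chart exposes this per component under `serviceAccounts`, likely `serviceAccounts.envoy.automount` — confirm the key) so a proxy compromise does not also yield a valid bearer token. Separately, the pod still relies on the deprecated `container.apparmor.security.beta.kubernetes.io/cilium-envoy: unconfined` annotation rather than `securityContext.appArmorProfile`; that is upstream chart behaviour, but worth noting for clusters that have moved to the field.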
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: '9964' + prometheus.io/scrape: 'true' + labels: + app.kubernetes.io/name: cilium-envoy + app.kubernetes.io/part-of: cilium + io.cilium/app: proxy + k8s-app: cilium-envoy + name: cilium-envoy + namespace: cilium +spec: + clusterIP: None + ports: + - name: envoy-metrics + port: 9964 + protocol: TCP + targetPort: envoy-metrics + selector: + k8s-app: cilium-envoy + type: ClusterIP diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml new file mode 100644 index 000000000..f2d7f618d --- /dev/null +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium-envoy + namespace: cilium diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml index cc748de66..9009493c9 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml @@ -55,6 +55,7 @@ rules: - '' resources: - namespaces + - secrets verbs: - get - list @@ -137,6 +138,13 @@ rules: - watch - delete - patch + - apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: @@ -183,6 +191,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list 
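Review bot: The new `- secrets` entry in the `@@ -55,6 +55,7 @@` hunk of the operator ClusterRole grants `cilium-operator` get/list/watch on every Secret in the cluster, so a compromised operator pod or a leaked `cilium-operator` token now reads all Secrets, not only those in `cilium-secrets`. This looks like the 1.17 policy-secret sync feature (the rendered ConfigMap also gains `enable-policy-secrets-sync: 'true'` and the operator receives a create/delete/update/patch Role in `cilium-secrets`), presumably driven by the chart's `tls.secretSync` values — verify the exact key against the 1.17 values.yaml. If no CiliumNetworkPolicy on these clusters uses TLS interception, consider disabling the sync in the component's Helm values so this rule is not rendered, and in any case call out the new cluster-wide Secret read in the component's upgrade notes.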
diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index ae3f1ce51..972dfccd9 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml @@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5 + image: quay.io/cilium/operator-generic:v1.17.10@sha256:09cee355c86b8c50d43ecc8f63cedc5d4a8597aa41be72a63ca4479c31c2f2be imagePullPolicy: IfNotPresent livenessProbe: httpGet: diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml new file mode 100644 index 000000000..79fc907d3 --- /dev/null +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - delete + - update + - patch diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml new file mode 100644 index 000000000..cbde47327 --- /dev/null +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml 
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/part-of: cilium
+ name: cilium-operator-tlsinterception-secrets
+ namespace: cilium-secrets
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-operator-tlsinterception-secrets
+subjects:
+ - kind: ServiceAccount
+ name: cilium-operator
+ namespace: cilium
diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml
new file mode 100644
index 000000000..30f28d314
--- /dev/null
+++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ app.kubernetes.io/part-of: cilium
+ name: cilium-secrets
diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
index 33125e408..4beca2cfc 100644
--- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
+++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
@@ -1,9 +1,9 @@ apiVersion: v1 data: - config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\ - \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\ - \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ - \ndisable-server-tls: true\n" + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local.:80\"\ + \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\ + \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ndisable-server-tls:\ + \ true\n" kind: ConfigMap metadata: name: hubble-relay-config diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 32db1394b..ffcde1c3b 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -37,7 +37,7 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2 + image: quay.io/cilium/hubble-relay:v1.17.10@sha256:da6747dd2bccc2901693b49ed4a687723f8d5c1e37d40fb95ea04910d31eaab2 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 12 diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index 7d7504428..17f226b08 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml 
+++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -93,6 +93,8 @@ spec: httpHeaders: - name: brief value: 'true' + - name: require-k8s-connectivity + value: 'false' path: /healthz port: 9879 scheme: HTTP @@ -178,6 +180,9 @@ spec: name: bpf-maps - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh @@ -206,7 +211,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -225,7 +230,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: 
@@ -255,7 +260,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -281,7 +286,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -312,7 +317,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -338,7 +343,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -360,6 +365,9 @@ spec: kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always + securityContext: + seccompProfile: + type: Unconfined serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: @@ -371,6 +379,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate 
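Review bot: The rendered cilium-agent DaemonSet now carries a pod-level `securityContext.seccompProfile.type: Unconfined` (hunk `@@ -360,6 +365,9 @@`) plus a new `cilium-netns` hostPath volume for `/var/run/netns` mounted with `mountPropagation: HostToContainer` (hunks `@@ -178,6 +180,9 @@` and `@@ -371,6 +379,10 @@`), and neither the docs nor the component defaults in this diff mention them. Both look like inherited upstream 1.17 chart defaults rather than a deliberate component choice; an explicit `Unconfined` seccomp profile is what the baseline and restricted Pod Security Standards reject, so clusters that audit or enforce those levels on the Cilium namespace will see a posture change on this upgrade. I would add one sentence to the upgrade notes naming the new seccomp setting and the host netns mount, and, if the component wants to keep the previous posture, set the agent pod security context explicitly through the chart values so the golden records a chosen value instead of a chart default. The helm-opensource daemonset golden further down contains the same hunks.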
diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml
index 6469cd598..eb921e499 100644
--- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml
+++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml
@@ -14,3 +14,20 @@ rules:
 - get
 - list
 - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/part-of: cilium
+ name: cilium-tlsinterception-secrets
+ namespace: cilium-secrets
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml
index 1d47a92c5..8ec160c93 100644
--- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml
+++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml
@@ -13,3 +13,19 @@ subjects:
 - kind: ServiceAccount
 name: cilium
 namespace: cilium
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/part-of: cilium
+ name: cilium-tlsinterception-secrets
+ namespace: cilium-secrets
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-tlsinterception-secrets
+subjects:
+ - kind: ServiceAccount
+ name: cilium
+ namespace: cilium
diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml
index c22a31588..b8a21770a 100644
--- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml
+++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml
@@ -21,6 +21,6 @@ spec:
 - cilium
 selector:
 matchLabels:
- k8s-app: cilium
+ app.kubernetes.io/name: cilium-agent
 targetLabels:
 - k8s-app
diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml
index df15326f1..762c570bb 100644
--- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml
+++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml
@@ -3,14 +3,17 @@ data:
 agent-not-ready-taint-key: node.cilium.io/agent-not-ready
 arping-refresh-period: 30s
 auto-direct-node-routes: 'false'
+ bpf-distributed-lru: 'false'
 bpf-events-drop-enabled: 'true'
 bpf-events-policy-verdict-enabled: 'true'
 bpf-events-trace-enabled: 'true'
 bpf-lb-acceleration: disabled
+ bpf-lb-algorithm-annotation: 'false'
 bpf-lb-external-clusterip: 'false'
 bpf-lb-map-max: '65536'
+ bpf-lb-mode-annotation: 'false'
 bpf-lb-sock: 'false'
- bpf-lb-sock-terminate-pod-connections: 'false'
+ bpf-lb-source-range-all-types: 'false'
 bpf-map-dynamic-size-ratio: '0.0025'
 bpf-policy-map-max: '16384'
 bpf-root: /sys/fs/bpf
@@ -29,6 +32,7 @@ data:
 datapath-mode: veth
 debug: 'false'
 debug-verbose: ''
+ default-lb-service-ipam: lbipam
 direct-routing-skip-unreachable: 'false'
 dnsproxy-enable-transparent-mode: 'true'
 dnsproxy-socket-linger-timeout: '10'
@@ -37,12 +41,15 @@ data:
 enable-bpf-clock-probe: 'false'
 enable-bpf-masquerade: 'true'
 enable-endpoint-health-checking: 'true'
+ enable-endpoint-lockdown-on-policy-overflow: 'false'
 enable-endpoint-routes: 'true'
+ enable-experimental-lb: 'false'
 enable-health-check-loadbalancer-ip: 'false'
 enable-health-check-nodeport: 'true'
 enable-health-checking: 'true'
 enable-hubble: 'true'
 enable-hubble-open-metrics: 'false'
+ enable-internal-traffic-policy: 'true'
 enable-ipv4: 'true'
 enable-ipv4-big-tcp: 'false'
 enable-ipv4-egress-gateway: 'true'
@@ -54,20 +61,27 @@ data:
 enable-k8s-terminating-endpoint: 'true'
 enable-l2-neigh-discovery: 'true'
 enable-l7-proxy: 'false'
+ enable-lb-ipam: 'true'
 enable-local-redirect-policy: 'false'
 enable-masquerade-to-route-source: 'false'
 enable-node-selector-labels: 'false'
+ enable-non-default-deny-policies: 'true'
 enable-policy: default
+ enable-policy-secrets-sync: 'true'
 enable-runtime-device-detection: 'true'
 enable-sctp: 'false'
+ enable-source-ip-verification: 'true'
 enable-svc-source-range-check: 'true'
 enable-tcx: 'true'
 enable-vtep: 'false'
 enable-well-known-identities: 'false'
 enable-xt-socket-fallback: 'true'
+ envoy-access-log-buffer-size: '4096'
 envoy-base-id: '0'
 envoy-keep-cap-netbindservice: 'false'
 external-envoy-proxy: 'false'
+ health-check-icmp-failure-threshold: '3'
+ http-retry-count: '3'
 hubble-disable-tls: 'true'
 hubble-export-file-max-backups: '5'
 hubble-export-file-max-size-mb: '10'
@@ -84,6 +98,7 @@ data:
 install-no-conntrack-iptables-rules: 'false'
 ipam: cluster-pool
 ipam-cilium-node-update-rate: 15s
+ iptables-random-fully: 'false'
 k8s-client-burst: '30'
 k8s-client-qps: '15'
 k8s-require-ipv4-pod-cidr: 'false'
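Review bot: The `@@ -54,20 +61,27 @@` hunk of the rendered agent ConfigMap introduces several policy-enforcement toggles whose defaults are now fixed by the chart rather than by the component: `enable-non-default-deny-policies: 'true'`, `enable-source-ip-verification: 'true'` and `enable-policy-secrets-sync: 'true'`, with `enable-endpoint-lockdown-on-policy-overflow: 'false'` in the hunk above it. Judging by their names these affect how network policy is evaluated and what happens on policy-map exhaustion, so an operator upgrading from 1.16 may see different enforcement without having changed any component parameter; I cannot confirm the exact semantics from this diff, so the note should be written against the upstream 1.17 documentation. I would add an upgrade paragraph to the parameters documentation that lists these keys, states that they are chart defaults and shows the `cilium.helm_values` override needed to pin the previous behaviour where one exists. The helm-opensource configmap golden further down renders the same keys.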
@@ -105,12 +120,15 @@ data:
 nodes-gc-interval: 5m0s
 operator-api-serve-addr: 127.0.0.1:9234
 policy-cidr-match-mode: ''
+ policy-secrets-namespace: cilium-secrets
+ policy-secrets-only-from-secrets-namespace: 'true'
 preallocate-bpf-maps: 'false'
 procfs: /host/proc
 prometheus-serve-addr: :9962
 proxy-connect-timeout: '2'
 proxy-idle-timeout-seconds: '60'
 proxy-initial-fetch-timeout: '30'
+ proxy-max-concurrent-retries: '128'
 proxy-max-connection-duration-seconds: '0'
 proxy-max-requests-per-connection: '0'
 proxy-prometheus-port: '9964'
@@ -124,11 +142,12 @@ data:
 synchronize-k8s-nodes: 'true'
 tofqdns-dns-reject-response-code: refused
 tofqdns-enable-dns-compression: 'true'
- tofqdns-endpoint-max-ip-per-hostname: '50'
+ tofqdns-endpoint-max-ip-per-hostname: '1000'
 tofqdns-idle-connection-grace-period: 0s
 tofqdns-max-deferred-connection-deletes: '10000'
 tofqdns-proxy-response-max-delay: 100ms
 tunnel-protocol: vxlan
+ tunnel-source-port-range: 0-0
 unmanaged-pod-watcher-interval: '15'
 vtep-cidr: ''
 vtep-endpoint: ''
diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml
index cc748de66..9009493c9 100644
--- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml
+++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml
@@ -55,6 +55,7 @@ rules:
 - ''
 resources:
 - namespaces
+ - secrets
 verbs:
 - get
 - list
@@ -137,6 +138,13 @@ rules:
 - watch
 - delete
 - patch
+ - apiGroups:
+ - cilium.io
+ resources:
+ - ciliumbgpclusterconfigs/status
+ - ciliumbgppeerconfigs/status
+ verbs:
+ - update
 - apiGroups:
 - apiextensions.k8s.io
 resources:
@@ -183,6 +191,7 @@ rules:
 - ciliumbgppeeringpolicies
 - ciliumbgpclusterconfigs
 - ciliumbgpnodeconfigoverrides
+ - ciliumbgppeerconfigs
 verbs:
 - get
 - list
diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml
index ae3f1ce51..972dfccd9 100644
--- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml
+++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml
@@ -59,7 +59,7 @@ spec:
 key: debug
 name: cilium-config
 optional: true
- image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
+ image: quay.io/cilium/operator-generic:v1.17.10@sha256:09cee355c86b8c50d43ecc8f63cedc5d4a8597aa41be72a63ca4479c31c2f2be
 imagePullPolicy: IfNotPresent
 livenessProbe:
 httpGet:
diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml
new file mode 100644
index 000000000..79fc907d3
--- /dev/null
+++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/part-of: cilium
+ name: cilium-operator-tlsinterception-secrets
+ namespace: cilium-secrets
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - update
+ - patch
diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml
new file mode 100644
index 000000000..cbde47327
--- /dev/null
+++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/part-of: cilium
+ name: cilium-operator-tlsinterception-secrets
+ namespace: cilium-secrets
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-operator-tlsinterception-secrets
+subjects:
+ - kind: ServiceAccount
+ name: cilium-operator
+ namespace: cilium
diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml
new file mode 100644
index 000000000..30f28d314
--- /dev/null
+++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ app.kubernetes.io/part-of: cilium
+ name: cilium-secrets
diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
index 33125e408..4beca2cfc 100644
--- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
+++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
@@ -1,9 +1,9 @@ apiVersion: v1 data: - config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\ - \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\ - \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ - \ndisable-server-tls: true\n" + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local.:80\"\ + \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\ + \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ndisable-server-tls:\ + \ true\n" kind: ConfigMap metadata: name: hubble-relay-config diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 32db1394b..ffcde1c3b 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -37,7 +37,7 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2 + image: quay.io/cilium/hubble-relay:v1.17.10@sha256:da6747dd2bccc2901693b49ed4a687723f8d5c1e37d40fb95ea04910d31eaab2 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 12 diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index 7d7504428..49005b75e 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml 
+++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -93,6 +93,8 @@ spec: httpHeaders: - name: brief value: 'true' + - name: require-k8s-connectivity + value: 'false' path: /healthz port: 9879 scheme: HTTP @@ -109,14 +111,6 @@ spec: hostPort: 9962 name: prometheus protocol: TCP - - containerPort: 9964 - hostPort: 9964 - name: envoy-metrics - protocol: TCP - - containerPort: 9901 - hostPort: 9901 - name: envoy-admin - protocol: TCP - containerPort: 9965 hostPort: 9965 name: hubble-metrics @@ -169,6 +163,9 @@ spec: successThreshold: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: + - mountPath: /var/run/cilium/envoy/sockets + name: envoy-sockets + readOnly: false - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel @@ -178,6 +175,9 @@ spec: name: bpf-maps - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh @@ -206,7 +206,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError 
@@ -225,7 +225,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -255,7 +255,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -281,7 +281,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -312,7 +312,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -338,7 +338,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: 
@@ -360,6 +360,9 @@ spec: kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always + securityContext: + seccompProfile: + type: Unconfined serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: @@ -371,6 +374,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate @@ -398,6 +405,10 @@ spec: path: /run/xtables.lock type: FileOrCreate name: xtables-lock + - hostPath: + path: /var/run/cilium/envoy/sockets + type: DirectoryOrCreate + name: envoy-sockets - name: clustermesh-secrets projected: defaultMode: 256 diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml index 6469cd598..eb921e499 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml @@ -14,3 +14,20 @@ rules: - get - list - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml index 1d47a92c5..8ec160c93 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml 
+++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml @@ -13,3 +13,19 @@ subjects: - kind: ServiceAccount name: cilium namespace: cilium +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium + namespace: cilium diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml index fc9fa1ab3..fbab0df5d 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml @@ -14,10 +14,6 @@ spec: port: 9962 protocol: TCP targetPort: prometheus - - name: envoy-metrics - port: 9964 - protocol: TCP - targetPort: envoy-metrics selector: k8s-app: cilium type: ClusterIP diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml index c22a31588..b8a21770a 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml @@ -21,6 +21,6 @@ spec: - cilium selector: matchLabels: - k8s-app: cilium + app.kubernetes.io/name: cilium-agent targetLabels: - k8s-app 
diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index 80c961d15..6f3aa63fc 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml @@ -3,14 +3,17 @@ data: agent-not-ready-taint-key: node.cilium.io/agent-not-ready arping-refresh-period: 30s auto-direct-node-routes: 'false' + bpf-distributed-lru: 'false' bpf-events-drop-enabled: 'true' bpf-events-policy-verdict-enabled: 'true' bpf-events-trace-enabled: 'true' bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: 'false' bpf-lb-external-clusterip: 'false' bpf-lb-map-max: '65536' + bpf-lb-mode-annotation: 'false' bpf-lb-sock: 'false' - bpf-lb-sock-terminate-pod-connections: 'false' + bpf-lb-source-range-all-types: 'false' bpf-map-dynamic-size-ratio: '0.0025' bpf-policy-map-max: '16384' bpf-root: /sys/fs/bpf @@ -29,6 +32,7 @@ data: datapath-mode: veth debug: 'false' debug-verbose: '' + default-lb-service-ipam: lbipam direct-routing-skip-unreachable: 'false' dnsproxy-enable-transparent-mode: 'true' dnsproxy-socket-linger-timeout: '10' @@ -37,12 +41,15 @@ data: enable-bpf-clock-probe: 'false' enable-bpf-masquerade: 'true' enable-endpoint-health-checking: 'true' + enable-endpoint-lockdown-on-policy-overflow: 'false' enable-endpoint-routes: 'true' + enable-experimental-lb: 'false' enable-health-check-loadbalancer-ip: 'false' enable-health-check-nodeport: 'true' enable-health-checking: 'true' enable-hubble: 'true' enable-hubble-open-metrics: 'false' + enable-internal-traffic-policy: 'true' enable-ipv4: 'true' enable-ipv4-big-tcp: 'false' enable-ipv4-masquerade: 'true' 
@@ -53,20 +60,27 @@ data: enable-k8s-terminating-endpoint: 'true' enable-l2-neigh-discovery: 'true' enable-l7-proxy: 'true' + enable-lb-ipam: 'true' enable-local-redirect-policy: 'false' enable-masquerade-to-route-source: 'false' enable-node-selector-labels: 'false' + enable-non-default-deny-policies: 'true' enable-policy: default + enable-policy-secrets-sync: 'true' enable-runtime-device-detection: 'true' enable-sctp: 'false' + enable-source-ip-verification: 'true' enable-svc-source-range-check: 'true' enable-tcx: 'true' enable-vtep: 'false' enable-well-known-identities: 'false' enable-xt-socket-fallback: 'true' + envoy-access-log-buffer-size: '4096' envoy-base-id: '0' envoy-keep-cap-netbindservice: 'false' - external-envoy-proxy: 'false' + external-envoy-proxy: 'true' + health-check-icmp-failure-threshold: '3' + http-retry-count: '3' hubble-disable-tls: 'true' hubble-export-file-max-backups: '5' hubble-export-file-max-size-mb: '10' @@ -83,6 +97,7 @@ data: install-no-conntrack-iptables-rules: 'false' ipam: cluster-pool ipam-cilium-node-update-rate: 15s + iptables-random-fully: 'false' k8s-client-burst: '30' k8s-client-qps: '15' k8s-require-ipv4-pod-cidr: 'false' @@ -104,15 +119,17 @@ data: nodes-gc-interval: 5m0s operator-api-serve-addr: 127.0.0.1:9234 policy-cidr-match-mode: '' + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: 'true' preallocate-bpf-maps: 'false' procfs: /host/proc prometheus-serve-addr: :9962 proxy-connect-timeout: '2' proxy-idle-timeout-seconds: '60' proxy-initial-fetch-timeout: '30' + proxy-max-concurrent-retries: '128' proxy-max-connection-duration-seconds: '0' proxy-max-requests-per-connection: '0' - proxy-prometheus-port: '9964' proxy-xff-num-trusted-hops-egress: '0' proxy-xff-num-trusted-hops-ingress: '0' remove-cilium-node-taints: 'true' 
@@ -123,11 +140,12 @@ data: synchronize-k8s-nodes: 'true' tofqdns-dns-reject-response-code: refused tofqdns-enable-dns-compression: 'true' - tofqdns-endpoint-max-ip-per-hostname: '50' + tofqdns-endpoint-max-ip-per-hostname: '1000' tofqdns-idle-connection-grace-period: 0s tofqdns-max-deferred-connection-deletes: '10000' tofqdns-proxy-response-max-delay: 100ms tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 unmanaged-pod-watcher-interval: '15' vtep-cidr: '' vtep-endpoint: '' diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml new file mode 100644 index 000000000..3b0fa62d3 --- /dev/null +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +data: + bootstrap-config.json: | + {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.t
ls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.
upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{
"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-health-listener"}]}} +kind: ConfigMap +metadata: + name: cilium-envoy-config + namespace: cilium diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml new file mode 100644 index 000000000..bc2dbcdfc --- /dev/null +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml 
@@ -0,0 +1,160 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app.kubernetes.io/name: cilium-envoy + app.kubernetes.io/part-of: cilium + k8s-app: cilium-envoy + name: cilium-envoy + name: cilium-envoy + namespace: cilium +spec: + selector: + matchLabels: + k8s-app: cilium-envoy + template: + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/cilium-envoy: unconfined + labels: + app.kubernetes.io/name: cilium-envoy + app.kubernetes.io/part-of: cilium + k8s-app: cilium-envoy + name: cilium-envoy + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cilium.io/no-schedule + operator: NotIn + values: + - 'true' + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium-envoy + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true + containers: + - args: + - -- + - -c /var/run/cilium/envoy/bootstrap-config.json + - --base-id 0 + - --log-level info + command: + - /usr/bin/cilium-envoy-starter + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: quay.io/cilium/cilium-envoy:v1.34.10-1760767433-887ebe7d6ccc2a9dc8c73f6ae4927283283b507e@sha256:78a7c6ceb4135680eb94ed1ca80b1be00647878e6694522f8380cc2a8b99e434 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 10 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9878 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: cilium-envoy + ports: + - containerPort: 9964 + hostPort: 9964 + name: envoy-metrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + 
httpGet: + host: 127.0.0.1 + path: /healthz + port: 9878 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + securityContext: + capabilities: + add: + - NET_ADMIN + - SYS_ADMIN + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + startupProbe: + failureThreshold: 105 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9878 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 2 + successThreshold: 1 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/cilium/envoy/sockets + name: envoy-sockets + readOnly: false + - mountPath: /var/run/cilium/envoy/artifacts + name: envoy-artifacts + readOnly: true + - mountPath: /var/run/cilium/envoy/ + name: envoy-config + readOnly: true + - mountPath: /sys/fs/bpf + mountPropagation: HostToContainer + name: bpf-maps + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + restartPolicy: Always + serviceAccountName: cilium-envoy + terminationGracePeriodSeconds: 1 + tolerations: + - operator: Exists + volumes: + - hostPath: + path: /var/run/cilium/envoy/sockets + type: DirectoryOrCreate + name: envoy-sockets + - hostPath: + path: /var/run/cilium/envoy/artifacts + type: DirectoryOrCreate + name: envoy-artifacts + - configMap: + defaultMode: 256 + items: + - key: bootstrap-config.json + path: bootstrap-config.json + name: cilium-envoy-config + name: envoy-config + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + updateStrategy: + rollingUpdate: + maxUnavailable: 2 + type: RollingUpdate diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml new file mode 100644 index 000000000..6b6d6cd5f --- /dev/null +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml 
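Review bot: The new cilium-envoy DaemonSet is rendered with `hostNetwork: true`, capabilities `NET_ADMIN` and `SYS_ADMIN`, SELinux type `spc_t` and the `container.apparmor.security.beta.kubernetes.io/cilium-envoy: unconfined` annotation, so with `external-envoy-proxy: 'true'` this upgrade adds a second near-privileged per-node workload rather than taking privilege away from the agent, and nothing in this commit documents that. Admission policies, Pod Security exemptions and alert rules that allow-list `k8s-app: cilium` presumably need to cover `k8s-app: cilium-envoy` as well; this deserves a sentence in the upgrade notes. The metrics listener in the bootstrap ConfigMap binds `0.0.0.0:9964` and is published as `hostPort: 9964`, the same exposure the agent had before its `envoy-metrics` port was removed, so that part is a move rather than a new opening. The pod also carries `automountServiceAccountToken: true` although the rendered spec only shows it talking to the agent over the unix sockets under `/var/run/cilium/envoy/sockets`; if the upstream chart offers a value to turn the token mount off, that is a cheap hardening to consider — confirm against the chart.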
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: '9964' + prometheus.io/scrape: 'true' + labels: + app.kubernetes.io/name: cilium-envoy + app.kubernetes.io/part-of: cilium + io.cilium/app: proxy + k8s-app: cilium-envoy + name: cilium-envoy + namespace: cilium +spec: + clusterIP: None + ports: + - name: envoy-metrics + port: 9964 + protocol: TCP + targetPort: envoy-metrics + selector: + k8s-app: cilium-envoy + type: ClusterIP diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml new file mode 100644 index 000000000..f2d7f618d --- /dev/null +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium-envoy + namespace: cilium diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml index cc748de66..9009493c9 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml @@ -55,6 +55,7 @@ rules: - '' resources: - namespaces + - secrets verbs: - get - list @@ -137,6 +138,13 @@ rules: - watch - delete - patch + - apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: @@ -183,6 +191,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list 
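Review bot: The `@@ -55,6 +55,7 @@` hunk of the cilium-operator ClusterRole adds `secrets` next to `namespaces` in the cluster-scoped get/list/watch rule, which grants the operator read access to every Secret in the cluster, not only the `cilium-secrets` namespace that the new Role/RoleBinding in the following file scope for create/delete/update/patch. This appears to follow from the chart defaults now rendering `enable-policy-secrets-sync: 'true'` and `policy-secrets-only-from-secrets-namespace: 'true'` into cilium-config, presumably because the sync copies Secrets referenced by policies from arbitrary namespaces into `cilium-secrets` — confirm against the upstream chart. If the component's users do not rely on TLS interception or policy-referenced Secrets, the component defaults should consider disabling that sync so the cluster-wide Secret read is not granted; either way the privilege widening should be called out in the changelog. Detection content that baselines ServiceAccount access to Secrets also needs updating for `cilium-operator` here and, per the `@@ -14,3 +14,20 @@` hunk of the agent Role later in this diff, for the `cilium` ServiceAccount reading `cilium-secrets`.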
diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index ae3f1ce51..972dfccd9 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml @@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5 + image: quay.io/cilium/operator-generic:v1.17.10@sha256:09cee355c86b8c50d43ecc8f63cedc5d4a8597aa41be72a63ca4479c31c2f2be imagePullPolicy: IfNotPresent livenessProbe: httpGet: diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml new file mode 100644 index 000000000..79fc907d3 --- /dev/null +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - delete + - update + - patch diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml new file mode 100644 index 000000000..cbde47327 --- /dev/null 
+++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium-operator + namespace: cilium diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml new file mode 100644 index 000000000..30f28d314 --- /dev/null +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-secrets diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml index 33125e408..4beca2cfc 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml 
@@ -1,9 +1,9 @@ apiVersion: v1 data: - config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\ - \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\ - \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ - \ndisable-server-tls: true\n" + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local.:80\"\ + \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\ + \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ndisable-server-tls:\ + \ true\n" kind: ConfigMap metadata: name: hubble-relay-config diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 32db1394b..ffcde1c3b 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -37,7 +37,7 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2 + image: quay.io/cilium/hubble-relay:v1.17.10@sha256:da6747dd2bccc2901693b49ed4a687723f8d5c1e37d40fb95ea04910d31eaab2 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 12 diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index 7d7504428..49005b75e 100644 --- a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml 
+++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -93,6 +93,8 @@ spec: httpHeaders: - name: brief value: 'true' + - name: require-k8s-connectivity + value: 'false' path: /healthz port: 9879 scheme: HTTP @@ -109,14 +111,6 @@ spec: hostPort: 9962 name: prometheus protocol: TCP - - containerPort: 9964 - hostPort: 9964 - name: envoy-metrics - protocol: TCP - - containerPort: 9901 - hostPort: 9901 - name: envoy-admin - protocol: TCP - containerPort: 9965 hostPort: 9965 name: hubble-metrics @@ -169,6 +163,9 @@ spec: successThreshold: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: + - mountPath: /var/run/cilium/envoy/sockets + name: envoy-sockets + readOnly: false - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel @@ -178,6 +175,9 @@ spec: name: bpf-maps - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh @@ -206,7 +206,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError 
@@ -225,7 +225,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -255,7 +255,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -281,7 +281,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -312,7 +312,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -338,7 +338,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: 
@@ -360,6 +360,9 @@ spec: kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always + securityContext: + seccompProfile: + type: Unconfined serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: @@ -371,6 +374,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate @@ -398,6 +405,10 @@ spec: path: /run/xtables.lock type: FileOrCreate name: xtables-lock + - hostPath: + path: /var/run/cilium/envoy/sockets + type: DirectoryOrCreate + name: envoy-sockets - name: clustermesh-secrets projected: defaultMode: 256 diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml index 6469cd598..eb921e499 100644 --- a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml +++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml @@ -14,3 +14,20 @@ rules: - get - list - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml index 1d47a92c5..8ec160c93 100644 --- a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml +++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml 
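Review bot: The `@@ -360,6 +360,9 @@` hunk adds a pod-level `securityContext.seccompProfile.type: Unconfined` to the agent DaemonSet that was not set explicitly before, so the pod now opts out of any cluster-wide `RuntimeDefault` seccomp default and every container in it, init containers included, inherits `Unconfined` unless it overrides the field. This looks like the upstream 1.17 chart default rather than a component decision, presumably because the agent's BPF loading and filesystem mounts are not covered by the runtime's default profile — confirm against the upstream chart before relying on that explanation. It is worth a line in the upgrade notes, since `Unconfined` is rejected at the Pod Security `baseline` level and audit/warn modes on the `cilium` namespace will start reporting it.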
@@ -13,3 +13,19 @@ subjects: - kind: ServiceAccount name: cilium namespace: cilium +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium + namespace: cilium diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml index fc9fa1ab3..fbab0df5d 100644 --- a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml +++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml @@ -14,10 +14,6 @@ spec: port: 9962 protocol: TCP targetPort: prometheus - - name: envoy-metrics - port: 9964 - protocol: TCP - targetPort: envoy-metrics selector: k8s-app: cilium type: ClusterIP diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml index c22a31588..b8a21770a 100644 --- a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml +++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml @@ -21,6 +21,6 @@ spec: - cilium selector: matchLabels: - k8s-app: cilium + app.kubernetes.io/name: cilium-agent targetLabels: - k8s-app 
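Review bot: The `@@ -14,10 +14,6 @@` hunk removes the `envoy-metrics` port from the agent Service, so L7 proxy metrics are now only reachable through the new `cilium-envoy` Service, which carries `prometheus.io/port: '9964'` annotations but has no ServiceMonitor anywhere in the visible part of this diff; on a ServiceMonitor-based monitoring stack the proxy metrics and any alerts built on them would silently stop. The ServiceMonitor hunk in the same file group also changes its selector from `k8s-app: cilium` to `app.kubernetes.io/name: cilium-agent`, which only works if the agent Service carries that label — that Service's metadata is not part of this diff, so please confirm. If the component ships its own ServiceMonitors or alert rules for Cilium, they should gain a target for `cilium-envoy` as part of this upgrade.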
diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index 80c961d15..6f3aa63fc 100644 --- a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml @@ -3,14 +3,17 @@ data: agent-not-ready-taint-key: node.cilium.io/agent-not-ready arping-refresh-period: 30s auto-direct-node-routes: 'false' + bpf-distributed-lru: 'false' bpf-events-drop-enabled: 'true' bpf-events-policy-verdict-enabled: 'true' bpf-events-trace-enabled: 'true' bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: 'false' bpf-lb-external-clusterip: 'false' bpf-lb-map-max: '65536' + bpf-lb-mode-annotation: 'false' bpf-lb-sock: 'false' - bpf-lb-sock-terminate-pod-connections: 'false' + bpf-lb-source-range-all-types: 'false' bpf-map-dynamic-size-ratio: '0.0025' bpf-policy-map-max: '16384' bpf-root: /sys/fs/bpf @@ -29,6 +32,7 @@ data: datapath-mode: veth debug: 'false' debug-verbose: '' + default-lb-service-ipam: lbipam direct-routing-skip-unreachable: 'false' dnsproxy-enable-transparent-mode: 'true' dnsproxy-socket-linger-timeout: '10' @@ -37,12 +41,15 @@ data: enable-bpf-clock-probe: 'false' enable-bpf-masquerade: 'true' enable-endpoint-health-checking: 'true' + enable-endpoint-lockdown-on-policy-overflow: 'false' enable-endpoint-routes: 'true' + enable-experimental-lb: 'false' enable-health-check-loadbalancer-ip: 'false' enable-health-check-nodeport: 'true' enable-health-checking: 'true' enable-hubble: 'true' enable-hubble-open-metrics: 'false' + enable-internal-traffic-policy: 'true' enable-ipv4: 'true' enable-ipv4-big-tcp: 'false' enable-ipv4-masquerade: 'true' 
@@ -53,20 +60,27 @@ data: enable-k8s-terminating-endpoint: 'true' enable-l2-neigh-discovery: 'true' enable-l7-proxy: 'true' + enable-lb-ipam: 'true' enable-local-redirect-policy: 'false' enable-masquerade-to-route-source: 'false' enable-node-selector-labels: 'false' + enable-non-default-deny-policies: 'true' enable-policy: default + enable-policy-secrets-sync: 'true' enable-runtime-device-detection: 'true' enable-sctp: 'false' + enable-source-ip-verification: 'true' enable-svc-source-range-check: 'true' enable-tcx: 'true' enable-vtep: 'false' enable-well-known-identities: 'false' enable-xt-socket-fallback: 'true' + envoy-access-log-buffer-size: '4096' envoy-base-id: '0' envoy-keep-cap-netbindservice: 'false' - external-envoy-proxy: 'false' + external-envoy-proxy: 'true' + health-check-icmp-failure-threshold: '3' + http-retry-count: '3' hubble-disable-tls: 'true' hubble-export-file-max-backups: '5' hubble-export-file-max-size-mb: '10' @@ -83,6 +97,7 @@ data: install-no-conntrack-iptables-rules: 'false' ipam: cluster-pool ipam-cilium-node-update-rate: 15s + iptables-random-fully: 'false' k8s-client-burst: '30' k8s-client-qps: '15' k8s-require-ipv4-pod-cidr: 'false' @@ -104,15 +119,17 @@ data: nodes-gc-interval: 5m0s operator-api-serve-addr: 127.0.0.1:9234 policy-cidr-match-mode: '' + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: 'true' preallocate-bpf-maps: 'false' procfs: /host/proc prometheus-serve-addr: :9962 proxy-connect-timeout: '2' proxy-idle-timeout-seconds: '60' proxy-initial-fetch-timeout: '30' + proxy-max-concurrent-retries: '128' proxy-max-connection-duration-seconds: '0' proxy-max-requests-per-connection: '0' - proxy-prometheus-port: '9964' proxy-xff-num-trusted-hops-egress: '0' proxy-xff-num-trusted-hops-ingress: '0' remove-cilium-node-taints: 'true' 
@@ -123,11 +140,12 @@ data: synchronize-k8s-nodes: 'true' tofqdns-dns-reject-response-code: refused tofqdns-enable-dns-compression: 'true' - tofqdns-endpoint-max-ip-per-hostname: '50' + tofqdns-endpoint-max-ip-per-hostname: '1000' tofqdns-idle-connection-grace-period: 0s tofqdns-max-deferred-connection-deletes: '10000' tofqdns-proxy-response-max-delay: 100ms tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 unmanaged-pod-watcher-interval: '15' vtep-cidr: '' vtep-endpoint: '' diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml new file mode 100644 index 000000000..3b0fa62d3 --- /dev/null +++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +data: + bootstrap-config.json: | + {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.t
ls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.
upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{
"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-health-listener"}]}} +kind: ConfigMap +metadata: + name: cilium-envoy-config + namespace: cilium diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml new file mode 100644 index 000000000..bc2dbcdfc --- /dev/null +++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml 
@@ -0,0 +1,160 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app.kubernetes.io/name: cilium-envoy + app.kubernetes.io/part-of: cilium + k8s-app: cilium-envoy + name: cilium-envoy + name: cilium-envoy + namespace: cilium +spec: + selector: + matchLabels: + k8s-app: cilium-envoy + template: + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/cilium-envoy: unconfined + labels: + app.kubernetes.io/name: cilium-envoy + app.kubernetes.io/part-of: cilium + k8s-app: cilium-envoy + name: cilium-envoy + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cilium.io/no-schedule + operator: NotIn + values: + - 'true' + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium-envoy + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true + containers: + - args: + - -- + - -c /var/run/cilium/envoy/bootstrap-config.json + - --base-id 0 + - --log-level info + command: + - /usr/bin/cilium-envoy-starter + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: quay.io/cilium/cilium-envoy:v1.34.10-1760767433-887ebe7d6ccc2a9dc8c73f6ae4927283283b507e@sha256:78a7c6ceb4135680eb94ed1ca80b1be00647878e6694522f8380cc2a8b99e434 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 10 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9878 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: cilium-envoy + ports: + - containerPort: 9964 + hostPort: 9964 + name: envoy-metrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + 
httpGet: + host: 127.0.0.1 + path: /healthz + port: 9878 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + securityContext: + capabilities: + add: + - NET_ADMIN + - SYS_ADMIN + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + startupProbe: + failureThreshold: 105 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9878 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 2 + successThreshold: 1 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/cilium/envoy/sockets + name: envoy-sockets + readOnly: false + - mountPath: /var/run/cilium/envoy/artifacts + name: envoy-artifacts + readOnly: true + - mountPath: /var/run/cilium/envoy/ + name: envoy-config + readOnly: true + - mountPath: /sys/fs/bpf + mountPropagation: HostToContainer + name: bpf-maps + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + restartPolicy: Always + serviceAccountName: cilium-envoy + terminationGracePeriodSeconds: 1 + tolerations: + - operator: Exists + volumes: + - hostPath: + path: /var/run/cilium/envoy/sockets + type: DirectoryOrCreate + name: envoy-sockets + - hostPath: + path: /var/run/cilium/envoy/artifacts + type: DirectoryOrCreate + name: envoy-artifacts + - configMap: + defaultMode: 256 + items: + - key: bootstrap-config.json + path: bootstrap-config.json + name: cilium-envoy-config + name: envoy-config + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + updateStrategy: + rollingUpdate: + maxUnavailable: 2 + type: RollingUpdate diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml new file mode 100644 index 000000000..6b6d6cd5f --- /dev/null +++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: '9964' + prometheus.io/scrape: 'true' + labels: + app.kubernetes.io/name: cilium-envoy + app.kubernetes.io/part-of: cilium + io.cilium/app: proxy + k8s-app: cilium-envoy + name: cilium-envoy + namespace: cilium +spec: + clusterIP: None + ports: + - name: envoy-metrics + port: 9964 + protocol: TCP + targetPort: envoy-metrics + selector: + k8s-app: cilium-envoy + type: ClusterIP diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml new file mode 100644 index 000000000..f2d7f618d --- /dev/null +++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium-envoy + namespace: cilium diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml index cc748de66..9009493c9 100644 --- a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml +++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml @@ -55,6 +55,7 @@ rules: - '' resources: - namespaces + - secrets verbs: - get - list @@ -137,6 +138,13 @@ rules: - watch - delete - patch + - apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: @@ -183,6 +191,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list 
diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index ae3f1ce51..972dfccd9 100644 --- a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml +++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml @@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5 + image: quay.io/cilium/operator-generic:v1.17.10@sha256:09cee355c86b8c50d43ecc8f63cedc5d4a8597aa41be72a63ca4479c31c2f2be imagePullPolicy: IfNotPresent livenessProbe: httpGet: diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml new file mode 100644 index 000000000..79fc907d3 --- /dev/null +++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - delete + - update + - patch diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml new file mode 100644 index 000000000..cbde47327 --- /dev/null +++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml 
@@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium-operator + namespace: cilium diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml new file mode 100644 index 000000000..30f28d314 --- /dev/null +++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-secrets diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml index 33125e408..4beca2cfc 100644 --- a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml +++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml 
@@ -1,9 +1,9 @@ apiVersion: v1 data: - config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\ - \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\ - \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ - \ndisable-server-tls: true\n" + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local.:80\"\ + \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\ + \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ndisable-server-tls:\ + \ true\n" kind: ConfigMap metadata: name: hubble-relay-config diff --git a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 32db1394b..ffcde1c3b 100644 --- a/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml +++ b/tests/golden/hubble-access/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -37,7 +37,7 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2 + image: quay.io/cilium/hubble-relay:v1.17.10@sha256:da6747dd2bccc2901693b49ed4a687723f8d5c1e37d40fb95ea04910d31eaab2 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 12 diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index 7d7504428..49005b75e 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml 
+++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -93,6 +93,8 @@ spec: httpHeaders: - name: brief value: 'true' + - name: require-k8s-connectivity + value: 'false' path: /healthz port: 9879 scheme: HTTP @@ -109,14 +111,6 @@ spec: hostPort: 9962 name: prometheus protocol: TCP - - containerPort: 9964 - hostPort: 9964 - name: envoy-metrics - protocol: TCP - - containerPort: 9901 - hostPort: 9901 - name: envoy-admin - protocol: TCP - containerPort: 9965 hostPort: 9965 name: hubble-metrics @@ -169,6 +163,9 @@ spec: successThreshold: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: + - mountPath: /var/run/cilium/envoy/sockets + name: envoy-sockets + readOnly: false - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel @@ -178,6 +175,9 @@ spec: name: bpf-maps - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh @@ -206,7 +206,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError 
@@ -225,7 +225,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -255,7 +255,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -281,7 +281,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -312,7 +312,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -338,7 +338,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: 
@@ -360,6 +360,9 @@ spec: kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always + securityContext: + seccompProfile: + type: Unconfined serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: @@ -371,6 +374,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate @@ -398,6 +405,10 @@ spec: path: /run/xtables.lock type: FileOrCreate name: xtables-lock + - hostPath: + path: /var/run/cilium/envoy/sockets + type: DirectoryOrCreate + name: envoy-sockets - name: clustermesh-secrets projected: defaultMode: 256 diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml index 6469cd598..eb921e499 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml @@ -14,3 +14,20 @@ rules: - get - list - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml index 1d47a92c5..8ec160c93 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml 
+++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml @@ -13,3 +13,19 @@ subjects: - kind: ServiceAccount name: cilium namespace: cilium +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium + namespace: cilium diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml index fc9fa1ab3..fbab0df5d 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml @@ -14,10 +14,6 @@ spec: port: 9962 protocol: TCP targetPort: prometheus - - name: envoy-metrics - port: 9964 - protocol: TCP - targetPort: envoy-metrics selector: k8s-app: cilium type: ClusterIP diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml index c22a31588..b8a21770a 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml @@ -21,6 +21,6 @@ spec: - cilium selector: matchLabels: - k8s-app: cilium + app.kubernetes.io/name: cilium-agent targetLabels: - k8s-app 
diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index 80c961d15..6f3aa63fc 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml @@ -3,14 +3,17 @@ data: agent-not-ready-taint-key: node.cilium.io/agent-not-ready arping-refresh-period: 30s auto-direct-node-routes: 'false' + bpf-distributed-lru: 'false' bpf-events-drop-enabled: 'true' bpf-events-policy-verdict-enabled: 'true' bpf-events-trace-enabled: 'true' bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: 'false' bpf-lb-external-clusterip: 'false' bpf-lb-map-max: '65536' + bpf-lb-mode-annotation: 'false' bpf-lb-sock: 'false' - bpf-lb-sock-terminate-pod-connections: 'false' + bpf-lb-source-range-all-types: 'false' bpf-map-dynamic-size-ratio: '0.0025' bpf-policy-map-max: '16384' bpf-root: /sys/fs/bpf @@ -29,6 +32,7 @@ data: datapath-mode: veth debug: 'false' debug-verbose: '' + default-lb-service-ipam: lbipam direct-routing-skip-unreachable: 'false' dnsproxy-enable-transparent-mode: 'true' dnsproxy-socket-linger-timeout: '10' @@ -37,12 +41,15 @@ data: enable-bpf-clock-probe: 'false' enable-bpf-masquerade: 'true' enable-endpoint-health-checking: 'true' + enable-endpoint-lockdown-on-policy-overflow: 'false' enable-endpoint-routes: 'true' + enable-experimental-lb: 'false' enable-health-check-loadbalancer-ip: 'false' enable-health-check-nodeport: 'true' enable-health-checking: 'true' enable-hubble: 'true' enable-hubble-open-metrics: 'false' + enable-internal-traffic-policy: 'true' enable-ipv4: 'true' enable-ipv4-big-tcp: 'false' enable-ipv4-masquerade: 'true' 
@@ -53,20 +60,27 @@ data: enable-k8s-terminating-endpoint: 'true' enable-l2-neigh-discovery: 'true' enable-l7-proxy: 'true' + enable-lb-ipam: 'true' enable-local-redirect-policy: 'false' enable-masquerade-to-route-source: 'false' enable-node-selector-labels: 'false' + enable-non-default-deny-policies: 'true' enable-policy: default + enable-policy-secrets-sync: 'true' enable-runtime-device-detection: 'true' enable-sctp: 'false' + enable-source-ip-verification: 'true' enable-svc-source-range-check: 'true' enable-tcx: 'true' enable-vtep: 'false' enable-well-known-identities: 'false' enable-xt-socket-fallback: 'true' + envoy-access-log-buffer-size: '4096' envoy-base-id: '0' envoy-keep-cap-netbindservice: 'false' - external-envoy-proxy: 'false' + external-envoy-proxy: 'true' + health-check-icmp-failure-threshold: '3' + http-retry-count: '3' hubble-disable-tls: 'true' hubble-export-file-max-backups: '5' hubble-export-file-max-size-mb: '10' @@ -83,6 +97,7 @@ data: install-no-conntrack-iptables-rules: 'false' ipam: cluster-pool ipam-cilium-node-update-rate: 15s + iptables-random-fully: 'false' k8s-client-burst: '30' k8s-client-qps: '15' k8s-require-ipv4-pod-cidr: 'false' @@ -104,15 +119,17 @@ data: nodes-gc-interval: 5m0s operator-api-serve-addr: 127.0.0.1:9234 policy-cidr-match-mode: '' + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: 'true' preallocate-bpf-maps: 'false' procfs: /host/proc prometheus-serve-addr: :9962 proxy-connect-timeout: '2' proxy-idle-timeout-seconds: '60' proxy-initial-fetch-timeout: '30' + proxy-max-concurrent-retries: '128' proxy-max-connection-duration-seconds: '0' proxy-max-requests-per-connection: '0' - proxy-prometheus-port: '9964' proxy-xff-num-trusted-hops-egress: '0' proxy-xff-num-trusted-hops-ingress: '0' remove-cilium-node-taints: 'true' 
@@ -123,11 +140,12 @@ data: synchronize-k8s-nodes: 'true' tofqdns-dns-reject-response-code: refused tofqdns-enable-dns-compression: 'true' - tofqdns-endpoint-max-ip-per-hostname: '50' + tofqdns-endpoint-max-ip-per-hostname: '1000' tofqdns-idle-connection-grace-period: 0s tofqdns-max-deferred-connection-deletes: '10000' tofqdns-proxy-response-max-delay: 100ms tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 unmanaged-pod-watcher-interval: '15' vtep-cidr: '' vtep-endpoint: '' diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml new file mode 100644 index 000000000..3b0fa62d3 --- /dev/null +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +data: + bootstrap-config.json: | + {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.t
ls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.
upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{
"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-health-listener"}]}} +kind: ConfigMap +metadata: + name: cilium-envoy-config + namespace: cilium diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml new file mode 100644 index 000000000..bc2dbcdfc --- /dev/null +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml 
@@ -0,0 +1,160 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app.kubernetes.io/name: cilium-envoy
+    app.kubernetes.io/part-of: cilium
+    k8s-app: cilium-envoy
+    name: cilium-envoy
+  name: cilium-envoy
+  namespace: cilium
+spec:
+  selector:
+    matchLabels:
+      k8s-app: cilium-envoy
+  template:
+    metadata:
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/cilium-envoy: unconfined
+      labels:
+        app.kubernetes.io/name: cilium-envoy
+        app.kubernetes.io/part-of: cilium
+        k8s-app: cilium-envoy
+        name: cilium-envoy
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: cilium.io/no-schedule
+                    operator: NotIn
+                    values:
+                      - 'true'
+        podAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  k8s-app: cilium
+              topologyKey: kubernetes.io/hostname
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  k8s-app: cilium-envoy
+              topologyKey: kubernetes.io/hostname
+      automountServiceAccountToken: true
+      containers:
+        - args:
+            - --
+            - -c /var/run/cilium/envoy/bootstrap-config.json
+            - --base-id 0
+            - --log-level info
+          command:
+            - /usr/bin/cilium-envoy-starter
+          env:
+            - name: K8S_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: CILIUM_K8S_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+          image: quay.io/cilium/cilium-envoy:v1.34.10-1760767433-887ebe7d6ccc2a9dc8c73f6ae4927283283b507e@sha256:78a7c6ceb4135680eb94ed1ca80b1be00647878e6694522f8380cc2a8b99e434
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 10
+            httpGet:
+              host: 127.0.0.1
+              path: /healthz
+              port: 9878
+              scheme: HTTP
+            periodSeconds: 30
+            successThreshold: 1
+            timeoutSeconds: 5
+          name: cilium-envoy
+          ports:
+            - containerPort: 9964
+              hostPort: 9964
+              name: envoy-metrics
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              host: 127.0.0.1
+              path: /healthz
+              port: 9878
+              scheme: HTTP
+            periodSeconds: 30
+            successThreshold: 1
+            timeoutSeconds: 5
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+                - SYS_ADMIN
+              drop:
+                - ALL
+            seLinuxOptions:
+              level: s0
+              type: spc_t
+          startupProbe:
+            failureThreshold: 105
+            httpGet:
+              host: 127.0.0.1
+              path: /healthz
+              port: 9878
+              scheme: HTTP
+            initialDelaySeconds: 5
+            periodSeconds: 2
+            successThreshold: 1
+          terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+            - mountPath: /var/run/cilium/envoy/sockets
+              name: envoy-sockets
+              readOnly: false
+            - mountPath: /var/run/cilium/envoy/artifacts
+              name: envoy-artifacts
+              readOnly: true
+            - mountPath: /var/run/cilium/envoy/
+              name: envoy-config
+              readOnly: true
+            - mountPath: /sys/fs/bpf
+              mountPropagation: HostToContainer
+              name: bpf-maps
+      hostNetwork: true
+      nodeSelector:
+        kubernetes.io/os: linux
+      priorityClassName: system-node-critical
+      restartPolicy: Always
+      serviceAccountName: cilium-envoy
+      terminationGracePeriodSeconds: 1
+      tolerations:
+        - operator: Exists
+      volumes:
+        - hostPath:
+            path: /var/run/cilium/envoy/sockets
+            type: DirectoryOrCreate
+          name: envoy-sockets
+        - hostPath:
+            path: /var/run/cilium/envoy/artifacts
+            type: DirectoryOrCreate
+          name: envoy-artifacts
+        - configMap:
+            defaultMode: 256
+            items:
+              - key: bootstrap-config.json
+                path: bootstrap-config.json
+            name: cilium-envoy-config
+          name: envoy-config
+        - hostPath:
+            path: /sys/fs/bpf
+            type: DirectoryOrCreate
+          name: bpf-maps
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 2
+    type: RollingUpdate
diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml
new file mode 100644
index 000000000..6b6d6cd5f
--- /dev/null
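Review bot: The envoy pod mounts its service-account token (`automountServiceAccountToken: true`) although no Role or ClusterRole binding for the `cilium-envoy` service account appears anywhere in this diff (the new bindings target `cilium` and `cilium-operator`), so a hostNetwork container running with NET_ADMIN/SYS_ADMIN and an unconfined AppArmor profile carries an API credential it presumably never uses. Because this is a rendered golden file the change belongs in the component's Helm values rather than here: set the chart's envoy service-account automount switch (upstream exposes it as `serviceAccounts.envoy.automount`, verify against the 1.17 values) to `false` and regenerate the golden files. Separately, `hostPort: 9964` is bound on every node and the bootstrap configmap above binds that Prometheus listener on `0.0.0.0`, so Envoy metrics are reachable from anything that can reach a node IP; if nothing scrapes it over the host network, disabling the envoy metrics hostPort or restricting it with a host firewall / CiliumClusterwideNetworkPolicy is worth considering.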
+++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    prometheus.io/port: '9964'
+    prometheus.io/scrape: 'true'
+  labels:
+    app.kubernetes.io/name: cilium-envoy
+    app.kubernetes.io/part-of: cilium
+    io.cilium/app: proxy
+    k8s-app: cilium-envoy
+  name: cilium-envoy
+  namespace: cilium
+spec:
+  clusterIP: None
+  ports:
+    - name: envoy-metrics
+      port: 9964
+      protocol: TCP
+      targetPort: envoy-metrics
+  selector:
+    k8s-app: cilium-envoy
+  type: ClusterIP
diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml
new file mode 100644
index 000000000..f2d7f618d
--- /dev/null
+++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cilium-envoy
+  namespace: cilium
diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml
index cc748de66..9009493c9 100644
--- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml
+++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml
@@ -55,6 +55,7 @@ rules:
       - ''
     resources:
       - namespaces
+      - secrets
     verbs:
       - get
       - list
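Review bot: The operator ClusterRole now grants `get`/`list` on core `secrets` cluster-wide (the verbs list continues past the hunk, so `watch` is likely there as well), which, through the operator's existing ClusterRoleBinding, lets the `cilium-operator` service account read every Secret in the cluster rather than only those in `cilium-secrets`. Together with `enable-policy-secrets-sync: 'true'` in the configmaps and the new write Role in `cilium-secrets` this is the 1.17 TLS-interception secret sync, but it is a real privilege expansion for clusters that never reference Secrets from network policies, and nothing in the component documents it. Since this is a rendered golden file the mitigation belongs in the component's Helm values and upgrade notes: expose a switch that disables the sync when interception is not used (presumably `tls.secretSync.enabled: false` in the upstream chart — confirm the exact key against the 1.17 values) so the cluster-wide Secret read and the `cilium-secrets` namespace are only rendered when actually needed.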
@@ -137,6 +138,13 @@ rules:
       - watch
       - delete
       - patch
+  - apiGroups:
+      - cilium.io
+    resources:
+      - ciliumbgpclusterconfigs/status
+      - ciliumbgppeerconfigs/status
+    verbs:
+      - update
   - apiGroups:
       - apiextensions.k8s.io
     resources:
@@ -183,6 +191,7 @@ rules:
       - ciliumbgppeeringpolicies
       - ciliumbgpclusterconfigs
       - ciliumbgpnodeconfigoverrides
+      - ciliumbgppeerconfigs
     verbs:
       - get
       - list
diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml
index ae3f1ce51..972dfccd9 100644
--- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml
+++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml
@@ -59,7 +59,7 @@ spec:
                   key: debug
                   name: cilium-config
                   optional: true
-          image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
+          image: quay.io/cilium/operator-generic:v1.17.10@sha256:09cee355c86b8c50d43ecc8f63cedc5d4a8597aa41be72a63ca4479c31c2f2be
           imagePullPolicy: IfNotPresent
           livenessProbe:
             httpGet:
diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml
new file mode 100644
index 000000000..79fc907d3
--- /dev/null
+++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium-operator-tlsinterception-secrets
+  namespace: cilium-secrets
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - create
+      - delete
+      - update
+      - patch
diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml
new file mode 100644
index 000000000..cbde47327
--- /dev/null
+++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium-operator-tlsinterception-secrets
+  namespace: cilium-secrets
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-operator-tlsinterception-secrets
+subjects:
+  - kind: ServiceAccount
+    name: cilium-operator
+    namespace: cilium
diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml
new file mode 100644
index 000000000..30f28d314
--- /dev/null
+++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium-secrets
diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
index 33125e408..4beca2cfc 100644
--- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
+++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
@@ -1,9 +1,9 @@
 apiVersion: v1
 data:
-  config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\
-    \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\
-    \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\
-    \ndisable-server-tls: true\n"
+  config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local.:80\"\
+    \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\
+    \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ndisable-server-tls:\
+    \ true\n"
 kind: ConfigMap
 metadata:
   name: hubble-relay-config
diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml
index 32db1394b..ffcde1c3b 100644
--- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml
+++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml
@@ -37,7 +37,7 @@ spec:
             - serve
           command:
             - hubble-relay
-          image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2
+          image: quay.io/cilium/hubble-relay:v1.17.10@sha256:da6747dd2bccc2901693b49ed4a687723f8d5c1e37d40fb95ea04910d31eaab2
           imagePullPolicy: IfNotPresent
           livenessProbe:
             failureThreshold: 12
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml
index 7d7504428..49005b75e 100644
--- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml
@@ -54,7 +54,7 @@ spec:
                 resourceFieldRef:
                   divisor: '1'
                   resource: limits.memory
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
           imagePullPolicy: IfNotPresent
           lifecycle:
             postStart:
@@ -93,6 +93,8 @@ spec:
               httpHeaders:
                 - name: brief
                   value: 'true'
+                - name: require-k8s-connectivity
+                  value: 'false'
               path: /healthz
               port: 9879
               scheme: HTTP
@@ -109,14 +111,6 @@ spec:
               hostPort: 9962
               name: prometheus
               protocol: TCP
-            - containerPort: 9964
-              hostPort: 9964
-              name: envoy-metrics
-              protocol: TCP
-            - containerPort: 9901
-              hostPort: 9901
-              name: envoy-admin
-              protocol: TCP
             - containerPort: 9965
               hostPort: 9965
               name: hubble-metrics
@@ -169,6 +163,9 @@ spec:
             successThreshold: 1
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
+            - mountPath: /var/run/cilium/envoy/sockets
+              name: envoy-sockets
+              readOnly: false
             - mountPath: /host/proc/sys/net
              name: host-proc-sys-net
            - mountPath: /host/proc/sys/kernel
@@ -178,6 +175,9 @@ spec:
               name: bpf-maps
             - mountPath: /var/run/cilium
               name: cilium-run
+            - mountPath: /var/run/cilium/netns
+              mountPropagation: HostToContainer
+              name: cilium-netns
             - mountPath: /host/etc/cni/net.d
               name: etc-cni-netd
             - mountPath: /var/lib/cilium/clustermesh
@@ -206,7 +206,7 @@ spec:
                 fieldRef:
                   apiVersion: v1
                   fieldPath: metadata.namespace
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
           imagePullPolicy: IfNotPresent
           name: config
           terminationMessagePolicy: FallbackToLogsOnError
@@ -225,7 +225,7 @@ spec:
               value: /run/cilium/cgroupv2
             - name: BIN_PATH
               value: /var/lib/cni/bin
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
           imagePullPolicy: IfNotPresent
           name: mount-cgroup
           securityContext:
@@ -255,7 +255,7 @@ spec:
           env:
             - name: BIN_PATH
               value: /var/lib/cni/bin
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
           imagePullPolicy: IfNotPresent
           name: apply-sysctl-overwrites
           securityContext:
@@ -281,7 +281,7 @@ spec:
             - /bin/bash
             - -c
             - --
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
           imagePullPolicy: IfNotPresent
           name: mount-bpf-fs
           securityContext:
@@ -312,7 +312,7 @@ spec:
                   key: write-cni-conf-when-ready
                   name: cilium-config
                   optional: true
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
           imagePullPolicy: IfNotPresent
           name: clean-cilium-state
           securityContext:
@@ -338,7 +338,7 @@ spec:
               name: cilium-run
         - command:
             - /install-plugin.sh
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
           imagePullPolicy: IfNotPresent
           name: install-cni-binaries
           resources:
@@ -360,6 +360,9 @@ spec:
         kubernetes.io/os: linux
       priorityClassName: system-node-critical
       restartPolicy: Always
+      securityContext:
+        seccompProfile:
+          type: Unconfined
       serviceAccountName: cilium
       terminationGracePeriodSeconds: 1
       tolerations:
@@ -371,6 +374,10 @@ spec:
             path: /var/run/cilium
             type: DirectoryOrCreate
           name: cilium-run
+        - hostPath:
+            path: /var/run/netns
+            type: DirectoryOrCreate
+          name: cilium-netns
         - hostPath:
             path: /sys/fs/bpf
             type: DirectoryOrCreate
@@ -398,6 +405,10 @@ spec:
             path: /run/xtables.lock
             type: FileOrCreate
           name: xtables-lock
+        - hostPath:
+            path: /var/run/cilium/envoy/sockets
+            type: DirectoryOrCreate
+          name: envoy-sockets
         - name: clustermesh-secrets
           projected:
             defaultMode: 256
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml
index 6469cd598..eb921e499 100644
--- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml
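Review bot: The pod-level `securityContext.seccompProfile.type: Unconfined` added in the `@@ -360,6 +360,9 @@` hunk disables seccomp filtering for every container in the agent pod that does not set its own profile, init containers such as `install-cni-binaries` and `clean-cilium-state` included, and it overrides any `RuntimeDefault` profile the runtime or cluster defaults would otherwise apply; nothing in the component explains why. The agent pod was presumably already outside PodSecurity `baseline` (host network, added capabilities), so this is not a policy regression, but it is a new explicit relaxation that arrives silently with the chart bump and belongs in the upgrade notes, e.g. `Cilium 1.17 renders the agent pod with seccompProfile Unconfined; override through the chart's podSecurityContext value if your cluster requires RuntimeDefault`. The new `/var/run/netns` hostPath with `HostToContainer` propagation in the `@@ -371,6 +374,10 @@` hunk is likely what requires it, but the DaemonSet spec starts and ends outside these hunks, so whether any container sets its own seccomp profile cannot be confirmed here.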
@@ -14,3 +14,20 @@ rules:
       - get
       - list
       - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium-tlsinterception-secrets
+  namespace: cilium-secrets
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml
index 1d47a92c5..8ec160c93 100644
--- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml
@@ -13,3 +13,19 @@ subjects:
   - kind: ServiceAccount
     name: cilium
     namespace: cilium
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium-tlsinterception-secrets
+  namespace: cilium-secrets
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-tlsinterception-secrets
+subjects:
+  - kind: ServiceAccount
+    name: cilium
+    namespace: cilium
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml
index fc9fa1ab3..fbab0df5d 100644
--- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml
@@ -14,10 +14,6 @@ spec:
       port: 9962
       protocol: TCP
       targetPort: prometheus
-    - name: envoy-metrics
-      port: 9964
-      protocol: TCP
-      targetPort: envoy-metrics
   selector:
     k8s-app: cilium
   type: ClusterIP
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml
index c22a31588..b8a21770a 100644
--- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml
@@ -21,6 +21,6 @@ spec:
       - cilium
   selector:
     matchLabels:
-      k8s-app: cilium
+      app.kubernetes.io/name: cilium-agent
   targetLabels:
     - k8s-app
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml
index fe9bb00c5..9d3f3975b 100644
--- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml
@@ -3,14 +3,17 @@ data:
   agent-not-ready-taint-key: node.cilium.io/agent-not-ready
   arping-refresh-period: 30s
   auto-direct-node-routes: 'false'
+  bpf-distributed-lru: 'false'
   bpf-events-drop-enabled: 'true'
   bpf-events-policy-verdict-enabled: 'true'
   bpf-events-trace-enabled: 'true'
   bpf-lb-acceleration: disabled
+  bpf-lb-algorithm-annotation: 'false'
   bpf-lb-external-clusterip: 'false'
   bpf-lb-map-max: '65536'
+  bpf-lb-mode-annotation: 'false'
   bpf-lb-sock: 'false'
-  bpf-lb-sock-terminate-pod-connections: 'false'
+  bpf-lb-source-range-all-types: 'false'
   bpf-map-dynamic-size-ratio: '0.0025'
   bpf-policy-map-max: '16384'
   bpf-root: /sys/fs/bpf
@@ -29,6 +32,7 @@ data:
   datapath-mode: veth
   debug: 'false'
   debug-verbose: ''
+  default-lb-service-ipam: lbipam
   direct-routing-skip-unreachable: 'false'
   dnsproxy-enable-transparent-mode: 'true'
   dnsproxy-socket-linger-timeout: '10'
@@ -37,12 +41,15 @@ data:
   enable-bpf-clock-probe: 'false'
   enable-bpf-masquerade: 'true'
   enable-endpoint-health-checking: 'true'
+  enable-endpoint-lockdown-on-policy-overflow: 'false'
   enable-endpoint-routes: 'true'
+  enable-experimental-lb: 'false'
   enable-health-check-loadbalancer-ip: 'false'
   enable-health-check-nodeport: 'true'
   enable-health-checking: 'true'
   enable-hubble: 'true'
   enable-hubble-open-metrics: 'false'
+  enable-internal-traffic-policy: 'true'
   enable-ipv4: 'true'
   enable-ipv4-big-tcp: 'false'
   enable-ipv4-masquerade: 'true'
@@ -54,20 +61,27 @@ data:
   enable-l2-announcements: 'true'
   enable-l2-neigh-discovery: 'true'
   enable-l7-proxy: 'true'
+  enable-lb-ipam: 'true'
   enable-local-redirect-policy: 'false'
   enable-masquerade-to-route-source: 'false'
   enable-node-selector-labels: 'false'
+  enable-non-default-deny-policies: 'true'
   enable-policy: default
+  enable-policy-secrets-sync: 'true'
   enable-runtime-device-detection: 'true'
   enable-sctp: 'false'
+  enable-source-ip-verification: 'true'
   enable-svc-source-range-check: 'true'
   enable-tcx: 'true'
   enable-vtep: 'false'
   enable-well-known-identities: 'false'
   enable-xt-socket-fallback: 'true'
+  envoy-access-log-buffer-size: '4096'
   envoy-base-id: '0'
   envoy-keep-cap-netbindservice: 'false'
-  external-envoy-proxy: 'false'
+  external-envoy-proxy: 'true'
+  health-check-icmp-failure-threshold: '3'
+  http-retry-count: '3'
   hubble-disable-tls: 'true'
   hubble-export-file-max-backups: '5'
   hubble-export-file-max-size-mb: '10'
@@ -84,6 +98,7 @@ data:
   install-no-conntrack-iptables-rules: 'false'
   ipam: cluster-pool
   ipam-cilium-node-update-rate: 15s
+  iptables-random-fully: 'false'
   k8s-client-burst: '45'
   k8s-client-qps: '35'
   k8s-require-ipv4-pod-cidr: 'false'
@@ -105,15 +120,17 @@ data:
   nodes-gc-interval: 5m0s
   operator-api-serve-addr: 127.0.0.1:9234
   policy-cidr-match-mode: ''
+  policy-secrets-namespace: cilium-secrets
+  policy-secrets-only-from-secrets-namespace: 'true'
   preallocate-bpf-maps: 'false'
   procfs: /host/proc
   prometheus-serve-addr: :9962
   proxy-connect-timeout: '2'
   proxy-idle-timeout-seconds: '60'
   proxy-initial-fetch-timeout: '30'
+  proxy-max-concurrent-retries: '128'
   proxy-max-connection-duration-seconds: '0'
   proxy-max-requests-per-connection: '0'
-  proxy-prometheus-port: '9964'
   proxy-xff-num-trusted-hops-egress: '0'
   proxy-xff-num-trusted-hops-ingress: '0'
   remove-cilium-node-taints: 'true'
@@ -124,11 +141,12 @@ data:
   synchronize-k8s-nodes: 'true'
   tofqdns-dns-reject-response-code: refused
   tofqdns-enable-dns-compression: 'true'
-  tofqdns-endpoint-max-ip-per-hostname: '50'
+  tofqdns-endpoint-max-ip-per-hostname: '1000'
   tofqdns-idle-connection-grace-period: 0s
   tofqdns-max-deferred-connection-deletes: '10000'
   tofqdns-proxy-response-max-delay: 100ms
   tunnel-protocol: vxlan
+  tunnel-source-port-range: 0-0
   unmanaged-pod-watcher-interval: '15'
   vtep-cidr: ''
   vtep-endpoint: ''
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml
new file mode 100644
index 000000000..3b0fa62d3
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/configmap.yaml
@@ -0,0 +1,8 @@ +apiVersion: v1 +data: + bootstrap-config.json: | + {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.t
ls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.
upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{
"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-health-listener"}]}} +kind: ConfigMap +metadata: + name: cilium-envoy-config + namespace: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml new file mode 100644 index 000000000..bc2dbcdfc --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/daemonset.yaml 
@@ -0,0 +1,160 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ labels:
+ app.kubernetes.io/name: cilium-envoy
+ app.kubernetes.io/part-of: cilium
+ k8s-app: cilium-envoy
+ name: cilium-envoy
+ name: cilium-envoy
+ namespace: cilium
+spec:
+ selector:
+ matchLabels:
+ k8s-app: cilium-envoy
+ template:
+ metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/cilium-envoy: unconfined
+ labels:
+ app.kubernetes.io/name: cilium-envoy
+ app.kubernetes.io/part-of: cilium
+ k8s-app: cilium-envoy
+ name: cilium-envoy
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: cilium.io/no-schedule
+ operator: NotIn
+ values:
+ - 'true'
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ k8s-app: cilium
+ topologyKey: kubernetes.io/hostname
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ k8s-app: cilium-envoy
+ topologyKey: kubernetes.io/hostname
+ automountServiceAccountToken: true
+ containers:
+ - args:
+ - --
+ - -c /var/run/cilium/envoy/bootstrap-config.json
+ - --base-id 0
+ - --log-level info
+ command:
+ - /usr/bin/cilium-envoy-starter
+ env:
+ - name: K8S_NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ - name: CILIUM_K8S_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ image: quay.io/cilium/cilium-envoy:v1.34.10-1760767433-887ebe7d6ccc2a9dc8c73f6ae4927283283b507e@sha256:78a7c6ceb4135680eb94ed1ca80b1be00647878e6694522f8380cc2a8b99e434
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 10
+ httpGet:
+ host: 127.0.0.1
+ path: /healthz
+ port: 9878
+ scheme: HTTP
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 5
+ name: cilium-envoy
+ ports:
+ - containerPort: 9964
+ hostPort: 9964
+ name: envoy-metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ host: 127.0.0.1
+ path: /healthz
+ port: 9878
+ scheme: HTTP
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 5
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ - SYS_ADMIN
+ drop:
+ - ALL
+ seLinuxOptions:
+ level: s0
+ type: spc_t
+ startupProbe:
+ failureThreshold: 105
+ httpGet:
+ host: 127.0.0.1
+ path: /healthz
+ port: 9878
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 2
+ successThreshold: 1
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - mountPath: /var/run/cilium/envoy/sockets
+ name: envoy-sockets
+ readOnly: false
+ - mountPath: /var/run/cilium/envoy/artifacts
+ name: envoy-artifacts
+ readOnly: true
+ - mountPath: /var/run/cilium/envoy/
+ name: envoy-config
+ readOnly: true
+ - mountPath: /sys/fs/bpf
+ mountPropagation: HostToContainer
+ name: bpf-maps
+ hostNetwork: true
+ nodeSelector:
+ kubernetes.io/os: linux
+ priorityClassName: system-node-critical
+ restartPolicy: Always
+ serviceAccountName: cilium-envoy
+ terminationGracePeriodSeconds: 1
+ tolerations:
+ - operator: Exists
+ volumes:
+ - hostPath:
+ path: /var/run/cilium/envoy/sockets
+ type: DirectoryOrCreate
+ name: envoy-sockets
+ - hostPath:
+ path: /var/run/cilium/envoy/artifacts
+ type: DirectoryOrCreate
+ name: envoy-artifacts
+ - configMap:
+ defaultMode: 256
+ items:
+ - key: bootstrap-config.json
+ path: bootstrap-config.json
+ name: cilium-envoy-config
+ name: envoy-config
+ - hostPath:
+ path: /sys/fs/bpf
+ type: DirectoryOrCreate
+ name: bpf-maps
+ updateStrategy:
+ rollingUpdate:
+ maxUnavailable: 2
+ type: RollingUpdate
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml
new file mode 100644
index 000000000..6b6d6cd5f
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/service.yaml
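Review bot: The new cilium-envoy DaemonSet (this hunk starts on the previous line) sets `automountServiceAccountToken: true` on a pod that already runs with hostNetwork, `NET_ADMIN`/`SYS_ADMIN` and an unconfined AppArmor profile, yet nothing visible in this PR binds any RBAC to the `cilium-envoy` ServiceAccount and the container's inputs are a bootstrap file, two downward-API env vars and Unix sockets shared with the agent — so the projected API token looks like a credential the process does not need. Unless the component knows the token is used, turn automount off for the Envoy ServiceAccount in the component's default Helm values (the chart's `serviceAccounts.envoy.automount` setting, verify the key for 1.17), which would render `automountServiceAccountToken: false` here. Separately, the bootstrap config in the new cilium-envoy ConfigMap binds the Prometheus listener to `0.0.0.0:9964` and this DaemonSet publishes it as `hostPort: 9964`, so unauthenticated Envoy stats are reachable on every node interface; consider restricting that to the node's internal address or host firewall rules, or record in the docs that it is accepted.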
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ prometheus.io/port: '9964'
+ prometheus.io/scrape: 'true'
+ labels:
+ app.kubernetes.io/name: cilium-envoy
+ app.kubernetes.io/part-of: cilium
+ io.cilium/app: proxy
+ k8s-app: cilium-envoy
+ name: cilium-envoy
+ namespace: cilium
+spec:
+ clusterIP: None
+ ports:
+ - name: envoy-metrics
+ port: 9964
+ protocol: TCP
+ targetPort: envoy-metrics
+ selector:
+ k8s-app: cilium-envoy
+ type: ClusterIP
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml
new file mode 100644
index 000000000..f2d7f618d
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-envoy/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cilium-envoy
+ namespace: cilium
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml
index cc748de66..9009493c9 100644
--- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml
@@ -55,6 +55,7 @@ rules:
 - ''
 resources:
 - namespaces
+ - secrets
 verbs:
 - get
 - list
@@ -137,6 +138,13 @@ rules:
 - watch
 - delete
 - patch
+ - apiGroups:
+ - cilium.io
+ resources:
+ - ciliumbgpclusterconfigs/status
+ - ciliumbgppeerconfigs/status
+ verbs:
+ - update
 - apiGroups:
 - apiextensions.k8s.io
 resources:
@@ -183,6 +191,7 @@ rules:
 - ciliumbgppeeringpolicies
 - ciliumbgpclusterconfigs
 - ciliumbgpnodeconfigoverrides
+ ciliumbgppeerconfigs
 verbs:
 - get
 - list
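Review bot: The `@@ -55,6 +55,7 @@` hunk of the operator ClusterRole adds `secrets` to a cluster-wide core-API rule with `get`/`list` (the verb list continues past the hunk), so cilium-operator can now read every Secret in the cluster; this is the read side of `enable-policy-secrets-sync: 'true'` in the cilium-config hunk and of the new namespaced write Role in this PR, and it is a notable privilege expansion for a component that already has host-level access. If the clusters managed by this component do not use TLS interception or Secret-backed policy features, disable secret sync in the component's default Helm values (the chart's TLS secret-sync toggle, presumably `tls.secretSync.enabled: false` — verify the key for 1.17) so this grant is not rendered at all; otherwise document the trust now placed in the operator and narrow the rule as far as the chart allows. Either way the change deserves a line in the component changelog rather than arriving silently with a version bump.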
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml
index ae3f1ce51..972dfccd9 100644
--- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml
@@ -59,7 +59,7 @@ spec:
 key: debug
 name: cilium-config
 optional: true
- image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
+ image: quay.io/cilium/operator-generic:v1.17.10@sha256:09cee355c86b8c50d43ecc8f63cedc5d4a8597aa41be72a63ca4479c31c2f2be
 imagePullPolicy: IfNotPresent
 livenessProbe:
 httpGet:
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml
new file mode 100644
index 000000000..79fc907d3
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/part-of: cilium
+ name: cilium-operator-tlsinterception-secrets
+ namespace: cilium-secrets
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - update
+ - patch
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml
new file mode 100644
index 000000000..cbde47327
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/part-of: cilium
+ name: cilium-operator-tlsinterception-secrets
+ namespace: cilium-secrets
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-operator-tlsinterception-secrets
+subjects:
+ - kind: ServiceAccount
+ name: cilium-operator
+ namespace: cilium
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml
new file mode 100644
index 000000000..30f28d314
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ app.kubernetes.io/part-of: cilium
+ name: cilium-secrets
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
index 33125e408..4beca2cfc 100644
--- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
@@ -1,9 +1,9 @@
 apiVersion: v1
 data:
- config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\
- \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\
- \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\
- \ndisable-server-tls: true\n"
+ config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local.:80\"\
+ \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\
+ \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ndisable-server-tls:\
+ \ true\n"
 kind: ConfigMap
 metadata:
 name: hubble-relay-config
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml
index 32db1394b..ffcde1c3b 100644
--- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml
@@ -37,7 +37,7 @@ spec:
 - serve
 command:
 - hubble-relay
- image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2
+ image: quay.io/cilium/hubble-relay:v1.17.10@sha256:da6747dd2bccc2901693b49ed4a687723f8d5c1e37d40fb95ea04910d31eaab2
 imagePullPolicy: IfNotPresent
 livenessProbe:
 failureThreshold: 12