Automated Manifest Update (#2409)

This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow. Reviewed-on: #2409 Co-authored-by: gitea-bot <gitea-bot@alexlebens.net> Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
2025-12-12 01:28:41 +00:00
parent 7eca992b27
commit 25e5e6db68
9 changed files with 199 additions and 49 deletions
--- a/clusters/cl01tl/manifests/cilium/Certificate-hubble-relay-client-certs.yaml
+++ b/clusters/cl01tl/manifests/cilium/Certificate-hubble-relay-client-certs.yaml
@@ -1,22 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: hubble-relay-client-certs
-  namespace: kube-system
-spec:
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: ca-issuer
-  secretName: hubble-relay-client-certs
-  commonName: "*.hubble-relay.cilium.io"
-  dnsNames:
-    - "*.hubble-relay.cilium.io"
-  duration: 8760h0m0s
-  privateKey:
-    rotationPolicy: Always
-  isCA: false
-  usages:
-    - signing
-    - key encipherment
-    - client auth
--- a/clusters/cl01tl/manifests/cilium/Certificate-hubble-server-certs.yaml
+++ b/clusters/cl01tl/manifests/cilium/Certificate-hubble-server-certs.yaml
@@ -1,23 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: hubble-server-certs
-  namespace: kube-system
-spec:
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: ca-issuer
-  secretName: hubble-server-certs
-  commonName: "*.default.hubble-grpc.cilium.io"
-  dnsNames:
-    - "*.default.hubble-grpc.cilium.io"
-  duration: 8760h0m0s
-  privateKey:
-    rotationPolicy: Always
-  isCA: false
-  usages:
-    - signing
-    - key encipherment
-    - server auth
-    - client auth
--- a/clusters/cl01tl/manifests/cilium/CronJob-hubble-generate-certs.yaml
+++ b/clusters/cl01tl/manifests/cilium/CronJob-hubble-generate-certs.yaml
@@ -0,0 +1,71 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: hubble-generate-certs
+  namespace: kube-system
+  labels:
+    k8s-app: hubble-generate-certs
+    app.kubernetes.io/name: hubble-generate-certs
+    app.kubernetes.io/part-of: cilium
+spec:
+  schedule: "0 0 1 */4 *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            k8s-app: hubble-generate-certs
+        spec:
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+          containers:
+            - name: certgen
+              image: "quay.io/cilium/certgen:v0.2.4@sha256:de7b97b1d19a34b674d0c4bc1da4db999f04ae355923a9a994ac3a81e1a1b5ff"
+              imagePullPolicy: IfNotPresent
+              securityContext:
+                capabilities:
+                  drop:
+                    - ALL
+                allowPrivilegeEscalation: false
+              command:
+                - "/usr/bin/cilium-certgen"
+              args:
+                - "--ca-generate=true"
+                - "--ca-reuse-secret"
+                - "--ca-secret-namespace=kube-system"
+                - "--ca-secret-name=cilium-ca"
+                - "--ca-common-name=Cilium CA"
+              env:
+                - name: CILIUM_CERTGEN_CONFIG
+                  value: |
+                    certs:
+                    - name: hubble-server-certs
+                      namespace: kube-system
+                      commonName: "*.default.hubble-grpc.cilium.io"
+                      hosts:
+                      - "*.default.hubble-grpc.cilium.io"
+                      usage:
+                      - signing
+                      - key encipherment
+                      - server auth
+                      - client auth
+                      validity: 8760h
+                    - name: hubble-relay-client-certs
+                      namespace: kube-system
+                      commonName: "*.hubble-relay.cilium.io"
+                      hosts:
+                      - "*.hubble-relay.cilium.io"
+                      usage:
+                      - signing
+                      - key encipherment
+                      - client auth
+                      validity: 8760h
+          hostNetwork: false
+          serviceAccount: "hubble-generate-certs"
+          serviceAccountName: "hubble-generate-certs"
+          automountServiceAccountToken: true
+          restartPolicy: OnFailure
+          affinity:
+      ttlSecondsAfterFinished: 1800
--- a/clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs.yaml
+++ b/clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs.yaml
@@ -0,0 +1,69 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: hubble-generate-certs
+  namespace: kube-system
+  labels:
+    k8s-app: hubble-generate-certs
+    app.kubernetes.io/name: hubble-generate-certs
+    app.kubernetes.io/part-of: cilium
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+spec:
+  template:
+    metadata:
+      labels:
+        k8s-app: hubble-generate-certs
+    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: certgen
+          image: "quay.io/cilium/certgen:v0.2.4@sha256:de7b97b1d19a34b674d0c4bc1da4db999f04ae355923a9a994ac3a81e1a1b5ff"
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            allowPrivilegeEscalation: false
+          command:
+            - "/usr/bin/cilium-certgen"
+          args:
+            - "--ca-generate=true"
+            - "--ca-reuse-secret"
+            - "--ca-secret-namespace=kube-system"
+            - "--ca-secret-name=cilium-ca"
+            - "--ca-common-name=Cilium CA"
+          env:
+            - name: CILIUM_CERTGEN_CONFIG
+              value: |
+                certs:
+                - name: hubble-server-certs
+                  namespace: kube-system
+                  commonName: "*.default.hubble-grpc.cilium.io"
+                  hosts:
+                  - "*.default.hubble-grpc.cilium.io"
+                  usage:
+                  - signing
+                  - key encipherment
+                  - server auth
+                  - client auth
+                  validity: 8760h
+                - name: hubble-relay-client-certs
+                  namespace: kube-system
+                  commonName: "*.hubble-relay.cilium.io"
+                  hosts:
+                  - "*.hubble-relay.cilium.io"
+                  usage:
+                  - signing
+                  - key encipherment
+                  - client auth
+                  validity: 8760h
+      hostNetwork: false
+      serviceAccount: "hubble-generate-certs"
+      serviceAccountName: "hubble-generate-certs"
+      automountServiceAccountToken: true
+      restartPolicy: OnFailure
+      affinity:
+  ttlSecondsAfterFinished: 1800
--- a/clusters/cl01tl/manifests/cilium/Role-hubble-generate-certs.yaml
+++ b/clusters/cl01tl/manifests/cilium/Role-hubble-generate-certs.yaml
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: hubble-generate-certs
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/part-of: cilium
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - hubble-server-certs
+      - hubble-relay-client-certs
+      - hubble-relay-server-certs
+      - hubble-metrics-server-certs
+      - hubble-ui-client-certs
+    verbs:
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - cilium-ca
+    verbs:
+      - get
+      - update
--- a/clusters/cl01tl/manifests/cilium/RoleBinding-hubble-generate-certs.yaml
+++ b/clusters/cl01tl/manifests/cilium/RoleBinding-hubble-generate-certs.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: hubble-generate-certs
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/part-of: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: hubble-generate-certs
+subjects:
+  - kind: ServiceAccount
+    name: "hubble-generate-certs"
+    namespace: kube-system
--- a/clusters/cl01tl/manifests/cilium/ServiceAccount-hubble-generate-certs.yaml
+++ b/clusters/cl01tl/manifests/cilium/ServiceAccount-hubble-generate-certs.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "hubble-generate-certs"
+  namespace: kube-system
--- a/clusters/cl01tl/manifests/grafana-operator/RedisReplication-redis-replication-remote-cache.yaml
+++ b/clusters/cl01tl/manifests/grafana-operator/RedisReplication-redis-replication-remote-cache.yaml
@@ -13,7 +13,7 @@ spec:
    runAsUser: 1000
    fsGroup: 1000
  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.0.3
+    image: quay.io/opstree/redis:v8.4.0
    imagePullPolicy: IfNotPresent
    resources:
      requests:
@@ -29,4 +29,4 @@ spec:
            storage: 1Gi
  redisExporter:
    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.48.0
+    image: quay.io/opstree/redis-exporter:v1.80.1
--- a/clusters/cl01tl/manifests/grafana-operator/RedisReplication-redis-replication-unified-alerting.yaml
+++ b/clusters/cl01tl/manifests/grafana-operator/RedisReplication-redis-replication-unified-alerting.yaml
@@ -13,7 +13,7 @@ spec:
    runAsUser: 1000
    fsGroup: 1000
  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.0.3
+    image: quay.io/opstree/redis:v8.4.0
    imagePullPolicy: IfNotPresent
    resources:
      requests:
@@ -29,4 +29,4 @@ spec:
            storage: 1Gi
  redisExporter:
    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.48.0
+    image: quay.io/opstree/redis-exporter:v1.80.1