From 3d08ee2f4b9a3a28d19a5423cc30426ddb5ddc06 Mon Sep 17 00:00:00 2001 
From: gitea-bot Date: Mon, 11 May 2026 01:03:54 +0000 Subject: [PATCH] chore: Update manifests after change --- .../CiliumLoadBalancerIPPool-bgp-ip-pool.yaml | 14 ---- .../cilium/ClusterRole-cilium-operator.yaml | 78 +------------------ .../manifests/cilium/ClusterRole-cilium.yaml | 1 + .../cilium/ClusterRole-hubble-ui.yaml | 16 ++++ .../cilium/ConfigMap-cilium-config.yaml | 31 ++------ .../cilium/ConfigMap-cilium-envoy-config.yaml | 2 +- .../cilium/CronJob-hubble-generate-certs.yaml | 5 +- .../manifests/cilium/DaemonSet-cilium.yaml | 35 +++------ .../cilium/Deployment-cilium-operator.yaml | 11 +-- .../cilium/Deployment-hubble-relay.yaml | 2 +- .../cilium/Deployment-hubble-ui.yaml | 8 +- ...9b.yaml => Job-hubble-generate-certs.yaml} | 7 +- .../cilium/Role-cilium-gateway-secrets.yaml | 16 ---- .../Role-cilium-operator-gateway-secrets.yaml | 17 ---- .../cilium/Role-cilium-operator-ztunnel.yaml | 18 ----- .../RoleBinding-cilium-gateway-secrets.yaml | 15 ---- ...nding-cilium-operator-gateway-secrets.yaml | 15 ---- .../RoleBinding-cilium-operator-ztunnel.yaml | 15 ---- .../cilium/Service-cilium-envoy.yaml | 2 +- 19 files changed, 56 insertions(+), 252 deletions(-) delete mode 100644 clusters/cl01tl/manifests/cilium/CiliumLoadBalancerIPPool-bgp-ip-pool.yaml rename clusters/cl01tl/manifests/cilium/{Job-hubble-generate-certs-b36ef54b9b.yaml => Job-hubble-generate-certs.yaml} (91%) delete mode 100644 clusters/cl01tl/manifests/cilium/Role-cilium-gateway-secrets.yaml delete mode 100644 clusters/cl01tl/manifests/cilium/Role-cilium-operator-gateway-secrets.yaml delete mode 100644 clusters/cl01tl/manifests/cilium/Role-cilium-operator-ztunnel.yaml delete mode 100644 clusters/cl01tl/manifests/cilium/RoleBinding-cilium-gateway-secrets.yaml delete mode 100644 clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-gateway-secrets.yaml delete mode 100644 clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-ztunnel.yaml 
diff --git a/clusters/cl01tl/manifests/cilium/CiliumLoadBalancerIPPool-bgp-ip-pool.yaml b/clusters/cl01tl/manifests/cilium/CiliumLoadBalancerIPPool-bgp-ip-pool.yaml deleted file mode 100644 index 03b4c5df8..000000000 --- a/clusters/cl01tl/manifests/cilium/CiliumLoadBalancerIPPool-bgp-ip-pool.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: cilium.io/v2 -kind: CiliumLoadBalancerIPPool -metadata: - name: bgp-ip-pool - namespace: kube-system - labels: - app.kubernetes.io/name: bgp-ip-pool - app.kubernetes.io/instance: cilium - app.kubernetes.io/part-of: cilium -spec: - blocks: - - start: "10.232.2.100" - stop: "10.232.2.200" - disabled: true diff --git a/clusters/cl01tl/manifests/cilium/ClusterRole-cilium-operator.yaml b/clusters/cl01tl/manifests/cilium/ClusterRole-cilium-operator.yaml index 59686cae3..0327f318b 100644 --- a/clusters/cl01tl/manifests/cilium/ClusterRole-cilium-operator.yaml +++ b/clusters/cl01tl/manifests/cilium/ClusterRole-cilium-operator.yaml @@ -69,22 +69,6 @@ rules: - get - list - watch - - create - - update - - delete - - patch - - apiGroups: - - "discovery.k8s.io" - resources: - - endpointslices - verbs: - - get - - list - - watch - - create - - update - - delete - - patch - apiGroups: - cilium.io resources: @@ -178,6 +162,7 @@ rules: - update resourceNames: - ciliumloadbalancerippools.cilium.io + - ciliumbgppeeringpolicies.cilium.io - ciliumbgpclusterconfigs.cilium.io - ciliumbgppeerconfigs.cilium.io - ciliumbgpadvertisements.cilium.io @@ -203,6 +188,7 @@ rules: resources: - ciliumloadbalancerippools - ciliumpodippools + - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides - ciliumbgppeerconfigs 
@@ -230,63 +216,3 @@ rules: - create - get - update - - apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - - gateways - - tlsroutes - - httproutes - - grpcroutes - - referencegrants - - referencepolicies - verbs: - - get - - list - - watch - - apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - verbs: - - patch - - apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses/status - - gateways/status - - httproutes/status - - grpcroutes/status - - tlsroutes/status - verbs: - - update - - patch - - apiGroups: - - cilium.io - resources: - - ciliumgatewayclassconfigs - verbs: - - get - - list - - watch - - apiGroups: - - cilium.io - resources: - - ciliumgatewayclassconfigs/status - verbs: - - update - - patch - - apiGroups: - - multicluster.x-k8s.io - resources: - - serviceimports - verbs: - - get - - list - - watch - - apiGroups: - - cilium.io - resources: - - ciliumendpointslices - verbs: - - deletecollection diff --git a/clusters/cl01tl/manifests/cilium/ClusterRole-cilium.yaml b/clusters/cl01tl/manifests/cilium/ClusterRole-cilium.yaml index b57ca9706..92b76c741 100644 --- a/clusters/cl01tl/manifests/cilium/ClusterRole-cilium.yaml +++ b/clusters/cl01tl/manifests/cilium/ClusterRole-cilium.yaml @@ -45,6 +45,7 @@ rules: - cilium.io resources: - ciliumloadbalancerippools + - ciliumbgppeeringpolicies - ciliumbgpnodeconfigs - ciliumbgpadvertisements - ciliumbgppeerconfigs diff --git a/clusters/cl01tl/manifests/cilium/ClusterRole-hubble-ui.yaml b/clusters/cl01tl/manifests/cilium/ClusterRole-hubble-ui.yaml index 722067efd..8d8d0f775 100644 --- a/clusters/cl01tl/manifests/cilium/ClusterRole-hubble-ui.yaml +++ b/clusters/cl01tl/manifests/cilium/ClusterRole-hubble-ui.yaml @@ -5,6 +5,14 @@ metadata: labels: app.kubernetes.io/part-of: cilium rules: + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - watch - apiGroups: - "" resources: 
@@ -26,3 +34,11 @@ rules: - get - list - watch + - apiGroups: + - cilium.io + resources: + - "*" + verbs: + - get + - list + - watch diff --git a/clusters/cl01tl/manifests/cilium/ConfigMap-cilium-config.yaml b/clusters/cl01tl/manifests/cilium/ConfigMap-cilium-config.yaml index d166498f8..68687474b 100644 --- a/clusters/cl01tl/manifests/cilium/ConfigMap-cilium-config.yaml +++ b/clusters/cl01tl/manifests/cilium/ConfigMap-cilium-config.yaml @@ -16,18 +16,6 @@ data: controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services operator-prometheus-serve-addr: ":9963" enable-metrics: "true" - enable-envoy-config: "true" - envoy-config-retry-interval: "15s" - enable-gateway-api: "true" - enable-gateway-api-secrets-sync: "true" - enable-gateway-api-proxy-protocol: "false" - enable-gateway-api-app-protocol: "true" - enable-gateway-api-alpn: "true" - gateway-api-xff-num-trusted-hops: "0" - gateway-api-service-externaltrafficpolicy: "Cluster" - gateway-api-secrets-namespace: "cilium-secrets" - gateway-api-hostnetwork-enabled: "false" - gateway-api-hostnetwork-nodelabelselector: "" enable-policy-secrets-sync: "true" policy-secrets-only-from-secrets-namespace: "true" policy-secrets-namespace: "cilium-secrets" @@ -58,7 +46,6 @@ data: tunnel-protocol: "vxlan" tunnel-source-port-range: "0-0" service-no-backend-response: "reject" - policy-deny-response: "none" enable-l7-proxy: "true" enable-ipv4-masquerade: "true" enable-ipv4-big-tcp: "false" @@ -66,6 +53,7 @@ data: enable-ipv6-masquerade: "true" enable-tcx: "true" datapath-mode: "veth" + enable-bpf-masquerade: "false" enable-masquerade-to-route-source: "false" enable-xt-socket-fallback: "true" install-no-conntrack-iptables-rules: "false" @@ -75,7 +63,6 @@ data: devices: "end0 enp6s0" kube-proxy-replacement: "true" kube-proxy-replacement-healthz-bind-address: "" - enable-no-service-endpoints-routable: "true" bpf-lb-sock: "true" bpf-lb-sock-hostns-only: "true" enable-health-check-nodeport: "true" 
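Review bot: The rule added at the end of this hunk gives the hubble-ui ClusterRole `get`/`list`/`watch` on `resources: - "*"` in the `cilium.io` group, a cluster-wide wildcard read that also covers any CRD added to that group later (policy, identity, node and BGP objects alike). Presumably this is what the older chart renders, but it is the manifest that gets applied, and it is broader than the UI's visible needs; if the version change is intentional, consider patching the rule down to the resource kinds the UI actually queries (to be confirmed against its API calls) instead of `"*"`. The `networking.k8s.io`/`networkpolicies` read rule added in the preceding hunk is scoped and unproblematic.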
@@ -83,7 +70,7 @@ data: node-port-bind-protection: "true" enable-auto-protect-node-port-range: "true" bpf-lb-acceleration: "disabled" - enable-service-topology: "false" + enable-svc-source-range-check: "true" enable-l2-neigh-discovery: "false" k8s-require-ipv4-pod-cidr: "false" k8s-require-ipv6-pod-cidr: "false" @@ -116,7 +103,6 @@ data: vtep-cidr: "" vtep-mask: "" vtep-mac: "" - packetization-layer-pmtud-mode: "blackhole" procfs: "/host/proc" bpf-root: "/sys/fs/bpf" cgroup-root: "/sys/fs/cgroup" @@ -129,7 +115,7 @@ data: remove-cilium-node-taints: "true" set-cilium-node-taints: "true" set-cilium-is-up-condition: "true" - unmanaged-pod-watcher-interval: "15s" + unmanaged-pod-watcher-interval: "15" dnsproxy-enable-transparent-mode: "true" dnsproxy-socket-linger-timeout: "10" tofqdns-dns-reject-response-code: "refused" @@ -140,7 +126,7 @@ data: tofqdns-proxy-response-max-delay: "100ms" tofqdns-preallocate-identities: "true" agent-not-ready-taint-key: "node.cilium.io/agent-not-ready" - mesh-auth-enabled: "false" + mesh-auth-enabled: "true" mesh-auth-queue-size: "1024" mesh-auth-rotated-identities-queue-size: "1024" mesh-auth-gc-interval: "5m0s" @@ -148,14 +134,10 @@ data: proxy-xff-num-trusted-hops-egress: "0" proxy-connect-timeout: "2" proxy-initial-fetch-timeout: "30" - proxy-max-active-downstream-connections: "50000" proxy-max-requests-per-connection: "0" proxy-max-connection-duration-seconds: "0" proxy-idle-timeout-seconds: "60" proxy-max-concurrent-retries: "128" - proxy-use-original-source-address: "true" - proxy-cluster-max-connections: "1024" - proxy-cluster-max-requests: "1024" http-retry-count: "3" http-stream-idle-timeout: "300" external-envoy-proxy: "true" 
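Review bot: `mesh-auth-enabled` flips from `"false"` to `"true"` in the `@@ -140,7` hunk on this line, which switches on the mutual-authentication subsystem (the `mesh-auth-*` queue and GC settings in the context lines become live). No SPIRE or other authentication backend settings appear in the visible hunks, so I cannot tell from here whether one exists; if it does not, any policy that sets `authentication.mode: required` has no way to complete the handshake. If mutual auth is not in use, pin the chart's `authentication.enabled` value to `false` so the rendered ConfigMap keeps `mesh-auth-enabled: "false"` across chart versions.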
@@ -163,13 +145,12 @@ data: envoy-access-log-buffer-size: "4096" envoy-keep-cap-netbindservice: "true" max-connected-clusters: "255" - clustermesh-cache-ttl: "0s" clustermesh-enable-endpoint-sync: "false" clustermesh-enable-mcs-api: "false" - clustermesh-mcs-api-install-crds: "true" - policy-default-local-cluster: "true" + policy-default-local-cluster: "false" nat-map-stats-entries: "32" nat-map-stats-interval: "30s" + enable-internal-traffic-policy: "true" enable-lb-ipam: "true" enable-non-default-deny-policies: "true" enable-source-ip-verification: "true" diff --git a/clusters/cl01tl/manifests/cilium/ConfigMap-cilium-envoy-config.yaml b/clusters/cl01tl/manifests/cilium/ConfigMap-cilium-envoy-config.yaml index c40c79c25..df6703552 100644 --- a/clusters/cl01tl/manifests/cilium/ConfigMap-cilium-envoy-config.yaml +++ b/clusters/cl01tl/manifests/cilium/ConfigMap-cilium-envoy-config.yaml 
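Review bot: `policy-default-local-cluster` flips from `"true"` to `"false"` in this hunk, which as far as I know makes policy selectors that do not name a cluster match endpoints in every connected cluster rather than only the local one. The context lines show `clustermesh-enable-endpoint-sync: "false"`, so today the setting is dormant, but it silently widens the policy default the moment a mesh is connected. If the looser value was not chosen deliberately, keep `policy-default-local-cluster: "true"` pinned in the values so a chart-version change cannot flip it. The dropped `clustermesh-cache-ttl` and `clustermesh-mcs-api-install-crds` keys in the same hunk look like chart-version differences rather than configuration choices.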
@@ -5,4 +5,4 @@ metadata: namespace: kube-system data: bootstrap-config.json: | - {"admin":{"address":{"pipe":{"mode":432,"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxConnections":1024,"maxRequests":1024,"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxConnections":1024,"maxRequests":1024,"maxRetries":128}]},"cleanupInterval":"2.500s","connect
Timeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxConnections":1024,"maxRequests":1024,"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxConnections":1024,"maxRequests":1024,"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.soc
k"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addre
ssPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-health-listener"}]}} + {"admin":{"address":{"pipe":{"mode":432,"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.
googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOpti
ons":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_man
ager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-health-listener"}]}} diff --git a/clusters/cl01tl/manifests/cilium/CronJob-hubble-generate-certs.yaml b/clusters/cl01tl/manifests/cilium/CronJob-hubble-generate-certs.yaml index ced0b7a5e..6eb13e19e 100644 --- a/clusters/cl01tl/manifests/cilium/CronJob-hubble-generate-certs.yaml +++ b/clusters/cl01tl/manifests/cilium/CronJob-hubble-generate-certs.yaml @@ -9,8 +9,6 @@ metadata: app.kubernetes.io/part-of: cilium spec: schedule: "0 0 1 */4 *" - successfulJobsHistoryLimit: 3 - failedJobsHistoryLimit: 1 concurrencyPolicy: Forbid jobTemplate: spec: @@ -65,6 +63,9 @@ spec: - client auth validity: 8760h hostNetwork: false + serviceAccount: "hubble-generate-certs" serviceAccountName: "hubble-generate-certs" automountServiceAccountToken: true restartPolicy: OnFailure + affinity: + ttlSecondsAfterFinished: 1800 diff --git a/clusters/cl01tl/manifests/cilium/DaemonSet-cilium.yaml b/clusters/cl01tl/manifests/cilium/DaemonSet-cilium.yaml index 811e55731..0e2262d53 100644 --- a/clusters/cl01tl/manifests/cilium/DaemonSet-cilium.yaml +++ b/clusters/cl01tl/manifests/cilium/DaemonSet-cilium.yaml 
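Review bot: `affinity:` is added with no value in the second CronJob hunk on this line, which YAML reads as `affinity: null`; the API server accepts it, but it is the bare-empty-value pattern yamllint flags and reads like a truncated stanza. The same empty key, together with `serviceAccount: "hubble-generate-certs"` duplicating the existing `serviceAccountName` through its deprecated alias, appears again in the Job hunk `@@ -59,6 +61,9` further down. If these are artefacts of the chart template rather than intended settings, dropping the empty `affinity:` key and the `serviceAccount` duplicate from the rendered output keeps both manifests unambiguous. Where `ttlSecondsAfterFinished: 1800` lands in the tree is not recoverable from the collapsed diff; it has to sit at the Job `spec` level (under `jobTemplate.spec` for the CronJob), not in the pod spec, to be accepted.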
@@ -18,7 +18,7 @@ spec: template: metadata: annotations: - cilium.io/cilium-configmap-checksum: "501f8d2dbdd40925853054c7e3add60e203bb04219e79fec25ccf1a4cbc0e5d5" + cilium.io/cilium-configmap-checksum: "619a91acd09daa2a43c4527f44e518e8d59309e1f1f7f107b2c997a4e0eb681d" kubectl.kubernetes.io/default-container: cilium-agent labels: k8s-app: cilium @@ -32,7 +32,7 @@ spec: type: Unconfined containers: - name: cilium-agent - image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10" + image: "quay.io/cilium/cilium:v1.18.9@sha256:c9140c2ebcc636ba346a4152fb28d616a4a51586c22c72dcd6f273bed41053c0" imagePullPolicy: IfNotPresent command: - cilium-agent @@ -42,7 +42,7 @@ spec: httpGet: host: "127.0.0.1" path: /healthz - port: health + port: 9879 scheme: HTTP httpHeaders: - name: "brief" @@ -55,7 +55,7 @@ spec: httpGet: host: "127.0.0.1" path: /healthz - port: health + port: 9879 scheme: HTTP httpHeaders: - name: "brief" @@ -70,7 +70,7 @@ spec: httpGet: host: "127.0.0.1" path: /healthz - port: health + port: 9879 scheme: HTTP httpHeaders: - name: "brief" @@ -136,10 +136,6 @@ spec: command: - /cni-uninstall.sh ports: - - name: health - containerPort: 9879 - hostPort: 9879 - protocol: TCP - name: peer-service containerPort: 4244 hostPort: 4244 @@ -205,7 +201,7 @@ spec: mountPath: /tmp initContainers: - name: config - image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10" + image: "quay.io/cilium/cilium:v1.18.9@sha256:c9140c2ebcc636ba346a4152fb28d616a4a51586c22c72dcd6f273bed41053c0" imagePullPolicy: IfNotPresent command: - cilium-dbg 
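Review bot: Every image in the hunks on this line moves backwards, from `quay.io/cilium/cilium:v1.19.3` to `quay.io/cilium/cilium:v1.18.9` (the operator and hubble-relay sections later in the patch follow the same pattern), yet the subject `chore: Update manifests after change` does not say this is a rollback. A minor-version downgrade of the CNI agent is not a no-op: as far as I know Cilium asks for the same pre-flight care as an upgrade, and the Gateway API RBAC, BGP pool and ConfigMap removals elsewhere in this patch show features that existed under 1.19 being withdrawn. I would state the reason for the downgrade in the commit description and confirm that state created by 1.19 (CRDs, BPF maps, BGP objects) is compatible with 1.18.9 before this is applied. The probe changes from `port: health` to `port: 9879` match the removal of the named `health` port in the `@@ -136,10` hunk, so those are internally consistent.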
@@ -229,20 +225,14 @@ spec: - name: tmp mountPath: /tmp terminationMessagePolicy: FallbackToLogsOnError - securityContext: - capabilities: - add: - - NET_ADMIN - drop: - - ALL - name: apply-sysctl-overwrites - image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10" + image: "quay.io/cilium/cilium:v1.18.9@sha256:c9140c2ebcc636ba346a4152fb28d616a4a51586c22c72dcd6f273bed41053c0" imagePullPolicy: IfNotPresent env: - name: BIN_PATH value: /opt/cni/bin command: - - bash + - sh - -ec - | cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; @@ -266,7 +256,7 @@ spec: drop: - ALL - name: mount-bpf-fs - image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10" + image: "quay.io/cilium/cilium:v1.18.9@sha256:c9140c2ebcc636ba346a4152fb28d616a4a51586c22c72dcd6f273bed41053c0" imagePullPolicy: IfNotPresent args: - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf' @@ -282,7 +272,7 @@ spec: mountPath: /sys/fs/bpf mountPropagation: Bidirectional - name: clean-cilium-state - image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10" + image: "quay.io/cilium/cilium:v1.18.9@sha256:c9140c2ebcc636ba346a4152fb28d616a4a51586c22c72dcd6f273bed41053c0" imagePullPolicy: IfNotPresent command: - /init-container.sh @@ -330,14 +320,11 @@ spec: - name: cilium-run mountPath: /var/run/cilium - name: install-cni-binaries - image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10" + image: "quay.io/cilium/cilium:v1.18.9@sha256:c9140c2ebcc636ba346a4152fb28d616a4a51586c22c72dcd6f273bed41053c0" imagePullPolicy: IfNotPresent command: - "/install-plugin.sh" resources: - limits: - cpu: 1 - memory: 1Gi requests: cpu: 100m memory: 10Mi 
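Review bot: The `config` init container loses its `securityContext` entirely in the first hunk on this line (the removed block set `capabilities.add: [NET_ADMIN]` and `drop: [ALL]`), so on the new side it runs with the container runtime's default capability set instead of an explicit minimal one. If `cilium-dbg build-config` does not need `NET_ADMIN` — plausible, since it only writes configuration, but to be confirmed — keeping just the `drop: ALL` part is stricter than both the old and the new side; if the omission comes from the chart version, it can still be added as an overlay. The `bash` → `sh` interpreter change for `apply-sysctl-overwrites` and the dropped `limits` on `install-cni-binaries` in the `@@ -330,14` hunk look like chart-version differences. The `config` container definition starts before this hunk.
```yaml
      - name: config
        # … unchanged: image, imagePullPolicy, command, env, volumeMounts …
        terminationMessagePolicy: FallbackToLogsOnError
        securityContext:
          capabilities:
            drop:
              - ALL
```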
diff --git a/clusters/cl01tl/manifests/cilium/Deployment-cilium-operator.yaml b/clusters/cl01tl/manifests/cilium/Deployment-cilium-operator.yaml index 16335c827..4a5fd5c5e 100644 --- a/clusters/cl01tl/manifests/cilium/Deployment-cilium-operator.yaml +++ b/clusters/cl01tl/manifests/cilium/Deployment-cilium-operator.yaml @@ -22,7 +22,7 @@ spec: template: metadata: annotations: - cilium.io/cilium-configmap-checksum: "501f8d2dbdd40925853054c7e3add60e203bb04219e79fec25ccf1a4cbc0e5d5" + cilium.io/cilium-configmap-checksum: "619a91acd09daa2a43c4527f44e518e8d59309e1f1f7f107b2c997a4e0eb681d" labels: io.cilium/app: operator name: cilium-operator @@ -34,7 +34,7 @@ spec: type: RuntimeDefault containers: - name: cilium-operator - image: "quay.io/cilium/operator-generic:v1.19.3@sha256:205b09b0ed6accbf9fe688d312a9f0fcfc6a316fc081c23fbffb472af5dd62cd" + image: "quay.io/cilium/operator-generic:v1.18.9@sha256:9094fe19965c558bc9361aa4f0d19fcc48f7377f835dc70f138bf4dc1db48ca4" imagePullPolicy: IfNotPresent command: - cilium-operator-generic @@ -63,9 +63,6 @@ spec: - name: KUBERNETES_SERVICE_PORT value: "7445" ports: - - name: health - containerPort: 9234 - hostPort: 9234 - name: prometheus containerPort: 9963 hostPort: 9963 @@ -74,7 +71,7 @@ spec: httpGet: host: "127.0.0.1" path: /healthz - port: health + port: 9234 scheme: HTTP initialDelaySeconds: 60 periodSeconds: 10 @@ -83,7 +80,7 @@ spec: httpGet: host: "127.0.0.1" path: /healthz - port: health + port: 9234 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 5 diff --git a/clusters/cl01tl/manifests/cilium/Deployment-hubble-relay.yaml b/clusters/cl01tl/manifests/cilium/Deployment-hubble-relay.yaml index 770871429..89da21100 100644 --- a/clusters/cl01tl/manifests/cilium/Deployment-hubble-relay.yaml +++ b/clusters/cl01tl/manifests/cilium/Deployment-hubble-relay.yaml 
@@ -40,7 +40,7 @@ spec: runAsUser: 65532 seccompProfile: type: RuntimeDefault - image: "quay.io/cilium/hubble-relay:v1.19.3@sha256:5ee21d57b6ef2aa6db67e603a735fdceb162454b352b7335b651456e308f681b" + image: "quay.io/cilium/hubble-relay:v1.18.9@sha256:031288422f2b0bfff3372fba9812d2867dd9262a6f12c6e6282cfebe54e5efe1" imagePullPolicy: IfNotPresent command: - hubble-relay diff --git a/clusters/cl01tl/manifests/cilium/Deployment-hubble-ui.yaml b/clusters/cl01tl/manifests/cilium/Deployment-hubble-ui.yaml index 30534a15f..462ab14ad 100644 --- a/clusters/cl01tl/manifests/cilium/Deployment-hubble-ui.yaml +++ b/clusters/cl01tl/manifests/cilium/Deployment-hubble-ui.yaml @@ -41,11 +41,11 @@ spec: livenessProbe: httpGet: path: /healthz - port: http + port: 8081 readinessProbe: httpGet: path: / - port: http + port: 8081 volumeMounts: - name: hubble-ui-nginx-conf mountPath: /etc/nginx/conf.d/default.conf @@ -77,5 +77,5 @@ spec: defaultMode: 420 name: hubble-ui-nginx name: hubble-ui-nginx-conf - - name: tmp-dir - emptyDir: {} + - emptyDir: {} + name: tmp-dir diff --git a/clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs-b36ef54b9b.yaml b/clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs.yaml similarity index 91% rename from clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs-b36ef54b9b.yaml rename to clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs.yaml index 131721271..c609f634a 100644 --- a/clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs-b36ef54b9b.yaml +++ b/clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs.yaml @@ -1,12 +1,14 @@ apiVersion: batch/v1 kind: Job metadata: - name: hubble-generate-certs-b36ef54b9b + name: hubble-generate-certs namespace: kube-system labels: k8s-app: hubble-generate-certs app.kubernetes.io/name: hubble-generate-certs app.kubernetes.io/part-of: cilium + annotations: + "helm.sh/hook": post-install,post-upgrade spec: template: metadata: 
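Review bot: The Job loses its hashed suffix (`hubble-generate-certs-b36ef54b9b` → `hubble-generate-certs`) and gains `"helm.sh/hook": post-install,post-upgrade`, but this is a rendered manifest under `clusters/cl01tl/manifests/`, so whether the hook annotation means anything depends on the tool that applies it (Argo CD treats Helm hook annotations as sync hooks; a plain `kubectl apply` or, as far as I know, a Flux Kustomization ignores them). Combined with the `ttlSecondsAfterFinished: 1800` added in the next hunk, a fixed-name Job that is not handled as a hook is deleted by the TTL controller and then re-created on the next reconcile, re-running certificate generation every cycle; and because a Job's pod template is immutable, any later change to this file will fail to apply until the existing Job is removed. The hashed name on the old side avoided both problems, so please confirm the applier's hook handling before merging, or keep a content-hash suffix on the name.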
@@ -59,6 +61,9 @@ spec: - client auth validity: 8760h hostNetwork: false + serviceAccount: "hubble-generate-certs" serviceAccountName: "hubble-generate-certs" automountServiceAccountToken: true restartPolicy: OnFailure + affinity: + ttlSecondsAfterFinished: 1800 diff --git a/clusters/cl01tl/manifests/cilium/Role-cilium-gateway-secrets.yaml b/clusters/cl01tl/manifests/cilium/Role-cilium-gateway-secrets.yaml deleted file mode 100644 index 5ba0f73b9..000000000 --- a/clusters/cl01tl/manifests/cilium/Role-cilium-gateway-secrets.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cilium-gateway-secrets - namespace: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch diff --git a/clusters/cl01tl/manifests/cilium/Role-cilium-operator-gateway-secrets.yaml b/clusters/cl01tl/manifests/cilium/Role-cilium-operator-gateway-secrets.yaml deleted file mode 100644 index 7649b8aa0..000000000 --- a/clusters/cl01tl/manifests/cilium/Role-cilium-operator-gateway-secrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cilium-operator-gateway-secrets - namespace: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - update - - patch diff --git a/clusters/cl01tl/manifests/cilium/Role-cilium-operator-ztunnel.yaml b/clusters/cl01tl/manifests/cilium/Role-cilium-operator-ztunnel.yaml deleted file mode 100644 index 043bbdec2..000000000 --- a/clusters/cl01tl/manifests/cilium/Role-cilium-operator-ztunnel.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cilium-operator-ztunnel - namespace: kube-system - labels: - app.kubernetes.io/part-of: cilium -rules: - - apiGroups: - - apps - resources: - - daemonsets - verbs: - - create - - delete - - get - - list - - watch diff --git a/clusters/cl01tl/manifests/cilium/RoleBinding-cilium-gateway-secrets.yaml b/clusters/cl01tl/manifests/cilium/RoleBinding-cilium-gateway-secrets.yaml deleted file mode 100644 index a386746d1..000000000 --- a/clusters/cl01tl/manifests/cilium/RoleBinding-cilium-gateway-secrets.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cilium-gateway-secrets - namespace: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cilium-gateway-secrets -subjects: - - kind: ServiceAccount - name: "cilium" - namespace: kube-system diff --git a/clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-gateway-secrets.yaml b/clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-gateway-secrets.yaml deleted file mode 100644 index 35c2b1607..000000000 --- a/clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-gateway-secrets.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cilium-operator-gateway-secrets - namespace: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cilium-operator-gateway-secrets -subjects: - - kind: ServiceAccount - name: "cilium-operator" - namespace: kube-system diff --git a/clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-ztunnel.yaml b/clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-ztunnel.yaml deleted file mode 100644 index 0911f31b6..000000000 
--- a/clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-ztunnel.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cilium-operator-ztunnel - namespace: kube-system - labels: - app.kubernetes.io/part-of: cilium -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cilium-operator-ztunnel -subjects: - - kind: ServiceAccount - name: "cilium-operator" - namespace: kube-system diff --git a/clusters/cl01tl/manifests/cilium/Service-cilium-envoy.yaml b/clusters/cl01tl/manifests/cilium/Service-cilium-envoy.yaml index 5113391a4..8b56e9ecd 100644 --- a/clusters/cl01tl/manifests/cilium/Service-cilium-envoy.yaml +++ b/clusters/cl01tl/manifests/cilium/Service-cilium-envoy.yaml @@ -17,4 +17,4 @@ spec: - name: envoy-metrics port: 9964 protocol: TCP - targetPort: 9964 + targetPort: envoy-metrics
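Review bot: `targetPort` changes from the literal `9964` to the port name `envoy-metrics`, but the pod that has to carry that named container port (the cilium-envoy DaemonSet) is not touched anywhere in this patch. If that DaemonSet does not declare `name: envoy-metrics` on its 9964 container port, the Service's endpoints will not resolve the port and metrics scraping stops without an apply-time error; please verify the port name there, or keep `targetPort: 9964` as before.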