chore: Update manifests after change

clusters/cl01tl/manifests/cilium/CiliumLoadBalancerIPPool-bgp-ip-pool.yaml

@@ -1,14 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumLoadBalancerIPPool
-metadata:
-  name: bgp-ip-pool
-  namespace: kube-system
-  labels:
-    app.kubernetes.io/name: bgp-ip-pool
-    app.kubernetes.io/instance: cilium
-    app.kubernetes.io/part-of: cilium
-spec:
-  blocks:
-    - start: "10.232.2.100"
-      stop: "10.232.2.200"
-  disabled: true

clusters/cl01tl/manifests/cilium/ClusterRole-cilium-operator.yaml

@@ -69,22 +69,6 @@ rules:
       - get
       - list
       - watch
-      - create
-      - update
-      - delete
-      - patch
-  - apiGroups:
-      - "discovery.k8s.io"
-    resources:
-      - endpointslices
-    verbs:
-      - get
-      - list
-      - watch
-      - create
-      - update
-      - delete
-      - patch
   - apiGroups:
       - cilium.io
     resources:
@@ -178,6 +162,7 @@ rules:
       - update
     resourceNames:
       - ciliumloadbalancerippools.cilium.io
+      - ciliumbgppeeringpolicies.cilium.io
       - ciliumbgpclusterconfigs.cilium.io
       - ciliumbgppeerconfigs.cilium.io
       - ciliumbgpadvertisements.cilium.io
@@ -203,6 +188,7 @@ rules:
     resources:
       - ciliumloadbalancerippools
       - ciliumpodippools
+      - ciliumbgppeeringpolicies
       - ciliumbgpclusterconfigs
       - ciliumbgpnodeconfigoverrides
       - ciliumbgppeerconfigs
@@ -230,63 +216,3 @@ rules:
       - create
       - get
       - update
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gatewayclasses
-      - gateways
-      - tlsroutes
-      - httproutes
-      - grpcroutes
-      - referencegrants
-      - referencepolicies
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gatewayclasses
-    verbs:
-      - patch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gatewayclasses/status
-      - gateways/status
-      - httproutes/status
-      - grpcroutes/status
-      - tlsroutes/status
-    verbs:
-      - update
-      - patch
-  - apiGroups:
-      - cilium.io
-    resources:
-      - ciliumgatewayclassconfigs
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - cilium.io
-    resources:
-      - ciliumgatewayclassconfigs/status
-    verbs:
-      - update
-      - patch
-  - apiGroups:
-      - multicluster.x-k8s.io
-    resources:
-      - serviceimports
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - cilium.io
-    resources:
-      - ciliumendpointslices
-    verbs:
-      - deletecollection

clusters/cl01tl/manifests/cilium/ClusterRole-cilium.yaml

@@ -45,6 +45,7 @@ rules:
       - cilium.io
     resources:
       - ciliumloadbalancerippools
+      - ciliumbgppeeringpolicies
       - ciliumbgpnodeconfigs
       - ciliumbgpadvertisements
       - ciliumbgppeerconfigs

clusters/cl01tl/manifests/cilium/ClusterRole-hubble-ui.yaml

@@ -5,6 +5,14 @@ metadata:
   labels:
     app.kubernetes.io/part-of: cilium
 rules:
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - networkpolicies
+    verbs:
+      - get
+      - list
+      - watch
   - apiGroups:
       - ""
     resources:
@@ -26,3 +34,11 @@ rules:
       - get
       - list
       - watch
+  - apiGroups:
+      - cilium.io
+    resources:
+      - "*"
+    verbs:
+      - get
+      - list
+      - watch

clusters/cl01tl/manifests/cilium/ConfigMap-cilium-config.yaml

@@ -16,18 +16,6 @@ data:
   controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services
   operator-prometheus-serve-addr: ":9963"
   enable-metrics: "true"
-  enable-envoy-config: "true"
-  envoy-config-retry-interval: "15s"
-  enable-gateway-api: "true"
-  enable-gateway-api-secrets-sync: "true"
-  enable-gateway-api-proxy-protocol: "false"
-  enable-gateway-api-app-protocol: "true"
-  enable-gateway-api-alpn: "true"
-  gateway-api-xff-num-trusted-hops: "0"
-  gateway-api-service-externaltrafficpolicy: "Cluster"
-  gateway-api-secrets-namespace: "cilium-secrets"
-  gateway-api-hostnetwork-enabled: "false"
-  gateway-api-hostnetwork-nodelabelselector: ""
   enable-policy-secrets-sync: "true"
   policy-secrets-only-from-secrets-namespace: "true"
   policy-secrets-namespace: "cilium-secrets"
@@ -58,7 +46,6 @@ data:
   tunnel-protocol: "vxlan"
   tunnel-source-port-range: "0-0"
   service-no-backend-response: "reject"
-  policy-deny-response: "none"
   enable-l7-proxy: "true"
   enable-ipv4-masquerade: "true"
   enable-ipv4-big-tcp: "false"
@@ -66,6 +53,7 @@ data:
   enable-ipv6-masquerade: "true"
   enable-tcx: "true"
   datapath-mode: "veth"
+  enable-bpf-masquerade: "false"
   enable-masquerade-to-route-source: "false"
   enable-xt-socket-fallback: "true"
   install-no-conntrack-iptables-rules: "false"
@@ -75,7 +63,6 @@ data:
   devices: "end0 enp6s0"
   kube-proxy-replacement: "true"
   kube-proxy-replacement-healthz-bind-address: ""
-  enable-no-service-endpoints-routable: "true"
   bpf-lb-sock: "true"
   bpf-lb-sock-hostns-only: "true"
   enable-health-check-nodeport: "true"
@@ -83,7 +70,7 @@ data:
   node-port-bind-protection: "true"
   enable-auto-protect-node-port-range: "true"
   bpf-lb-acceleration: "disabled"
-  enable-service-topology: "false"
+  enable-svc-source-range-check: "true"
   enable-l2-neigh-discovery: "false"
   k8s-require-ipv4-pod-cidr: "false"
   k8s-require-ipv6-pod-cidr: "false"
@@ -116,7 +103,6 @@ data:
   vtep-cidr: ""
   vtep-mask: ""
   vtep-mac: ""
-  packetization-layer-pmtud-mode: "blackhole"
   procfs: "/host/proc"
   bpf-root: "/sys/fs/bpf"
   cgroup-root: "/sys/fs/cgroup"
@@ -129,7 +115,7 @@ data:
   remove-cilium-node-taints: "true"
   set-cilium-node-taints: "true"
   set-cilium-is-up-condition: "true"
-  unmanaged-pod-watcher-interval: "15s"
+  unmanaged-pod-watcher-interval: "15"
   dnsproxy-enable-transparent-mode: "true"
   dnsproxy-socket-linger-timeout: "10"
   tofqdns-dns-reject-response-code: "refused"
@@ -140,7 +126,7 @@ data:
   tofqdns-proxy-response-max-delay: "100ms"
   tofqdns-preallocate-identities: "true"
   agent-not-ready-taint-key: "node.cilium.io/agent-not-ready"
-  mesh-auth-enabled: "false"
+  mesh-auth-enabled: "true"
   mesh-auth-queue-size: "1024"
   mesh-auth-rotated-identities-queue-size: "1024"
   mesh-auth-gc-interval: "5m0s"
@@ -148,14 +134,10 @@ data:
   proxy-xff-num-trusted-hops-egress: "0"
   proxy-connect-timeout: "2"
   proxy-initial-fetch-timeout: "30"
-  proxy-max-active-downstream-connections: "50000"
   proxy-max-requests-per-connection: "0"
   proxy-max-connection-duration-seconds: "0"
   proxy-idle-timeout-seconds: "60"
   proxy-max-concurrent-retries: "128"
-  proxy-use-original-source-address: "true"
-  proxy-cluster-max-connections: "1024"
-  proxy-cluster-max-requests: "1024"
   http-retry-count: "3"
   http-stream-idle-timeout: "300"
   external-envoy-proxy: "true"
@@ -163,13 +145,12 @@ data:
   envoy-access-log-buffer-size: "4096"
   envoy-keep-cap-netbindservice: "true"
   max-connected-clusters: "255"
-  clustermesh-cache-ttl: "0s"
   clustermesh-enable-endpoint-sync: "false"
   clustermesh-enable-mcs-api: "false"
-  clustermesh-mcs-api-install-crds: "true"
-  policy-default-local-cluster: "true"
+  policy-default-local-cluster: "false"
   nat-map-stats-entries: "32"
   nat-map-stats-interval: "30s"
+  enable-internal-traffic-policy: "true"
   enable-lb-ipam: "true"
   enable-non-default-deny-policies: "true"
   enable-source-ip-verification: "true"

clusters/cl01tl/manifests/cilium/CronJob-hubble-generate-certs.yaml

@@ -9,8 +9,6 @@ metadata:
     app.kubernetes.io/part-of: cilium
 spec:
   schedule: "0 0 1 */4 *"
-  successfulJobsHistoryLimit: 3
-  failedJobsHistoryLimit: 1
   concurrencyPolicy: Forbid
   jobTemplate:
     spec:
@@ -65,6 +63,9 @@ spec:
                       - client auth
                       validity: 8760h
           hostNetwork: false
+          serviceAccount: "hubble-generate-certs"
           serviceAccountName: "hubble-generate-certs"
           automountServiceAccountToken: true
           restartPolicy: OnFailure
+          affinity:
+      ttlSecondsAfterFinished: 1800

clusters/cl01tl/manifests/cilium/DaemonSet-cilium.yaml

@@ -18,7 +18,7 @@ spec:
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: "501f8d2dbdd40925853054c7e3add60e203bb04219e79fec25ccf1a4cbc0e5d5"
+        cilium.io/cilium-configmap-checksum: "619a91acd09daa2a43c4527f44e518e8d59309e1f1f7f107b2c997a4e0eb681d"
         kubectl.kubernetes.io/default-container: cilium-agent
       labels:
         k8s-app: cilium
@@ -32,7 +32,7 @@ spec:
           type: Unconfined
       containers:
         - name: cilium-agent
-          image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10"
+          image: "quay.io/cilium/cilium:v1.18.9@sha256:c9140c2ebcc636ba346a4152fb28d616a4a51586c22c72dcd6f273bed41053c0"
           imagePullPolicy: IfNotPresent
           command:
             - cilium-agent
@@ -42,7 +42,7 @@ spec:
             httpGet:
               host: "127.0.0.1"
               path: /healthz
-              port: health
+              port: 9879
               scheme: HTTP
               httpHeaders:
                 - name: "brief"
@@ -55,7 +55,7 @@ spec:
             httpGet:
               host: "127.0.0.1"
               path: /healthz
-              port: health
+              port: 9879
               scheme: HTTP
               httpHeaders:
                 - name: "brief"
@@ -70,7 +70,7 @@ spec:
             httpGet:
               host: "127.0.0.1"
               path: /healthz
-              port: health
+              port: 9879
               scheme: HTTP
               httpHeaders:
                 - name: "brief"
@@ -136,10 +136,6 @@ spec:
                 command:
                   - /cni-uninstall.sh
           ports:
-            - name: health
-              containerPort: 9879
-              hostPort: 9879
-              protocol: TCP
             - name: peer-service
               containerPort: 4244
               hostPort: 4244
@@ -205,7 +201,7 @@ spec:
               mountPath: /tmp
       initContainers:
         - name: config
-          image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10"
+          image: "quay.io/cilium/cilium:v1.18.9@sha256:c9140c2ebcc636ba346a4152fb28d616a4a51586c22c72dcd6f273bed41053c0"
           imagePullPolicy: IfNotPresent
           command:
             - cilium-dbg
@@ -229,20 +225,14 @@ spec:
             - name: tmp
               mountPath: /tmp
           terminationMessagePolicy: FallbackToLogsOnError
-          securityContext:
-            capabilities:
-              add:
-                - NET_ADMIN
-              drop:
-                - ALL
         - name: apply-sysctl-overwrites
-          image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10"
+          image: "quay.io/cilium/cilium:v1.18.9@sha256:c9140c2ebcc636ba346a4152fb28d616a4a51586c22c72dcd6f273bed41053c0"
           imagePullPolicy: IfNotPresent
           env:
             - name: BIN_PATH
               value: /opt/cni/bin
           command:
-            - bash
+            - sh
             - -ec
             - |
               cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
@@ -266,7 +256,7 @@ spec:
               drop:
                 - ALL
         - name: mount-bpf-fs
-          image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10"
+          image: "quay.io/cilium/cilium:v1.18.9@sha256:c9140c2ebcc636ba346a4152fb28d616a4a51586c22c72dcd6f273bed41053c0"
           imagePullPolicy: IfNotPresent
           args:
             - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf'
@@ -282,7 +272,7 @@ spec:
               mountPath: /sys/fs/bpf
               mountPropagation: Bidirectional
         - name: clean-cilium-state
-          image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10"
+          image: "quay.io/cilium/cilium:v1.18.9@sha256:c9140c2ebcc636ba346a4152fb28d616a4a51586c22c72dcd6f273bed41053c0"
           imagePullPolicy: IfNotPresent
           command:
             - /init-container.sh
@@ -330,14 +320,11 @@ spec:
             - name: cilium-run
               mountPath: /var/run/cilium
         - name: install-cni-binaries
-          image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10"
+          image: "quay.io/cilium/cilium:v1.18.9@sha256:c9140c2ebcc636ba346a4152fb28d616a4a51586c22c72dcd6f273bed41053c0"
           imagePullPolicy: IfNotPresent
           command:
             - "/install-plugin.sh"
           resources:
-            limits:
-              cpu: 1
-              memory: 1Gi
             requests:
               cpu: 100m
               memory: 10Mi

clusters/cl01tl/manifests/cilium/Deployment-cilium-operator.yaml

@@ -22,7 +22,7 @@ spec:
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: "501f8d2dbdd40925853054c7e3add60e203bb04219e79fec25ccf1a4cbc0e5d5"
+        cilium.io/cilium-configmap-checksum: "619a91acd09daa2a43c4527f44e518e8d59309e1f1f7f107b2c997a4e0eb681d"
       labels:
         io.cilium/app: operator
         name: cilium-operator
@@ -34,7 +34,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: cilium-operator
-          image: "quay.io/cilium/operator-generic:v1.19.3@sha256:205b09b0ed6accbf9fe688d312a9f0fcfc6a316fc081c23fbffb472af5dd62cd"
+          image: "quay.io/cilium/operator-generic:v1.18.9@sha256:9094fe19965c558bc9361aa4f0d19fcc48f7377f835dc70f138bf4dc1db48ca4"
           imagePullPolicy: IfNotPresent
           command:
             - cilium-operator-generic
@@ -63,9 +63,6 @@ spec:
             - name: KUBERNETES_SERVICE_PORT
               value: "7445"
           ports:
-            - name: health
-              containerPort: 9234
-              hostPort: 9234
             - name: prometheus
               containerPort: 9963
               hostPort: 9963
@@ -74,7 +71,7 @@ spec:
             httpGet:
               host: "127.0.0.1"
               path: /healthz
-              port: health
+              port: 9234
               scheme: HTTP
             initialDelaySeconds: 60
             periodSeconds: 10
@@ -83,7 +80,7 @@ spec:
             httpGet:
               host: "127.0.0.1"
               path: /healthz
-              port: health
+              port: 9234
               scheme: HTTP
             initialDelaySeconds: 0
             periodSeconds: 5

clusters/cl01tl/manifests/cilium/Deployment-hubble-relay.yaml

@@ -40,7 +40,7 @@ spec:
             runAsUser: 65532
             seccompProfile:
               type: RuntimeDefault
-          image: "quay.io/cilium/hubble-relay:v1.19.3@sha256:5ee21d57b6ef2aa6db67e603a735fdceb162454b352b7335b651456e308f681b"
+          image: "quay.io/cilium/hubble-relay:v1.18.9@sha256:031288422f2b0bfff3372fba9812d2867dd9262a6f12c6e6282cfebe54e5efe1"
           imagePullPolicy: IfNotPresent
           command:
             - hubble-relay

clusters/cl01tl/manifests/cilium/Deployment-hubble-ui.yaml

@@ -41,11 +41,11 @@ spec:
           livenessProbe:
             httpGet:
               path: /healthz
-              port: http
+              port: 8081
           readinessProbe:
             httpGet:
               path: /
-              port: http
+              port: 8081
           volumeMounts:
             - name: hubble-ui-nginx-conf
               mountPath: /etc/nginx/conf.d/default.conf
@@ -77,5 +77,5 @@ spec:
             defaultMode: 420
             name: hubble-ui-nginx
           name: hubble-ui-nginx-conf
-        - name: tmp-dir
-          emptyDir: {}
+        - emptyDir: {}
+          name: tmp-dir

clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs.yaml

@@ -1,12 +1,14 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: hubble-generate-certs-b36ef54b9b
+  name: hubble-generate-certs
   namespace: kube-system
   labels:
     k8s-app: hubble-generate-certs
     app.kubernetes.io/name: hubble-generate-certs
     app.kubernetes.io/part-of: cilium
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
 spec:
   template:
     metadata:
@@ -59,6 +61,9 @@ spec:
                   - client auth
                   validity: 8760h
       hostNetwork: false
+      serviceAccount: "hubble-generate-certs"
       serviceAccountName: "hubble-generate-certs"
       automountServiceAccountToken: true
       restartPolicy: OnFailure
+      affinity:
+  ttlSecondsAfterFinished: 1800

clusters/cl01tl/manifests/cilium/Role-cilium-gateway-secrets.yaml

@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cilium-gateway-secrets
-  namespace: "cilium-secrets"
-  labels:
-    app.kubernetes.io/part-of: cilium
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - get
-      - list
-      - watch

clusters/cl01tl/manifests/cilium/Role-cilium-operator-gateway-secrets.yaml

@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cilium-operator-gateway-secrets
-  namespace: "cilium-secrets"
-  labels:
-    app.kubernetes.io/part-of: cilium
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - create
-      - delete
-      - update
-      - patch

clusters/cl01tl/manifests/cilium/Role-cilium-operator-ztunnel.yaml

@@ -1,18 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cilium-operator-ztunnel
-  namespace: kube-system
-  labels:
-    app.kubernetes.io/part-of: cilium
-rules:
-  - apiGroups:
-      - apps
-    resources:
-      - daemonsets
-    verbs:
-      - create
-      - delete
-      - get
-      - list
-      - watch

clusters/cl01tl/manifests/cilium/RoleBinding-cilium-gateway-secrets.yaml

@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: cilium-gateway-secrets
-  namespace: "cilium-secrets"
-  labels:
-    app.kubernetes.io/part-of: cilium
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cilium-gateway-secrets
-subjects:
-  - kind: ServiceAccount
-    name: "cilium"
-    namespace: kube-system

clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-gateway-secrets.yaml

@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: cilium-operator-gateway-secrets
-  namespace: "cilium-secrets"
-  labels:
-    app.kubernetes.io/part-of: cilium
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cilium-operator-gateway-secrets
-subjects:
-  - kind: ServiceAccount
-    name: "cilium-operator"
-    namespace: kube-system

clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-ztunnel.yaml

@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: cilium-operator-ztunnel
-  namespace: kube-system
-  labels:
-    app.kubernetes.io/part-of: cilium
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cilium-operator-ztunnel
-subjects:
-  - kind: ServiceAccount
-    name: "cilium-operator"
-    namespace: kube-system

clusters/cl01tl/manifests/cilium/Service-cilium-envoy.yaml

@@ -17,4 +17,4 @@ spec:
     - name: envoy-metrics
       port: 9964
       protocol: TCP
-      targetPort: 9964
+      targetPort: envoy-metrics