From 41664cb970a40dbd6c2aeed0eabbd1e73c3fdc72 Mon Sep 17 00:00:00 2001 From: gitea-bot Date: Thu, 5 Feb 2026 04:09:43 +0000 Subject: [PATCH] Automated Manifest Update (#3731) This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow. Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3731 Co-authored-by: gitea-bot Co-committed-by: gitea-bot --- .../cilium/ClusterRole-cilium-operator.yaml | 20 +++++++++-- .../manifests/cilium/ClusterRole-cilium.yaml | 1 - .../cilium/ClusterRole-hubble-ui.yaml | 16 --------- .../cilium/ConfigMap-cilium-config.yaml | 19 +++++++---- .../cilium/CronJob-hubble-generate-certs.yaml | 7 ++-- .../cilium/DaemonSet-cilium-envoy.yaml | 2 +- .../manifests/cilium/DaemonSet-cilium.yaml | 33 +++++++++++++------ .../cilium/Deployment-cilium-operator.yaml | 11 ++++--- .../cilium/Deployment-hubble-relay.yaml | 2 +- .../cilium/Deployment-hubble-ui.yaml | 8 ++--- ...Job-hubble-generate-certs-e8c5d08cb8.yaml} | 9 ++--- .../cilium/Role-cilium-operator-ztunnel.yaml | 18 ++++++++++ .../RoleBinding-cilium-operator-ztunnel.yaml | 15 +++++++++ .../cilium/Service-cilium-envoy.yaml | 2 +- 14 files changed, 106 insertions(+), 57 deletions(-) rename clusters/cl01tl/manifests/cilium/{Job-hubble-generate-certs.yaml => Job-hubble-generate-certs-e8c5d08cb8.yaml} (86%) create mode 100644 clusters/cl01tl/manifests/cilium/Role-cilium-operator-ztunnel.yaml create mode 100644 clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-ztunnel.yaml diff --git a/clusters/cl01tl/manifests/cilium/ClusterRole-cilium-operator.yaml b/clusters/cl01tl/manifests/cilium/ClusterRole-cilium-operator.yaml index f7e07eb33..59686cae3 100644 --- a/clusters/cl01tl/manifests/cilium/ClusterRole-cilium-operator.yaml +++ b/clusters/cl01tl/manifests/cilium/ClusterRole-cilium-operator.yaml 
@@ -73,6 +73,18 @@ rules: - update - delete - patch + - apiGroups: + - "discovery.k8s.io" + resources: + - endpointslices + verbs: + - get + - list + - watch + - create + - update + - delete + - patch - apiGroups: - cilium.io resources: @@ -166,7 +178,6 @@ rules: - update resourceNames: - ciliumloadbalancerippools.cilium.io - - ciliumbgppeeringpolicies.cilium.io - ciliumbgpclusterconfigs.cilium.io - ciliumbgppeerconfigs.cilium.io - ciliumbgpadvertisements.cilium.io @@ -192,7 +203,6 @@ rules: resources: - ciliumloadbalancerippools - ciliumpodippools - - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides - ciliumbgppeerconfigs @@ -274,3 +284,9 @@ rules: - get - list - watch + - apiGroups: + - cilium.io + resources: + - ciliumendpointslices + verbs: + - deletecollection diff --git a/clusters/cl01tl/manifests/cilium/ClusterRole-cilium.yaml b/clusters/cl01tl/manifests/cilium/ClusterRole-cilium.yaml index 92b76c741..b57ca9706 100644 --- a/clusters/cl01tl/manifests/cilium/ClusterRole-cilium.yaml +++ b/clusters/cl01tl/manifests/cilium/ClusterRole-cilium.yaml @@ -45,7 +45,6 @@ rules: - cilium.io resources: - ciliumloadbalancerippools - - ciliumbgppeeringpolicies - ciliumbgpnodeconfigs - ciliumbgpadvertisements - ciliumbgppeerconfigs diff --git a/clusters/cl01tl/manifests/cilium/ClusterRole-hubble-ui.yaml b/clusters/cl01tl/manifests/cilium/ClusterRole-hubble-ui.yaml index 8d8d0f775..722067efd 100644 --- a/clusters/cl01tl/manifests/cilium/ClusterRole-hubble-ui.yaml +++ b/clusters/cl01tl/manifests/cilium/ClusterRole-hubble-ui.yaml @@ -5,14 +5,6 @@ metadata: labels: app.kubernetes.io/part-of: cilium rules: - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch - apiGroups: - "" resources: @@ -34,11 +26,3 @@ rules: - get - list - watch - - apiGroups: - - cilium.io - resources: - - "*" - verbs: - - get - - list - - watch 
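Review bot: The new `discovery.k8s.io` rule in the first hunk gives the operator cluster-wide `create`/`update`/`delete`/`patch` on EndpointSlices, and the `@@ -274` hunk adds `deletecollection` on `ciliumendpointslices`; both widen the operator's privileges in a PR described only as an automated re-render, so the reason (presumably EndpointSlice management in the 1.19 operator) should be recorded in the PR description or the chart values it was rendered from rather than left implicit. The `@@ -166` and `@@ -192` hunks, together with the `ClusterRole-cilium.yaml` hunk, drop `ciliumbgppeeringpolicies` from `resourceNames` and `resources`, so any remaining `CiliumBGPPeeringPolicy` objects become unmanageable by operator and agent once applied; run `kubectl get ciliumbgppeeringpolicies -A` before merging and migrate any that exist. The `ClusterRole-hubble-ui` hunks remove the `networkpolicies` read and the `cilium.io` `"*"` read — a tightening, but one worth marking as intentional in the description so it is not mistaken for a rendering regression.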
diff --git a/clusters/cl01tl/manifests/cilium/ConfigMap-cilium-config.yaml b/clusters/cl01tl/manifests/cilium/ConfigMap-cilium-config.yaml index c9160598b..f7c7addd0 100644 --- a/clusters/cl01tl/manifests/cilium/ConfigMap-cilium-config.yaml +++ b/clusters/cl01tl/manifests/cilium/ConfigMap-cilium-config.yaml @@ -57,11 +57,13 @@ data: tunnel-protocol: "vxlan" tunnel-source-port-range: "0-0" service-no-backend-response: "reject" + policy-deny-response: "none" enable-l7-proxy: "true" enable-ipv4-masquerade: "true" enable-ipv4-big-tcp: "false" enable-ipv6-big-tcp: "false" enable-ipv6-masquerade: "true" + enable-tunnel-big-tcp: "false" enable-tcx: "true" datapath-mode: "veth" enable-masquerade-to-route-source: "false" @@ -73,6 +75,7 @@ data: devices: "end0 enp6s0" kube-proxy-replacement: "true" kube-proxy-replacement-healthz-bind-address: "" + enable-no-service-endpoints-routable: "true" bpf-lb-sock: "true" bpf-lb-sock-hostns-only: "true" enable-health-check-nodeport: "true" @@ -80,7 +83,6 @@ data: node-port-bind-protection: "true" enable-auto-protect-node-port-range: "true" bpf-lb-acceleration: "disabled" - enable-svc-source-range-check: "true" enable-l2-neigh-discovery: "false" k8s-require-ipv4-pod-cidr: "false" k8s-require-ipv6-pod-cidr: "false" @@ -113,7 +115,7 @@ data: vtep-cidr: "" vtep-mask: "" vtep-mac: "" - enable-k8s-endpoint-slice: "true" + packetization-layer-pmtud-mode: "blackhole" procfs: "/host/proc" bpf-root: "/sys/fs/bpf" cgroup-root: "/sys/fs/cgroup" @@ -126,7 +128,7 @@ data: remove-cilium-node-taints: "true" set-cilium-node-taints: "true" set-cilium-is-up-condition: "true" - unmanaged-pod-watcher-interval: "15" + unmanaged-pod-watcher-interval: "15s" dnsproxy-enable-transparent-mode: "true" dnsproxy-socket-linger-timeout: "10" tofqdns-dns-reject-response-code: "refused" 
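Review bot: The `@@ -80,7 +83,6` hunk drops `enable-svc-source-range-check: "true"` with no replacement key in this render, so enforcement of `loadBalancerSourceRanges` on Services now depends on the 1.19 agent's default for that option; confirm the default is still enabled (or that the key was renamed upstream) before this reaches the cluster, because a silent loss of source-range filtering would not show up in any probe. The new `policy-deny-response: "none"` and `enable-no-service-endpoints-routable: "true"` keys are datapath behaviour changes the PR description does not mention; a one-line pointer to the chart version bump that introduced them would help the next reviewer. The `@@ -113` hunk replaces `enable-k8s-endpoint-slice` with `packetization-layer-pmtud-mode: "blackhole"` on the same line — presumably a removed option and a new default coinciding, but the two should be confirmed separately.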
@@ -137,7 +139,7 @@ data: tofqdns-proxy-response-max-delay: "100ms" tofqdns-preallocate-identities: "true" agent-not-ready-taint-key: "node.cilium.io/agent-not-ready" - mesh-auth-enabled: "true" + mesh-auth-enabled: "false" mesh-auth-queue-size: "1024" mesh-auth-rotated-identities-queue-size: "1024" mesh-auth-gc-interval: "5m0s" @@ -145,10 +147,14 @@ data: proxy-xff-num-trusted-hops-egress: "0" proxy-connect-timeout: "2" proxy-initial-fetch-timeout: "30" + proxy-max-active-downstream-connections: "50000" proxy-max-requests-per-connection: "0" proxy-max-connection-duration-seconds: "0" proxy-idle-timeout-seconds: "60" proxy-max-concurrent-retries: "128" + proxy-use-original-source-address: "true" + proxy-cluster-max-connections: "1024" + proxy-cluster-max-requests: "1024" http-retry-count: "3" http-stream-idle-timeout: "300" external-envoy-proxy: "true" @@ -156,12 +162,13 @@ data: envoy-access-log-buffer-size: "4096" envoy-keep-cap-netbindservice: "true" max-connected-clusters: "255" + clustermesh-cache-ttl: "0s" clustermesh-enable-endpoint-sync: "false" clustermesh-enable-mcs-api: "false" - policy-default-local-cluster: "false" + clustermesh-mcs-api-install-crds: "true" + policy-default-local-cluster: "true" nat-map-stats-entries: "32" nat-map-stats-interval: "30s" - enable-internal-traffic-policy: "true" enable-lb-ipam: "true" enable-non-default-deny-policies: "true" enable-source-ip-verification: "true" diff --git a/clusters/cl01tl/manifests/cilium/CronJob-hubble-generate-certs.yaml b/clusters/cl01tl/manifests/cilium/CronJob-hubble-generate-certs.yaml index 02432a5d9..d0b5d05cc 100644 --- a/clusters/cl01tl/manifests/cilium/CronJob-hubble-generate-certs.yaml +++ b/clusters/cl01tl/manifests/cilium/CronJob-hubble-generate-certs.yaml @@ -9,6 +9,8 @@ metadata: app.kubernetes.io/part-of: cilium spec: schedule: "0 0 1 */4 *" + successfulJobsHistoryLimit: 3 + failedJobsHistoryLimit: 1 concurrencyPolicy: Forbid jobTemplate: spec: 
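Review bot: `mesh-auth-enabled` flips from `"true"` to `"false"` in the `@@ -137` hunk, disabling Cilium mutual authentication on the agent; any CiliumNetworkPolicy that relies on `authentication.mode: required` would no longer be enforced as intended, so this needs an explicit decision rather than arriving as part of an automated re-render (it may be a changed chart default in 1.19 rather than a values change — check the source values). `policy-default-local-cluster` also changes to `"true"` in the `@@ -156` hunk, altering how policies without a cluster selector match in a cluster-mesh context; with `clustermesh-enable-endpoint-sync: "false"` visible here the practical impact is likely nil, but it should be noted. The removal of `enable-internal-traffic-policy: "true"` follows the same pattern as the dropped source-range check earlier in this file: confirm the 1.19 default before relying on it.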
@@ -22,7 +24,7 @@ spec: type: RuntimeDefault containers: - name: certgen - image: "quay.io/cilium/certgen:v0.3.1@sha256:2825dbfa6f89cbed882fd1d81e46a56c087e35885825139923aa29eb8aec47a9" + image: "quay.io/cilium/certgen:v0.3.2@sha256:19921f48ee7e2295ea4dca955878a6cd8d70e6d4219d08f688e866ece9d95d4d" imagePullPolicy: IfNotPresent securityContext: capabilities: @@ -63,9 +65,6 @@ spec: - client auth validity: 8760h hostNetwork: false - serviceAccount: "hubble-generate-certs" serviceAccountName: "hubble-generate-certs" automountServiceAccountToken: true restartPolicy: OnFailure - affinity: - ttlSecondsAfterFinished: 1800 diff --git a/clusters/cl01tl/manifests/cilium/DaemonSet-cilium-envoy.yaml b/clusters/cl01tl/manifests/cilium/DaemonSet-cilium-envoy.yaml index 5e7fc72c8..7847840a5 100644 --- a/clusters/cl01tl/manifests/cilium/DaemonSet-cilium-envoy.yaml +++ b/clusters/cl01tl/manifests/cilium/DaemonSet-cilium-envoy.yaml @@ -30,7 +30,7 @@ spec: type: Unconfined containers: - name: cilium-envoy - image: "quay.io/cilium/cilium-envoy:v1.35.9-1767794330-db497dd19e346b39d81d7b5c0dedf6c812bcc5c9@sha256:81398e449f2d3d0a6a70527e4f641aaa685d3156bea0bb30712fae3fd8822b86" + image: "quay.io/cilium/cilium-envoy:v1.35.9-1768828720-c6e4827ebca9c47af2a3a6540c563c30947bae29@sha256:696582a3391ce05a62edb4140e6a99f774351f363f5b5d7f1581f3a244430249" imagePullPolicy: IfNotPresent command: - /usr/bin/cilium-envoy-starter diff --git a/clusters/cl01tl/manifests/cilium/DaemonSet-cilium.yaml b/clusters/cl01tl/manifests/cilium/DaemonSet-cilium.yaml index ddb17c491..22bd86c51 100644 --- a/clusters/cl01tl/manifests/cilium/DaemonSet-cilium.yaml +++ b/clusters/cl01tl/manifests/cilium/DaemonSet-cilium.yaml 
@@ -18,7 +18,7 @@ spec: template: metadata: annotations: - cilium.io/cilium-configmap-checksum: "31ad7748e0aefe75b6436d96c8c85754e0b44e68e6012fa188bc5bcd66085828" + cilium.io/cilium-configmap-checksum: "9353df2d60b1fc5f552e5a2b44bb26b18afa3934939b033438f85fb57e1a0b50" kubectl.kubernetes.io/default-container: cilium-agent labels: k8s-app: cilium @@ -32,7 +32,7 @@ spec: type: Unconfined containers: - name: cilium-agent - image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4" + image: "quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60" imagePullPolicy: IfNotPresent command: - cilium-agent @@ -42,7 +42,7 @@ spec: httpGet: host: "127.0.0.1" path: /healthz - port: 9879 + port: health scheme: HTTP httpHeaders: - name: "brief" @@ -55,7 +55,7 @@ spec: httpGet: host: "127.0.0.1" path: /healthz - port: 9879 + port: health scheme: HTTP httpHeaders: - name: "brief" @@ -70,7 +70,7 @@ spec: httpGet: host: "127.0.0.1" path: /healthz - port: 9879 + port: health scheme: HTTP httpHeaders: - name: "brief" @@ -136,6 +136,10 @@ spec: command: - /cni-uninstall.sh ports: + - name: health + containerPort: 9879 + hostPort: 9879 + protocol: TCP - name: peer-service containerPort: 4244 hostPort: 4244 @@ -201,7 +205,7 @@ spec: mountPath: /tmp initContainers: - name: config - image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4" + image: "quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60" imagePullPolicy: IfNotPresent command: - cilium-dbg 
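Review bot: The `@@ -136` hunk adds a `health` container port with `hostPort: 9879` and the three probes now reference it by name; the probes target `host: "127.0.0.1"`, so exposure is unchanged only if the agent's health listener binds loopback — confirm that for 1.19 rather than assume it, since a `hostPort` on a host-network pod documents the port but does not restrict who can reach it. The same pattern appears in the `@@ -63,6 +63,9` hunk of `Deployment-cilium-operator.yaml` (`health` port 9234 with `hostPort: 9234`). Whether these pods use `hostNetwork: true` is not visible in the hunks; that part is inferred from the existing `hostPort: 4244` on `peer-service`.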
@@ -225,8 +229,14 @@ spec: - name: tmp mountPath: /tmp terminationMessagePolicy: FallbackToLogsOnError + securityContext: + capabilities: + add: + - NET_ADMIN + drop: + - ALL - name: apply-sysctl-overwrites - image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4" + image: "quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60" imagePullPolicy: IfNotPresent env: - name: BIN_PATH @@ -256,7 +266,7 @@ spec: drop: - ALL - name: mount-bpf-fs - image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4" + image: "quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60" imagePullPolicy: IfNotPresent args: - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf' @@ -272,7 +282,7 @@ spec: mountPath: /sys/fs/bpf mountPropagation: Bidirectional - name: clean-cilium-state - image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4" + image: "quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60" imagePullPolicy: IfNotPresent command: - /init-container.sh @@ -320,11 +330,14 @@ spec: - name: cilium-run mountPath: /var/run/cilium - name: install-cni-binaries - image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4" + image: "quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60" imagePullPolicy: IfNotPresent command: - "/install-plugin.sh" resources: + limits: + cpu: 1 + memory: 1Gi requests: cpu: 100m memory: 10Mi diff --git a/clusters/cl01tl/manifests/cilium/Deployment-cilium-operator.yaml b/clusters/cl01tl/manifests/cilium/Deployment-cilium-operator.yaml index 0b7b32206..019c852e3 100644 --- a/clusters/cl01tl/manifests/cilium/Deployment-cilium-operator.yaml 
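Review bot: The `@@ -225` hunk grants the `config` init container `NET_ADMIN` through a new `securityContext`; that container runs `cilium-dbg` (its definition starts in the previous hunk), and nothing in the diff explains why a configuration-rendering step now needs a network-admin capability, so the upstream rationale should be checked and recorded rather than accepted from the re-render. The shape is right — `drop: ALL` with a single explicit `add` — and the new `limits` on `install-cni-binaries` (`cpu: 1`, `memory: 1Gi`) give that init step an upper bound consistent with its existing `requests`.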
+++ b/clusters/cl01tl/manifests/cilium/Deployment-cilium-operator.yaml @@ -22,7 +22,7 @@ spec: template: metadata: annotations: - cilium.io/cilium-configmap-checksum: "31ad7748e0aefe75b6436d96c8c85754e0b44e68e6012fa188bc5bcd66085828" + cilium.io/cilium-configmap-checksum: "9353df2d60b1fc5f552e5a2b44bb26b18afa3934939b033438f85fb57e1a0b50" labels: io.cilium/app: operator name: cilium-operator @@ -34,7 +34,7 @@ spec: type: RuntimeDefault containers: - name: cilium-operator - image: "quay.io/cilium/operator-generic:v1.18.6@sha256:34a827ce9ed021c8adf8f0feca131f53b3c54a3ef529053d871d0347ec4d69af" + image: "quay.io/cilium/operator-generic:v1.19.0@sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648" imagePullPolicy: IfNotPresent command: - cilium-operator-generic @@ -63,6 +63,9 @@ spec: - name: KUBERNETES_SERVICE_PORT value: "7445" ports: + - name: health + containerPort: 9234 + hostPort: 9234 - name: prometheus containerPort: 9963 hostPort: 9963 @@ -71,7 +74,7 @@ spec: httpGet: host: "127.0.0.1" path: /healthz - port: 9234 + port: health scheme: HTTP initialDelaySeconds: 60 periodSeconds: 10 @@ -80,7 +83,7 @@ spec: httpGet: host: "127.0.0.1" path: /healthz - port: 9234 + port: health scheme: HTTP initialDelaySeconds: 0 periodSeconds: 5 diff --git a/clusters/cl01tl/manifests/cilium/Deployment-hubble-relay.yaml b/clusters/cl01tl/manifests/cilium/Deployment-hubble-relay.yaml index 98982dc55..abeb57bbd 100644 --- a/clusters/cl01tl/manifests/cilium/Deployment-hubble-relay.yaml +++ b/clusters/cl01tl/manifests/cilium/Deployment-hubble-relay.yaml @@ -40,7 +40,7 @@ spec: runAsUser: 65532 seccompProfile: type: RuntimeDefault - image: "quay.io/cilium/hubble-relay:v1.18.6@sha256:fb6135e34c31e5f175cb5e75f86cea52ef2ff12b49bcefb7088ed93f5009eb8e" + image: "quay.io/cilium/hubble-relay:v1.19.0@sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4" imagePullPolicy: IfNotPresent command: - hubble-relay 
diff --git a/clusters/cl01tl/manifests/cilium/Deployment-hubble-ui.yaml b/clusters/cl01tl/manifests/cilium/Deployment-hubble-ui.yaml index 462ab14ad..30534a15f 100644 --- a/clusters/cl01tl/manifests/cilium/Deployment-hubble-ui.yaml +++ b/clusters/cl01tl/manifests/cilium/Deployment-hubble-ui.yaml @@ -41,11 +41,11 @@ spec: livenessProbe: httpGet: path: /healthz - port: 8081 + port: http readinessProbe: httpGet: path: / - port: 8081 + port: http volumeMounts: - name: hubble-ui-nginx-conf mountPath: /etc/nginx/conf.d/default.conf @@ -77,5 +77,5 @@ spec: defaultMode: 420 name: hubble-ui-nginx name: hubble-ui-nginx-conf - - emptyDir: {} - name: tmp-dir + - name: tmp-dir + emptyDir: {} diff --git a/clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs.yaml b/clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs-e8c5d08cb8.yaml similarity index 86% rename from clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs.yaml rename to clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs-e8c5d08cb8.yaml index f86c46f73..a37b3dc62 100644 --- a/clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs.yaml +++ b/clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs-e8c5d08cb8.yaml @@ -1,14 +1,12 @@ apiVersion: batch/v1 kind: Job metadata: - name: hubble-generate-certs + name: hubble-generate-certs-e8c5d08cb8 namespace: kube-system labels: k8s-app: hubble-generate-certs app.kubernetes.io/name: hubble-generate-certs app.kubernetes.io/part-of: cilium - annotations: - "helm.sh/hook": post-install,post-upgrade spec: template: metadata: @@ -20,7 +18,7 @@ spec: type: RuntimeDefault containers: - name: certgen - image: "quay.io/cilium/certgen:v0.3.1@sha256:2825dbfa6f89cbed882fd1d81e46a56c087e35885825139923aa29eb8aec47a9" + image: "quay.io/cilium/certgen:v0.3.2@sha256:19921f48ee7e2295ea4dca955878a6cd8d70e6d4219d08f688e866ece9d95d4d" imagePullPolicy: IfNotPresent securityContext: capabilities: 
@@ -61,9 +59,6 @@ spec: - client auth validity: 8760h hostNetwork: false - serviceAccount: "hubble-generate-certs" serviceAccountName: "hubble-generate-certs" automountServiceAccountToken: true restartPolicy: OnFailure - affinity: - ttlSecondsAfterFinished: 1800 diff --git a/clusters/cl01tl/manifests/cilium/Role-cilium-operator-ztunnel.yaml b/clusters/cl01tl/manifests/cilium/Role-cilium-operator-ztunnel.yaml new file mode 100644 index 000000000..043bbdec2 --- /dev/null +++ b/clusters/cl01tl/manifests/cilium/Role-cilium-operator-ztunnel.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cilium-operator-ztunnel + namespace: kube-system + labels: + app.kubernetes.io/part-of: cilium +rules: + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - create + - delete + - get + - list + - watch diff --git a/clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-ztunnel.yaml b/clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-ztunnel.yaml new file mode 100644 index 000000000..0911f31b6 --- /dev/null +++ b/clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-ztunnel.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cilium-operator-ztunnel + namespace: kube-system + labels: + app.kubernetes.io/part-of: cilium +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-ztunnel +subjects: + - kind: ServiceAccount + name: "cilium-operator" + namespace: kube-system diff --git a/clusters/cl01tl/manifests/cilium/Service-cilium-envoy.yaml b/clusters/cl01tl/manifests/cilium/Service-cilium-envoy.yaml index 8b56e9ecd..5113391a4 100644 --- a/clusters/cl01tl/manifests/cilium/Service-cilium-envoy.yaml +++ b/clusters/cl01tl/manifests/cilium/Service-cilium-envoy.yaml @@ -17,4 +17,4 @@ spec: - name: envoy-metrics port: 9964 protocol: TCP - targetPort: envoy-metrics + targetPort: 9964
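Review bot: `ttlSecondsAfterFinished: 1800` is removed from the Job in the `@@ -61` hunk and nothing in this render replaces it; combined with the hash-suffixed name introduced in the rename hunk of the same file (`hubble-generate-certs-e8c5d08cb8`), each re-render that changes the Job creates a new object, and completed Jobs and their pods will persist until the GitOps tool prunes them. Confirm pruning is enabled for this path, or carry `ttlSecondsAfterFinished` in the chart values so the rendered Job keeps it. Dropping the redundant `serviceAccount` alias in favour of `serviceAccountName`, and the bare `affinity:` key, is fine.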
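Review bot: The new `Role-cilium-operator-ztunnel.yaml` lets the `cilium-operator` ServiceAccount `create` and `delete` any DaemonSet in `kube-system`, which is in effect the ability to schedule a workload on every node; if the ztunnel integration this supports is not in use on this cluster (nothing in the rendered ConfigMap hunks indicates it is), the Role and its RoleBinding could be left unrendered via the chart values. If the feature is in use, `get`/`list`/`watch`/`delete` can be narrowed to the DaemonSet the operator manages, e.g. `resourceNames: ["<ztunnel-daemonset-name>"]` (placeholder), whereas `create` cannot be name-restricted by RBAC and stays as written. The binding itself is correctly namespace-scoped and labelled; the concern is only the breadth of the rule.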