alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 3 Actions 2 Activity

chore: Update manifests after change

Browse Source
This commit is contained in:
Gitea
2026-05-10 22:18:28 +00:00
parent 3381451977
commit 4b5c394d28
19 changed files with 118 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
clusters/cl01tl/manifests/cilium/ClusterRole-cilium-operator.yaml
View File

@@ -73,6 +73,18 @@ rules:
- update - update
- delete - delete
- patch - patch
- apiGroups:
- "discovery.k8s.io"
resources:
- endpointslices
verbs:
- get
- list
- watch
- create
- update
- delete
- patch
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
@@ -166,7 +178,6 @@ rules:
- update - update
resourceNames: resourceNames:
- ciliumloadbalancerippools.cilium.io - ciliumloadbalancerippools.cilium.io
- ciliumbgppeeringpolicies.cilium.io
- ciliumbgpclusterconfigs.cilium.io - ciliumbgpclusterconfigs.cilium.io
- ciliumbgppeerconfigs.cilium.io - ciliumbgppeerconfigs.cilium.io
- ciliumbgpadvertisements.cilium.io - ciliumbgpadvertisements.cilium.io
@@ -192,7 +203,6 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumpodippools - ciliumpodippools
- ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs - ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides - ciliumbgpnodeconfigoverrides
- ciliumbgppeerconfigs - ciliumbgppeerconfigs
@@ -274,3 +284,9 @@ rules:
- get - get
- list - list
- watch - watch
- apiGroups:
- cilium.io
resources:
- ciliumendpointslices
verbs:
- deletecollection

1
clusters/cl01tl/manifests/cilium/ClusterRole-cilium.yaml
View File

@@ -45,7 +45,6 @@ rules:
- cilium.io - cilium.io
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumbgppeeringpolicies
- ciliumbgpnodeconfigs - ciliumbgpnodeconfigs
- ciliumbgpadvertisements - ciliumbgpadvertisements
- ciliumbgppeerconfigs - ciliumbgppeerconfigs

16
clusters/cl01tl/manifests/cilium/ClusterRole-hubble-ui.yaml
View File

@@ -5,14 +5,6 @@ metadata:
labels: labels:
app.kubernetes.io/part-of: cilium app.kubernetes.io/part-of: cilium
rules: rules:
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
@@ -34,11 +26,3 @@ rules:
- get - get
- list - list
- watch - watch
- apiGroups:
- cilium.io
resources:
- "*"
verbs:
- get
- list
- watch

22
clusters/cl01tl/manifests/cilium/ConfigMap-cilium-config.yaml
View File

@@ -25,7 +25,7 @@ data:
enable-gateway-api-alpn: "true" enable-gateway-api-alpn: "true"
gateway-api-xff-num-trusted-hops: "0" gateway-api-xff-num-trusted-hops: "0"
gateway-api-service-externaltrafficpolicy: "Cluster" gateway-api-service-externaltrafficpolicy: "Cluster"
gateway-api-secrets-namespace: "kube-system" gateway-api-secrets-namespace: "cilium-secrets"
gateway-api-hostnetwork-enabled: "false" gateway-api-hostnetwork-enabled: "false"
gateway-api-hostnetwork-nodelabelselector: "" gateway-api-hostnetwork-nodelabelselector: ""
enable-policy-secrets-sync: "true" enable-policy-secrets-sync: "true"
@@ -58,6 +58,7 @@ data:
tunnel-protocol: "vxlan" tunnel-protocol: "vxlan"
tunnel-source-port-range: "0-0" tunnel-source-port-range: "0-0"
service-no-backend-response: "reject" service-no-backend-response: "reject"
policy-deny-response: "none"
enable-l7-proxy: "true" enable-l7-proxy: "true"
enable-ipv4-masquerade: "true" enable-ipv4-masquerade: "true"
enable-ipv4-big-tcp: "false" enable-ipv4-big-tcp: "false"
@@ -74,6 +75,7 @@ data:
devices: "end0 enp6s0" devices: "end0 enp6s0"
kube-proxy-replacement: "true" kube-proxy-replacement: "true"
kube-proxy-replacement-healthz-bind-address: "" kube-proxy-replacement-healthz-bind-address: ""
enable-no-service-endpoints-routable: "true"
bpf-lb-sock: "true" bpf-lb-sock: "true"
bpf-lb-sock-hostns-only: "true" bpf-lb-sock-hostns-only: "true"
enable-health-check-nodeport: "true" enable-health-check-nodeport: "true"
@@ -81,7 +83,7 @@ data:
node-port-bind-protection: "true" node-port-bind-protection: "true"
enable-auto-protect-node-port-range: "true" enable-auto-protect-node-port-range: "true"
bpf-lb-acceleration: "disabled" bpf-lb-acceleration: "disabled"
enable-svc-source-range-check: "true" enable-service-topology: "false"
enable-l2-neigh-discovery: "false" enable-l2-neigh-discovery: "false"
k8s-require-ipv4-pod-cidr: "false" k8s-require-ipv4-pod-cidr: "false"
k8s-require-ipv6-pod-cidr: "false" k8s-require-ipv6-pod-cidr: "false"
@@ -114,6 +116,7 @@ data:
vtep-cidr: "" vtep-cidr: ""
vtep-mask: "" vtep-mask: ""
vtep-mac: "" vtep-mac: ""
packetization-layer-pmtud-mode: "blackhole"
procfs: "/host/proc" procfs: "/host/proc"
bpf-root: "/sys/fs/bpf" bpf-root: "/sys/fs/bpf"
cgroup-root: "/sys/fs/cgroup" cgroup-root: "/sys/fs/cgroup"
@@ -126,7 +129,7 @@ data:
remove-cilium-node-taints: "true" remove-cilium-node-taints: "true"
set-cilium-node-taints: "true" set-cilium-node-taints: "true"
set-cilium-is-up-condition: "true" set-cilium-is-up-condition: "true"
unmanaged-pod-watcher-interval: "15" unmanaged-pod-watcher-interval: "15s"
dnsproxy-enable-transparent-mode: "true" dnsproxy-enable-transparent-mode: "true"
dnsproxy-socket-linger-timeout: "10" dnsproxy-socket-linger-timeout: "10"
tofqdns-dns-reject-response-code: "refused" tofqdns-dns-reject-response-code: "refused"
@@ -137,7 +140,7 @@ data:
tofqdns-proxy-response-max-delay: "100ms" tofqdns-proxy-response-max-delay: "100ms"
tofqdns-preallocate-identities: "true" tofqdns-preallocate-identities: "true"
agent-not-ready-taint-key: "node.cilium.io/agent-not-ready" agent-not-ready-taint-key: "node.cilium.io/agent-not-ready"
mesh-auth-enabled: "true" mesh-auth-enabled: "false"
mesh-auth-queue-size: "1024" mesh-auth-queue-size: "1024"
mesh-auth-rotated-identities-queue-size: "1024" mesh-auth-rotated-identities-queue-size: "1024"
mesh-auth-gc-interval: "5m0s" mesh-auth-gc-interval: "5m0s"
@@ -145,10 +148,14 @@ data:
proxy-xff-num-trusted-hops-egress: "0" proxy-xff-num-trusted-hops-egress: "0"
proxy-connect-timeout: "2" proxy-connect-timeout: "2"
proxy-initial-fetch-timeout: "30" proxy-initial-fetch-timeout: "30"
proxy-max-active-downstream-connections: "50000"
proxy-max-requests-per-connection: "0" proxy-max-requests-per-connection: "0"
proxy-max-connection-duration-seconds: "0" proxy-max-connection-duration-seconds: "0"
proxy-idle-timeout-seconds: "60" proxy-idle-timeout-seconds: "60"
proxy-max-concurrent-retries: "128" proxy-max-concurrent-retries: "128"
proxy-use-original-source-address: "true"
proxy-cluster-max-connections: "1024"
proxy-cluster-max-requests: "1024"
http-retry-count: "3" http-retry-count: "3"
http-stream-idle-timeout: "300" http-stream-idle-timeout: "300"
external-envoy-proxy: "true" external-envoy-proxy: "true"
@@ -156,12 +163,15 @@ data:
envoy-access-log-buffer-size: "4096" envoy-access-log-buffer-size: "4096"
envoy-keep-cap-netbindservice: "true" envoy-keep-cap-netbindservice: "true"
max-connected-clusters: "255" max-connected-clusters: "255"
clustermesh-cache-ttl: "0s"
clustermesh-enable-endpoint-sync: "false" clustermesh-enable-endpoint-sync: "false"
clustermesh-enable-mcs-api: "false" clustermesh-enable-mcs-api: "false"
policy-default-local-cluster: "false" clustermesh-mcs-api-install-crds: "true"
policy-default-local-cluster: "true"
nat-map-stats-entries: "32" nat-map-stats-entries: "32"
nat-map-stats-interval: "30s" nat-map-stats-interval: "30s"
enable-internal-traffic-policy: "true"
enable-lb-ipam: "true" enable-lb-ipam: "true"
enable-non-default-deny-policies: "true" enable-non-default-deny-policies: "true"
enable-source-ip-verification: "true" enable-source-ip-verification: "true"
enable-dynamic-config: "true"
enable-drift-checker: "true"

2
clusters/cl01tl/manifests/cilium/ConfigMap-cilium-envoy-config.yaml
View File

File diff suppressed because one or more lines are too long

7
clusters/cl01tl/manifests/cilium/CronJob-hubble-generate-certs.yaml
View File

@@ -9,6 +9,8 @@ metadata:
app.kubernetes.io/part-of: cilium app.kubernetes.io/part-of: cilium
spec: spec:
schedule: "0 0 1 */4 *" schedule: "0 0 1 */4 *"
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 1
concurrencyPolicy: Forbid concurrencyPolicy: Forbid
jobTemplate: jobTemplate:
spec: spec:
@@ -22,7 +24,7 @@ spec:
type: RuntimeDefault type: RuntimeDefault
containers: containers:
- name: certgen - name: certgen
image: "quay.io/cilium/certgen:v0.3.1@sha256:2825dbfa6f89cbed882fd1d81e46a56c087e35885825139923aa29eb8aec47a9" image: "quay.io/cilium/certgen:v0.4.1@sha256:f0c656830e856d26b24b0e144df1f8b327d3b46748d76a630514111fc365b697"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
securityContext: securityContext:
capabilities: capabilities:
@@ -63,9 +65,6 @@ spec:
- client auth - client auth
validity: 8760h validity: 8760h
hostNetwork: false hostNetwork: false
serviceAccount: "hubble-generate-certs"
serviceAccountName: "hubble-generate-certs" serviceAccountName: "hubble-generate-certs"
automountServiceAccountToken: true automountServiceAccountToken: true
restartPolicy: OnFailure restartPolicy: OnFailure
affinity:
ttlSecondsAfterFinished: 1800

2
clusters/cl01tl/manifests/cilium/DaemonSet-cilium-envoy.yaml
View File

@@ -30,7 +30,7 @@ spec:
type: Unconfined type: Unconfined
containers: containers:
- name: cilium-envoy - name: cilium-envoy
image: "quay.io/cilium/cilium-envoy:v1.35.9-1767794330-db497dd19e346b39d81d7b5c0dedf6c812bcc5c9@sha256:81398e449f2d3d0a6a70527e4f641aaa685d3156bea0bb30712fae3fd8822b86" image: "quay.io/cilium/cilium-envoy:v1.36.6-1776000132-2437d2edeaf4d9b56ef279bd0d71127440c067aa@sha256:ba0ab8adac082d50d525fd2c5ba096c8facea3a471561b7c61c7a5b9c2e0de0d"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
- /usr/bin/cilium-envoy-starter - /usr/bin/cilium-envoy-starter

40
clusters/cl01tl/manifests/cilium/DaemonSet-cilium.yaml
View File

@@ -18,7 +18,7 @@ spec:
template: template:
metadata: metadata:
annotations: annotations:
cilium.io/cilium-configmap-checksum: "6c5e6123b63f6fc449922e9eb9bd248afa8fd228d8083cc40c920fff386079bb" cilium.io/cilium-configmap-checksum: "501f8d2dbdd40925853054c7e3add60e203bb04219e79fec25ccf1a4cbc0e5d5"
kubectl.kubernetes.io/default-container: cilium-agent kubectl.kubernetes.io/default-container: cilium-agent
labels: labels:
k8s-app: cilium k8s-app: cilium
@@ -32,7 +32,7 @@ spec:
type: Unconfined type: Unconfined
containers: containers:
- name: cilium-agent - name: cilium-agent
image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4" image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
- cilium-agent - cilium-agent
@@ -42,7 +42,7 @@ spec:
httpGet: httpGet:
host: "127.0.0.1" host: "127.0.0.1"
path: /healthz path: /healthz
port: 9879 port: health
scheme: HTTP scheme: HTTP
httpHeaders: httpHeaders:
- name: "brief" - name: "brief"
@@ -55,7 +55,7 @@ spec:
httpGet: httpGet:
host: "127.0.0.1" host: "127.0.0.1"
path: /healthz path: /healthz
port: 9879 port: health
scheme: HTTP scheme: HTTP
httpHeaders: httpHeaders:
- name: "brief" - name: "brief"
@@ -70,7 +70,7 @@ spec:
httpGet: httpGet:
host: "127.0.0.1" host: "127.0.0.1"
path: /healthz path: /healthz
port: 9879 port: health
scheme: HTTP scheme: HTTP
httpHeaders: httpHeaders:
- name: "brief" - name: "brief"
@@ -136,6 +136,10 @@ spec:
command: command:
- /cni-uninstall.sh - /cni-uninstall.sh
ports: ports:
- name: health
containerPort: 9879
hostPort: 9879
protocol: TCP
- name: peer-service - name: peer-service
containerPort: 4244 containerPort: 4244
hostPort: 4244 hostPort: 4244
@@ -155,14 +159,14 @@ spec:
- NET_ADMIN - NET_ADMIN
- NET_RAW - NET_RAW
- IPC_LOCK - IPC_LOCK
- SYS_MODULE
- SYS_ADMIN - SYS_ADMIN
- SYS_RESOURCE - SYS_RESOURCE
- DAC_OVERRIDE - DAC_OVERRIDE
- FOWNER - FOWNER
- SETGID - SETGID
- SETUID - SETUID
- PERFMON - SYSLOG
- BPF
drop: drop:
- ALL - ALL
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
@@ -201,7 +205,7 @@ spec:
mountPath: /tmp mountPath: /tmp
initContainers: initContainers:
- name: config - name: config
image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4" image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
- cilium-dbg - cilium-dbg
@@ -225,14 +229,20 @@ spec:
- name: tmp - name: tmp
mountPath: /tmp mountPath: /tmp
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
securityContext:
capabilities:
add:
- NET_ADMIN
drop:
- ALL
- name: apply-sysctl-overwrites - name: apply-sysctl-overwrites
image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4" image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
env: env:
- name: BIN_PATH - name: BIN_PATH
value: /opt/cni/bin value: /opt/cni/bin
command: command:
- sh - bash
- -ec - -ec
- | - |
cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
@@ -256,7 +266,7 @@ spec:
drop: drop:
- ALL - ALL
- name: mount-bpf-fs - name: mount-bpf-fs
image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4" image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
args: args:
- 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf' - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf'
@@ -272,7 +282,7 @@ spec:
mountPath: /sys/fs/bpf mountPath: /sys/fs/bpf
mountPropagation: Bidirectional mountPropagation: Bidirectional
- name: clean-cilium-state - name: clean-cilium-state
image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4" image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
- /init-container.sh - /init-container.sh
@@ -307,6 +317,7 @@ spec:
capabilities: capabilities:
add: add:
- NET_ADMIN - NET_ADMIN
- SYS_MODULE
- SYS_ADMIN - SYS_ADMIN
- SYS_RESOURCE - SYS_RESOURCE
drop: drop:
@@ -320,11 +331,14 @@ spec:
- name: cilium-run - name: cilium-run
mountPath: /var/run/cilium mountPath: /var/run/cilium
- name: install-cni-binaries - name: install-cni-binaries
image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4" image: "quay.io/cilium/cilium:v1.19.3@sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
- "/install-plugin.sh" - "/install-plugin.sh"
resources: resources:
limits:
cpu: 1
memory: 1Gi
requests: requests:
cpu: 100m cpu: 100m
memory: 10Mi memory: 10Mi

11
clusters/cl01tl/manifests/cilium/Deployment-cilium-operator.yaml
View File

@@ -22,7 +22,7 @@ spec:
template: template:
metadata: metadata:
annotations: annotations:
cilium.io/cilium-configmap-checksum: "6c5e6123b63f6fc449922e9eb9bd248afa8fd228d8083cc40c920fff386079bb" cilium.io/cilium-configmap-checksum: "501f8d2dbdd40925853054c7e3add60e203bb04219e79fec25ccf1a4cbc0e5d5"
labels: labels:
io.cilium/app: operator io.cilium/app: operator
name: cilium-operator name: cilium-operator
@@ -34,7 +34,7 @@ spec:
type: RuntimeDefault type: RuntimeDefault
containers: containers:
- name: cilium-operator - name: cilium-operator
image: "quay.io/cilium/operator-generic:v1.18.6@sha256:34a827ce9ed021c8adf8f0feca131f53b3c54a3ef529053d871d0347ec4d69af" image: "quay.io/cilium/operator-generic:v1.19.3@sha256:205b09b0ed6accbf9fe688d312a9f0fcfc6a316fc081c23fbffb472af5dd62cd"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
- cilium-operator-generic - cilium-operator-generic
@@ -63,6 +63,9 @@ spec:
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "7445" value: "7445"
ports: ports:
- name: health
containerPort: 9234
hostPort: 9234
- name: prometheus - name: prometheus
containerPort: 9963 containerPort: 9963
hostPort: 9963 hostPort: 9963
@@ -71,7 +74,7 @@ spec:
httpGet: httpGet:
host: "127.0.0.1" host: "127.0.0.1"
path: /healthz path: /healthz
port: 9234 port: health
scheme: HTTP scheme: HTTP
initialDelaySeconds: 60 initialDelaySeconds: 60
periodSeconds: 10 periodSeconds: 10
@@ -80,7 +83,7 @@ spec:
httpGet: httpGet:
host: "127.0.0.1" host: "127.0.0.1"
path: /healthz path: /healthz
port: 9234 port: health
scheme: HTTP scheme: HTTP
initialDelaySeconds: 0 initialDelaySeconds: 0
periodSeconds: 5 periodSeconds: 5

2
clusters/cl01tl/manifests/cilium/Deployment-hubble-relay.yaml
View File

@@ -40,7 +40,7 @@ spec:
runAsUser: 65532 runAsUser: 65532
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
image: "quay.io/cilium/hubble-relay:v1.18.6@sha256:fb6135e34c31e5f175cb5e75f86cea52ef2ff12b49bcefb7088ed93f5009eb8e" image: "quay.io/cilium/hubble-relay:v1.19.3@sha256:5ee21d57b6ef2aa6db67e603a735fdceb162454b352b7335b651456e308f681b"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
- hubble-relay - hubble-relay

8
clusters/cl01tl/manifests/cilium/Deployment-hubble-ui.yaml
View File

@@ -41,11 +41,11 @@ spec:
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz
port: 8081 port: http
readinessProbe: readinessProbe:
httpGet: httpGet:
path: / path: /
port: 8081 port: http
volumeMounts: volumeMounts:
- name: hubble-ui-nginx-conf - name: hubble-ui-nginx-conf
mountPath: /etc/nginx/conf.d/default.conf mountPath: /etc/nginx/conf.d/default.conf
@@ -77,5 +77,5 @@ spec:
defaultMode: 420 defaultMode: 420
name: hubble-ui-nginx name: hubble-ui-nginx
name: hubble-ui-nginx-conf name: hubble-ui-nginx-conf
- emptyDir: {} - name: tmp-dir
name: tmp-dir emptyDir: {}

9
clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs.yaml → clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs-b36ef54b9b.yaml
View File

@@ -1,14 +1,12 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: hubble-generate-certs name: hubble-generate-certs-b36ef54b9b
namespace: kube-system namespace: kube-system
labels: labels:
k8s-app: hubble-generate-certs k8s-app: hubble-generate-certs
app.kubernetes.io/name: hubble-generate-certs app.kubernetes.io/name: hubble-generate-certs
app.kubernetes.io/part-of: cilium app.kubernetes.io/part-of: cilium
annotations:
"helm.sh/hook": post-install,post-upgrade
spec: spec:
template: template:
metadata: metadata:
@@ -20,7 +18,7 @@ spec:
type: RuntimeDefault type: RuntimeDefault
containers: containers:
- name: certgen - name: certgen
image: "quay.io/cilium/certgen:v0.3.1@sha256:2825dbfa6f89cbed882fd1d81e46a56c087e35885825139923aa29eb8aec47a9" image: "quay.io/cilium/certgen:v0.4.1@sha256:f0c656830e856d26b24b0e144df1f8b327d3b46748d76a630514111fc365b697"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
securityContext: securityContext:
capabilities: capabilities:
@@ -61,9 +59,6 @@ spec:
- client auth - client auth
validity: 8760h validity: 8760h
hostNetwork: false hostNetwork: false
serviceAccount: "hubble-generate-certs"
serviceAccountName: "hubble-generate-certs" serviceAccountName: "hubble-generate-certs"
automountServiceAccountToken: true automountServiceAccountToken: true
restartPolicy: OnFailure restartPolicy: OnFailure
affinity:
ttlSecondsAfterFinished: 1800

2
clusters/cl01tl/manifests/cilium/Role-cilium-gateway-secrets.yaml
View File

@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: cilium-gateway-secrets name: cilium-gateway-secrets
namespace: "kube-system" namespace: "cilium-secrets"
labels: labels:
app.kubernetes.io/part-of: cilium app.kubernetes.io/part-of: cilium
rules: rules:

2
clusters/cl01tl/manifests/cilium/Role-cilium-operator-gateway-secrets.yaml
View File

@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: cilium-operator-gateway-secrets name: cilium-operator-gateway-secrets
namespace: "kube-system" namespace: "cilium-secrets"
labels: labels:
app.kubernetes.io/part-of: cilium app.kubernetes.io/part-of: cilium
rules: rules:

18
clusters/cl01tl/manifests/cilium/Role-cilium-operator-ztunnel.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cilium-operator-ztunnel
namespace: kube-system
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- create
- delete
- get
- list
- watch

2
clusters/cl01tl/manifests/cilium/RoleBinding-cilium-gateway-secrets.yaml
View File

@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: cilium-gateway-secrets name: cilium-gateway-secrets
namespace: "kube-system" namespace: "cilium-secrets"
labels: labels:
app.kubernetes.io/part-of: cilium app.kubernetes.io/part-of: cilium
roleRef: roleRef:

2
clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-gateway-secrets.yaml
View File

@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: cilium-operator-gateway-secrets name: cilium-operator-gateway-secrets
namespace: "kube-system" namespace: "cilium-secrets"
labels: labels:
app.kubernetes.io/part-of: cilium app.kubernetes.io/part-of: cilium
roleRef: roleRef:

15
clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-ztunnel.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cilium-operator-ztunnel
namespace: kube-system
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cilium-operator-ztunnel
subjects:
- kind: ServiceAccount
name: "cilium-operator"
namespace: kube-system

2
clusters/cl01tl/manifests/cilium/Service-cilium-envoy.yaml
View File

@@ -17,4 +17,4 @@ spec:
- name: envoy-metrics - name: envoy-metrics
port: 9964 port: 9964
protocol: TCP protocol: TCP
targetPort: envoy-metrics targetPort: 9964