alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions 1 Activity

Automated Manifest Update (#3741)

Browse Source 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #3741
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
This commit was merged in pull request #3741.
This commit is contained in:
gitea-bot
2026-02-05 18:29:41 +00:00
committed by Alex Lebens
parent cdea8999c1
commit f8a652bc25
14 changed files with 57 additions and 106 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
clusters/cl01tl/manifests/cilium/ClusterRole-cilium-operator.yaml
View File

@@ -73,18 +73,6 @@ rules:
- update
- delete
- patch
- apiGroups:
- "discovery.k8s.io"
resources:
- endpointslices
verbs:
- get
- list
- watch
- create
- update
- delete
- patch
- apiGroups:
- cilium.io
resources:
@@ -178,6 +166,7 @@ rules:
- update
resourceNames:
- ciliumloadbalancerippools.cilium.io
- ciliumbgppeeringpolicies.cilium.io
- ciliumbgpclusterconfigs.cilium.io
- ciliumbgppeerconfigs.cilium.io
- ciliumbgpadvertisements.cilium.io
@@ -203,6 +192,7 @@ rules:
resources:
- ciliumloadbalancerippools
- ciliumpodippools
- ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides
- ciliumbgppeerconfigs
@@ -284,9 +274,3 @@ rules:
- get
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumendpointslices
verbs:
- deletecollection

1
clusters/cl01tl/manifests/cilium/ClusterRole-cilium.yaml
View File

@@ -45,6 +45,7 @@ rules:
- cilium.io
resources:
- ciliumloadbalancerippools
- ciliumbgppeeringpolicies
- ciliumbgpnodeconfigs
- ciliumbgpadvertisements
- ciliumbgppeerconfigs

16
clusters/cl01tl/manifests/cilium/ClusterRole-hubble-ui.yaml
View File

@@ -5,6 +5,14 @@ metadata:
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
@@ -26,3 +34,11 @@ rules:
- get
- list
- watch
- apiGroups:
- cilium.io
resources:
- "*"
verbs:
- get
- list
- watch

19
clusters/cl01tl/manifests/cilium/ConfigMap-cilium-config.yaml
View File

@@ -58,13 +58,11 @@ data:
tunnel-protocol: "vxlan"
tunnel-source-port-range: "0-0"
service-no-backend-response: "reject"
policy-deny-response: "none"
enable-l7-proxy: "true"
enable-ipv4-masquerade: "true"
enable-ipv4-big-tcp: "false"
enable-ipv6-big-tcp: "false"
enable-ipv6-masquerade: "true"
enable-tunnel-big-tcp: "false"
enable-tcx: "true"
datapath-mode: "veth"
enable-masquerade-to-route-source: "false"
@@ -76,7 +74,6 @@ data:
devices: "end0 enp6s0"
kube-proxy-replacement: "true"
kube-proxy-replacement-healthz-bind-address: ""
enable-no-service-endpoints-routable: "true"
bpf-lb-sock: "true"
bpf-lb-sock-hostns-only: "true"
enable-health-check-nodeport: "true"
@@ -84,6 +81,7 @@ data:
node-port-bind-protection: "true"
enable-auto-protect-node-port-range: "true"
bpf-lb-acceleration: "disabled"
enable-svc-source-range-check: "true"
enable-l2-neigh-discovery: "false"
k8s-require-ipv4-pod-cidr: "false"
k8s-require-ipv6-pod-cidr: "false"
@@ -116,7 +114,7 @@ data:
vtep-cidr: ""
vtep-mask: ""
vtep-mac: ""
packetization-layer-pmtud-mode: "blackhole"
enable-k8s-endpoint-slice: "true"
procfs: "/host/proc"
bpf-root: "/sys/fs/bpf"
cgroup-root: "/sys/fs/cgroup"
@@ -129,7 +127,7 @@ data:
remove-cilium-node-taints: "true"
set-cilium-node-taints: "true"
set-cilium-is-up-condition: "true"
unmanaged-pod-watcher-interval: "15s"
unmanaged-pod-watcher-interval: "15"
dnsproxy-enable-transparent-mode: "true"
dnsproxy-socket-linger-timeout: "10"
tofqdns-dns-reject-response-code: "refused"
@@ -140,7 +138,7 @@ data:
tofqdns-proxy-response-max-delay: "100ms"
tofqdns-preallocate-identities: "true"
agent-not-ready-taint-key: "node.cilium.io/agent-not-ready"
mesh-auth-enabled: "false"
mesh-auth-enabled: "true"
mesh-auth-queue-size: "1024"
mesh-auth-rotated-identities-queue-size: "1024"
mesh-auth-gc-interval: "5m0s"
@@ -148,14 +146,10 @@ data:
proxy-xff-num-trusted-hops-egress: "0"
proxy-connect-timeout: "2"
proxy-initial-fetch-timeout: "30"
proxy-max-active-downstream-connections: "50000"
proxy-max-requests-per-connection: "0"
proxy-max-connection-duration-seconds: "0"
proxy-idle-timeout-seconds: "60"
proxy-max-concurrent-retries: "128"
proxy-use-original-source-address: "true"
proxy-cluster-max-connections: "1024"
proxy-cluster-max-requests: "1024"
http-retry-count: "3"
http-stream-idle-timeout: "300"
external-envoy-proxy: "true"
@@ -163,13 +157,12 @@ data:
envoy-access-log-buffer-size: "4096"
envoy-keep-cap-netbindservice: "true"
max-connected-clusters: "255"
clustermesh-cache-ttl: "0s"
clustermesh-enable-endpoint-sync: "false"
clustermesh-enable-mcs-api: "false"
clustermesh-mcs-api-install-crds: "true"
policy-default-local-cluster: "true"
policy-default-local-cluster: "false"
nat-map-stats-entries: "32"
nat-map-stats-interval: "30s"
enable-internal-traffic-policy: "true"
enable-lb-ipam: "true"
enable-non-default-deny-policies: "true"
enable-source-ip-verification: "true"

7
clusters/cl01tl/manifests/cilium/CronJob-hubble-generate-certs.yaml
View File

@@ -9,8 +9,6 @@ metadata:
app.kubernetes.io/part-of: cilium
spec:
schedule: "0 0 1 */4 *"
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 1
concurrencyPolicy: Forbid
jobTemplate:
spec:
@@ -24,7 +22,7 @@ spec:
type: RuntimeDefault
containers:
- name: certgen
image: "quay.io/cilium/certgen:v0.3.2@sha256:19921f48ee7e2295ea4dca955878a6cd8d70e6d4219d08f688e866ece9d95d4d"
image: "quay.io/cilium/certgen:v0.3.1@sha256:2825dbfa6f89cbed882fd1d81e46a56c087e35885825139923aa29eb8aec47a9"
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
@@ -65,6 +63,9 @@ spec:
- client auth
validity: 8760h
hostNetwork: false
serviceAccount: "hubble-generate-certs"
serviceAccountName: "hubble-generate-certs"
automountServiceAccountToken: true
restartPolicy: OnFailure
affinity:
ttlSecondsAfterFinished: 1800

2
clusters/cl01tl/manifests/cilium/DaemonSet-cilium-envoy.yaml
View File

@@ -30,7 +30,7 @@ spec:
type: Unconfined
containers:
- name: cilium-envoy
image: "quay.io/cilium/cilium-envoy:v1.35.9-1768828720-c6e4827ebca9c47af2a3a6540c563c30947bae29@sha256:696582a3391ce05a62edb4140e6a99f774351f363f5b5d7f1581f3a244430249"
image: "quay.io/cilium/cilium-envoy:v1.35.9-1767794330-db497dd19e346b39d81d7b5c0dedf6c812bcc5c9@sha256:81398e449f2d3d0a6a70527e4f641aaa685d3156bea0bb30712fae3fd8822b86"
imagePullPolicy: IfNotPresent
command:
- /usr/bin/cilium-envoy-starter

33
clusters/cl01tl/manifests/cilium/DaemonSet-cilium.yaml
View File

@@ -18,7 +18,7 @@ spec:
template:
metadata:
annotations:
cilium.io/cilium-configmap-checksum: "4eee6b83c252f1939319a9a6b7c1f70e207fbd0285735985db7b2470bcfdd91c"
cilium.io/cilium-configmap-checksum: "9f67de7f01bb2bf87c953f3042be7aa5cb195bedc250957e485cd90aeb6c80ea"
kubectl.kubernetes.io/default-container: cilium-agent
labels:
k8s-app: cilium
@@ -32,7 +32,7 @@ spec:
type: Unconfined
containers:
- name: cilium-agent
image: "quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60"
image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4"
imagePullPolicy: IfNotPresent
command:
- cilium-agent
@@ -42,7 +42,7 @@ spec:
httpGet:
host: "127.0.0.1"
path: /healthz
port: health
port: 9879
scheme: HTTP
httpHeaders:
- name: "brief"
@@ -55,7 +55,7 @@ spec:
httpGet:
host: "127.0.0.1"
path: /healthz
port: health
port: 9879
scheme: HTTP
httpHeaders:
- name: "brief"
@@ -70,7 +70,7 @@ spec:
httpGet:
host: "127.0.0.1"
path: /healthz
port: health
port: 9879
scheme: HTTP
httpHeaders:
- name: "brief"
@@ -136,10 +136,6 @@ spec:
command:
- /cni-uninstall.sh
ports:
- name: health
containerPort: 9879
hostPort: 9879
protocol: TCP
- name: peer-service
containerPort: 4244
hostPort: 4244
@@ -205,7 +201,7 @@ spec:
mountPath: /tmp
initContainers:
- name: config
image: "quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60"
image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4"
imagePullPolicy: IfNotPresent
command:
- cilium-dbg
@@ -229,14 +225,8 @@ spec:
- name: tmp
mountPath: /tmp
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
capabilities:
add:
- NET_ADMIN
drop:
- ALL
- name: apply-sysctl-overwrites
image: "quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60"
image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4"
imagePullPolicy: IfNotPresent
env:
- name: BIN_PATH
@@ -266,7 +256,7 @@ spec:
drop:
- ALL
- name: mount-bpf-fs
image: "quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60"
image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4"
imagePullPolicy: IfNotPresent
args:
- 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf'
@@ -282,7 +272,7 @@ spec:
mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
- name: clean-cilium-state
image: "quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60"
image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4"
imagePullPolicy: IfNotPresent
command:
- /init-container.sh
@@ -330,14 +320,11 @@ spec:
- name: cilium-run
mountPath: /var/run/cilium
- name: install-cni-binaries
image: "quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60"
image: "quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4"
imagePullPolicy: IfNotPresent
command:
- "/install-plugin.sh"
resources:
limits:
cpu: 1
memory: 1Gi
requests:
cpu: 100m
memory: 10Mi

11
clusters/cl01tl/manifests/cilium/Deployment-cilium-operator.yaml
View File

@@ -22,7 +22,7 @@ spec:
template:
metadata:
annotations:
cilium.io/cilium-configmap-checksum: "4eee6b83c252f1939319a9a6b7c1f70e207fbd0285735985db7b2470bcfdd91c"
cilium.io/cilium-configmap-checksum: "9f67de7f01bb2bf87c953f3042be7aa5cb195bedc250957e485cd90aeb6c80ea"
labels:
io.cilium/app: operator
name: cilium-operator
@@ -34,7 +34,7 @@ spec:
type: RuntimeDefault
containers:
- name: cilium-operator
image: "quay.io/cilium/operator-generic:v1.19.0@sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648"
image: "quay.io/cilium/operator-generic:v1.18.6@sha256:34a827ce9ed021c8adf8f0feca131f53b3c54a3ef529053d871d0347ec4d69af"
imagePullPolicy: IfNotPresent
command:
- cilium-operator-generic
@@ -63,9 +63,6 @@ spec:
- name: KUBERNETES_SERVICE_PORT
value: "7445"
ports:
- name: health
containerPort: 9234
hostPort: 9234
- name: prometheus
containerPort: 9963
hostPort: 9963
@@ -74,7 +71,7 @@ spec:
httpGet:
host: "127.0.0.1"
path: /healthz
port: health
port: 9234
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
@@ -83,7 +80,7 @@ spec:
httpGet:
host: "127.0.0.1"
path: /healthz
port: health
port: 9234
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 5

2
clusters/cl01tl/manifests/cilium/Deployment-hubble-relay.yaml
View File

@@ -40,7 +40,7 @@ spec:
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
image: "quay.io/cilium/hubble-relay:v1.19.0@sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4"
image: "quay.io/cilium/hubble-relay:v1.18.6@sha256:fb6135e34c31e5f175cb5e75f86cea52ef2ff12b49bcefb7088ed93f5009eb8e"
imagePullPolicy: IfNotPresent
command:
- hubble-relay

8
clusters/cl01tl/manifests/cilium/Deployment-hubble-ui.yaml
View File

@@ -41,11 +41,11 @@ spec:
livenessProbe:
httpGet:
path: /healthz
port: http
port: 8081
readinessProbe:
httpGet:
path: /
port: http
port: 8081
volumeMounts:
- name: hubble-ui-nginx-conf
mountPath: /etc/nginx/conf.d/default.conf
@@ -77,5 +77,5 @@ spec:
defaultMode: 420
name: hubble-ui-nginx
name: hubble-ui-nginx-conf
- name: tmp-dir
emptyDir: {}
- emptyDir: {}
name: tmp-dir

9
clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs-e8c5d08cb8.yaml → clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs.yaml
View File

@@ -1,12 +1,14 @@
apiVersion: batch/v1
kind: Job
metadata:
name: hubble-generate-certs-e8c5d08cb8
name: hubble-generate-certs
namespace: kube-system
labels:
k8s-app: hubble-generate-certs
app.kubernetes.io/name: hubble-generate-certs
app.kubernetes.io/part-of: cilium
annotations:
"helm.sh/hook": post-install,post-upgrade
spec:
template:
metadata:
@@ -18,7 +20,7 @@ spec:
type: RuntimeDefault
containers:
- name: certgen
image: "quay.io/cilium/certgen:v0.3.2@sha256:19921f48ee7e2295ea4dca955878a6cd8d70e6d4219d08f688e866ece9d95d4d"
image: "quay.io/cilium/certgen:v0.3.1@sha256:2825dbfa6f89cbed882fd1d81e46a56c087e35885825139923aa29eb8aec47a9"
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
@@ -59,6 +61,9 @@ spec:
- client auth
validity: 8760h
hostNetwork: false
serviceAccount: "hubble-generate-certs"
serviceAccountName: "hubble-generate-certs"
automountServiceAccountToken: true
restartPolicy: OnFailure
affinity:
ttlSecondsAfterFinished: 1800

18
clusters/cl01tl/manifests/cilium/Role-cilium-operator-ztunnel.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cilium-operator-ztunnel
namespace: kube-system
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- create
- delete
- get
- list
- watch

15
clusters/cl01tl/manifests/cilium/RoleBinding-cilium-operator-ztunnel.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cilium-operator-ztunnel
namespace: kube-system
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cilium-operator-ztunnel
subjects:
- kind: ServiceAccount
name: "cilium-operator"
namespace: kube-system

2
clusters/cl01tl/manifests/cilium/Service-cilium-envoy.yaml
View File

@@ -17,4 +17,4 @@ spec:
- name: envoy-metrics
port: 9964
protocol: TCP
targetPort: 9964
targetPort: envoy-metrics