Automated Manifest Update #2342
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: actual/charts/actual/templates/common.yaml
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: actual/templates/external-secret.yaml
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: actual/templates/http-route.yaml
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
|
||||
@@ -1,6 +1,3 @@
|
||||
---
|
||||
# Source: actual/charts/actual/templates/common.yaml
|
||||
---
|
||||
kind: PersistentVolumeClaim
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: actual/templates/replication-source.yaml
|
||||
apiVersion: volsync.backube/v1alpha1
|
||||
kind: ReplicationSource
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: actual/charts/actual/templates/common.yaml
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: audiobookshelf/charts/audiobookshelf/templates/common.yaml
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: audiobookshelf/templates/external-secret.yaml
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: audiobookshelf/templates/external-secret.yaml
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: audiobookshelf/templates/external-secret.yaml
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: audiobookshelf/templates/http-route.yaml
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,3 @@
|
||||
---
|
||||
# Source: audiobookshelf/templates/persistent-volume.yaml
|
||||
apiVersion: v1
|
||||
kind: PersistentVolume
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: audiobookshelf/charts/audiobookshelf/templates/common.yaml
|
||||
kind: PersistentVolumeClaim
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: audiobookshelf/templates/persistent-volume-claim.yaml
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: audiobookshelf/templates/persistent-volume-claim.yaml
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: audiobookshelf/templates/replication-source.yaml
|
||||
apiVersion: volsync.backube/v1alpha1
|
||||
kind: ReplicationSource
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: audiobookshelf/templates/replication-source.yaml
|
||||
apiVersion: volsync.backube/v1alpha1
|
||||
kind: ReplicationSource
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: audiobookshelf/charts/audiobookshelf/templates/common.yaml
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: audiobookshelf/templates/service-monitor.yaml
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: backrest/charts/backrest/templates/common.yaml
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: backrest/templates/http-route.yaml
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: backrest/templates/persistent-volume.yaml
|
||||
apiVersion: v1
|
||||
kind: PersistentVolume
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,3 @@
|
||||
---
|
||||
# Source: backrest/templates/persistent-volume.yaml
|
||||
apiVersion: v1
|
||||
kind: PersistentVolume
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: backrest/charts/backrest/templates/common.yaml
|
||||
kind: PersistentVolumeClaim
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: backrest/templates/persistent-volume-claim.yaml
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: backrest/templates/persistent-volume-claim.yaml
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: backrest/charts/backrest/templates/common.yaml
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: backrest/templates/service.yaml
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/templates/cluster-issuer.yaml
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/cainjector-rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
||||
@@ -1,6 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
||||
@@ -1,6 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
# Certificates controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
@@ -20,9 +18,6 @@ rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
|
||||
verbs: ["update"]
|
||||
|
||||
@@ -1,8 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
# Permission to:
|
||||
# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
|
||||
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
||||
@@ -1,6 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
# Challenges controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
@@ -14,27 +12,21 @@ metadata:
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
helm.sh/chart: cert-manager-v1.19.1
|
||||
rules:
|
||||
# Use to update challenge resource status
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "challenges/status"]
|
||||
verbs: ["update", "patch"]
|
||||
# Used to watch challenge resources
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Used to watch challenges, issuer and clusterissuer resources
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers", "clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Need to be able to retrieve ACME account private key to complete challenges
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Used to create events
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
# HTTP01 rules
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "services"]
|
||||
verbs: ["get", "list", "watch", "create", "delete"]
|
||||
@@ -44,19 +36,12 @@ rules:
|
||||
- apiGroups: ["gateway.networking.k8s.io"]
|
||||
resources: ["httproutes"]
|
||||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||
# We require the ability to specify a custom hostname when we are creating
|
||||
# new ingress resources.
|
||||
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
|
||||
- apiGroups: ["route.openshift.io"]
|
||||
resources: ["routes/custom-host"]
|
||||
verbs: ["create"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges/finalizers"]
|
||||
verbs: ["update"]
|
||||
# DNS01 rules (duplicated above)
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
@@ -1,6 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
# ClusterIssuer controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
||||
@@ -1,6 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
# ingress-shim controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
@@ -23,9 +21,6 @@ rules:
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses/finalizers"]
|
||||
verbs: ["update"]
|
||||
|
||||
@@ -1,6 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
# Issuer controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
||||
@@ -1,6 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
# Orders controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
@@ -26,9 +24,6 @@ rules:
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges"]
|
||||
verbs: ["create", "delete"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders/finalizers"]
|
||||
verbs: ["update"]
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/webhook-rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/cainjector-rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/webhook-rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/crd-cert-manager.io_certificaterequests.yaml
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/crd-cert-manager.io_certificates.yaml
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/crd-acme.cert-manager.io_challenges.yaml
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/crd-cert-manager.io_clusterissuers.yaml
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/crd-cert-manager.io_issuers.yaml
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/crd-acme.cert-manager.io_orders.yaml
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/webhook-deployment.yaml
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/deployment.yaml
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
@@ -66,9 +65,6 @@ spec:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
# LivenessProbe settings are based on those used for the Kubernetes
|
||||
# controller-manager. See:
|
||||
# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
port: http-healthz
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/templates/external-secret.yaml
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/startupapicheck-job.yaml
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/webhook-mutating-webhook.yaml
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: MutatingWebhookConfiguration
|
||||
metadata:
|
||||
@@ -26,13 +25,9 @@ webhooks:
|
||||
resources:
|
||||
- "certificaterequests"
|
||||
admissionReviewVersions: ["v1"]
|
||||
# This webhook only accepts v1 cert-manager resources.
|
||||
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||
# this webhook (after the resources have been converted to v1).
|
||||
matchPolicy: Equivalent
|
||||
timeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
# Only include 'sideEffects' field in Kubernetes 1.12+
|
||||
sideEffects: None
|
||||
clientConfig:
|
||||
service:
|
||||
|
||||
@@ -1,6 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/cainjector-rbac.yaml
|
||||
# leader election rules
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
@@ -15,11 +13,6 @@ metadata:
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
helm.sh/chart: cert-manager-v1.19.1
|
||||
rules:
|
||||
# Used for leader election by the controller
|
||||
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
|
||||
# see cmd/cainjector/start.go#L113
|
||||
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
|
||||
# see cmd/cainjector/start.go#L137
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
|
||||
|
||||
@@ -1,6 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/startupapicheck-rbac.yaml
|
||||
# create certificate role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/webhook-rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
@@ -19,7 +18,6 @@ rules:
|
||||
resourceNames:
|
||||
- 'cert-manager-webhook-ca'
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
# It's not possible to grant CREATE permission on a single resourceName.
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["create"]
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
|
||||
@@ -1,7 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/cainjector-rbac.yaml
|
||||
# grant cert-manager permission to manage the leaderelection configmap in the
|
||||
# leader election namespace
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/startupapicheck-rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,6 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
# grant cert-manager permission to create tokens for the serviceaccount
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/webhook-rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,7 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/rbac.yaml
|
||||
# grant cert-manager permission to manage the leaderelection configmap in the
|
||||
# leader election namespace
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/cainjector-service.yaml
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/webhook-service.yaml
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/service.yaml
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,3 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/cainjector-serviceaccount.yaml
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: true
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: true
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/webhook-serviceaccount.yaml
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: true
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/serviceaccount.yaml
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: true
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/servicemonitor.yaml
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cert-manager/charts/cert-manager/templates/webhook-validating-webhook.yaml
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
@@ -34,9 +33,6 @@ webhooks:
|
||||
resources:
|
||||
- "*/*"
|
||||
admissionReviewVersions: ["v1"]
|
||||
# This webhook only accepts v1 cert-manager resources.
|
||||
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||
# this webhook (after the resources have been converted to v1).
|
||||
matchPolicy: Equivalent
|
||||
timeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cilium/templates/cilium-load-balancer-ip-pool.yaml
|
||||
apiVersion: "cilium.io/v2alpha1"
|
||||
kind: CiliumLoadBalancerIPPool
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cilium/templates/cilium-load-balancer-ip-pool.yaml
|
||||
apiVersion: "cilium.io/v2alpha1"
|
||||
kind: CiliumLoadBalancerIPPool
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cilium/charts/cilium/templates/cilium-operator/clusterrole.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
@@ -15,8 +14,6 @@ rules:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
# to automatically delete [core|kube]dns pods so that are starting to being
|
||||
# managed by Cilium
|
||||
- delete
|
||||
- apiGroups:
|
||||
- ""
|
||||
@@ -25,7 +22,6 @@ rules:
|
||||
resourceNames:
|
||||
- cilium-config
|
||||
verbs:
|
||||
# allow patching of the configmap to set annotations
|
||||
- patch
|
||||
- apiGroups:
|
||||
- ""
|
||||
@@ -37,9 +33,7 @@ rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
# To remove node taints
|
||||
- nodes
|
||||
# To set NetworkUnavailable false on startup
|
||||
- nodes/status
|
||||
verbs:
|
||||
- patch
|
||||
@@ -54,7 +48,6 @@ rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
# to perform LB IP allocation for BGP
|
||||
- services/status
|
||||
verbs:
|
||||
- update
|
||||
@@ -62,7 +55,6 @@ rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
# to check apiserver connectivity
|
||||
- namespaces
|
||||
- secrets
|
||||
verbs:
|
||||
@@ -72,7 +64,6 @@ rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
# to perform the translation of a CNP that contains `ToGroup` to its endpoints
|
||||
- services
|
||||
- endpoints
|
||||
verbs:
|
||||
@@ -89,11 +80,9 @@ rules:
|
||||
- ciliumnetworkpolicies
|
||||
- ciliumclusterwidenetworkpolicies
|
||||
verbs:
|
||||
# Create auto-generated CNPs and CCNPs from Policies that have 'toGroups'
|
||||
- create
|
||||
- update
|
||||
- deletecollection
|
||||
# To update the status of the CNPs and CCNPs
|
||||
- patch
|
||||
- get
|
||||
- list
|
||||
@@ -104,7 +93,6 @@ rules:
|
||||
- ciliumnetworkpolicies/status
|
||||
- ciliumclusterwidenetworkpolicies/status
|
||||
verbs:
|
||||
# Update the auto-generated CNPs and CCNPs status.
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
@@ -113,7 +101,6 @@ rules:
|
||||
- ciliumendpoints
|
||||
- ciliumidentities
|
||||
verbs:
|
||||
# To perform garbage collection of such resources
|
||||
- delete
|
||||
- list
|
||||
- watch
|
||||
@@ -122,7 +109,6 @@ rules:
|
||||
resources:
|
||||
- ciliumidentities
|
||||
verbs:
|
||||
# To synchronize garbage collection of such resources
|
||||
- update
|
||||
- apiGroups:
|
||||
- cilium.io
|
||||
@@ -134,7 +120,6 @@ rules:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
# To perform CiliumNode garbage collector
|
||||
- delete
|
||||
- apiGroups:
|
||||
- cilium.io
|
||||
@@ -228,12 +213,6 @@ rules:
|
||||
- ciliumloadbalancerippools/status
|
||||
verbs:
|
||||
- patch
|
||||
# For cilium-operator running in HA mode.
|
||||
#
|
||||
# Cilium operator running in HA mode requires the use of ResourceLock for Leader Election
|
||||
# between multiple running instances.
|
||||
# The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less
|
||||
# common and fewer objects in the cluster watch "all Leases".
|
||||
- apiGroups:
|
||||
- coordination.k8s.io
|
||||
resources:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cilium/charts/cilium/templates/cilium-agent/clusterrole.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
@@ -42,9 +41,6 @@ rules:
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
# This is used when validating policies in preflight. This will need to stay
|
||||
# until we figure out how to avoid "get" inside the preflight, and then
|
||||
# should be removed ideally.
|
||||
- get
|
||||
- apiGroups:
|
||||
- cilium.io
|
||||
@@ -81,7 +77,6 @@ rules:
|
||||
- create
|
||||
- apiGroups:
|
||||
- cilium.io
|
||||
# To synchronize garbage collection of such resources
|
||||
resources:
|
||||
- ciliumidentities
|
||||
verbs:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cilium/charts/cilium/templates/hubble-ui/clusterrole.yaml
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cilium/charts/cilium/templates/cilium-operator/clusterrolebinding.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cilium/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cilium/charts/cilium/templates/hubble-ui/clusterrolebinding.yaml
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
|
||||
@@ -1,51 +1,20 @@
|
||||
---
|
||||
# Source: cilium/charts/cilium/templates/cilium-configmap.yaml
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: cilium-config
|
||||
namespace: kube-system
|
||||
data:
|
||||
# Identity allocation mode selects how identities are shared between cilium
|
||||
# nodes by setting how they are stored. The options are "crd", "kvstore" or
|
||||
# "doublewrite-readkvstore" / "doublewrite-readcrd".
|
||||
# - "crd" stores identities in kubernetes as CRDs (custom resource definition).
|
||||
# These can be queried with:
|
||||
# kubectl get ciliumid
|
||||
# - "kvstore" stores identities in an etcd kvstore, that is
|
||||
# configured below. Cilium versions before 1.6 supported only the kvstore
|
||||
# backend. Upgrades from these older cilium versions should continue using
|
||||
# the kvstore by commenting out the identity-allocation-mode below, or
|
||||
# setting it to "kvstore".
|
||||
# - "doublewrite" modes store identities in both the kvstore and CRDs. This is useful
|
||||
# for seamless migrations from the kvstore mode to the crd mode. Consult the
|
||||
# documentation for more information on how to perform the migration.
|
||||
identity-allocation-mode: crd
|
||||
identity-heartbeat-timeout: "30m0s"
|
||||
identity-gc-interval: "15m0s"
|
||||
cilium-endpoint-gc-interval: "5m0s"
|
||||
nodes-gc-interval: "5m0s"
|
||||
# If you want to run cilium in debug mode change this value to true
|
||||
debug: "false"
|
||||
metrics-sampling-interval: "5m"
|
||||
# The agent can be put into the following three policy enforcement modes
|
||||
# default, always and never.
|
||||
# https://docs.cilium.io/en/latest/security/policy/intro/#policy-enforcement-modes
|
||||
enable-policy: "default"
|
||||
# If you want metrics enabled in all of your Cilium agents, set the port for
|
||||
# which the Cilium agents will have their metrics exposed.
|
||||
# This option deprecates the "prometheus-serve-addr" in the
|
||||
# "cilium-metrics-config" ConfigMap
|
||||
# NOTE that this will open the port on ALL nodes where Cilium pods are
|
||||
# scheduled.
|
||||
prometheus-serve-addr: ":9962"
|
||||
# A space-separated list of controller groups for which to enable metrics.
|
||||
# The special values of "all" and "none" are supported.
|
||||
controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services
|
||||
# If you want metrics enabled in cilium-operator, set the port for
|
||||
# which the Cilium Operator will have their metrics exposed.
|
||||
# NOTE that this will open the port on the nodes where Cilium operator pod
|
||||
# is scheduled.
|
||||
operator-prometheus-serve-addr: ":9963"
|
||||
enable-metrics: "true"
|
||||
enable-envoy-config: "true"
|
||||
@@ -63,41 +32,16 @@ data:
|
||||
enable-policy-secrets-sync: "true"
|
||||
policy-secrets-only-from-secrets-namespace: "true"
|
||||
policy-secrets-namespace: "cilium-secrets"
|
||||
# Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
|
||||
# address.
|
||||
enable-ipv4: "true"
|
||||
# Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6
|
||||
# address.
|
||||
enable-ipv6: "false"
|
||||
# Users who wish to specify their own custom CNI configuration file must set
|
||||
# custom-cni-conf to "true", otherwise Cilium may overwrite the configuration.
|
||||
custom-cni-conf: "false"
|
||||
enable-bpf-clock-probe: "false"
|
||||
# If you want cilium monitor to aggregate tracing for packets, set this level
|
||||
# to "low", "medium", or "maximum". The higher the level, the less packets
|
||||
# that will be seen in monitor output.
|
||||
monitor-aggregation: medium
|
||||
# The monitor aggregation interval governs the typical time between monitor
|
||||
# notification events for each allowed connection.
|
||||
#
|
||||
# Only effective when monitor aggregation is set to "medium" or higher.
|
||||
monitor-aggregation-interval: "5s"
|
||||
# The monitor aggregation flags determine which TCP flags which, upon the
|
||||
# first observation, cause monitor notifications to be generated.
|
||||
#
|
||||
# Only effective when monitor aggregation is set to "medium" or higher.
|
||||
monitor-aggregation-flags: all
|
||||
# Specifies the ratio (0.0-1.0] of total system memory to use for dynamic
|
||||
# sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps.
|
||||
bpf-map-dynamic-size-ratio: "0.0025"
|
||||
# bpf-policy-map-max specifies the maximum number of entries in endpoint
|
||||
# policy map (per endpoint)
|
||||
bpf-policy-map-max: "16384"
|
||||
# bpf-policy-stats-map-max specifies the maximum number of entries in global
|
||||
# policy stats map
|
||||
bpf-policy-stats-map-max: "65536"
|
||||
# bpf-lb-map-max specifies the maximum number of entries in bpf lb service,
|
||||
# backend and affinity maps.
|
||||
bpf-lb-map-max: "65536"
|
||||
bpf-lb-external-clusterip: "false"
|
||||
bpf-lb-source-range-all-types: "false"
|
||||
@@ -107,37 +51,13 @@ data:
|
||||
bpf-events-drop-enabled: "true"
|
||||
bpf-events-policy-verdict-enabled: "true"
|
||||
bpf-events-trace-enabled: "true"
|
||||
# Pre-allocation of map entries allows per-packet latency to be reduced, at
|
||||
# the expense of up-front memory allocation for the entries in the maps. The
|
||||
# default value below will minimize memory usage in the default installation;
|
||||
# users who are sensitive to latency may consider setting this to "true".
|
||||
#
|
||||
# This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore
|
||||
# this option and behave as though it is set to "true".
|
||||
#
|
||||
# If this value is modified, then during the next Cilium startup the restore
|
||||
# of existing endpoints and tracking of ongoing connections may be disrupted.
|
||||
# As a result, reply packets may be dropped and the load-balancing decisions
|
||||
# for established connections may change.
|
||||
#
|
||||
# If this option is set to "false" during an upgrade from 1.3 or earlier to
|
||||
# 1.4 or later, then it may cause one-time disruptions during the upgrade.
|
||||
preallocate-bpf-maps: "false"
|
||||
# Name of the cluster. Only relevant when building a mesh of clusters.
|
||||
cluster-name: "default"
|
||||
# Unique ID of the cluster. Must be unique across all conneted clusters and
|
||||
# in the range of 1 and 255. Only relevant when building a mesh of clusters.
|
||||
cluster-id: "0"
|
||||
# Encapsulation mode for communication between nodes
|
||||
# Possible values:
|
||||
# - disabled
|
||||
# - vxlan (default)
|
||||
# - geneve
|
||||
routing-mode: "tunnel"
|
||||
tunnel-protocol: "vxlan"
|
||||
tunnel-source-port-range: "0-0"
|
||||
service-no-backend-response: "reject"
|
||||
# Enables L7 proxy for L7 policy enforcement and visibility
|
||||
enable-l7-proxy: "true"
|
||||
enable-ipv4-masquerade: "true"
|
||||
enable-ipv4-big-tcp: "false"
|
||||
@@ -151,8 +71,6 @@ data:
|
||||
iptables-random-fully: "false"
|
||||
auto-direct-node-routes: "false"
|
||||
direct-routing-skip-unreachable: "false"
|
||||
# List of devices used to attach bpf_host.o (implements BPF NodePort,
|
||||
# host-firewall and BPF masquerading)
|
||||
devices: "end0 enp6s0"
|
||||
kube-proxy-replacement: "true"
|
||||
kube-proxy-replacement-healthz-bind-address: ""
|
||||
@@ -169,7 +87,6 @@ data:
|
||||
k8s-require-ipv6-pod-cidr: "false"
|
||||
enable-k8s-networkpolicy: "true"
|
||||
enable-endpoint-lockdown-on-policy-overflow: "false"
|
||||
# Tell the agent to generate and write a CNI configuration file
|
||||
write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
|
||||
cni-exclusive: "true"
|
||||
cni-log-file: "/var/run/cilium/cilium-cni.log"
|
||||
@@ -181,10 +98,8 @@ data:
|
||||
synchronize-k8s-nodes: "true"
|
||||
operator-api-serve-addr: "127.0.0.1:9234"
|
||||
enable-hubble: "true"
|
||||
# UNIX domain socket for Hubble server to listen to.
|
||||
hubble-socket-path: "/var/run/cilium/hubble.sock"
|
||||
hubble-network-policy-correlation-enabled: "true"
|
||||
# An additional address for Hubble server to listen to (e.g. ":4244").
|
||||
hubble-listen-address: ":4244"
|
||||
hubble-disable-tls: "false"
|
||||
hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
|
||||
@@ -213,7 +128,6 @@ data:
|
||||
set-cilium-node-taints: "true"
|
||||
set-cilium-is-up-condition: "true"
|
||||
unmanaged-pod-watcher-interval: "15"
|
||||
# default DNS proxy to transparent mode in non-chaining modes
|
||||
dnsproxy-enable-transparent-mode: "true"
|
||||
dnsproxy-socket-linger-timeout: "10"
|
||||
tofqdns-dns-reject-response-code: "refused"
|
||||
@@ -252,5 +166,3 @@ data:
|
||||
enable-lb-ipam: "true"
|
||||
enable-non-default-deny-policies: "true"
|
||||
enable-source-ip-verification: "true"
|
||||
# Extra config allows adding arbitrary properties to the cilium config.
|
||||
# By putting it at the end of the ConfigMap, it's also possible to override existing properties.
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cilium/charts/cilium/templates/hubble-relay/configmap.yaml
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cilium/charts/cilium/templates/hubble-ui/configmap.yaml
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
@@ -161,13 +160,10 @@ spec:
|
||||
- name: envoy-config
|
||||
configMap:
|
||||
name: "cilium-envoy-config"
|
||||
# note: the leading zero means this number is in octal representation: do not remove it
|
||||
defaultMode: 0400
|
||||
items:
|
||||
- key: bootstrap-config.json
|
||||
path: bootstrap-config.json
|
||||
# To keep state between restarts / upgrades
|
||||
# To keep state between restarts / upgrades for bpf maps
|
||||
- name: bpf-maps
|
||||
hostPath:
|
||||
path: /sys/fs/bpf
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
@@ -20,7 +19,6 @@ spec:
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
# ensure pods roll when configmap updates
|
||||
cilium.io/cilium-configmap-checksum: "31ad7748e0aefe75b6436d96c8c85754e0b44e68e6012fa188bc5bcd66085828"
|
||||
kubectl.kubernetes.io/default-container: cilium-agent
|
||||
labels:
|
||||
@@ -173,22 +171,13 @@ spec:
|
||||
- name: envoy-sockets
|
||||
mountPath: /var/run/cilium/envoy/sockets
|
||||
readOnly: false
|
||||
# Unprivileged containers need to mount /proc/sys/net from the host
|
||||
# to have write access
|
||||
- mountPath: /host/proc/sys/net
|
||||
name: host-proc-sys-net
|
||||
# Unprivileged containers need to mount /proc/sys/kernel from the host
|
||||
# to have write access
|
||||
- mountPath: /host/proc/sys/kernel
|
||||
name: host-proc-sys-kernel
|
||||
- name: bpf-maps
|
||||
mountPath: /sys/fs/bpf
|
||||
# Unprivileged containers can't set mount propagation to bidirectional
|
||||
# in this case we will mount the bpf fs from an init container that
|
||||
# is privileged and set the mount propagation from host to container
|
||||
# in Cilium.
|
||||
mountPropagation: HostToContainer
|
||||
# Check for duplicate mounts before mounting
|
||||
- name: cilium-cgroup
|
||||
mountPath: /sys/fs/cgroup
|
||||
- name: cilium-run
|
||||
@@ -201,7 +190,6 @@ spec:
|
||||
- name: clustermesh-secrets
|
||||
mountPath: /var/lib/cilium/clustermesh
|
||||
readOnly: true
|
||||
# Needed to be able to load kernel modules
|
||||
- name: lib-modules
|
||||
mountPath: /lib/modules
|
||||
readOnly: true
|
||||
@@ -247,11 +235,6 @@ spec:
|
||||
command:
|
||||
- sh
|
||||
- -ec
|
||||
# The statically linked Go program binary is invoked to avoid any
|
||||
# dependency on utilities like sh that can be missing on certain
|
||||
# distros installed on the underlying host. Copy the binary to the
|
||||
# same directory where we install cilium cni plugin so that exec permissions
|
||||
# are available.
|
||||
- |
|
||||
cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
|
||||
nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
|
||||
@@ -273,9 +256,6 @@ spec:
|
||||
- SYS_PTRACE
|
||||
drop:
|
||||
- ALL
|
||||
# Mount the bpf fs if it is not mounted. We will perform this task
|
||||
# from a privileged container because the mount propagation bidirectional
|
||||
# only works from privileged containers.
|
||||
- name: mount-bpf-fs
|
||||
image: "quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f"
|
||||
imagePullPolicy: IfNotPresent
|
||||
@@ -335,13 +315,11 @@ spec:
|
||||
volumeMounts:
|
||||
- name: bpf-maps
|
||||
mountPath: /sys/fs/bpf
|
||||
# Required to mount cgroup filesystem from the host to cilium agent pod
|
||||
- name: cilium-cgroup
|
||||
mountPath: /sys/fs/cgroup
|
||||
mountPropagation: HostToContainer
|
||||
- name: cilium-run
|
||||
mountPath: /var/run/cilium # wait-for-kube-proxy
|
||||
# Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent
|
||||
mountPath: /var/run/cilium
|
||||
- name: install-cni-binaries
|
||||
image: "quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f"
|
||||
imagePullPolicy: IfNotPresent
|
||||
@@ -361,7 +339,7 @@ spec:
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- name: cni-path
|
||||
mountPath: /host/opt/cni/bin # .Values.cni.install
|
||||
mountPath: /host/opt/cni/bin
|
||||
restartPolicy: Always
|
||||
priorityClassName: system-node-critical
|
||||
serviceAccountName: "cilium"
|
||||
@@ -380,71 +358,54 @@ spec:
|
||||
tolerations:
|
||||
- operator: Exists
|
||||
volumes:
|
||||
# For sharing configuration between the "config" initContainer and the agent
|
||||
- name: tmp
|
||||
emptyDir: {}
|
||||
# To keep state between restarts / upgrades
|
||||
- name: cilium-run
|
||||
hostPath:
|
||||
path: /var/run/cilium
|
||||
type: DirectoryOrCreate
|
||||
# To exec into pod network namespaces
|
||||
- name: cilium-netns
|
||||
hostPath:
|
||||
path: /var/run/netns
|
||||
type: DirectoryOrCreate
|
||||
# To keep state between restarts / upgrades for bpf maps
|
||||
- name: bpf-maps
|
||||
hostPath:
|
||||
path: /sys/fs/bpf
|
||||
type: DirectoryOrCreate
|
||||
# To mount cgroup2 filesystem on the host or apply sysctlfix
|
||||
- name: hostproc
|
||||
hostPath:
|
||||
path: /proc
|
||||
type: Directory
|
||||
# To keep state between restarts / upgrades for cgroup2 filesystem
|
||||
- name: cilium-cgroup
|
||||
hostPath:
|
||||
path: /sys/fs/cgroup
|
||||
type: DirectoryOrCreate
|
||||
# To install cilium cni plugin in the host
|
||||
- name: cni-path
|
||||
hostPath:
|
||||
path: /opt/cni/bin
|
||||
type: DirectoryOrCreate
|
||||
# To install cilium cni configuration in the host
|
||||
- name: etc-cni-netd
|
||||
hostPath:
|
||||
path: /etc/cni/net.d
|
||||
type: DirectoryOrCreate
|
||||
# To be able to load kernel modules
|
||||
- name: lib-modules
|
||||
hostPath:
|
||||
path: /lib/modules
|
||||
# To access iptables concurrently with other processes (e.g. kube-proxy)
|
||||
- name: xtables-lock
|
||||
hostPath:
|
||||
path: /run/xtables.lock
|
||||
type: FileOrCreate
|
||||
# Sharing socket with Cilium Envoy on the same node by using a host path
|
||||
- name: envoy-sockets
|
||||
hostPath:
|
||||
path: "/var/run/cilium/envoy/sockets"
|
||||
type: DirectoryOrCreate
|
||||
# To read the clustermesh configuration
|
||||
- name: clustermesh-secrets
|
||||
projected:
|
||||
# note: the leading zero means this number is in octal representation: do not remove it
|
||||
defaultMode: 0400
|
||||
sources:
|
||||
- secret:
|
||||
name: cilium-clustermesh
|
||||
optional: true
|
||||
# note: items are not explicitly listed here, since the entries of this secret
|
||||
# depend on the peers configured, and that would cause a restart of all agents
|
||||
# at every addition/removal. Leaving the field empty makes each secret entry
|
||||
# to be automatically projected into the volume as a file whose name is the key.
|
||||
- secret:
|
||||
name: clustermesh-apiserver-remote-cert
|
||||
optional: true
|
||||
@@ -455,10 +416,6 @@ spec:
|
||||
path: common-etcd-client.crt
|
||||
- key: ca.crt
|
||||
path: common-etcd-client-ca.crt
|
||||
# note: we configure the volume for the kvstoremesh-specific certificate
|
||||
# regardless of whether KVStoreMesh is enabled or not, so that it can be
|
||||
# automatically mounted in case KVStoreMesh gets subsequently enabled,
|
||||
# without requiring an agent restart.
|
||||
- secret:
|
||||
name: clustermesh-apiserver-local-cert
|
||||
optional: true
|
||||
@@ -479,7 +436,6 @@ spec:
|
||||
type: Directory
|
||||
- name: hubble-tls
|
||||
projected:
|
||||
# note: the leading zero means this number is in octal representation: do not remove it
|
||||
defaultMode: 0400
|
||||
sources:
|
||||
- secret:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cilium/charts/cilium/templates/cilium-operator/deployment.yaml
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
@@ -11,17 +10,11 @@ metadata:
|
||||
app.kubernetes.io/part-of: cilium
|
||||
app.kubernetes.io/name: cilium-operator
|
||||
spec:
|
||||
# See docs on ServerCapabilities.LeasesResourceLock in file pkg/k8s/version/version.go
|
||||
# for more details.
|
||||
replicas: 2
|
||||
selector:
|
||||
matchLabels:
|
||||
io.cilium/app: operator
|
||||
name: cilium-operator
|
||||
# ensure operator update on single node k8s clusters, by using rolling update with maxUnavailable=100% in case
|
||||
# of one replica and no user configured Recreate strategy.
|
||||
# otherwise an update might get stuck due to the default maxUnavailable=50% in combination with the
|
||||
# podAntiAffinity which prevents deployments of multiple operator replicas on the same node.
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: 25%
|
||||
@@ -30,7 +23,6 @@ spec:
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
# ensure pods roll when configmap updates
|
||||
cilium.io/cilium-configmap-checksum: "31ad7748e0aefe75b6436d96c8c85754e0b44e68e6012fa188bc5bcd66085828"
|
||||
labels:
|
||||
io.cilium/app: operator
|
||||
@@ -110,8 +102,6 @@ spec:
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: "cilium-operator"
|
||||
automountServiceAccountToken: true
|
||||
# In HA mode, cilium-operator pods must not be scheduled on the same
|
||||
# node as they will clash with each other.
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
@@ -133,7 +123,6 @@ spec:
|
||||
- key: node.cilium.io/agent-not-ready
|
||||
operator: Exists
|
||||
volumes:
|
||||
# To read the configuration from the config map
|
||||
- name: cilium-config-path
|
||||
configMap:
|
||||
name: cilium-config
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cilium/charts/cilium/templates/hubble-relay/deployment.yaml
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
@@ -55,33 +54,18 @@ spec:
|
||||
grpc:
|
||||
port: 4222
|
||||
timeoutSeconds: 3
|
||||
# livenessProbe will kill the pod, we should be very conservative
|
||||
# here on failures since killing the pod should be a last resort, and
|
||||
# we should provide enough time for relay to retry before killing it.
|
||||
livenessProbe:
|
||||
grpc:
|
||||
port: 4222
|
||||
timeoutSeconds: 10
|
||||
# Give relay time to establish connections and make a few retries
|
||||
# before starting livenessProbes.
|
||||
initialDelaySeconds: 10
|
||||
# 10 second * 12 failures = 2 minutes of failure.
|
||||
# If relay cannot become healthy after 2 minutes, then killing it
|
||||
# might resolve whatever issue is occurring.
|
||||
#
|
||||
# 10 seconds is a reasonable retry period so we can see if it's
|
||||
# failing regularly or only sporadically.
|
||||
periodSeconds: 10
|
||||
failureThreshold: 12
|
||||
startupProbe:
|
||||
grpc:
|
||||
port: 4222
|
||||
# Give relay time to get it's certs and establish connections and
|
||||
# make a few retries before starting startupProbes.
|
||||
initialDelaySeconds: 10
|
||||
# 20 * 3 seconds = 1 minute of failure before we consider startup as failed.
|
||||
failureThreshold: 20
|
||||
# Retry more frequently at startup so that it can be considered started more quickly.
|
||||
periodSeconds: 3
|
||||
volumeMounts:
|
||||
- name: config
|
||||
@@ -114,7 +98,6 @@ spec:
|
||||
path: config.yaml
|
||||
- name: tls
|
||||
projected:
|
||||
# note: the leading zero means this number is in octal representation: do not remove it
|
||||
defaultMode: 0400
|
||||
sources:
|
||||
- secret:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
---
|
||||
# Source: cilium/charts/cilium/templates/hubble-ui/deployment.yaml
|
||||
kind: Deployment
|
||||
apiVersion: apps/v1
|
||||
metadata:
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user