diff --git a/clusters/cl01tl/manifests/cilium/Certificate-hubble-relay-client-certs.yaml b/clusters/cl01tl/manifests/cilium/Certificate-hubble-relay-client-certs.yaml
deleted file mode 100644
index 33bafd6e9..000000000
--- a/clusters/cl01tl/manifests/cilium/Certificate-hubble-relay-client-certs.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: hubble-relay-client-certs
- namespace: kube-system
-spec:
- issuerRef:
- group: cert-manager.io
- kind: ClusterIssuer
- name: ca-issuer
- secretName: hubble-relay-client-certs
- commonName: "*.hubble-relay.cilium.io"
- dnsNames:
- - "*.hubble-relay.cilium.io"
- duration: 8760h0m0s
- privateKey:
- rotationPolicy: Always
- isCA: false
- usages:
- - signing
- - key encipherment
- - client auth
diff --git a/clusters/cl01tl/manifests/cilium/Certificate-hubble-server-certs.yaml b/clusters/cl01tl/manifests/cilium/Certificate-hubble-server-certs.yaml
deleted file mode 100644
index 1ccf2a719..000000000
--- a/clusters/cl01tl/manifests/cilium/Certificate-hubble-server-certs.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: hubble-server-certs
- namespace: kube-system
-spec:
- issuerRef:
- group: cert-manager.io
- kind: ClusterIssuer
- name: ca-issuer
- secretName: hubble-server-certs
- commonName: "*.default.hubble-grpc.cilium.io"
- dnsNames:
- - "*.default.hubble-grpc.cilium.io"
- duration: 8760h0m0s
- privateKey:
- rotationPolicy: Always
- isCA: false
- usages:
- - signing
- - key encipherment
- - server auth
- - client auth
diff --git a/clusters/cl01tl/manifests/cilium/CronJob-hubble-generate-certs.yaml b/clusters/cl01tl/manifests/cilium/CronJob-hubble-generate-certs.yaml
new file mode 100644
index 000000000..67c1b52b0
--- /dev/null
+++ b/clusters/cl01tl/manifests/cilium/CronJob-hubble-generate-certs.yaml
@@ -0,0 +1,71 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: hubble-generate-certs
+ namespace: kube-system
+ labels:
+ k8s-app: hubble-generate-certs
+ app.kubernetes.io/name: hubble-generate-certs
+ app.kubernetes.io/part-of: cilium
+spec:
+ schedule: "0 0 1 */4 *"
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ labels:
+ k8s-app: hubble-generate-certs
+ spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: certgen
+ image: "quay.io/cilium/certgen:v0.2.4@sha256:de7b97b1d19a34b674d0c4bc1da4db999f04ae355923a9a994ac3a81e1a1b5ff"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ command:
+ - "/usr/bin/cilium-certgen"
+ args:
+ - "--ca-generate=true"
+ - "--ca-reuse-secret"
+ - "--ca-secret-namespace=kube-system"
+ - "--ca-secret-name=cilium-ca"
+ - "--ca-common-name=Cilium CA"
+ env:
+ - name: CILIUM_CERTGEN_CONFIG
+ value: |
+ certs:
+ - name: hubble-server-certs
+ namespace: kube-system
+ commonName: "*.default.hubble-grpc.cilium.io"
+ hosts:
+ - "*.default.hubble-grpc.cilium.io"
+ usage:
+ - signing
+ - key encipherment
+ - server auth
+ - client auth
+ validity: 8760h
+ - name: hubble-relay-client-certs
+ namespace: kube-system
+ commonName: "*.hubble-relay.cilium.io"
+ hosts:
+ - "*.hubble-relay.cilium.io"
+ usage:
+ - signing
+ - key encipherment
+ - client auth
+ validity: 8760h
+ hostNetwork: false
+ serviceAccount: "hubble-generate-certs"
+ serviceAccountName: "hubble-generate-certs"
+ automountServiceAccountToken: true
+ restartPolicy: OnFailure
+ affinity:
+ ttlSecondsAfterFinished: 1800
diff --git a/clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs.yaml b/clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs.yaml
new file mode 100644
index 000000000..3be9a1e5d
--- /dev/null
+++ b/clusters/cl01tl/manifests/cilium/Job-hubble-generate-certs.yaml
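Review bot: The certgen container drops all capabilities and sets `allowPrivilegeEscalation: false`, but neither the pod nor the container securityContext sets `runAsNonRoot: true` or `readOnlyRootFilesystem: true`, so the job runs as whatever user the image defaults to; if the certgen image tolerates it, add `runAsNonRoot: true` and `readOnlyRootFilesystem: true` beside `allowPrivilegeEscalation: false` (the same block appears in Job-hubble-generate-certs.yaml). The deleted Certificate resources were issued by the `ca-issuer` ClusterIssuer, whereas `--ca-generate=true` together with `--ca-reuse-secret` and `--ca-secret-name=cilium-ca` appears to mint and then reuse a self-generated CA in the `cilium-ca` Secret, which presumably changes the trust root for Hubble TLS; a comment above `args:` stating that any peer still trusting the old CA chain must be switched would make that intent explicit. `affinity:` is left as a bare key (parsed as null) and `serviceAccount` duplicates `serviceAccountName`; both can be dropped.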
@@ -0,0 +1,69 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: hubble-generate-certs
+ namespace: kube-system
+ labels:
+ k8s-app: hubble-generate-certs
+ app.kubernetes.io/name: hubble-generate-certs
+ app.kubernetes.io/part-of: cilium
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+spec:
+ template:
+ metadata:
+ labels:
+ k8s-app: hubble-generate-certs
+ spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: certgen
+ image: "quay.io/cilium/certgen:v0.2.4@sha256:de7b97b1d19a34b674d0c4bc1da4db999f04ae355923a9a994ac3a81e1a1b5ff"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ command:
+ - "/usr/bin/cilium-certgen"
+ args:
+ - "--ca-generate=true"
+ - "--ca-reuse-secret"
+ - "--ca-secret-namespace=kube-system"
+ - "--ca-secret-name=cilium-ca"
+ - "--ca-common-name=Cilium CA"
+ env:
+ - name: CILIUM_CERTGEN_CONFIG
+ value: |
+ certs:
+ - name: hubble-server-certs
+ namespace: kube-system
+ commonName: "*.default.hubble-grpc.cilium.io"
+ hosts:
+ - "*.default.hubble-grpc.cilium.io"
+ usage:
+ - signing
+ - key encipherment
+ - server auth
+ - client auth
+ validity: 8760h
+ - name: hubble-relay-client-certs
+ namespace: kube-system
+ commonName: "*.hubble-relay.cilium.io"
+ hosts:
+ - "*.hubble-relay.cilium.io"
+ usage:
+ - signing
+ - key encipherment
+ - client auth
+ validity: 8760h
+ hostNetwork: false
+ serviceAccount: "hubble-generate-certs"
+ serviceAccountName: "hubble-generate-certs"
+ automountServiceAccountToken: true
+ restartPolicy: OnFailure
+ affinity:
+ ttlSecondsAfterFinished: 1800
diff --git a/clusters/cl01tl/manifests/cilium/Role-hubble-generate-certs.yaml b/clusters/cl01tl/manifests/cilium/Role-hubble-generate-certs.yaml
new file mode 100644
index 000000000..811755bef
--- /dev/null
+++ b/clusters/cl01tl/manifests/cilium/Role-hubble-generate-certs.yaml
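Review bot: The `args` list and the `CILIUM_CERTGEN_CONFIG` block here are a verbatim copy of the ones in CronJob-hubble-generate-certs.yaml, so the one-shot Job and the periodic CronJob will silently drift if only one is edited; add a comment above `env:` in each file pointing at the other, or render both from one shared source. The `"helm.sh/hook": post-install,post-upgrade` annotation only has an effect if the tool applying these rendered manifests honors Helm hooks; if it does not, `ttlSecondsAfterFinished: 1800` removes the finished Job and a GitOps reconciler would recreate and rerun it on the next sync, so confirm this against the deployment tooling and record the outcome in a comment above `annotations:`. As in the CronJob, `affinity:` is a bare null key and `serviceAccount` duplicates `serviceAccountName`.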
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: hubble-generate-certs
+ namespace: kube-system
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ resourceNames:
+ - hubble-server-certs
+ - hubble-relay-client-certs
+ - hubble-relay-server-certs
+ - hubble-metrics-server-certs
+ - hubble-ui-client-certs
+ verbs:
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ resourceNames:
+ - cilium-ca
+ verbs:
+ - get
+ - update
diff --git a/clusters/cl01tl/manifests/cilium/RoleBinding-hubble-generate-certs.yaml b/clusters/cl01tl/manifests/cilium/RoleBinding-hubble-generate-certs.yaml
new file mode 100644
index 000000000..de124e3cf
--- /dev/null
+++ b/clusters/cl01tl/manifests/cilium/RoleBinding-hubble-generate-certs.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: hubble-generate-certs
+ namespace: kube-system
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: hubble-generate-certs
+subjects:
+ - kind: ServiceAccount
+ name: "hubble-generate-certs"
+ namespace: kube-system
diff --git a/clusters/cl01tl/manifests/cilium/ServiceAccount-hubble-generate-certs.yaml b/clusters/cl01tl/manifests/cilium/ServiceAccount-hubble-generate-certs.yaml
new file mode 100644
index 000000000..9e64dedd9
--- /dev/null
+++ b/clusters/cl01tl/manifests/cilium/ServiceAccount-hubble-generate-certs.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "hubble-generate-certs"
+ namespace: kube-system
diff --git a/clusters/cl01tl/manifests/grafana-operator/RedisReplication-redis-replication-remote-cache.yaml b/clusters/cl01tl/manifests/grafana-operator/RedisReplication-redis-replication-remote-cache.yaml
index d63e1fcea..2336c91ac 100644
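Review bot: The `update` rule lists `hubble-relay-server-certs`, `hubble-metrics-server-certs` and `hubble-ui-client-certs`, but the certgen config in CronJob-hubble-generate-certs.yaml and Job-hubble-generate-certs.yaml only produces `hubble-server-certs` and `hubble-relay-client-certs`; trim `resourceNames` to those two, or add a comment saying the extra names are kept for relay/UI/metrics TLS that is not yet enabled. The first rule grants `create` on every Secret in kube-system and cannot be narrowed, because `resourceNames` does not apply to `create`; a comment above it such as `# create cannot be scoped by resourceNames: this SA may create any Secret in kube-system` records the accepted risk and why the RoleBinding must stay limited to the certgen ServiceAccount. The third rule's `get` on `cilium-ca` is read access to the CA private key, which is inherent to signing and worth stating in the same comment.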
--- a/clusters/cl01tl/manifests/grafana-operator/RedisReplication-redis-replication-remote-cache.yaml
+++ b/clusters/cl01tl/manifests/grafana-operator/RedisReplication-redis-replication-remote-cache.yaml
@@ -13,7 +13,7 @@ spec:
 runAsUser: 1000
 fsGroup: 1000
 kubernetesConfig:
- image: quay.io/opstree/redis:v8.0.3
+ image: quay.io/opstree/redis:v8.4.0
 imagePullPolicy: IfNotPresent
 resources:
 requests:
@@ -29,4 +29,4 @@ spec:
 storage: 1Gi
 redisExporter:
 enabled: true
- image: quay.io/opstree/redis-exporter:v1.48.0
+ image: quay.io/opstree/redis-exporter:v1.80.1
diff --git a/clusters/cl01tl/manifests/grafana-operator/RedisReplication-redis-replication-unified-alerting.yaml b/clusters/cl01tl/manifests/grafana-operator/RedisReplication-redis-replication-unified-alerting.yaml
index 8952d40f4..2faa26f2e 100644
--- a/clusters/cl01tl/manifests/grafana-operator/RedisReplication-redis-replication-unified-alerting.yaml
+++ b/clusters/cl01tl/manifests/grafana-operator/RedisReplication-redis-replication-unified-alerting.yaml
@@ -13,7 +13,7 @@ spec:
 runAsUser: 1000
 fsGroup: 1000
 kubernetesConfig:
- image: quay.io/opstree/redis:v8.0.3
+ image: quay.io/opstree/redis:v8.4.0
 imagePullPolicy: IfNotPresent
 resources:
 requests:
@@ -29,4 +29,4 @@ spec:
 storage: 1Gi
 redisExporter:
 enabled: true
- image: quay.io/opstree/redis-exporter:v1.48.0
+ image: quay.io/opstree/redis-exporter:v1.80.1