From 0f050925d2dfd7a6a5707c1cce5d5544eb724ef9 Mon Sep 17 00:00:00 2001
From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com>
Date: Sat, 23 Mar 2024 12:47:16 +1100
Subject: [PATCH 01/28] Remove FluxCD v2.1.1
---
 .../cluster-mgmt/cluster-01/platform.yaml | 2 +-
 .../flux-system/kustomization.yaml | 2 +-
 .../tmp-mgmt/flux-system/kustomization.yaml | 2 +-
 config/README.md | 9 -
 config/cluster-mgmt.env | 3 -
 config/shared.env | 1 -
 go/Taskfile.yaml | 18 +-
 k8s-platform/flux/v2.1.1/gotk-components.yaml | 8029 -----------------
 k8s-platform/flux/v2.1.1/kustomization.yaml | 4 -
 scripts/deploy.sh | 2 +
 10 files changed, 19 insertions(+), 8053 deletions(-)
 delete mode 100644 config/README.md
 delete mode 100644 k8s-platform/flux/v2.1.1/gotk-components.yaml
 delete mode 100644 k8s-platform/flux/v2.1.1/kustomization.yaml
diff --git a/clusters/cluster-mgmt/cluster-01/platform.yaml b/clusters/cluster-mgmt/cluster-01/platform.yaml
index c47e2f9..507f71d 100644
--- a/clusters/cluster-mgmt/cluster-01/platform.yaml
+++ b/clusters/cluster-mgmt/cluster-01/platform.yaml
@@ -10,7 +10,7 @@ spec:
 kind: GitRepository
 name: flux-system
 namespace: flux-system
- path: ./k8s-platform/flux/v2.1.1
+ path: ./k8s-platform/flux/v2.2.2
 prune: true
 kubeConfig:
 secretRef:
diff --git a/clusters/cluster-mgmt/flux-system/kustomization.yaml b/clusters/cluster-mgmt/flux-system/kustomization.yaml
index 6f156fa..61fa51f 100644
--- a/clusters/cluster-mgmt/flux-system/kustomization.yaml
+++ b/clusters/cluster-mgmt/flux-system/kustomization.yaml
@@ -1,5 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ../../../k8s-platform/flux/v2.1.1
+ - ../../../k8s-platform/flux/v2.2.2
 - ./gotk-sync.yaml
diff --git a/clusters/tmp-mgmt/flux-system/kustomization.yaml b/clusters/tmp-mgmt/flux-system/kustomization.yaml
index 6f156fa..61fa51f 100644
--- a/clusters/tmp-mgmt/flux-system/kustomization.yaml
+++ b/clusters/tmp-mgmt/flux-system/kustomization.yaml
@@ -1,5 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ../../../k8s-platform/flux/v2.1.1
+ - ../../../k8s-platform/flux/v2.2.2
 - ./gotk-sync.yaml
diff --git a/config/README.md b/config/README.md
deleted file mode 100644
index 2992fcd..0000000
--- a/config/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# Config
-
-This folder contains all required config for all clusters and components. The config is stored as a shell script that exports settings as envirionment variables. Deploy script will source relevant file before installing components on a given cluster.
-
-Some tools, like cluster-api, accept config as an yaml [init file](https://cluster-api.sigs.k8s.io/clusterctl/configuration.html) (in addition to env var option). This is far better than env vars, but the drawbacks compared to unified env var config is that they are separate files and some settings could be re-used across different components. This may feel as abuse of a variable name, but it helps to keep settings consistent for each cluster, e.g. both CAPI and Cilium need pod CIDR value.
-Another issue with init files is that it is hard to find the schema for them. CAPI documentation doesn't provide easy way to understand the file schema: https://cluster-api.sigs.k8s.io/clusterctl/configuration.html nor it is very clear from source code or the https://pkg.go.dev. Finding an env variable name on the other hand is much easier.
-
-Previously this project was setup using CAPI config file: https://github.com/olga-mir/k8s-multi-cluster/blob/91ea9747b55833970fecd70c44d33ed938a5084a/mgmt-cluster/init-config-mgmt.yaml#L1-L7
-However deploy script was polluted with the config data and cluster templates were hardcoded without option to re-generate them.
diff --git a/config/cluster-mgmt.env b/config/cluster-mgmt.env
index 1cea596..dc76a1f 100644
--- a/config/cluster-mgmt.env
+++ b/config/cluster-mgmt.env
@@ -19,6 +19,3 @@ export WORKER_MACHINE_COUNT="1"
 unset CLUSTER_INT_ID
 export NODE_MASK_SIZE="24"
 export MESH_LABEL_SELECTOR="none"
-
-# Flux
-export FLUXCD_VERSION="2.1.1"
diff --git a/config/shared.env b/config/shared.env
index 912589f..71d9fee 100644
--- a/config/shared.env
+++ b/config/shared.env
@@ -4,7 +4,6 @@ # 'shared' is sourced first, then cluster settings.
 export FLUX_KEY_PATH="$HOME/.ssh/flux-github-key-2"
-export FLUXCD_VERSION="2.2.2"
 export CAPI_VERSION="v1.6.0"
 export CILIUM_VERSION="1.12.3"
diff --git a/go/Taskfile.yaml b/go/Taskfile.yaml
index 196f946..ed5c341 100644
--- a/go/Taskfile.yaml
+++ b/go/Taskfile.yaml
@@ -2,17 +2,19 @@ version: '3'
 tasks:
 build-app:
+ desc: Build the multicluster-demo application
+
 cmds:
 - go build -v ./cmd/multicluster-demo
- desc: Build the multicluster-demo application
 generates:
 - multicluster-demo
 run-deploy:
+ desc: Deploys a multi-cluster setup in a cloud provider of choice by using Cluster API or CrossPlane according to specification provided in config file
+ deps: [build-app]
 cmds:
 - ./multicluster-demo deploy --config .
- desc: Deploys a multi-cluster setup in a cloud provider of choice by using Cluster API or CrossPlane according to specification provided in config file
 sources:
 - "**/*.go"
 - go.mod
@@ -20,17 +22,25 @@ tasks:
 method: checksum
 run-uninstall:
+ desc: Uninstalls all project resources
+ deps: [build-app]
 cmds:
 - ./multicluster-demo uninstall --config .
- desc: Uninstalls all project resources
 sources:
 - "**/*.go"
 - go.mod
 - go.sum
 test:
+ desc: Run all tests in the pkg directory
+
 cmds:
 - go test -v ./pkg/...
- desc: Run all tests in the pkg directory
+
+ help:
+ desc: Prints help for this applicataion
+
+ cmds:
+ - echo "Run 'task -a' for list of available commands"
diff --git a/k8s-platform/flux/v2.1.1/gotk-components.yaml b/k8s-platform/flux/v2.1.1/gotk-components.yaml
deleted file mode 100644
index 1d5c44b..0000000
--- a/k8s-platform/flux/v2.1.1/gotk-components.yaml
+++ /dev/null
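Review bot: The new `help` task's description misspells its last word: `desc: Prints help for this applicataion` should read `desc: Prints help for this application`; `desc` strings are what `task -a` prints for each task, so the typo is user-visible. The added descriptions in this hunk also alternate between imperative (`Build …`, `Run all tests …`) and third-person (`Deploys …`, `Uninstalls …`, `Prints …`) phrasing, and settling on one form keeps that listing consistent. The first Taskfile hunk (old lines 2-18) has the same mixed phrasing and needs nothing further.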
@@ -1,8029 +0,0 @@ ---- -# This manifest was generated by flux. DO NOT EDIT. -# Flux Version: v2.1.1 -# Components: source-controller,kustomize-controller,helm-controller,notification-controller -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - pod-security.kubernetes.io/warn: restricted - pod-security.kubernetes.io/warn-version: latest - name: flux-system ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: allow-egress - namespace: flux-system -spec: - egress: - - {} - ingress: - - from: - - podSelector: {} - podSelector: {} - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: allow-scraping - namespace: flux-system -spec: - ingress: - - from: - - namespaceSelector: {} - ports: - - port: 8080 - protocol: TCP - podSelector: {} - policyTypes: - - Ingress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: allow-webhooks - namespace: flux-system -spec: - ingress: - - from: - - namespaceSelector: {} - podSelector: - matchLabels: - app: notification-controller - policyTypes: - - Ingress ---- -apiVersion: v1 -kind: ResourceQuota -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: critical-pods-flux-system - namespace: flux-system -spec: - hard: - pods: "1000" - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-node-critical - - 
system-cluster-critical ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: crd-controller-flux-system -rules: -- apiGroups: - - source.toolkit.fluxcd.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - kustomize.toolkit.fluxcd.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - helm.toolkit.fluxcd.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - notification.toolkit.fluxcd.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - image.toolkit.fluxcd.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - "" - resources: - - namespaces - - secrets - - configmaps - - serviceaccounts - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - update - - patch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: flux-edit-flux-system -rules: -- apiGroups: - - notification.toolkit.fluxcd.io - - source.toolkit.fluxcd.io - - helm.toolkit.fluxcd.io - - image.toolkit.fluxcd.io - - kustomize.toolkit.fluxcd.io - resources: - - '*' - verbs: - - create - - delete - - deletecollection - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: flux-system - 
app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: flux-view-flux-system -rules: -- apiGroups: - - notification.toolkit.fluxcd.io - - source.toolkit.fluxcd.io - - helm.toolkit.fluxcd.io - - image.toolkit.fluxcd.io - - kustomize.toolkit.fluxcd.io - resources: - - '*' - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: cluster-reconciler-flux-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: -- kind: ServiceAccount - name: kustomize-controller - namespace: flux-system -- kind: ServiceAccount - name: helm-controller - namespace: flux-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: crd-controller-flux-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: crd-controller-flux-system -subjects: -- kind: ServiceAccount - name: kustomize-controller - namespace: flux-system -- kind: ServiceAccount - name: helm-controller - namespace: flux-system -- kind: ServiceAccount - name: source-controller - namespace: flux-system -- kind: ServiceAccount - name: notification-controller - namespace: flux-system -- kind: ServiceAccount - name: image-reflector-controller - namespace: flux-system -- kind: ServiceAccount - name: image-automation-controller - namespace: flux-system ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - 
app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: buckets.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: Bucket - listKind: BucketList - plural: buckets - singular: bucket - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.endpoint - name: Endpoint - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Bucket is the Schema for the buckets API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BucketSpec defines the desired state of an S3 compatible - bucket - properties: - accessFrom: - description: AccessFrom defines an Access Control List for allowing - cross-namespace references to this object. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. 
- items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - bucketName: - description: The bucket name. - type: string - endpoint: - description: The bucket endpoint address. - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - insecure: - description: Insecure allows connecting to a non-TLS S3 HTTP endpoint. - type: boolean - interval: - description: The interval at which to check for bucket updates. - type: string - provider: - default: generic - description: The S3 compatible storage provider name, default ('generic'). - enum: - - generic - - aws - - gcp - type: string - region: - description: The bucket region. - type: string - secretRef: - description: The name of the secret containing authentication credentials - for the Bucket. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - timeout: - default: 60s - description: The timeout for download operations, defaults to 60s. 
- type: string - required: - - bucketName - - endpoint - - interval - type: object - status: - default: - observedGeneration: -1 - description: BucketStatus defines the observed state of a bucket - properties: - artifact: - description: Artifact represents the output of the last successful - Bucket sync. - properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the Bucket. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. 
If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the artifact output of the - last Bucket sync. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.endpoint - name: Endpoint - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: Bucket is the Schema for the buckets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BucketSpec specifies the required configuration to produce - an Artifact for an object storage bucket. - properties: - accessFrom: - description: 'AccessFrom specifies an Access Control List for allowing - cross-namespace references to this object. NOTE: Not implemented, - provisional as of https://github.com/fluxcd/flux2/pull/2092' - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - bucketName: - description: BucketName is the name of the object storage bucket. - type: string - endpoint: - description: Endpoint is the object storage address the BucketName - is located at. - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - insecure: - description: Insecure allows connecting to a non-TLS HTTP Endpoint. - type: boolean - interval: - description: Interval at which the Bucket Endpoint is checked for - updates. 
This interval is approximate and may be subject to jitter - to ensure efficient use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - provider: - default: generic - description: Provider of the object storage bucket. Defaults to 'generic', - which expects an S3 (API) compatible object storage. - enum: - - generic - - aws - - gcp - - azure - type: string - region: - description: Region of the Endpoint where the BucketName is located - in. - type: string - secretRef: - description: SecretRef specifies the Secret containing authentication - credentials for the Bucket. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this Bucket. - type: boolean - timeout: - default: 60s - description: Timeout for fetch operations, defaults to 60s. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - required: - - bucketName - - endpoint - - interval - type: object - status: - default: - observedGeneration: -1 - description: BucketStatus records the observed state of a Bucket. - properties: - artifact: - description: Artifact represents the last successful Bucket reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. 
- type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the Bucket. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. 
For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the Bucket object. - format: int64 - type: integer - observedIgnore: - description: ObservedIgnore is the observed exclusion patterns used - for constructing the source artifact. 
- type: string - url: - description: URL is the dynamic fetch link for the latest Artifact. - It is provided on a "best effort" basis, and using the precise BucketStatus.Artifact - data is recommended. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: gitrepositories.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: GitRepository - listKind: GitRepositoryList - plural: gitrepositories - shortNames: - - gitrepo - singular: gitrepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1 - schema: - openAPIV3Schema: - description: GitRepository is the Schema for the gitrepositories API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GitRepositorySpec specifies the required configuration to - produce an Artifact for a Git repository. - properties: - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - include: - description: Include specifies a list of GitRepository resources which - Artifacts should be included in the Artifact produced for this GitRepository. - items: - description: GitRepositoryInclude specifies a local reference to - a GitRepository which Artifact (sub-)contents must be included, - and where they should be placed. - properties: - fromPath: - description: FromPath specifies the path to copy contents from, - defaults to the root of the Artifact. - type: string - repository: - description: GitRepositoryRef specifies the GitRepository which - Artifact contents must be included. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - toPath: - description: ToPath specifies the path to copy contents to, - defaults to the name of the GitRepositoryRef. - type: string - required: - - repository - type: object - type: array - interval: - description: Interval at which the GitRepository URL is checked for - updates. This interval is approximate and may be subject to jitter - to ensure efficient use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - proxySecretRef: - description: ProxySecretRef specifies the Secret containing the proxy - configuration to use while communicating with the Git server. - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - recurseSubmodules: - description: RecurseSubmodules enables the initialization of all submodules - within the GitRepository as cloned from the URL, using their default - settings. - type: boolean - ref: - description: Reference specifies the Git reference to resolve and - monitor for changes, defaults to the 'master' branch. - properties: - branch: - description: Branch to check out, defaults to 'master' if no other - field is defined. - type: string - commit: - description: "Commit SHA to check out, takes precedence over all - reference fields. \n This can be combined with Branch to shallow - clone the branch, in which the commit is expected to exist." - type: string - name: - description: "Name of the reference to check out; takes precedence - over Branch, Tag and SemVer. \n It must be a valid Git reference: - https://git-scm.com/docs/git-check-ref-format#_description Examples: - \"refs/heads/main\", \"refs/tags/v0.1.0\", \"refs/pull/420/head\", - \"refs/merge-requests/1/head\"" - type: string - semver: - description: SemVer tag expression to check out, takes precedence - over Tag. - type: string - tag: - description: Tag to check out, takes precedence over Branch. - type: string - type: object - secretRef: - description: SecretRef specifies the Secret containing authentication - credentials for the GitRepository. For HTTPS repositories the Secret - must contain 'username' and 'password' fields for basic auth or - 'bearerToken' field for token auth. For SSH repositories the Secret - must contain 'identity' and 'known_hosts' fields. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this GitRepository. - type: boolean - timeout: - default: 60s - description: Timeout for Git operations like cloning, defaults to - 60s. 
- pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - url: - description: URL specifies the Git repository URL, it can be an HTTP/S - or SSH address. - pattern: ^(http|https|ssh)://.*$ - type: string - verify: - description: Verification specifies the configuration to verify the - Git commit signature(s). - properties: - mode: - default: HEAD - description: "Mode specifies which Git object(s) should be verified. - \n The variants \"head\" and \"HEAD\" both imply the same thing, - i.e. verify the commit that the HEAD of the Git repository points - to. The variant \"head\" solely exists to ensure backwards compatibility." - enum: - - head - - HEAD - - Tag - - TagAndHEAD - type: string - secretRef: - description: SecretRef specifies the Secret containing the public - keys of trusted Git authors. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - secretRef - type: object - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: GitRepositoryStatus records the observed state of a Git repository. - properties: - artifact: - description: Artifact represents the last successful GitRepository - reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. 
- type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the GitRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. 
For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - includedArtifacts: - description: IncludedArtifacts contains a list of the last successfully - included Artifacts as instructed by GitRepositorySpec.Include. - items: - description: Artifact represents the output of a Source reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of - ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. 
- format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI - annotations. - type: object - path: - description: Path is the relative file path of the Artifact. - It can be used to locate the file in the root of the Artifact - storage on the local file system of the controller managing - the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the GitRepository object. - format: int64 - type: integer - observedIgnore: - description: ObservedIgnore is the observed exclusion patterns used - for constructing the source artifact. - type: string - observedInclude: - description: ObservedInclude is the observed list of GitRepository - resources used to produce the current Artifact. - items: - description: GitRepositoryInclude specifies a local reference to - a GitRepository which Artifact (sub-)contents must be included, - and where they should be placed. - properties: - fromPath: - description: FromPath specifies the path to copy contents from, - defaults to the root of the Artifact. 
- type: string - repository: - description: GitRepositoryRef specifies the GitRepository which - Artifact contents must be included. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - toPath: - description: ToPath specifies the path to copy contents to, - defaults to the name of the GitRepositoryRef. - type: string - required: - - repository - type: object - type: array - observedRecurseSubmodules: - description: ObservedRecurseSubmodules is the observed resource submodules - configuration used to produce the current Artifact. - type: boolean - sourceVerificationMode: - description: SourceVerificationMode is the last used verification - mode indicating which Git object(s) have been verified. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - deprecationWarning: v1beta1 GitRepository is deprecated, upgrade to v1 - name: v1beta1 - schema: - openAPIV3Schema: - description: GitRepository is the Schema for the gitrepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GitRepositorySpec defines the desired state of a Git repository. - properties: - accessFrom: - description: AccessFrom defines an Access Control List for allowing - cross-namespace references to this object. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - gitImplementation: - default: go-git - description: Determines which git client library to use. Defaults - to go-git, valid values are ('go-git', 'libgit2'). - enum: - - go-git - - libgit2 - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - include: - description: Extra git repositories to map into the repository - items: - description: GitRepositoryInclude defines a source with a from and - to path. - properties: - fromPath: - description: The path to copy contents from, defaults to the - root directory. 
- type: string - repository: - description: Reference to a GitRepository to include. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - toPath: - description: The path to copy contents to, defaults to the name - of the source ref. - type: string - required: - - repository - type: object - type: array - interval: - description: The interval at which to check for repository updates. - type: string - recurseSubmodules: - description: When enabled, after the clone is created, initializes - all submodules within, using their default settings. This option - is available only when using the 'go-git' GitImplementation. - type: boolean - ref: - description: The Git reference to checkout and monitor for changes, - defaults to master branch. - properties: - branch: - description: The Git branch to checkout, defaults to master. - type: string - commit: - description: The Git commit SHA to checkout, if specified Tag - filters will be ignored. - type: string - semver: - description: The Git tag semver expression, takes precedence over - Tag. - type: string - tag: - description: The Git tag to checkout, takes precedence over Branch. - type: string - type: object - secretRef: - description: The secret name containing the Git credentials. For HTTPS - repositories the secret must contain username and password fields. - For SSH repositories the secret must contain identity and known_hosts - fields. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - timeout: - default: 60s - description: The timeout for remote Git operations like cloning, defaults - to 60s. - type: string - url: - description: The repository URL, can be a HTTP/S or SSH address. 
- pattern: ^(http|https|ssh)://.*$ - type: string - verify: - description: Verify OpenPGP signature for the Git commit HEAD points - to. - properties: - mode: - description: Mode describes what git object should be verified, - currently ('head'). - enum: - - head - type: string - secretRef: - description: The secret name containing the public keys of all - trusted Git authors. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - mode - type: object - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: GitRepositoryStatus defines the observed state of a Git repository. - properties: - artifact: - description: Artifact represents the output of the last successful - repository sync. - properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the GitRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - includedArtifacts: - description: IncludedArtifacts represents the included artifacts from - the last successful repository sync. - items: - description: Artifact represents the output of a source synchronisation. - properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the artifact output of the - last repository sync. 
- type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta2 GitRepository is deprecated, upgrade to v1 - name: v1beta2 - schema: - openAPIV3Schema: - description: GitRepository is the Schema for the gitrepositories API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GitRepositorySpec specifies the required configuration to - produce an Artifact for a Git repository. - properties: - accessFrom: - description: 'AccessFrom specifies an Access Control List for allowing - cross-namespace references to this object. NOTE: Not implemented, - provisional as of https://github.com/fluxcd/flux2/pull/2092' - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. 
- items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - gitImplementation: - default: go-git - description: 'GitImplementation specifies which Git client library - implementation to use. Defaults to ''go-git'', valid values are - (''go-git'', ''libgit2''). Deprecated: gitImplementation is deprecated - now that ''go-git'' is the only supported implementation.' - enum: - - go-git - - libgit2 - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - include: - description: Include specifies a list of GitRepository resources which - Artifacts should be included in the Artifact produced for this GitRepository. - items: - description: GitRepositoryInclude specifies a local reference to - a GitRepository which Artifact (sub-)contents must be included, - and where they should be placed. - properties: - fromPath: - description: FromPath specifies the path to copy contents from, - defaults to the root of the Artifact. - type: string - repository: - description: GitRepositoryRef specifies the GitRepository which - Artifact contents must be included. - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - toPath: - description: ToPath specifies the path to copy contents to, - defaults to the name of the GitRepositoryRef. - type: string - required: - - repository - type: object - type: array - interval: - description: Interval at which to check the GitRepository for updates. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - recurseSubmodules: - description: RecurseSubmodules enables the initialization of all submodules - within the GitRepository as cloned from the URL, using their default - settings. - type: boolean - ref: - description: Reference specifies the Git reference to resolve and - monitor for changes, defaults to the 'master' branch. - properties: - branch: - description: Branch to check out, defaults to 'master' if no other - field is defined. - type: string - commit: - description: "Commit SHA to check out, takes precedence over all - reference fields. \n This can be combined with Branch to shallow - clone the branch, in which the commit is expected to exist." - type: string - name: - description: "Name of the reference to check out; takes precedence - over Branch, Tag and SemVer. \n It must be a valid Git reference: - https://git-scm.com/docs/git-check-ref-format#_description Examples: - \"refs/heads/main\", \"refs/tags/v0.1.0\", \"refs/pull/420/head\", - \"refs/merge-requests/1/head\"" - type: string - semver: - description: SemVer tag expression to check out, takes precedence - over Tag. - type: string - tag: - description: Tag to check out, takes precedence over Branch. - type: string - type: object - secretRef: - description: SecretRef specifies the Secret containing authentication - credentials for the GitRepository. For HTTPS repositories the Secret - must contain 'username' and 'password' fields for basic auth or - 'bearerToken' field for token auth. For SSH repositories the Secret - must contain 'identity' and 'known_hosts' fields. 
- properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this GitRepository. - type: boolean - timeout: - default: 60s - description: Timeout for Git operations like cloning, defaults to - 60s. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - url: - description: URL specifies the Git repository URL, it can be an HTTP/S - or SSH address. - pattern: ^(http|https|ssh)://.*$ - type: string - verify: - description: Verification specifies the configuration to verify the - Git commit signature(s). - properties: - mode: - description: Mode specifies what Git object should be verified, - currently ('head'). - enum: - - head - type: string - secretRef: - description: SecretRef specifies the Secret containing the public - keys of trusted Git authors. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - mode - - secretRef - type: object - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: GitRepositoryStatus records the observed state of a Git repository. - properties: - artifact: - description: Artifact represents the last successful GitRepository - reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. 
It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the GitRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - contentConfigChecksum: - description: "ContentConfigChecksum is a checksum of all the configurations - related to the content of the source artifact: - .spec.ignore - - .spec.recurseSubmodules - .spec.included and the checksum of the - included artifacts observed in .status.observedGeneration version - of the object. 
This can be used to determine if the content of the - included repository has changed. It has the format of `:`, - for example: `sha256:`. \n Deprecated: Replaced with explicit - fields for observed artifact content config in the status." - type: string - includedArtifacts: - description: IncludedArtifacts contains a list of the last successfully - included Artifacts as instructed by GitRepositorySpec.Include. - items: - description: Artifact represents the output of a Source reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of - ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI - annotations. - type: object - path: - description: Path is the relative file path of the Artifact. - It can be used to locate the file in the root of the Artifact - storage on the local file system of the controller managing - the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. 
- type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the GitRepository object. - format: int64 - type: integer - observedIgnore: - description: ObservedIgnore is the observed exclusion patterns used - for constructing the source artifact. - type: string - observedInclude: - description: ObservedInclude is the observed list of GitRepository - resources used to to produce the current Artifact. - items: - description: GitRepositoryInclude specifies a local reference to - a GitRepository which Artifact (sub-)contents must be included, - and where they should be placed. - properties: - fromPath: - description: FromPath specifies the path to copy contents from, - defaults to the root of the Artifact. - type: string - repository: - description: GitRepositoryRef specifies the GitRepository which - Artifact contents must be included. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - toPath: - description: ToPath specifies the path to copy contents to, - defaults to the name of the GitRepositoryRef. - type: string - required: - - repository - type: object - type: array - observedRecurseSubmodules: - description: ObservedRecurseSubmodules is the observed resource submodules - configuration used to produce the current Artifact. - type: boolean - url: - description: URL is the dynamic fetch link for the latest Artifact. - It is provided on a "best effort" basis, and using the precise GitRepositoryStatus.Artifact - data is recommended. 
- type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: helmcharts.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: HelmChart - listKind: HelmChartList - plural: helmcharts - shortNames: - - hc - singular: helmchart - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.chart - name: Chart - type: string - - jsonPath: .spec.version - name: Version - type: string - - jsonPath: .spec.sourceRef.kind - name: Source Kind - type: string - - jsonPath: .spec.sourceRef.name - name: Source Name - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: HelmChart is the Schema for the helmcharts API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmChartSpec defines the desired state of a Helm chart. - properties: - accessFrom: - description: AccessFrom defines an Access Control List for allowing - cross-namespace references to this object. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - chart: - description: The name or path the Helm chart is available at in the - SourceRef. - type: string - interval: - description: The interval at which to check the Source for updates. - type: string - reconcileStrategy: - default: ChartVersion - description: Determines what enables the creation of a new artifact. - Valid values are ('ChartVersion', 'Revision'). See the documentation - of the values for an explanation on their behavior. Defaults to - ChartVersion when omitted. - enum: - - ChartVersion - - Revision - type: string - sourceRef: - description: The reference to the Source the chart is available at. - properties: - apiVersion: - description: APIVersion of the referent. - type: string - kind: - description: Kind of the referent, valid values are ('HelmRepository', - 'GitRepository', 'Bucket'). 
- enum: - - HelmRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - valuesFile: - description: Alternative values file to use as the default chart values, - expected to be a relative path in the SourceRef. Deprecated in favor - of ValuesFiles, for backwards compatibility the file defined here - is merged before the ValuesFiles items. Ignored when omitted. - type: string - valuesFiles: - description: Alternative list of values files to use as the chart - values (values.yaml is not included by default), expected to be - a relative path in the SourceRef. Values files are merged in the - order of this list with the last file overriding the first. Ignored - when omitted. - items: - type: string - type: array - version: - default: '*' - description: The chart version semver expression, ignored for charts - from GitRepository and Bucket sources. Defaults to latest when omitted. - type: string - required: - - chart - - interval - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: HelmChartStatus defines the observed state of the HelmChart. - properties: - artifact: - description: Artifact represents the output of the last successful - chart sync. - properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. 
- type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmChart. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. 
Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the last chart pulled. 
- type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.chart - name: Chart - type: string - - jsonPath: .spec.version - name: Version - type: string - - jsonPath: .spec.sourceRef.kind - name: Source Kind - type: string - - jsonPath: .spec.sourceRef.name - name: Source Name - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: HelmChart is the Schema for the helmcharts API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmChartSpec specifies the desired state of a Helm chart. - properties: - accessFrom: - description: 'AccessFrom specifies an Access Control List for allowing - cross-namespace references to this object. NOTE: Not implemented, - provisional as of https://github.com/fluxcd/flux2/pull/2092' - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. 
- items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - chart: - description: Chart is the name or path the Helm chart is available - at in the SourceRef. - type: string - interval: - description: Interval at which the HelmChart SourceRef is checked - for updates. This interval is approximate and may be subject to - jitter to ensure efficient use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - reconcileStrategy: - default: ChartVersion - description: ReconcileStrategy determines what enables the creation - of a new artifact. Valid values are ('ChartVersion', 'Revision'). - See the documentation of the values for an explanation on their - behavior. Defaults to ChartVersion when omitted. - enum: - - ChartVersion - - Revision - type: string - sourceRef: - description: SourceRef is the reference to the Source the chart is - available at. - properties: - apiVersion: - description: APIVersion of the referent. - type: string - kind: - description: Kind of the referent, valid values are ('HelmRepository', - 'GitRepository', 'Bucket'). - enum: - - HelmRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - required: - - kind - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this source. 
- type: boolean - valuesFile: - description: ValuesFile is an alternative values file to use as the - default chart values, expected to be a relative path in the SourceRef. - Deprecated in favor of ValuesFiles, for backwards compatibility - the file specified here is merged before the ValuesFiles items. - Ignored when omitted. - type: string - valuesFiles: - description: ValuesFiles is an alternative list of values files to - use as the chart values (values.yaml is not included by default), - expected to be a relative path in the SourceRef. Values files are - merged in the order of this list with the last file overriding the - first. Ignored when omitted. - items: - type: string - type: array - verify: - description: Verify contains the secret name containing the trusted - public keys used to verify the signature and specifies which provider - to use to check whether OCI image is authentic. This field is only - supported when using HelmRepository source with spec.type 'oci'. - Chart dependencies, which are not bundled in the umbrella chart - artifact, are not verified. - properties: - provider: - default: cosign - description: Provider specifies the technology used to sign the - OCI Artifact. - enum: - - cosign - type: string - secretRef: - description: SecretRef specifies the Kubernetes Secret containing - the trusted public keys. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - version: - default: '*' - description: Version is the chart version semver expression, ignored - for charts from GitRepository and Bucket sources. Defaults to latest - when omitted. - type: string - required: - - chart - - interval - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: HelmChartStatus records the observed state of the HelmChart. 
- properties: - artifact: - description: Artifact represents the output of the last successful - reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmChart. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedChartName: - description: ObservedChartName is the last observed chart name as - specified by the resolved chart reference. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the HelmChart object. - format: int64 - type: integer - observedSourceArtifactRevision: - description: ObservedSourceArtifactRevision is the last observed Artifact.Revision - of the HelmChartSpec.SourceRef. - type: string - url: - description: URL is the dynamic fetch link for the latest Artifact. - It is provided on a "best effort" basis, and using the precise BucketStatus.Artifact - data is recommended. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: helmrepositories.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: HelmRepository - listKind: HelmRepositoryList - plural: helmrepositories - shortNames: - - helmrepo - singular: helmrepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: HelmRepository is the Schema for the helmrepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmRepositorySpec defines the reference to a Helm repository. 
- properties: - accessFrom: - description: AccessFrom defines an Access Control List for allowing - cross-namespace references to this object. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - interval: - description: The interval at which to check the upstream for updates. - type: string - passCredentials: - description: PassCredentials allows the credentials from the SecretRef - to be passed on to a host that does not match the host as defined - in URL. This may be required if the host of the advertised chart - URLs in the index differ from the defined URL. Enabling this should - be done with caution, as it can potentially result in credentials - getting stolen in a MITM-attack. - type: boolean - secretRef: - description: The name of the secret containing authentication credentials - for the Helm repository. For HTTP/S basic auth the secret must contain - username and password fields. For TLS the secret must contain a - certFile and keyFile, and/or caFile fields. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. 
- type: boolean - timeout: - default: 60s - description: The timeout of index downloading, defaults to 60s. - type: string - url: - description: The Helm repository URL, a valid URL contains at least - a protocol and host. - type: string - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: HelmRepositoryStatus defines the observed state of the HelmRepository. - properties: - artifact: - description: Artifact represents the output of the last successful - repository sync. - properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the last index fetched. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: HelmRepository is the Schema for the helmrepositories API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmRepositorySpec specifies the required configuration to - produce an Artifact for a Helm repository index YAML. - properties: - accessFrom: - description: 'AccessFrom specifies an Access Control List for allowing - cross-namespace references to this object. NOTE: Not implemented, - provisional as of https://github.com/fluxcd/flux2/pull/2092' - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - certSecretRef: - description: "CertSecretRef can be given the name of a Secret containing - either or both of \n - a PEM-encoded client certificate (`tls.crt`) - and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) - \n and whichever are supplied, will be used for connecting to the - registry. The client cert and key are useful if you are authenticating - with a certificate; the CA cert is useful if you are using a self-signed - server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. 
- \n It takes precedence over the values specified in the Secret referred - to by `.spec.secretRef`." - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - interval: - description: Interval at which the HelmRepository URL is checked for - updates. This interval is approximate and may be subject to jitter - to ensure efficient use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - passCredentials: - description: PassCredentials allows the credentials from the SecretRef - to be passed on to a host that does not match the host as defined - in URL. This may be required if the host of the advertised chart - URLs in the index differ from the defined URL. Enabling this should - be done with caution, as it can potentially result in credentials - getting stolen in a MITM-attack. - type: boolean - provider: - default: generic - description: Provider used for authentication, can be 'aws', 'azure', - 'gcp' or 'generic'. This field is optional, and only taken into - account if the .spec.type field is set to 'oci'. When not specified, - defaults to 'generic'. - enum: - - generic - - aws - - azure - - gcp - type: string - secretRef: - description: SecretRef specifies the Secret containing authentication - credentials for the HelmRepository. For HTTP/S basic auth the secret - must contain 'username' and 'password' fields. Support for TLS auth - using the 'certFile' and 'keyFile', and/or 'caFile' keys is deprecated. - Please use `.spec.certSecretRef` instead. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this HelmRepository. - type: boolean - timeout: - default: 60s - description: Timeout is used for the index fetch operation for an - HTTPS helm repository, and for remote OCI Repository operations - like pulling for an OCI helm repository. 
Its default value is 60s. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: - description: Type of the HelmRepository. When this field is set to "oci", - the URL field value must be prefixed with "oci://". - enum: - - default - - oci - type: string - url: - description: URL of the Helm repository, a valid URL contains at least - a protocol and host. - type: string - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: HelmRepositoryStatus records the observed state of the HelmRepository. - properties: - artifact: - description: Artifact represents the last successful HelmRepository - reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. 
- type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. 
The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the HelmRepository object. - format: int64 - type: integer - url: - description: URL is the dynamic fetch link for the latest Artifact. - It is provided on a "best effort" basis, and using the precise HelmRepositoryStatus.Artifact - data is recommended. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: ocirepositories.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: OCIRepository - listKind: OCIRepositoryList - plural: ocirepositories - shortNames: - - ocirepo - singular: ocirepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta2 - schema: - openAPIV3Schema: - description: OCIRepository is the Schema for the ocirepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: OCIRepositorySpec defines the desired state of OCIRepository - properties: - certSecretRef: - description: "CertSecretRef can be given the name of a Secret containing - either or both of \n - a PEM-encoded client certificate (`tls.crt`) - and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) - \n and whichever are supplied, will be used for connecting to the - registry. The client cert and key are useful if you are authenticating - with a certificate; the CA cert is useful if you are using a self-signed - server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. - \n Note: Support for the `caFile`, `certFile` and `keyFile` keys - have been deprecated." - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - insecure: - description: Insecure allows connecting to a non-TLS HTTP container - registry. - type: boolean - interval: - description: Interval at which the OCIRepository URL is checked for - updates. This interval is approximate and may be subject to jitter - to ensure efficient use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - layerSelector: - description: LayerSelector specifies which layer should be extracted - from the OCI artifact. When not specified, the first layer found - in the artifact is selected. - properties: - mediaType: - description: MediaType specifies the OCI media type of the layer - which should be extracted from the OCI Artifact. The first layer - matching this type is selected. 
- type: string - operation: - description: Operation specifies how the selected layer should - be processed. By default, the layer compressed content is extracted - to storage. When the operation is set to 'copy', the layer compressed - content is persisted to storage as it is. - enum: - - extract - - copy - type: string - type: object - provider: - default: generic - description: The provider used for authentication, can be 'aws', 'azure', - 'gcp' or 'generic'. When not specified, defaults to 'generic'. - enum: - - generic - - aws - - azure - - gcp - type: string - ref: - description: The OCI reference to pull and monitor for changes, defaults - to the latest tag. - properties: - digest: - description: Digest is the image digest to pull, takes precedence - over SemVer. The value should be in the format 'sha256:'. - type: string - semver: - description: SemVer is the range of tags to pull selecting the - latest within the range, takes precedence over Tag. - type: string - tag: - description: Tag is the image tag to pull, defaults to latest. - type: string - type: object - secretRef: - description: SecretRef contains the secret name containing the registry - login credentials to resolve image metadata. The secret must be - of type kubernetes.io/dockerconfigjson. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - serviceAccountName: - description: 'ServiceAccountName is the name of the Kubernetes ServiceAccount - used to authenticate the image pull if the service account has attached - pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account' - type: string - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - timeout: - default: 60s - description: The timeout for remote OCI Repository operations like - pulling, defaults to 60s. 
- pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - url: - description: URL is a reference to an OCI artifact repository hosted - on a remote container registry. - pattern: ^oci://.*$ - type: string - verify: - description: Verify contains the secret name containing the trusted - public keys used to verify the signature and specifies which provider - to use to check whether OCI image is authentic. - properties: - provider: - default: cosign - description: Provider specifies the technology used to sign the - OCI Artifact. - enum: - - cosign - type: string - secretRef: - description: SecretRef specifies the Kubernetes Secret containing - the trusted public keys. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: OCIRepositoryStatus defines the observed state of OCIRepository - properties: - artifact: - description: Artifact represents the output of the last successful - OCI Repository sync. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. 
- type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the OCIRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - contentConfigChecksum: - description: "ContentConfigChecksum is a checksum of all the configurations - related to the content of the source artifact: - .spec.ignore - - .spec.layerSelector observed in .status.observedGeneration version - of the object. This can be used to determine if the content configuration - has changed and the artifact needs to be rebuilt. It has the format - of `:`, for example: `sha256:`. \n Deprecated: - Replaced with explicit fields for observed artifact content config - in the status." - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. 
- type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - observedIgnore: - description: ObservedIgnore is the observed exclusion patterns used - for constructing the source artifact. - type: string - observedLayerSelector: - description: ObservedLayerSelector is the observed layer selector - used for constructing the source artifact. - properties: - mediaType: - description: MediaType specifies the OCI media type of the layer - which should be extracted from the OCI Artifact. The first layer - matching this type is selected. - type: string - operation: - description: Operation specifies how the selected layer should - be processed. By default, the layer compressed content is extracted - to storage. When the operation is set to 'copy', the layer compressed - content is persisted to storage as it is. - enum: - - extract - - copy - type: string - type: object - url: - description: URL is the download link for the artifact output of the - last OCI Repository sync. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: source-controller - namespace: flux-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - control-plane: controller - name: source-controller - namespace: flux-system -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - selector: - app: source-controller - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - control-plane: controller - name: source-controller - namespace: flux-system -spec: - replicas: 1 - selector: - matchLabels: - app: source-controller - strategy: - type: Recreate - template: - metadata: - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: - app: source-controller - spec: - containers: - - args: - - --events-addr=http://notification-controller.flux-system.svc.cluster.local./ - - --watch-all-namespaces=true - - --log-level=info - - --log-encoding=json - - --enable-leader-election - - --storage-path=/data - - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.cluster.local. 
- env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: TUF_ROOT - value: /tmp/.sigstore - image: ghcr.io/fluxcd/source-controller:v1.1.1 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 9090 - name: http - protocol: TCP - - containerPort: 8080 - name: http-prom - protocol: TCP - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: / - port: http - resources: - limits: - cpu: 1000m - memory: 1Gi - requests: - cpu: 50m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - securityContext: - fsGroup: 1337 - serviceAccountName: source-controller - terminationGracePeriodSeconds: 10 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: kustomize-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: kustomizations.kustomize.toolkit.fluxcd.io -spec: - group: kustomize.toolkit.fluxcd.io - names: - kind: Kustomization - listKind: KustomizationList - plural: kustomizations - shortNames: - - ks - singular: kustomization - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - 
name: v1 - schema: - openAPIV3Schema: - description: Kustomization is the Schema for the kustomizations API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KustomizationSpec defines the configuration to calculate - the desired state from a Source using Kustomize. - properties: - commonMetadata: - description: CommonMetadata specifies the common labels and annotations - that are applied to all resources. Any existing label or annotation - will be overridden if its key matches a common one. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to the object's metadata. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to the object's metadata. - type: object - type: object - components: - description: Components specifies relative paths to specifications - of other Components. - items: - type: string - type: array - decryption: - description: Decrypt Kubernetes secrets before applying them on the - cluster. - properties: - provider: - description: Provider is the name of the decryption engine. - enum: - - sops - type: string - secretRef: - description: The secret name containing the private OpenPGP keys - used for decryption. - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - required: - - provider - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to Kustomization resources that must be ready - before this Kustomization can be reconciled. - items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - type: array - force: - default: false - description: Force instructs the controller to recreate resources - when patching fails due to an immutable field change. - type: boolean - healthChecks: - description: A list of resources to be included in the health assessment. - items: - description: NamespacedObjectKindReference contains enough information - to locate the typed referenced Kubernetes resource object in any - namespace. - properties: - apiVersion: - description: API version of the referent, if not specified the - Kubernetes preferred version will be used. - type: string - kind: - description: Kind of the referent. - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - kind - - name - type: object - type: array - images: - description: Images is a list of (image name, new name, new tag or - digest) for changing image names, tags or digests. This can also - be achieved with a patch, but this operator is simpler to specify. - items: - description: Image contains an image name, a new name, a new tag - or digest, which will replace the original name and tag. 
- properties: - digest: - description: Digest is the value used to replace the original - image tag. If digest is present NewTag value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace the original - name. - type: string - newTag: - description: NewTag is the value used to replace the original - tag. - type: string - required: - - name - type: object - type: array - interval: - description: The interval at which to reconcile the Kustomization. - This interval is approximate and may be subject to jitter to ensure - efficient use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - kubeConfig: - description: The KubeConfig for reconciling the Kustomization on a - remote cluster. When used in combination with KustomizationSpec.ServiceAccountName, - forces the controller to act on behalf of that Service Account at - the target cluster. If the --default-service-account flag is set, - its value will be used as a controller level fallback for when KustomizationSpec.ServiceAccountName - is empty. - properties: - secretRef: - description: SecretRef holds the name of a secret that contains - a key with the kubeconfig file as the value. If no key is set, - the key will default to 'value'. It is recommended that the - kubeconfig is self-contained, and the secret is regularly updated - if credentials such as a cloud-access-token expire. Cloud specific - `cmd-path` auth helpers will not function without adding binaries - and credentials to the Pod that is responsible for reconciling - Kubernetes resources. - properties: - key: - description: Key in the Secret, when not specified an implementation-specific - default key is used. - type: string - name: - description: Name of the Secret. 
- type: string - required: - - name - type: object - required: - - secretRef - type: object - patches: - description: Strategic merge and JSON patches, defined as inline YAML - objects, capable of targeting objects based on kind, label and annotation - selectors. - items: - description: Patch contains an inline StrategicMerge or JSON6902 - patch, and the target the patch should be applied to. - properties: - patch: - description: Patch contains an inline StrategicMerge patch or - an inline JSON6902 patch with an array of operation objects. - type: string - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. 
Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - path: - description: Path to the directory containing the kustomization.yaml - file, or the set of plain YAMLs a kustomization.yaml should be generated - for. Defaults to 'None', which translates to the root path of the - SourceRef. - type: string - postBuild: - description: PostBuild describes which actions to perform on the YAML - manifest generated by building the kustomize overlay. - properties: - substitute: - additionalProperties: - type: string - description: Substitute holds a map of key/value pairs. The variables - defined in your YAML manifests that match any of the keys defined - in the map will be substituted with the set value. Includes - support for bash string replacement functions e.g. ${var:=default}, - ${var:position} and ${var/substring/replacement}. - type: object - substituteFrom: - description: SubstituteFrom holds references to ConfigMaps and - Secrets containing the variables and their values to be substituted - in the YAML manifests. The ConfigMap and the Secret data keys - represent the var names, and they must match the vars declared - in the manifests for the substitution to happen. - items: - description: SubstituteReference contains a reference to a resource - containing the variables name and value. - properties: - kind: - description: Kind of the values referent, valid values are - ('Secret', 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside - in the same namespace as the referring resource. 
- maxLength: 253 - minLength: 1 - type: string - optional: - default: false - description: Optional indicates whether the referenced resource - must exist, or whether to tolerate its absence. If true - and the referenced resource is absent, proceed as if the - resource was present but empty, without any variables - defined. - type: boolean - required: - - kind - - name - type: object - type: array - type: object - prune: - description: Prune enables garbage collection. - type: boolean - retryInterval: - description: The interval at which to retry a previously failed reconciliation. - When not specified, the controller uses the KustomizationSpec.Interval - value to retry failures. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this Kustomization. - type: string - sourceRef: - description: Reference of the source where the kustomization file - is. - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - description: Kind of the referent. - enum: - - OCIRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, defaults to the namespace - of the Kubernetes resource object that contains the reference. - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - kustomize executions, it does not apply to already started executions. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace sets or overrides the namespace in the - kustomization.yaml file. - maxLength: 63 - minLength: 1 - type: string - timeout: - description: Timeout for validation, apply and health checking operations. - Defaults to 'Interval' duration. 
- pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - wait: - description: Wait instructs the controller to check the health of - all the reconciled resources. When enabled, the HealthChecks are - ignored. Defaults to false. - type: boolean - required: - - interval - - prune - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: KustomizationStatus defines the observed state of a kustomization. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - inventory: - description: Inventory contains the list of Kubernetes resource object - references that have been successfully applied. - properties: - entries: - description: Entries of Kubernetes resource object references. - items: - description: ResourceRef contains the information necessary - to locate a resource within a cluster. - properties: - id: - description: ID is the string representation of the Kubernetes - resource object's metadata, in the format '___'. - type: string - v: - description: Version is the API version of the Kubernetes - resource object's kind. 
- type: string - required: - - id - - v - type: object - type: array - required: - - entries - type: object - lastAppliedRevision: - description: The last successfully applied revision. Equals the Revision - of the applied Artifact from the referenced Source. - type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - deprecationWarning: v1beta1 Kustomization is deprecated, upgrade to v1 - name: v1beta1 - schema: - openAPIV3Schema: - description: Kustomization is the Schema for the kustomizations API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KustomizationSpec defines the desired state of a kustomization. - properties: - decryption: - description: Decrypt Kubernetes secrets before applying them on the - cluster. - properties: - provider: - description: Provider is the name of the decryption engine. - enum: - - sops - type: string - secretRef: - description: The secret name containing the private OpenPGP keys - used for decryption. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to Kustomization resources that must be ready - before this Kustomization can be reconciled. - items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - type: array - force: - default: false - description: Force instructs the controller to recreate resources - when patching fails due to an immutable field change. - type: boolean - healthChecks: - description: A list of resources to be included in the health assessment. - items: - description: NamespacedObjectKindReference contains enough information - to locate the typed referenced Kubernetes resource object in any - namespace. - properties: - apiVersion: - description: API version of the referent, if not specified the - Kubernetes preferred version will be used. - type: string - kind: - description: Kind of the referent. - type: string - name: - description: Name of the referent. 
- type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - kind - - name - type: object - type: array - images: - description: Images is a list of (image name, new name, new tag or - digest) for changing image names, tags or digests. This can also - be achieved with a patch, but this operator is simpler to specify. - items: - description: Image contains an image name, a new name, a new tag - or digest, which will replace the original name and tag. - properties: - digest: - description: Digest is the value used to replace the original - image tag. If digest is present NewTag value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace the original - name. - type: string - newTag: - description: NewTag is the value used to replace the original - tag. - type: string - required: - - name - type: object - type: array - interval: - description: The interval at which to reconcile the Kustomization. - type: string - kubeConfig: - description: The KubeConfig for reconciling the Kustomization on a - remote cluster. When specified, KubeConfig takes precedence over - ServiceAccountName. - properties: - secretRef: - description: SecretRef holds the name to a secret that contains - a 'value' key with the kubeconfig file as the value. It must - be in the same namespace as the Kustomization. It is recommended - that the kubeconfig is self-contained, and the secret is regularly - updated if credentials such as a cloud-access-token expire. - Cloud specific `cmd-path` auth helpers will not function without - adding binaries and credentials to the Pod that is responsible - for reconciling the Kustomization. - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - type: object - patches: - description: Strategic merge and JSON patches, defined as inline YAML - objects, capable of targeting objects based on kind, label and annotation - selectors. - items: - description: Patch contains an inline StrategicMerge or JSON6902 - patch, and the target the patch should be applied to. - properties: - patch: - description: Patch contains an inline StrategicMerge patch or - an inline JSON6902 patch with an array of operation objects. - type: string - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. 
Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - patchesJson6902: - description: JSON 6902 patches, defined as inline YAML objects. - items: - description: JSON6902Patch contains a JSON6902 patch and the target - the patch should be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document with - an array of operation objects. - items: - description: JSON6902 is a JSON6902 operation object. https://datatracker.ietf.org/doc/html/rfc6902#section-4 - properties: - from: - description: From contains a JSON-pointer value that references - a location within the target document where the operation - is performed. The meaning of the value depends on the - value of Op, and is NOT taken into account by all operations. - type: string - op: - description: Op indicates the operation to perform. Its - value MUST be one of "add", "remove", "replace", "move", - "copy", or "test". https://datatracker.ietf.org/doc/html/rfc6902#section-4 - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - description: Path contains the JSON-pointer value that - references a location within the target document where - the operation is performed. The meaning of the value - depends on the value of Op. - type: string - value: - description: Value contains a valid JSON structure. The - meaning of the value depends on the value of Op, and - is NOT taken into account by all operations. - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the patch document - should be applied to. 
- properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: Strategic merge patches, defined as inline YAML objects. - items: - x-kubernetes-preserve-unknown-fields: true - type: array - path: - description: Path to the directory containing the kustomization.yaml - file, or the set of plain YAMLs a kustomization.yaml should be generated - for. 
Defaults to 'None', which translates to the root path of the - SourceRef. - type: string - postBuild: - description: PostBuild describes which actions to perform on the YAML - manifest generated by building the kustomize overlay. - properties: - substitute: - additionalProperties: - type: string - description: Substitute holds a map of key/value pairs. The variables - defined in your YAML manifests that match any of the keys defined - in the map will be substituted with the set value. Includes - support for bash string replacement functions e.g. ${var:=default}, - ${var:position} and ${var/substring/replacement}. - type: object - substituteFrom: - description: SubstituteFrom holds references to ConfigMaps and - Secrets containing the variables and their values to be substituted - in the YAML manifests. The ConfigMap and the Secret data keys - represent the var names and they must match the vars declared - in the manifests for the substitution to happen. - items: - description: SubstituteReference contains a reference to a resource - containing the variables name and value. - properties: - kind: - description: Kind of the values referent, valid values are - ('Secret', 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside - in the same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - type: object - prune: - description: Prune enables garbage collection. - type: boolean - retryInterval: - description: The interval at which to retry a previously failed reconciliation. - When not specified, the controller uses the KustomizationSpec.Interval - value to retry failures. - type: string - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this Kustomization. 
- type: string - sourceRef: - description: Reference of the source where the kustomization file - is. - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - GitRepository - - Bucket - type: string - name: - description: Name of the referent - type: string - namespace: - description: Namespace of the referent, defaults to the Kustomization - namespace - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - kustomize executions, it does not apply to already started executions. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace sets or overrides the namespace in the - kustomization.yaml file. - maxLength: 63 - minLength: 1 - type: string - timeout: - description: Timeout for validation, apply and health checking operations. - Defaults to 'Interval' duration. - type: string - validation: - description: Validate the Kubernetes objects before applying them - on the cluster. The validation strategy can be 'client' (local dry-run), - 'server' (APIServer dry-run) or 'none'. When 'Force' is 'true', - validation will fallback to 'client' if set to 'server' because - server-side validation is not supported in this scenario. - enum: - - none - - client - - server - type: string - required: - - interval - - prune - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: KustomizationStatus defines the observed state of a kustomization. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastAppliedRevision: - description: The last successfully applied revision. The revision - format for Git sources is /. - type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - snapshot: - description: The last successfully applied revision metadata. - properties: - checksum: - description: The manifests sha1 checksum. - type: string - entries: - description: A list of Kubernetes kinds grouped by namespace. - items: - description: Snapshot holds the metadata of namespaced Kubernetes - objects - properties: - kinds: - additionalProperties: - type: string - description: The list of Kubernetes kinds. - type: object - namespace: - description: The namespace of this entry. 
- type: string - required: - - kinds - type: object - type: array - required: - - checksum - - entries - type: object - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta2 Kustomization is deprecated, upgrade to v1 - name: v1beta2 - schema: - openAPIV3Schema: - description: Kustomization is the Schema for the kustomizations API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KustomizationSpec defines the configuration to calculate - the desired state from a Source using Kustomize. - properties: - commonMetadata: - description: CommonMetadata specifies the common labels and annotations - that are applied to all resources. Any existing label or annotation - will be overridden if its key matches a common one. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to the object's metadata. 
- type: object - labels: - additionalProperties: - type: string - description: Labels to be added to the object's metadata. - type: object - type: object - components: - description: Components specifies relative paths to specifications - of other Components. - items: - type: string - type: array - decryption: - description: Decrypt Kubernetes secrets before applying them on the - cluster. - properties: - provider: - description: Provider is the name of the decryption engine. - enum: - - sops - type: string - secretRef: - description: The secret name containing the private OpenPGP keys - used for decryption. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to Kustomization resources that must be ready - before this Kustomization can be reconciled. - items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - type: array - force: - default: false - description: Force instructs the controller to recreate resources - when patching fails due to an immutable field change. - type: boolean - healthChecks: - description: A list of resources to be included in the health assessment. - items: - description: NamespacedObjectKindReference contains enough information - to locate the typed referenced Kubernetes resource object in any - namespace. - properties: - apiVersion: - description: API version of the referent, if not specified the - Kubernetes preferred version will be used. - type: string - kind: - description: Kind of the referent. 
- type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - kind - - name - type: object - type: array - images: - description: Images is a list of (image name, new name, new tag or - digest) for changing image names, tags or digests. This can also - be achieved with a patch, but this operator is simpler to specify. - items: - description: Image contains an image name, a new name, a new tag - or digest, which will replace the original name and tag. - properties: - digest: - description: Digest is the value used to replace the original - image tag. If digest is present NewTag value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace the original - name. - type: string - newTag: - description: NewTag is the value used to replace the original - tag. - type: string - required: - - name - type: object - type: array - interval: - description: The interval at which to reconcile the Kustomization. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - kubeConfig: - description: The KubeConfig for reconciling the Kustomization on a - remote cluster. When used in combination with KustomizationSpec.ServiceAccountName, - forces the controller to act on behalf of that Service Account at - the target cluster. If the --default-service-account flag is set, - its value will be used as a controller level fallback for when KustomizationSpec.ServiceAccountName - is empty. - properties: - secretRef: - description: SecretRef holds the name of a secret that contains - a key with the kubeconfig file as the value. If no key is set, - the key will default to 'value'. It is recommended that the - kubeconfig is self-contained, and the secret is regularly updated - if credentials such as a cloud-access-token expire. 
Cloud specific - `cmd-path` auth helpers will not function without adding binaries - and credentials to the Pod that is responsible for reconciling - Kubernetes resources. - properties: - key: - description: Key in the Secret, when not specified an implementation-specific - default key is used. - type: string - name: - description: Name of the Secret. - type: string - required: - - name - type: object - required: - - secretRef - type: object - patches: - description: Strategic merge and JSON patches, defined as inline YAML - objects, capable of targeting objects based on kind, label and annotation - selectors. - items: - description: Patch contains an inline StrategicMerge or JSON6902 - patch, and the target the patch should be applied to. - properties: - patch: - description: Patch contains an inline StrategicMerge patch or - an inline JSON6902 patch with an array of operation objects. - type: string - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. 
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - patchesJson6902: - description: 'JSON 6902 patches, defined as inline YAML objects. Deprecated: - Use Patches instead.' - items: - description: JSON6902Patch contains a JSON6902 patch and the target - the patch should be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document with - an array of operation objects. - items: - description: JSON6902 is a JSON6902 operation object. https://datatracker.ietf.org/doc/html/rfc6902#section-4 - properties: - from: - description: From contains a JSON-pointer value that references - a location within the target document where the operation - is performed. The meaning of the value depends on the - value of Op, and is NOT taken into account by all operations. - type: string - op: - description: Op indicates the operation to perform. Its - value MUST be one of "add", "remove", "replace", "move", - "copy", or "test". 
https://datatracker.ietf.org/doc/html/rfc6902#section-4 - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - description: Path contains the JSON-pointer value that - references a location within the target document where - the operation is performed. The meaning of the value - depends on the value of Op. - type: string - value: - description: Value contains a valid JSON structure. The - meaning of the value depends on the value of Op, and - is NOT taken into account by all operations. - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. 
- type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: 'Strategic merge patches, defined as inline YAML objects. - Deprecated: Use Patches instead.' - items: - x-kubernetes-preserve-unknown-fields: true - type: array - path: - description: Path to the directory containing the kustomization.yaml - file, or the set of plain YAMLs a kustomization.yaml should be generated - for. Defaults to 'None', which translates to the root path of the - SourceRef. - type: string - postBuild: - description: PostBuild describes which actions to perform on the YAML - manifest generated by building the kustomize overlay. - properties: - substitute: - additionalProperties: - type: string - description: Substitute holds a map of key/value pairs. The variables - defined in your YAML manifests that match any of the keys defined - in the map will be substituted with the set value. Includes - support for bash string replacement functions e.g. ${var:=default}, - ${var:position} and ${var/substring/replacement}. - type: object - substituteFrom: - description: SubstituteFrom holds references to ConfigMaps and - Secrets containing the variables and their values to be substituted - in the YAML manifests. The ConfigMap and the Secret data keys - represent the var names and they must match the vars declared - in the manifests for the substitution to happen. - items: - description: SubstituteReference contains a reference to a resource - containing the variables name and value. - properties: - kind: - description: Kind of the values referent, valid values are - ('Secret', 'ConfigMap'). 
- enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside - in the same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - optional: - default: false - description: Optional indicates whether the referenced resource - must exist, or whether to tolerate its absence. If true - and the referenced resource is absent, proceed as if the - resource was present but empty, without any variables - defined. - type: boolean - required: - - kind - - name - type: object - type: array - type: object - prune: - description: Prune enables garbage collection. - type: boolean - retryInterval: - description: The interval at which to retry a previously failed reconciliation. - When not specified, the controller uses the KustomizationSpec.Interval - value to retry failures. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this Kustomization. - type: string - sourceRef: - description: Reference of the source where the kustomization file - is. - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - description: Kind of the referent. - enum: - - OCIRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, defaults to the namespace - of the Kubernetes resource object that contains the reference. - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - kustomize executions, it does not apply to already started executions. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace sets or overrides the namespace in the - kustomization.yaml file. 
- maxLength: 63 - minLength: 1 - type: string - timeout: - description: Timeout for validation, apply and health checking operations. - Defaults to 'Interval' duration. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - validation: - description: 'Deprecated: Not used in v1beta2.' - enum: - - none - - client - - server - type: string - wait: - description: Wait instructs the controller to check the health of - all the reconciled resources. When enabled, the HealthChecks are - ignored. Defaults to false. - type: boolean - required: - - interval - - prune - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: KustomizationStatus defines the observed state of a kustomization. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - inventory: - description: Inventory contains the list of Kubernetes resource object - references that have been successfully applied. - properties: - entries: - description: Entries of Kubernetes resource object references. - items: - description: ResourceRef contains the information necessary - to locate a resource within a cluster. 
- properties: - id: - description: ID is the string representation of the Kubernetes - resource object's metadata, in the format '___'. - type: string - v: - description: Version is the API version of the Kubernetes - resource object's kind. - type: string - required: - - id - - v - type: object - type: array - required: - - entries - type: object - lastAppliedRevision: - description: The last successfully applied revision. Equals the Revision - of the applied Artifact from the referenced Source. - type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: kustomize-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: kustomize-controller - namespace: flux-system ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: kustomize-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - control-plane: controller - name: kustomize-controller - namespace: flux-system -spec: - replicas: 1 - selector: - matchLabels: - app: kustomize-controller - template: - metadata: - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: - app: kustomize-controller - spec: - containers: - - args: - - --events-addr=http://notification-controller.flux-system.svc.cluster.local./ - - 
--watch-all-namespaces=true - - --log-level=info - - --log-encoding=json - - --enable-leader-election - env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: ghcr.io/fluxcd/kustomize-controller:v1.1.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 8080 - name: http-prom - protocol: TCP - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: healthz - resources: - limits: - cpu: 1000m - memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /tmp - name: temp - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - securityContext: - fsGroup: 1337 - serviceAccountName: kustomize-controller - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: temp ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: helm-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: helmreleases.helm.toolkit.fluxcd.io -spec: - group: helm.toolkit.fluxcd.io - names: - kind: HelmRelease - listKind: HelmReleaseList - plural: helmreleases - shortNames: - - hr - singular: helmrelease - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v2beta1 - schema: - openAPIV3Schema: - description: 
HelmRelease is the Schema for the helmreleases API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmReleaseSpec defines the desired state of a Helm release. - properties: - chart: - description: Chart defines the template of the v1beta2.HelmChart that - should be created for this HelmRelease. - properties: - metadata: - description: ObjectMeta holds the template for metadata like labels - and annotations. - properties: - annotations: - additionalProperties: - type: string - description: 'Annotations is an unstructured key value map - stored with a resource that may be set by external tools - to store and retrieve arbitrary metadata. They are not queryable - and should be preserved when modifying objects. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/' - type: object - labels: - additionalProperties: - type: string - description: 'Map of string keys and values that can be used - to organize and categorize (scope and select) objects. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/' - type: object - type: object - spec: - description: Spec holds the template for the v1beta2.HelmChartSpec - for this HelmRelease. 
- properties: - chart: - description: The name or path the Helm chart is available - at in the SourceRef. - type: string - interval: - description: Interval at which to check the v1beta2.Source - for updates. Defaults to 'HelmReleaseSpec.Interval'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - reconcileStrategy: - default: ChartVersion - description: Determines what enables the creation of a new - artifact. Valid values are ('ChartVersion', 'Revision'). - See the documentation of the values for an explanation on - their behavior. Defaults to ChartVersion when omitted. - enum: - - ChartVersion - - Revision - type: string - sourceRef: - description: The name and namespace of the v1beta2.Source - the chart is available at. - properties: - apiVersion: - description: APIVersion of the referent. - type: string - kind: - description: Kind of the referent. - enum: - - HelmRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: Namespace of the referent. - maxLength: 63 - minLength: 1 - type: string - required: - - name - type: object - valuesFile: - description: Alternative values file to use as the default - chart values, expected to be a relative path in the SourceRef. - Deprecated in favor of ValuesFiles, for backwards compatibility - the file defined here is merged before the ValuesFiles items. - Ignored when omitted. - type: string - valuesFiles: - description: Alternative list of values files to use as the - chart values (values.yaml is not included by default), expected - to be a relative path in the SourceRef. Values files are - merged in the order of this list with the last file overriding - the first. Ignored when omitted. 
- items: - type: string - type: array - verify: - description: Verify contains the secret name containing the - trusted public keys used to verify the signature and specifies - which provider to use to check whether OCI image is authentic. - This field is only supported for OCI sources. Chart dependencies, - which are not bundled in the umbrella chart artifact, are - not verified. - properties: - provider: - default: cosign - description: Provider specifies the technology used to - sign the OCI Helm chart. - enum: - - cosign - type: string - secretRef: - description: SecretRef specifies the Kubernetes Secret - containing the trusted public keys. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - version: - default: '*' - description: Version semver expression, ignored for charts - from v1beta2.GitRepository and v1beta2.Bucket sources. Defaults - to latest when omitted. - type: string - required: - - chart - - sourceRef - type: object - required: - - spec - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to HelmRelease resources that must be ready - before this HelmRelease can be reconciled. - items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - type: array - install: - description: Install holds the configuration for Helm install actions - for this HelmRelease. - properties: - crds: - description: "CRDs upgrade CRDs from the Helm Chart's crds directory - according to the CRD upgrade policy provided here. Valid values - are `Skip`, `Create` or `CreateReplace`. 
Default is `Create` - and if omitted CRDs are installed but not updated. \n Skip: - do neither install nor replace (update) any CRDs. \n Create: - new CRDs are created, existing CRDs are neither updated nor - deleted. \n CreateReplace: new CRDs are created, existing CRDs - are updated (replaced) but not deleted. \n By default, CRDs - are applied (installed) during Helm install action. With this - option users can opt-in to CRD replace existing CRDs on Helm - install actions, which is not (yet) natively supported by Helm. - https://helm.sh/docs/chart_best_practices/custom_resource_definitions." - enum: - - Skip - - Create - - CreateReplace - type: string - createNamespace: - description: CreateNamespace tells the Helm install action to - create the HelmReleaseSpec.TargetNamespace if it does not exist - yet. On uninstall, the namespace will not be garbage collected. - type: boolean - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm install action. - type: boolean - disableOpenAPIValidation: - description: DisableOpenAPIValidation prevents the Helm install - action from validating rendered templates against the Kubernetes - OpenAPI Schema. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm install has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm install has been performed. - type: boolean - remediation: - description: Remediation holds the remediation configuration for - when the Helm install action for the HelmRelease fails. The - default is to not perform any action. - properties: - ignoreTestFailures: - description: IgnoreTestFailures tells the controller to skip - remediation when the Helm tests are run after an install - action but fail. Defaults to 'Test.IgnoreFailures'. 
- type: boolean - remediateLastFailure: - description: RemediateLastFailure tells the controller to - remediate the last failure, when no retries remain. Defaults - to 'false'. - type: boolean - retries: - description: Retries is the number of retries that should - be attempted on failures before bailing. Remediation, using - an uninstall, is performed between each attempt. Defaults - to '0', a negative integer equals to unlimited retries. - type: integer - type: object - replace: - description: Replace tells the Helm install action to re-use the - 'ReleaseName', but only if that name is a deleted release which - remains in the history. - type: boolean - skipCRDs: - description: "SkipCRDs tells the Helm install action to not install - any CRDs. By default, CRDs are installed if not already present. - \n Deprecated use CRD policy (`crds`) attribute with value `Skip` - instead." - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm install action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - interval: - description: Interval at which to reconcile the Helm release. This - interval is approximate and may be subject to jitter to ensure efficient - use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - kubeConfig: - description: KubeConfig for reconciling the HelmRelease on a remote - cluster. When used in combination with HelmReleaseSpec.ServiceAccountName, - forces the controller to act on behalf of that Service Account at - the target cluster. If the --default-service-account flag is set, - its value will be used as a controller level fallback for when HelmReleaseSpec.ServiceAccountName - is empty. - properties: - secretRef: - description: SecretRef holds the name of a secret that contains - a key with the kubeconfig file as the value. 
If no key is set, - the key will default to 'value'. It is recommended that the - kubeconfig is self-contained, and the secret is regularly updated - if credentials such as a cloud-access-token expire. Cloud specific - `cmd-path` auth helpers will not function without adding binaries - and credentials to the Pod that is responsible for reconciling - Kubernetes resources. - properties: - key: - description: Key in the Secret, when not specified an implementation-specific - default key is used. - type: string - name: - description: Name of the Secret. - type: string - required: - - name - type: object - required: - - secretRef - type: object - maxHistory: - description: MaxHistory is the number of revisions saved by Helm for - this HelmRelease. Use '0' for an unlimited number of revisions; - defaults to '10'. - type: integer - persistentClient: - description: "PersistentClient tells the controller to use a persistent - Kubernetes client for this release. When enabled, the client will - be reused for the duration of the reconciliation, instead of being - created and destroyed for each (step of a) Helm action. \n This - can improve performance, but may cause issues with some Helm charts - that for example do create Custom Resource Definitions during installation - outside Helm's CRD lifecycle hooks, which are then not observed - to be available by e.g. post-install hooks. \n If not set, it defaults - to true." - type: boolean - postRenderers: - description: PostRenderers holds an array of Helm PostRenderers, which - will be applied in order of their definition. - items: - description: PostRenderer contains a Helm PostRenderer specification. - properties: - kustomize: - description: Kustomization to apply as PostRenderer. - properties: - images: - description: Images is a list of (image name, new name, - new tag or digest) for changing image names, tags or digests. - This can also be achieved with a patch, but this operator - is simpler to specify. 
- items: - description: Image contains an image name, a new name, - a new tag or digest, which will replace the original - name and tag. - properties: - digest: - description: Digest is the value used to replace the - original image tag. If digest is present NewTag - value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace - the original name. - type: string - newTag: - description: NewTag is the value used to replace the - original tag. - type: string - required: - - name - type: object - type: array - patches: - description: Strategic merge and JSON patches, defined as - inline YAML objects, capable of targeting objects based - on kind, label and annotation selectors. - items: - description: Patch contains an inline StrategicMerge or - JSON6902 patch, and the target the patch should be applied - to. - properties: - patch: - description: Patch contains an inline StrategicMerge - patch or an inline JSON6902 patch with an array - of operation objects. - type: string - target: - description: Target points to the resources that the - patch document should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that - follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select - resources from. Together with Version and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is - capable of unambiguously identifying and/or - selecting resources. 
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select - resources from. Together with Group and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - patchesJson6902: - description: JSON 6902 patches, defined as inline YAML objects. - items: - description: JSON6902Patch contains a JSON6902 patch and - the target the patch should be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document - with an array of operation objects. - items: - description: JSON6902 is a JSON6902 operation object. - https://datatracker.ietf.org/doc/html/rfc6902#section-4 - properties: - from: - description: From contains a JSON-pointer value - that references a location within the target - document where the operation is performed. - The meaning of the value depends on the value - of Op, and is NOT taken into account by all - operations. - type: string - op: - description: Op indicates the operation to perform. - Its value MUST be one of "add", "remove", - "replace", "move", "copy", or "test". 
https://datatracker.ietf.org/doc/html/rfc6902#section-4 - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - description: Path contains the JSON-pointer - value that references a location within the - target document where the operation is performed. - The meaning of the value depends on the value - of Op. - type: string - value: - description: Value contains a valid JSON structure. - The meaning of the value depends on the value - of Op, and is NOT taken into account by all - operations. - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the - patch document should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that - follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select - resources from. Together with Version and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is - capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. 
- type: string - version: - description: Version of the API Group to select - resources from. Together with Group and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: Strategic merge patches, defined as inline - YAML objects. - items: - x-kubernetes-preserve-unknown-fields: true - type: array - type: object - type: object - type: array - releaseName: - description: ReleaseName used for the Helm release. Defaults to a - composition of '[TargetNamespace-]Name'. - maxLength: 53 - minLength: 1 - type: string - rollback: - description: Rollback holds the configuration for Helm rollback actions - for this HelmRelease. - properties: - cleanupOnFail: - description: CleanupOnFail allows deletion of new resources created - during the Helm rollback action when it fails. - type: boolean - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm rollback action. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm rollback has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm rollback has been performed. - type: boolean - force: - description: Force forces resource updates through a replacement - strategy. - type: boolean - recreate: - description: Recreate performs pod restarts for the resource if - applicable. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'. 
- pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this HelmRelease. - type: string - storageNamespace: - description: StorageNamespace used for the Helm storage. Defaults - to the namespace of the HelmRelease. - maxLength: 63 - minLength: 1 - type: string - suspend: - description: Suspend tells the controller to suspend reconciliation - for this HelmRelease, it does not apply to already started reconciliations. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace to target when performing operations - for the HelmRelease. Defaults to the namespace of the HelmRelease. - maxLength: 63 - minLength: 1 - type: string - test: - description: Test holds the configuration for Helm test actions for - this HelmRelease. - properties: - enable: - description: Enable enables Helm test actions for this HelmRelease - after an Helm install or upgrade action has been performed. - type: boolean - ignoreFailures: - description: IgnoreFailures tells the controller to skip remediation - when the Helm tests are run but fail. Can be overwritten for - tests run after install or upgrade actions in 'Install.IgnoreTestFailures' - and 'Upgrade.IgnoreTestFailures'. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation during the performance of a Helm test action. Defaults - to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a Helm - action. Defaults to '5m0s'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - uninstall: - description: Uninstall holds the configuration for Helm uninstall - actions for this HelmRelease. 
- properties: - deletionPropagation: - default: background - description: DeletionPropagation specifies the deletion propagation - policy when a Helm uninstall is performed. - enum: - - background - - foreground - - orphan - type: string - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm rollback action. - type: boolean - disableWait: - description: DisableWait disables waiting for all the resources - to be deleted after a Helm uninstall is performed. - type: boolean - keepHistory: - description: KeepHistory tells Helm to remove all associated resources - and mark the release as deleted, but retain the release history. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - upgrade: - description: Upgrade holds the configuration for Helm upgrade actions - for this HelmRelease. - properties: - cleanupOnFail: - description: CleanupOnFail allows deletion of new resources created - during the Helm upgrade action when it fails. - type: boolean - crds: - description: "CRDs upgrade CRDs from the Helm Chart's crds directory - according to the CRD upgrade policy provided here. Valid values - are `Skip`, `Create` or `CreateReplace`. Default is `Skip` and - if omitted CRDs are neither installed nor upgraded. \n Skip: - do neither install nor replace (update) any CRDs. \n Create: - new CRDs are created, existing CRDs are neither updated nor - deleted. \n CreateReplace: new CRDs are created, existing CRDs - are updated (replaced) but not deleted. \n By default, CRDs - are not applied during Helm upgrade action. With this option - users can opt-in to CRD upgrade, which is not (yet) natively - supported by Helm. https://helm.sh/docs/chart_best_practices/custom_resource_definitions." 
- enum: - - Skip - - Create - - CreateReplace - type: string - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm upgrade action. - type: boolean - disableOpenAPIValidation: - description: DisableOpenAPIValidation prevents the Helm upgrade - action from validating rendered templates against the Kubernetes - OpenAPI Schema. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm upgrade has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm upgrade has been performed. - type: boolean - force: - description: Force forces resource updates through a replacement - strategy. - type: boolean - preserveValues: - description: PreserveValues will make Helm reuse the last release's - values and merge in overrides from 'Values'. Setting this flag - makes the HelmRelease non-declarative. - type: boolean - remediation: - description: Remediation holds the remediation configuration for - when the Helm upgrade action for the HelmRelease fails. The - default is to not perform any action. - properties: - ignoreTestFailures: - description: IgnoreTestFailures tells the controller to skip - remediation when the Helm tests are run after an upgrade - action but fail. Defaults to 'Test.IgnoreFailures'. - type: boolean - remediateLastFailure: - description: RemediateLastFailure tells the controller to - remediate the last failure, when no retries remain. Defaults - to 'false' unless 'Retries' is greater than 0. - type: boolean - retries: - description: Retries is the number of retries that should - be attempted on failures before bailing. Remediation, using - 'Strategy', is performed between each attempt. Defaults - to '0', a negative integer equals to unlimited retries. - type: integer - strategy: - description: Strategy to use for failure remediation. Defaults - to 'rollback'. 
- enum: - - rollback - - uninstall - type: string - type: object - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - values: - description: Values holds the values for this Helm release. - x-kubernetes-preserve-unknown-fields: true - valuesFrom: - description: ValuesFrom holds references to resources containing Helm - values for this HelmRelease, and information about how they should - be merged. - items: - description: ValuesReference contains a reference to a resource - containing Helm values, and optionally the key they can be found - at. - properties: - kind: - description: Kind of the values referent, valid values are ('Secret', - 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside in the - same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - optional: - description: Optional marks this ValuesReference as optional. - When set, a not found error for the values reference is ignored, - but any ValuesKey, TargetPath or transient error will still - result in a reconciliation failure. - type: boolean - targetPath: - description: TargetPath is the YAML dot notation path the value - should be merged at. When set, the ValuesKey is expected to - be a single flat value. Defaults to 'None', which results - in the values getting merged at the root. - maxLength: 250 - pattern: ^([a-zA-Z0-9_\-.\\\/]|\[[0-9]{1,5}\])+$ - type: string - valuesKey: - description: ValuesKey is the data key where the values.yaml - or a specific value can be found at. Defaults to 'values.yaml'. - When set, must be a valid Data Key, consisting of alphanumeric - characters, '-', '_' or '.'. 
- maxLength: 253 - pattern: ^[\-._a-zA-Z0-9]+$ - type: string - required: - - kind - - name - type: object - type: array - required: - - chart - - interval - type: object - status: - default: - observedGeneration: -1 - description: HelmReleaseStatus defines the observed state of a HelmRelease. - properties: - conditions: - description: Conditions holds the conditions for the HelmRelease. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - failures: - description: Failures is the reconciliation failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - helmChart: - description: HelmChart is the namespaced name of the HelmChart resource - created by the controller for the HelmRelease. - type: string - installFailures: - description: InstallFailures is the install failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - lastAppliedRevision: - description: LastAppliedRevision is the revision of the last successfully - applied source. 
- type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastAttemptedValuesChecksum: - description: LastAttemptedValuesChecksum is the SHA1 checksum of the - values of the last reconciliation attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - lastReleaseRevision: - description: LastReleaseRevision is the revision of the last successful - Helm release. - type: integer - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - upgradeFailures: - description: UpgradeFailures is the upgrade failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: helm-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: helm-controller - namespace: flux-system ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: helm-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - control-plane: controller - name: helm-controller - namespace: flux-system -spec: - replicas: 1 - selector: - matchLabels: - app: helm-controller - template: - metadata: - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: - app: helm-controller - spec: - containers: - - args: - - --events-addr=http://notification-controller.flux-system.svc.cluster.local./ - - --watch-all-namespaces=true - - --log-level=info - - 
--log-encoding=json - - --enable-leader-election - env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: ghcr.io/fluxcd/helm-controller:v0.36.1 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 8080 - name: http-prom - protocol: TCP - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: healthz - resources: - limits: - cpu: 1000m - memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /tmp - name: temp - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - securityContext: - fsGroup: 1337 - serviceAccountName: helm-controller - terminationGracePeriodSeconds: 600 - volumes: - - emptyDir: {} - name: temp ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: alerts.notification.toolkit.fluxcd.io -spec: - group: notification.toolkit.fluxcd.io - names: - kind: Alert - listKind: AlertList - plural: alerts - singular: alert - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: Alert is the Schema for the alerts API - properties: - apiVersion: - description: 'APIVersion 
defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AlertSpec defines an alerting rule for events involving a - list of objects - properties: - eventSeverity: - default: info - description: Filter events based on severity, defaults to ('info'). - If set to 'info' no events will be filtered. - enum: - - info - - error - type: string - eventSources: - description: Filter events based on the involved objects. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. 
- type: object - name: - description: Name of the referent - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - name - type: object - type: array - exclusionList: - description: A list of Golang regular expressions to be used for excluding - messages. - items: - type: string - type: array - providerRef: - description: Send events using this provider. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - summary: - description: Short description of the impact and affected cluster. - type: string - suspend: - description: This flag tells the controller to suspend subsequent - events dispatching. Defaults to false. - type: boolean - required: - - eventSources - - providerRef - type: object - status: - default: - observedGeneration: -1 - description: AlertStatus defines the observed state of Alert - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last observed generation. 
- format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: Alert is the Schema for the alerts API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AlertSpec defines an alerting rule for events involving a - list of objects. - properties: - eventMetadata: - additionalProperties: - type: string - description: EventMetadata is an optional field for adding metadata - to events dispatched by the controller. This can be used for enhancing - the context of the event. If a field would override one already - present on the original event as generated by the emitter, then - the override doesn't happen, i.e. the original value is preserved, - and an info log is printed. - type: object - eventSeverity: - default: info - description: EventSeverity specifies how to filter events based on - severity. If set to 'info' no events will be filtered. 
- enum: - - info - - error - type: string - eventSources: - description: EventSources specifies how to filter events based on - the involved object kind, name and namespace. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. MatchLabels requires the name to be set to `*`. - type: object - name: - description: Name of the referent If multiple resources are - targeted `*` may be set. - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - exclusionList: - description: ExclusionList specifies a list of Golang regular expressions - to be used for excluding messages. - items: - type: string - type: array - inclusionList: - description: InclusionList specifies a list of Golang regular expressions - to be used for including messages. - items: - type: string - type: array - providerRef: - description: ProviderRef specifies which Provider this Alert should - use. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - summary: - description: Summary holds a short description of the impact and affected - cluster. 
- maxLength: 255 - type: string - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this Alert. - type: boolean - required: - - eventSources - - providerRef - type: object - status: - default: - observedGeneration: -1 - description: AlertStatus defines the observed state of the Alert. - properties: - conditions: - description: Conditions holds the conditions for the Alert. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. 
- format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: providers.notification.toolkit.fluxcd.io -spec: - group: notification.toolkit.fluxcd.io - names: - kind: Provider - listKind: ProviderList - plural: providers - singular: provider - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: Provider is the Schema for the providers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ProviderSpec defines the desired state of Provider - properties: - address: - description: HTTP/S webhook address of this provider - pattern: ^(http|https):// - type: string - certSecretRef: - description: CertSecretRef can be given the name of a secret containing - a PEM-encoded CA certificate (`caFile`) - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - channel: - description: Alert channel for this provider - type: string - proxy: - description: HTTP/S address of the proxy - pattern: ^(http|https):// - type: string - secretRef: - description: Secret reference containing the provider webhook URL - using "address" as data key - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - events handling. Defaults to false. - type: boolean - timeout: - description: Timeout for sending alerts to the provider. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: - description: Type of provider - enum: - - slack - - discord - - msteams - - rocket - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - azuredevops - - googlechat - - webex - - sentry - - azureeventhub - - telegram - - lark - - matrix - - opsgenie - - alertmanager - - grafana - - githubdispatch - type: string - username: - description: Bot username for this provider - type: string - required: - - type - type: object - status: - default: - observedGeneration: -1 - description: ProviderStatus defines the observed state of Provider - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. 
--- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: Provider is the Schema for the providers API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ProviderSpec defines the desired state of the Provider. - properties: - address: - description: Address specifies the endpoint, in a generic sense, to - where alerts are sent. What kind of endpoint depends on the specific - Provider type being used. For the generic Provider, for example, - this is an HTTP/S address. For other Provider types this could be - a project ID or a namespace. - maxLength: 2048 - type: string - certSecretRef: - description: "CertSecretRef specifies the Secret containing a PEM-encoded - CA certificate (in the `ca.crt` key). \n Note: Support for the `caFile` - key has been deprecated." - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - channel: - description: Channel specifies the destination channel where events - should be posted. - maxLength: 2048 - type: string - interval: - description: Interval at which to reconcile the Provider with its - Secret references. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - proxy: - description: Proxy the HTTP/S address of the proxy server. - maxLength: 2048 - pattern: ^(http|https)://.*$ - type: string - secretRef: - description: SecretRef specifies the Secret containing the authentication - credentials for this Provider. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this Provider. - type: boolean - timeout: - description: Timeout for sending alerts to the Provider. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: - description: Type specifies which Provider implementation to use. 
- enum: - - slack - - discord - - msteams - - rocket - - generic - - generic-hmac - - github - - gitlab - - gitea - - bitbucket - - azuredevops - - googlechat - - googlepubsub - - webex - - sentry - - azureeventhub - - telegram - - lark - - matrix - - opsgenie - - alertmanager - - grafana - - githubdispatch - - pagerduty - - datadog - type: string - username: - description: Username specifies the name under which events are posted. - maxLength: 2048 - type: string - required: - - type - type: object - status: - default: - observedGeneration: -1 - description: ProviderStatus defines the observed state of the Provider. - properties: - conditions: - description: Conditions holds the conditions for the Provider. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. 
For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. 
- format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: receivers.notification.toolkit.fluxcd.io -spec: - group: notification.toolkit.fluxcd.io - names: - kind: Receiver - listKind: ReceiverList - plural: receivers - singular: receiver - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1 - schema: - openAPIV3Schema: - description: Receiver is the Schema for the receivers API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReceiverSpec defines the desired state of the Receiver. - properties: - events: - description: Events specifies the list of event types to handle, e.g. - 'push' for GitHub or 'Push Hook' for GitLab. 
- items: - type: string - type: array - interval: - default: 10m - description: Interval at which to reconcile the Receiver with its - Secret references. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - resources: - description: A list of resources to be notified about changes. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. MatchLabels requires the name to be set to `*`. - type: object - name: - description: Name of the referent If multiple resources are - targeted `*` may be set. - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - secretRef: - description: SecretRef specifies the Secret containing the token used - to validate the payload authenticity. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this receiver. - type: boolean - type: - description: Type of webhook sender, used to determine the validation - procedure and payload deserialization. 
- enum: - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - harbor - - dockerhub - - quay - - gcr - - nexus - - acr - type: string - required: - - resources - - secretRef - - type - type: object - status: - default: - observedGeneration: -1 - description: ReceiverStatus defines the observed state of the Receiver. - properties: - conditions: - description: Conditions holds the conditions for the Receiver. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the Receiver object. - format: int64 - type: integer - webhookPath: - description: WebhookPath is the generated incoming webhook address - in the format of '/hook/sha256sum(token+name+namespace)'. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta1 Receiver is deprecated, upgrade to v1 - name: v1beta1 - schema: - openAPIV3Schema: - description: Receiver is the Schema for the receivers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReceiverSpec defines the desired state of Receiver - properties: - events: - description: A list of events to handle, e.g. 'push' for GitHub or - 'Push Hook' for GitLab. - items: - type: string - type: array - resources: - description: A list of resources to be notified about changes. 
- items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - name: - description: Name of the referent - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - name - type: object - type: array - secretRef: - description: Secret reference containing the token used to validate - the payload authenticity - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - events handling. Defaults to false. - type: boolean - type: - description: Type of webhook sender, used to determine the validation - procedure and payload deserialization. - enum: - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - harbor - - dockerhub - - quay - - gcr - - nexus - - acr - type: string - required: - - resources - - type - type: object - status: - default: - observedGeneration: -1 - description: ReceiverStatus defines the observed state of Receiver - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. 
--- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: Generated webhook URL in the format of '/hook/sha256sum(token+name+namespace)'. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta2 Receiver is deprecated, upgrade to v1 - name: v1beta2 - schema: - openAPIV3Schema: - description: Receiver is the Schema for the receivers API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReceiverSpec defines the desired state of the Receiver. - properties: - events: - description: Events specifies the list of event types to handle, e.g. - 'push' for GitHub or 'Push Hook' for GitLab. - items: - type: string - type: array - interval: - description: Interval at which to reconcile the Receiver with its - Secret references. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - resources: - description: A list of resources to be notified about changes. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. MatchLabels requires the name to be set to `*`. - type: object - name: - description: Name of the referent If multiple resources are - targeted `*` may be set. 
- maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - secretRef: - description: SecretRef specifies the Secret containing the token used - to validate the payload authenticity. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this receiver. - type: boolean - type: - description: Type of webhook sender, used to determine the validation - procedure and payload deserialization. - enum: - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - harbor - - dockerhub - - quay - - gcr - - nexus - - acr - type: string - required: - - resources - - type - type: object - status: - default: - observedGeneration: -1 - description: ReceiverStatus defines the observed state of the Receiver. - properties: - conditions: - description: Conditions holds the conditions for the Receiver. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. 
If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the Receiver object. - format: int64 - type: integer - url: - description: 'URL is the generated incoming webhook address in the - format of ''/hook/sha256sum(token+name+namespace)''. Deprecated: - Replaced by WebhookPath.' - type: string - webhookPath: - description: WebhookPath is the generated incoming webhook address - in the format of '/hook/sha256sum(token+name+namespace)'. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - name: notification-controller - namespace: flux-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - control-plane: controller - name: notification-controller - namespace: flux-system -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - selector: - app: notification-controller - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: flux-system - 
app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - control-plane: controller - name: webhook-receiver - namespace: flux-system -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: http-webhook - selector: - app: notification-controller - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.1.1 - control-plane: controller - name: notification-controller - namespace: flux-system -spec: - replicas: 1 - selector: - matchLabels: - app: notification-controller - template: - metadata: - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: - app: notification-controller - spec: - containers: - - args: - - --watch-all-namespaces=true - - --log-level=info - - --log-encoding=json - - --enable-leader-election - env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: ghcr.io/fluxcd/notification-controller:v1.1.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 9090 - name: http - protocol: TCP - - containerPort: 9292 - name: http-webhook - protocol: TCP - - containerPort: 8080 - name: http-prom - protocol: TCP - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: healthz - resources: - limits: - cpu: 1000m - memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /tmp - name: temp - nodeSelector: - kubernetes.io/os: linux - securityContext: - fsGroup: 1337 - serviceAccountName: notification-controller - terminationGracePeriodSeconds: 10 - 
volumes: - - emptyDir: {} - name: temp diff --git a/k8s-platform/flux/v2.1.1/kustomization.yaml b/k8s-platform/flux/v2.1.1/kustomization.yaml deleted file mode 100644 index 41a0d7f..0000000 --- a/k8s-platform/flux/v2.1.1/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - gotk-components.yaml diff --git a/scripts/deploy.sh b/scripts/deploy.sh index baca935..9ced29f 100755 --- a/scripts/deploy.sh +++ b/scripts/deploy.sh @@ -1,5 +1,7 @@ #!/bin/bash +echo THIS IS LEGACY DEPLOYMENT WAY. NEW PROCESS IS DESCRIBED IN `go/README.md` + REPO_ROOT=$(git rev-parse --show-toplevel) # User must explicitely provide their kubeconfig and accept that it can be changed by the script From 3805e79b004d3d97f93a36fa0bd8d59a7d288ea5 Mon Sep 17 00:00:00 2001 From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sat, 23 Mar 2024 19:42:17 +1100 Subject: [PATCH 02/28] paste cilium v1.15.2 values file to caaph resource --- config/shared.env | 2 - .../cilium/v1.15.2/helm-chart-proxy.yaml | 3518 +++++++++++++++++ 2 files changed, 3518 insertions(+), 2 deletions(-) create mode 100644 k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml diff --git a/config/shared.env b/config/shared.env index 71d9fee..2f80f78 100644 --- a/config/shared.env +++ b/config/shared.env @@ -4,8 +4,6 @@ # 'shared' is sourced first, then cluster settings. export FLUX_KEY_PATH="$HOME/.ssh/flux-github-key-2" -export CAPI_VERSION="v1.6.0" -export CILIUM_VERSION="1.12.3" # Cluster Resource Set (CRS), disabled by default in CAPI and removed from this project. # it is replaced now by CAAPH diff --git a/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml b/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml new file mode 100644 index 0000000..3683eda --- /dev/null +++ b/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml 
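Review bot: The echo line added to scripts/deploy.sh leaves `go/README.md` inside unquoted backticks, so bash performs command substitution and tries to execute ./go/README.md relative to the current directory instead of printing the path; the message loses the file name, stderr gets a spurious error, and a writable file at that path would run as code. Quote the message so no substitution happens, e.g. `echo "THIS IS LEGACY DEPLOYMENT WAY. NEW PROCESS IS DESCRIBED IN go/README.md" >&2` (single quotes if the literal backticks are wanted); sending it to stderr also keeps the notice out of any stdout a caller captures. The script continues unconditionally after the notice, so the rest of the legacy flow is unchanged by this commit.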
@@ -0,0 +1,3518 @@ +apiVersion: addons.cluster.x-k8s.io/v1alpha1 +kind: HelmChartProxy +metadata: + name: cilium +spec: + clusterSelector: + matchLabels: + cilium-mesh: main + repoURL: https://helm.cilium.io/ + chartName: cilium + namespace: cilium + version: "1.15.2" + valuesTemplate: | + # https://github.com/cilium/cilium/blob/v1.15.2/install/kubernetes/cilium/values.yaml + + # File generated by install/kubernetes/Makefile; DO NOT EDIT. + # This file is based on install/kubernetes/cilium/*values.yaml.tmpl. + + + # upgradeCompatibility helps users upgrading to ensure that the configMap for + # Cilium will not change critical values to ensure continued operation + # This flag is not required for new installations. + # For example: 1.7, 1.8, 1.9 + # upgradeCompatibility: '1.8' + + debug: + # -- Enable debug logging + enabled: false + # -- Configure verbosity levels for debug logging + # This option is used to enable debug messages for operations related to such + # sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is + # for enabling debug messages emitted per request, message and connection. + # Multiple values can be set via a space-separated string (e.g. "datapath envoy"). + # + # Applicable values: + # - flow + # - kvstore + # - envoy + # - datapath + # - policy + verbose: ~ + + rbac: + # -- Enable creation of Resource-Based Access Control configuration. 
+ create: true + + # -- Configure image pull secrets for pulling container images + imagePullSecrets: + # - name: "image-pull-secret" + + # -- (string) Kubernetes config path + # @default -- `"~/.kube/config"` + kubeConfigPath: "" + # -- (string) Kubernetes service host + k8sServiceHost: "" + # -- (string) Kubernetes service port + k8sServicePort: "" + + # -- Configure the client side rate limit for the agent and operator + # + # If the amount of requests to the Kubernetes API server exceeds the configured + # rate limit, the agent and operator will start to throttle requests by delaying + # them until there is budget or the request times out. + k8sClientRateLimit: + # -- (int) The sustained request rate in requests per second. + # @default -- 5 for k8s up to 1.26. 10 for k8s version 1.27+ + qps: + # -- (int) The burst request rate in requests per second. + # The rate limiter will allow short bursts with a higher rate. + # @default -- 10 for k8s up to 1.26. 20 for k8s version 1.27+ + burst: + + cluster: + # -- Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. + name: default + # -- (int) Unique ID of the cluster. Must be unique across all connected + # clusters and in the range of 1 to 255. Only required for Cluster Mesh, + # may be 0 if Cluster Mesh is not used. + id: 0 + + # -- Define serviceAccount names for components. + # @default -- Component's fully qualified name. + serviceAccounts: + cilium: + create: true + name: cilium + automount: true + annotations: {} + nodeinit: + create: true + # -- Enabled is temporary until https://github.com/cilium/cilium-cli/issues/1396 is implemented. + # Cilium CLI doesn't create the SAs for node-init, thus the workaround. Helm is not affected by + # this issue. Name and automount can be configured, if enabled is set to true. + # Otherwise, they are ignored. Enabled can be removed once the issue is fixed. + # Cilium-nodeinit DS must also be fixed. 
+ enabled: false + name: cilium-nodeinit + automount: true + annotations: {} + envoy: + create: true + name: cilium-envoy + automount: true + annotations: {} + etcd: + create: true + name: cilium-etcd-operator + automount: true + annotations: {} + operator: + create: true + name: cilium-operator + automount: true + annotations: {} + preflight: + create: true + name: cilium-pre-flight + automount: true + annotations: {} + relay: + create: true + name: hubble-relay + automount: false + annotations: {} + ui: + create: true + name: hubble-ui + automount: true + annotations: {} + clustermeshApiserver: + create: true + name: clustermesh-apiserver + automount: true + annotations: {} + # -- Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob + clustermeshcertgen: + create: true + name: clustermesh-apiserver-generate-certs + automount: true + annotations: {} + # -- Hubblecertgen is used if hubble.tls.auto.method=cronJob + hubblecertgen: + create: true + name: hubble-generate-certs + automount: true + annotations: {} + + # -- Configure termination grace period for cilium-agent DaemonSet. + terminationGracePeriodSeconds: 1 + + # -- Install the cilium agent resources. + agent: true + + # -- Agent container name. + name: cilium + + # -- Roll out cilium agent pods automatically when configmap is updated. + rollOutCiliumPods: false + + # -- Agent container image. + image: + override: ~ + repository: "quay.io/cilium/cilium" + tag: "v1.15.2" + pullPolicy: "IfNotPresent" + # cilium-digest + digest: "" + useDigest: false + + # -- Affinity for cilium-agent. + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium + + # -- Node selector for cilium-agent. 
+ nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for agent scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: + - operator: Exists + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- The priority class to use for cilium-agent. + priorityClassName: "" + + # -- DNS policy for Cilium agent pods. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: "" + + # -- Additional containers added to the cilium DaemonSet. + extraContainers: [] + + # -- Additional agent container arguments. + extraArgs: [] + + # -- Additional agent container environment variables. + extraEnv: [] + + # -- Additional agent hostPath mounts. + extraHostPathMounts: [] + # - name: host-mnt-data + # mountPath: /host/mnt/data + # hostPath: /mnt/data + # hostPathType: Directory + # readOnly: true + # mountPropagation: HostToContainer + + # -- Additional agent volumes. + extraVolumes: [] + + # -- Additional agent volumeMounts. + extraVolumeMounts: [] + + # -- extraConfig allows you to specify additional configuration parameters to be + # included in the cilium-config configmap. + extraConfig: {} + # my-config-a: "1234" + # my-config-b: |- + # test 1 + # test 2 + # test 3 + + # -- Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent) + annotations: {} + + # -- Security Context for cilium-agent pods. 
+ podSecurityContext: {} + + # -- Annotations to be added to agent pods + podAnnotations: {} + + # -- Labels to be added to agent pods + podLabels: {} + + # -- Agent resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + # -- resources & limits for the agent init containers + initResources: {} + + securityContext: + # -- User to run the pod with + # runAsUser: 0 + # -- Run the pod with elevated privileges + privileged: false + # -- SELinux options for the `cilium-agent` and init containers + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. + type: 'spc_t' + capabilities: + # -- Capabilities for the `cilium-agent` container + ciliumAgent: + # Use to set socket permission + - CHOWN + # Used to terminate envoy child process + - KILL + # Used since cilium modifies routing tables, etc... + - NET_ADMIN + # Used since cilium creates raw sockets, etc... + - NET_RAW + # Used since cilium monitor uses mmap + - IPC_LOCK + # Used in iptables. Consider removing once we are iptables-free + - SYS_MODULE + # We need it for now but might not need it for >= 5.11 specially + # for the 'SYS_RESOURCE'. + # In >= 5.8 there's already BPF and PERMON capabilities + - SYS_ADMIN + # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC + - SYS_RESOURCE + # Both PERFMON and BPF requires kernel 5.8, container runtime + # cri-o >= v1.22.0 or containerd >= v1.5.0. + # If available, SYS_ADMIN can be removed. + #- PERFMON + #- BPF + # Allow discretionary access control (e.g. required for package installation) + - DAC_OVERRIDE + # Allow to set Access Control Lists (ACLs) on arbitrary files (e.g. 
required for package installation) + - FOWNER + # Allow to execute program that changes GID (e.g. required for package installation) + - SETGID + # Allow to execute program that changes UID (e.g. required for package installation) + - SETUID + # -- Capabilities for the `mount-cgroup` init container + mountCgroup: + # Only used for 'mount' cgroup + - SYS_ADMIN + # Used for nsenter + - SYS_CHROOT + - SYS_PTRACE + # -- capabilities for the `apply-sysctl-overwrites` init container + applySysctlOverwrites: + # Required in order to access host's /etc/sysctl.d dir + - SYS_ADMIN + # Used for nsenter + - SYS_CHROOT + - SYS_PTRACE + # -- Capabilities for the `clean-cilium-state` init container + cleanCiliumState: + # Most of the capabilities here are the same ones used in the + # cilium-agent's container because this container can be used to + # uninstall all Cilium resources, and therefore it is likely that + # will need the same capabilities. + # Used since cilium modifies routing tables, etc... + - NET_ADMIN + # Used in iptables. Consider removing once we are iptables-free + - SYS_MODULE + # We need it for now but might not need it for >= 5.11 specially + # for the 'SYS_RESOURCE'. + # In >= 5.8 there's already BPF and PERMON capabilities + - SYS_ADMIN + # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC + - SYS_RESOURCE + # Both PERFMON and BPF requires kernel 5.8, container runtime + # cri-o >= v1.22.0 or containerd >= v1.5.0. + # If available, SYS_ADMIN can be removed. + #- PERFMON + #- BPF + + # -- Cilium agent update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 2 + + # Configuration Values for cilium-agent + + aksbyocni: + # -- Enable AKS BYOCNI integration. + # Note that this is incompatible with AKS clusters not created in BYOCNI mode: + # use Azure integration (`azure.enabled`) instead. 
+ enabled: false + + # -- Enable installation of PodCIDR routes between worker + # nodes if worker nodes share a common L2 network segment. + autoDirectNodeRoutes: false + + # -- Annotate k8s node upon initialization with Cilium's metadata. + annotateK8sNode: false + + azure: + # -- Enable Azure integration. + # Note that this is incompatible with AKS clusters created in BYOCNI mode: use + # AKS BYOCNI integration (`aksbyocni.enabled`) instead. + enabled: false + # usePrimaryAddress: false + # resourceGroup: group1 + # subscriptionID: 00000000-0000-0000-0000-000000000000 + # tenantID: 00000000-0000-0000-0000-000000000000 + # clientID: 00000000-0000-0000-0000-000000000000 + # clientSecret: 00000000-0000-0000-0000-000000000000 + # userAssignedIdentityID: 00000000-0000-0000-0000-000000000000 + + alibabacloud: + # -- Enable AlibabaCloud ENI integration + enabled: false + + # -- Enable bandwidth manager to optimize TCP and UDP workloads and allow + # for rate-limiting traffic from individual Pods with EDT (Earliest Departure + # Time) through the "kubernetes.io/egress-bandwidth" Pod annotation. + bandwidthManager: + # -- Enable bandwidth manager infrastructure (also prerequirement for BBR) + enabled: false + # -- Activate BBR TCP congestion control for Pods + bbr: false + + # -- Configure standalone NAT46/NAT64 gateway + nat46x64Gateway: + # -- Enable RFC8215-prefixed translation + enabled: false + + # -- EnableHighScaleIPcache enables the special ipcache mode for high scale + # clusters. The ipcache content will be reduced to the strict minimum and + # traffic will be encapsulated to carry security identities. + highScaleIPcache: + # -- Enable the high scale mode for the ipcache. 
+ enabled: false + + # -- Configure L2 announcements + l2announcements: + # -- Enable L2 announcements + enabled: false + # -- If a lease is not renewed for X duration, the current leader is considered dead, a new leader is picked + # leaseDuration: 15s + # -- The interval at which the leader will renew the lease + # leaseRenewDeadline: 5s + # -- The timeout between retries if renewal fails + # leaseRetryPeriod: 2s + + # -- Configure L2 pod announcements + l2podAnnouncements: + # -- Enable L2 pod announcements + enabled: false + # -- Interface used for sending Gratuitous ARP pod announcements + interface: "eth0" + + # -- Configure BGP + bgp: + # -- Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside + # cilium-agent and cilium-operator + enabled: false + announce: + # -- Enable allocation and announcement of service LoadBalancer IPs + loadbalancerIP: false + # -- Enable announcement of node pod CIDR + podCIDR: false + + # -- This feature set enables virtual BGP routers to be created via + # CiliumBGPPeeringPolicy CRDs. + bgpControlPlane: + # -- Enables the BGP control plane. + enabled: false + # -- SecretsNamespace is the namespace which BGP support will retrieve secrets from. + secretsNamespace: + # -- Create secrets namespace for BGP secrets. + create: false + # -- The name of the secret namespace to which Cilium agents are given read access + name: kube-system + + pmtuDiscovery: + # -- Enable path MTU discovery to send ICMP fragmentation-needed replies to + # the client. + enabled: false + + bpf: + autoMount: + # -- Enable automatic mount of BPF filesystem + # When `autoMount` is enabled, the BPF filesystem is mounted at + # `bpf.root` path on the underlying host and inside the cilium agent pod. + # If users disable `autoMount`, it's expected that users have mounted + # bpffs filesystem at the specified `bpf.root` volume, and then the + # volume will be mounted inside the cilium agent pod at the same path. 
+ enabled: true + # -- Configure the mount point for the BPF filesystem + root: /sys/fs/bpf + + # -- Enables pre-allocation of eBPF map values. This increases + # memory usage but can reduce latency. + preallocateMaps: false + + # -- (int) Configure the maximum number of entries in auth map. + # @default -- `524288` + authMapMax: ~ + + # -- (int) Configure the maximum number of entries in the TCP connection tracking + # table. + # @default -- `524288` + ctTcpMax: ~ + + # -- (int) Configure the maximum number of entries for the non-TCP connection + # tracking table. + # @default -- `262144` + ctAnyMax: ~ + + # -- Configure the maximum number of service entries in the + # load balancer maps. + lbMapMax: 65536 + + # -- (int) Configure the maximum number of entries for the NAT table. + # @default -- `524288` + natMax: ~ + + # -- (int) Configure the maximum number of entries for the neighbor table. + # @default -- `524288` + neighMax: ~ + + # -- Configure the maximum number of entries in endpoint policy map (per endpoint). + policyMapMax: 16384 + + # -- (float64) Configure auto-sizing for all BPF maps based on available memory. + # ref: https://docs.cilium.io/en/stable/network/ebpf/maps/ + # @default -- `0.0025` + mapDynamicSizeRatio: ~ + + # -- Configure the level of aggregation for monitor notifications. + # Valid options are none, low, medium, maximum. + monitorAggregation: medium + + # -- Configure the typical time between monitor notifications for + # active connections. + monitorInterval: "5s" + + # -- Configure which TCP flags trigger notifications when seen for the + # first time in a connection. + monitorFlags: "all" + + # -- Allow cluster external access to ClusterIP services. 
+ lbExternalClusterIP: false + + # -- (bool) Enable native IP masquerade support in eBPF + # @default -- `false` + masquerade: ~ + + # -- (bool) Configure whether direct routing mode should route traffic via + # host stack (true) or directly and more efficiently out of BPF (false) if + # the kernel supports it. The latter has the implication that it will also + # bypass netfilter in the host namespace. + # @default -- `false` + hostLegacyRouting: ~ + + # -- (bool) Configure the eBPF-based TPROXY to reduce reliance on iptables rules + # for implementing Layer 7 policy. + # @default -- `false` + tproxy: ~ + + # -- (list) Configure explicitly allowed VLAN id's for bpf logic bypass. + # [0] will allow all VLAN id's without any filtering. + # @default -- `[]` + vlanBypass: ~ + + # -- Enable BPF clock source probing for more efficient tick retrieval. + bpfClockProbe: false + + # -- Clean all eBPF datapath state from the initContainer of the cilium-agent + # DaemonSet. + # + # WARNING: Use with care! + cleanBpfState: false + + # -- Clean all local Cilium state from the initContainer of the cilium-agent + # DaemonSet. Implies cleanBpfState: true. + # + # WARNING: Use with care! + cleanState: false + + # -- Wait for KUBE-PROXY-CANARY iptables rule to appear in "wait-for-kube-proxy" + # init container before launching cilium-agent. + # More context can be found in the commit message of below PR + # https://github.com/cilium/cilium/pull/20123 + waitForKubeProxy: false + + cni: + # -- Install the CNI configuration and binary files into the filesystem. + install: true + + # -- Remove the CNI configuration and binary files on agent shutdown. Enable this + # if you're removing Cilium from the cluster. Disable this to prevent the CNI + # configuration file from being removed during agent upgrade, which can cause + # nodes to go unmanageable. + uninstall: false + + # -- Configure chaining on top of other CNI plugins. 
Possible values: + # - none + # - aws-cni + # - flannel + # - generic-veth + # - portmap + chainingMode: ~ + + # -- A CNI network name in to which the Cilium plugin should be added as a chained plugin. + # This will cause the agent to watch for a CNI network with this network name. When it is + # found, this will be used as the basis for Cilium's CNI configuration file. If this is + # set, it assumes a chaining mode of generic-veth. As a special case, a chaining mode + # of aws-cni implies a chainingTarget of aws-cni. + chainingTarget: ~ + + # -- Make Cilium take ownership over the `/etc/cni/net.d` directory on the + # node, renaming all non-Cilium CNI configurations to `*.cilium_bak`. + # This ensures no Pods can be scheduled using other CNI plugins during Cilium + # agent downtime. + exclusive: true + + # -- Configure the log file for CNI logging with retention policy of 7 days. + # Disable CNI file logging by setting this field to empty explicitly. + logFile: /var/run/cilium/cilium-cni.log + + # -- Skip writing of the CNI configuration. This can be used if + # writing of the CNI configuration is performed by external automation. + customConf: false + + # -- Configure the path to the CNI configuration directory on the host. + confPath: /etc/cni/net.d + + # -- Configure the path to the CNI binary directory on the host. + binPath: /opt/cni/bin + + # -- Specify the path to a CNI config to read from on agent start. + # This can be useful if you want to manage your CNI + # configuration outside of a Kubernetes environment. This parameter is + # mutually exclusive with the 'cni.configMap' parameter. The agent will + # write this to 05-cilium.conflist on startup. 
+ # readCniConf: /host/etc/cni/net.d/05-sample.conflist.input + + # -- When defined, configMap will mount the provided value as ConfigMap and + # interpret the cniConf variable as CNI configuration file and write it + # when the agent starts up + # configMap: cni-configuration + + # -- Configure the key in the CNI ConfigMap to read the contents of + # the CNI configuration from. + configMapKey: cni-config + + # -- Configure the path to where to mount the ConfigMap inside the agent pod. + confFileMountPath: /tmp/cni-configuration + + # -- Configure the path to where the CNI configuration directory is mounted + # inside the agent pod. + hostConfDirMountPath: /host/etc/cni/net.d + + # -- Specifies the resources for the cni initContainer + resources: + requests: + cpu: 100m + memory: 10Mi + + # -- (string) Configure how frequently garbage collection should occur for the datapath + # connection tracking table. + # @default -- `"0s"` + conntrackGCInterval: "" + + # -- (string) Configure the maximum frequency for the garbage collection of the + # connection tracking table. Only affects the automatic computation for the frequency + # and has no effect when 'conntrackGCInterval' is set. This can be set to more frequently + # clean up unused identities created from ToFQDN policies. + conntrackGCMaxInterval: "" + + # -- Configure container runtime specific integration. + # Deprecated in favor of bpf.autoMount.enabled. To be removed in 1.15. + containerRuntime: + # -- Enables specific integrations for container runtimes. + # Supported values: + # - crio + # - none + integration: none + + # -- (string) Configure timeout in which Cilium will exit if CRDs are not available + # @default -- `"5m"` + crdWaitTimeout: "" + + # -- Tail call hooks for custom eBPF programs. + customCalls: + # -- Enable tail call hooks for custom eBPF programs. + enabled: false + + daemon: + # -- Configure where Cilium runtime state should be stored. 
+ runPath: "/var/run/cilium" + + # -- Configure a custom list of possible configuration override sources + # The default is "config-map:cilium-config,cilium-node-config". For supported + # values, see the help text for the build-config subcommand. + # Note that this value should be a comma-separated string. + configSources: ~ + + # -- allowedConfigOverrides is a list of config-map keys that can be overridden. + # That is to say, if this value is set, config sources (excepting the first one) can + # only override keys in this list. + # + # This takes precedence over blockedConfigOverrides. + # + # By default, all keys may be overridden. To disable overrides, set this to "none" or + # change the configSources variable. + allowedConfigOverrides: ~ + + # -- blockedConfigOverrides is a list of config-map keys that may not be overridden. + # In other words, if any of these keys appear in a configuration source excepting the + # first one, they will be ignored + # + # This is ignored if allowedConfigOverrides is set. + # + # By default, all keys may be overridden. + blockedConfigOverrides: ~ + + # -- Specify which network interfaces can run the eBPF datapath. This means + # that a packet sent from a pod to a destination outside the cluster will be + # masqueraded (to an output device IPv4 address), if the output device runs the + # program. When not specified, probing will automatically detect devices that have + # a non-local route. This should be used only when autodetection is not suitable. + # devices: "" + + # -- Enables experimental support for the detection of new and removed datapath + # devices. When devices change the eBPF datapath is reloaded and services updated. + # If "devices" is set then only those devices, or devices matching a wildcard will + # be considered. + enableRuntimeDeviceDetection: false + + # -- Chains to ignore when installing feeder rules. 
+ # disableIptablesFeederRules: "" + + # -- Limit iptables-based egress masquerading to interface selector. + # egressMasqueradeInterfaces: "" + + # -- Enable setting identity mark for local traffic. + # enableIdentityMark: true + + # -- Enable Kubernetes EndpointSlice feature in Cilium if the cluster supports it. + # enableK8sEndpointSlice: true + + # -- Enable CiliumEndpointSlice feature. + enableCiliumEndpointSlice: false + + envoyConfig: + # -- Enable CiliumEnvoyConfig CRD + # CiliumEnvoyConfig CRD can also be implicitly enabled by other options. + enabled: false + + # -- SecretsNamespace is the namespace in which envoy SDS will retrieve secrets from. + secretsNamespace: + # -- Create secrets namespace for CiliumEnvoyConfig CRDs. + create: true + + # -- The name of the secret namespace to which Cilium agents are given read access. + name: cilium-secrets + + ingressController: + # -- Enable cilium ingress controller + # This will automatically set enable-envoy-config as well. + enabled: false + + # -- Set cilium ingress controller to be the default ingress controller + # This will let cilium ingress controller route entries without ingress class set + default: false + + # -- Default ingress load balancer mode + # Supported values: shared, dedicated + # For granular control, use the following annotations on the ingress resource + # ingress.cilium.io/loadbalancer-mode: shared|dedicated, + loadbalancerMode: dedicated + + # -- Enforce https for host having matching TLS host in Ingress. + # Incoming traffic to http listener will return 308 http error code with respective location in header. + enforceHttps: true + + # -- Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled. 
+ enableProxyProtocol: false + + # -- IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service + ingressLBAnnotationPrefixes: ['service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com'] + + # -- Default secret namespace for ingresses without .spec.tls[].secretName set. + defaultSecretNamespace: + + # -- Default secret name for ingresses without .spec.tls[].secretName set. + defaultSecretName: + + # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. + secretsNamespace: + # -- Create secrets namespace for Ingress. + create: true + + # -- Name of Ingress secret namespace. + name: cilium-secrets + + # -- Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. + # If disabled, TLS secrets must be maintained externally. + sync: true + + # -- Load-balancer service in shared mode. + # This is a single load-balancer service for all Ingress resources. 
+ service: + # -- Service name + name: cilium-ingress + # -- Labels to be added for the shared LB service + labels: {} + # -- Annotations to be added for the shared LB service + annotations: {} + # -- Service type for the shared LB service + type: LoadBalancer + # -- Configure a specific nodePort for insecure HTTP traffic on the shared LB service + insecureNodePort: ~ + # -- Configure a specific nodePort for secure HTTPS traffic on the shared LB service + secureNodePort : ~ + # -- Configure a specific loadBalancerClass on the shared LB service (requires Kubernetes 1.24+) + loadBalancerClass: ~ + # -- Configure a specific loadBalancerIP on the shared LB service + loadBalancerIP : ~ + # -- Configure if node port allocation is required for LB service + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + allocateLoadBalancerNodePorts: ~ + + gatewayAPI: + # -- Enable support for Gateway API in cilium + # This will automatically set enable-envoy-config as well. + enabled: false + + # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. + secretsNamespace: + # -- Create secrets namespace for Gateway API. + create: true + + # -- Name of Gateway API secret namespace. + name: cilium-secrets + + # -- Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. + # If disabled, TLS secrets must be maintained externally. + sync: true + + # -- Enables the fallback compatibility solution for when the xt_socket kernel + # module is missing and it is needed for the datapath L7 redirection to work + # properly. See documentation for details on when this can be disabled: + # https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. + enableXTSocketFallback: true + + encryption: + # -- Enable transparent network encryption. + enabled: false + + # -- Encryption method. Can be either ipsec or wireguard. 
+ type: ipsec + + # -- Enable encryption for pure node to node traffic. + # This option is only effective when encryption.type is set to "wireguard". + nodeEncryption: false + + # -- Configure the WireGuard Pod2Pod strict mode. + strictMode: + # -- Enable WireGuard Pod2Pod strict mode. + enabled: false + + # -- CIDR for the WireGuard Pod2Pod strict mode. + cidr: "" + + # -- Allow dynamic lookup of remote node identities. + # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. + allowRemoteNodeIdentities: false + + ipsec: + # -- Name of the key file inside the Kubernetes secret configured via secretName. + keyFile: "" + + # -- Path to mount the secret inside the Cilium pod. + mountPath: "" + + # -- Name of the Kubernetes secret containing the encryption keys. + secretName: "" + + # -- The interface to use for encrypted traffic. + interface: "" + + # -- Enable the key watcher. If disabled, a restart of the agent will be + # necessary on key rotations. + keyWatcher: true + + # -- Maximum duration of the IPsec key rotation. The previous key will be + # removed after that delay. + keyRotationDuration: "5m" + + wireguard: + # -- Enables the fallback to the user-space implementation. + userspaceFallback: false + # -- Controls Wireguard PersistentKeepalive option. Set 0s to disable. + persistentKeepalive: 0s + + # -- Deprecated in favor of encryption.ipsec.keyFile. To be removed in 1.15. + # Name of the key file inside the Kubernetes secret configured via secretName. + # This option is only effective when encryption.type is set to ipsec. + keyFile: keys + + # -- Deprecated in favor of encryption.ipsec.mountPath. To be removed in 1.15. + # Path to mount the secret inside the Cilium pod. + # This option is only effective when encryption.type is set to ipsec. + mountPath: /etc/ipsec + + # -- Deprecated in favor of encryption.ipsec.secretName. To be removed in 1.15. 
+ # Name of the Kubernetes secret containing the encryption keys. + # This option is only effective when encryption.type is set to ipsec. + secretName: cilium-ipsec-keys + + # -- Deprecated in favor of encryption.ipsec.interface. To be removed in 1.15. + # The interface to use for encrypted traffic. + # This option is only effective when encryption.type is set to ipsec. + interface: "" + + endpointHealthChecking: + # -- Enable connectivity health checking between virtual endpoints. + enabled: true + + # -- Enable endpoint status. + # Status can be: policy, health, controllers, log and / or state. For 2 or more options use a space. + endpointStatus: + enabled: false + status: "" + + endpointRoutes: + # -- Enable use of per endpoint routes instead of routing via + # the cilium_host interface. + enabled: false + + k8sNetworkPolicy: + # -- Enable support for K8s NetworkPolicy + enabled: true + + eni: + # -- Enable Elastic Network Interface (ENI) integration. + enabled: false + # -- Update ENI Adapter limits from the EC2 API + updateEC2AdapterLimitViaAPI: true + # -- Release IPs not used from the ENI + awsReleaseExcessIPs: false + # -- Enable ENI prefix delegation + awsEnablePrefixDelegation: false + # -- EC2 API endpoint to use + ec2APIEndpoint: "" + # -- Tags to apply to the newly created ENIs + eniTags: {} + # -- Interval for garbage collection of unattached ENIs. Set to "0s" to disable. + # @default -- `"5m"` + gcInterval: "" + # -- Additional tags attached to ENIs created by Cilium. + # Dangling ENIs with this tag will be garbage collected + # @default -- `{"io.cilium/cilium-managed":"true,"io.cilium/cluster-name":""}` + gcTags: {} + # -- If using IAM role for Service Accounts will not try to + # inject identity values from cilium-aws kubernetes secret. + # Adds annotation to service account if managed by Helm. 
+ # See https://github.com/aws/amazon-eks-pod-identity-webhook + iamRole: "" + # -- Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs + # Important note: This requires that each instance has an ENI with a matching subnet attached + # when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, + # use the CNI configuration file settings (cni.customConf) instead. + subnetIDsFilter: [] + # -- Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs + # Important note: This requires that each instance has an ENI with a matching subnet attached + # when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, + # use the CNI configuration file settings (cni.customConf) instead. + subnetTagsFilter: [] + # -- Filter via AWS EC2 Instance tags (k=v) which will dictate which AWS EC2 Instances + # are going to be used to create new ENIs + instanceTagsFilter: [] + + externalIPs: + # -- Enable ExternalIPs service support. + enabled: false + + # fragmentTracking enables IPv4 fragment tracking support in the datapath. + # fragmentTracking: true + + gke: + # -- Enable Google Kubernetes Engine integration + enabled: false + + # -- Enable connectivity health checking. + healthChecking: true + + # -- TCP port for the agent health API. This is not the port for cilium-health. + healthPort: 9879 + + # -- Configure the host firewall. + hostFirewall: + # -- Enables the enforcement of host policies in the eBPF datapath. + enabled: false + + hostPort: + # -- Enable hostPort service support. + enabled: false + + # -- Configure socket LB + socketLB: + # -- Enable socket LB + enabled: false + + # -- Disable socket lb for non-root ns. This is used to enable Istio routing rules. + # hostNamespaceOnly: false + + # -- Configure certificate generation for Hubble integration. 
+ # If hubble.tls.auto.method=cronJob, these values are used + # for the Kubernetes CronJob which will be scheduled regularly to + # (re)generate any certificates not provided manually. + certgen: + image: + override: ~ + repository: "quay.io/cilium/certgen" + tag: "v0.1.9" + digest: "sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f" + useDigest: true + pullPolicy: "IfNotPresent" + # -- Seconds after which the completed job pod will be deleted + ttlSecondsAfterFinished: 1800 + # -- Labels to be added to hubble-certgen pods + podLabels: {} + # -- Annotations to be added to the hubble-certgen initial Job and CronJob + annotations: + job: {} + cronJob: {} + # -- Node tolerations for pod assignment on nodes with taints + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: [] + + # -- Additional certgen volumes. + extraVolumes: [] + + # -- Additional certgen volumeMounts. + extraVolumeMounts: [] + + # -- Affinity for certgen + affinity: {} + + hubble: + # -- Enable Hubble (true by default). + enabled: true + + # -- Annotations to be added to all top-level hubble objects (resources under templates/hubble) + annotations: {} + + # -- Buffer size of the channel Hubble uses to receive monitor events. If this + # value is not set, the queue size is set to the default monitor queue size. + # eventQueueSize: "" + + # -- Number of recent flows for Hubble to cache. Defaults to 4095. + # Possible values are: + # 1, 3, 7, 15, 31, 63, 127, 255, 511, 1023, + # 2047, 4095, 8191, 16383, 32767, 65535 + # eventBufferCapacity: "4095" + + # -- Hubble metrics configuration. + # See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics + # for more comprehensive documentation about Hubble metrics. + metrics: + # -- Configures the list of metrics to collect. If empty or null, metrics + # are disabled. 
+ # Example: + # + # enabled: + # - dns:query;ignoreAAAA + # - drop + # - tcp + # - flow + # - icmp + # - http + # + # You can specify the list of metrics from the helm CLI: + # + # --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" + # + enabled: ~ + # -- Enables exporting hubble metrics in OpenMetrics format. + enableOpenMetrics: false + # -- Configure the port the hubble metric server listens on. + port: 9965 + # -- Annotations to be added to hubble-metrics service. + serviceAnnotations: {} + serviceMonitor: + # -- Create ServiceMonitor resources for Prometheus Operator. + # This requires the prometheus CRDs to be available. + # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + enabled: false + # -- Labels to add to ServiceMonitor hubble + labels: {} + # -- Annotations to add to ServiceMonitor hubble + annotations: {} + # -- jobLabel to add for ServiceMonitor hubble + jobLabel: "" + # -- Interval for scrape metrics. + interval: "10s" + # -- Relabeling configs for the ServiceMonitor hubble + relabelings: + - sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: node + replacement: ${1} + # -- Metrics relabeling configs for the ServiceMonitor hubble + metricRelabelings: ~ + # -- Grafana dashboards for hubble + # grafana can import dashboards based on the label and value + # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards + dashboards: + enabled: false + label: grafana_dashboard + namespace: ~ + labelValue: "1" + annotations: {} + + # -- Unix domain socket path to listen to when Hubble is enabled. + socketPath: /var/run/cilium/hubble.sock + + # -- Enables redacting sensitive information present in Layer 7 flows. + redact: + enabled: false + http: + # -- Enables redacting URL query (GET) parameters. 
+ # Example: + # + # redact: + # enabled: true + # http: + # urlQuery: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.urlQuery="true" + urlQuery: false + # -- Enables redacting user info, e.g., password when basic auth is used. + # Example: + # + # redact: + # enabled: true + # http: + # userInfo: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.userInfo="true" + userInfo: true + headers: + # -- List of HTTP headers to allow: headers not matching will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. + # Example: + # redact: + # enabled: true + # http: + # headers: + # allow: + # - traceparent + # - tracestate + # - Cache-Control + # + # You can specify the options from the helm CLI: + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control" + allow: [] + # -- List of HTTP headers to deny: matching headers will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. + # Example: + # redact: + # enabled: true + # http: + # headers: + # deny: + # - Authorization + # - Proxy-Authorization + # + # You can specify the options from the helm CLI: + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization" + deny: [] + kafka: + # -- Enables redacting Kafka's API key. + # Example: + # + # redact: + # enabled: true + # kafka: + # apiKey: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.kafka.apiKey="true" + apiKey: false + + # -- An additional address for Hubble to listen to. + # Set this field ":4244" if you are enabling Hubble Relay, as it assumes that + # Hubble is listening on port 4244. 
+ listenAddress: ":4244" + # -- Whether Hubble should prefer to announce IPv6 or IPv4 addresses if both are available. + preferIpv6: false + # -- (bool) Skip Hubble events with unknown cgroup ids + # @default -- `true` + skipUnknownCGroupIDs: ~ + + peerService: + # -- Service Port for the Peer service. + # If not set, it is dynamically assigned to port 443 if TLS is enabled and to + # port 80 if not. + # servicePort: 80 + # -- Target Port for the Peer service, must match the hubble.listenAddress' + # port. + targetPort: 4244 + # -- The cluster domain to use to query the Hubble Peer service. It should + # be the local cluster. + clusterDomain: cluster.local + # -- TLS configuration for Hubble + tls: + # -- Enable mutual TLS for listenAddress. Setting this value to false is + # highly discouraged as the Hubble API provides access to potentially + # sensitive network flow metadata and is exposed on the host network. + enabled: true + # -- Configure automatic TLS certificates generation. + auto: + # -- Auto-generate certificates. + # When set to true, automatically generate a CA and certificates to + # enable mTLS between Hubble server and Hubble Relay instances. If set to + # false, the certs for Hubble server need to be provided by setting + # appropriate values below. + enabled: true + # -- Set the method to auto-generate certificates. Supported values: + # - helm: This method uses Helm to generate all certificates. + # - cronJob: This method uses a Kubernetes CronJob the generate any + # certificates not provided by the user at installation + # time. + # - certmanager: This method use cert-manager to generate & rotate certificates. + method: helm + # -- Generated certificates validity duration in days. + certValidityDuration: 1095 + # -- Schedule for certificates regeneration (regardless of their expiration date). + # Only used if method is "cronJob". If nil, then no recurring job will be created. 
+ # Instead, only the one-shot job is deployed to generate the certificates at + # installation time. + # + # Defaults to midnight of the first day of every fourth month. For syntax, see + # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax + schedule: "0 0 1 */4 *" + + # [Example] + # certManagerIssuerRef: + # group: cert-manager.io + # kind: ClusterIssuer + # name: ca-issuer + # -- certmanager issuer used when hubble.tls.auto.method=certmanager. + certManagerIssuerRef: {} + + # -- base64 encoded PEM values for the Hubble server certificate and private key + server: + cert: "" + key: "" + # -- Extra DNS names added to certificate when it's auto generated + extraDnsNames: [] + # -- Extra IP addresses added to certificate when it's auto generated + extraIpAddresses: [] + + relay: + # -- Enable Hubble Relay (requires hubble.enabled=true) + enabled: false + + # -- Roll out Hubble Relay pods automatically when configmap is updated. + rollOutPods: false + + # -- Hubble-relay container image. + image: + override: ~ + repository: "quay.io/cilium/hubble-relay" + tag: "v1.15.2" + # hubble-relay-digest + digest: "" + useDigest: false + pullPolicy: "IfNotPresent" + + # -- Specifies the resources for the hubble-relay pods + resources: {} + + # -- Number of replicas run for the hubble-relay deployment. 
+ replicas: 1 + + # -- Affinity for hubble-replay + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium + + # -- Pod topology spread constraints for hubble-relay + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Node labels for pod assignment + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for pod assignment on nodes with taints + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: [] + + # -- Additional hubble-relay environment variables. + extraEnv: [] + + # -- Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay) + annotations: {} + + # -- Annotations to be added to hubble-relay pods + podAnnotations: {} + + # -- Labels to be added to hubble-relay pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- The priority class to use for hubble-relay + priorityClassName: "" + + # -- Configure termination grace period for hubble relay Deployment. + terminationGracePeriodSeconds: 1 + + # -- hubble-relay update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # -- Additional hubble-relay volumes. + extraVolumes: [] + + # -- Additional hubble-relay volumeMounts. 
+ extraVolumeMounts: [] + + # -- hubble-relay pod security context + podSecurityContext: + fsGroup: 65532 + + # -- hubble-relay container security context + securityContext: + # readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + capabilities: + drop: + - ALL + + # -- hubble-relay service configuration. + service: + # --- The type of service used for Hubble Relay access, either ClusterIP or NodePort. + type: ClusterIP + # --- The port to use when the service type is set to NodePort. + nodePort: 31234 + + # -- Host to listen to. Specify an empty string to bind to all the interfaces. + listenHost: "" + + # -- Port to listen to. + listenPort: "4245" + + # -- TLS configuration for Hubble Relay + tls: + # -- base64 encoded PEM values for the hubble-relay client certificate and private key + # This keypair is presented to Hubble server instances for mTLS + # authentication and is required when hubble.tls.enabled is true. + # These values need to be set manually if hubble.tls.auto.enabled is false. + client: + cert: "" + key: "" + # -- base64 encoded PEM values for the hubble-relay server certificate and private key + server: + # When set to true, enable TLS on for Hubble Relay server + # (ie: for clients connecting to the Hubble Relay API). + enabled: false + # When set to true enforces mutual TLS between Hubble Relay server and its clients. + # False allow non-mutual TLS connections. + # This option has no effect when TLS is disabled. + mtls: false + # These values need to be set manually if hubble.tls.auto.enabled is false. 
+ cert: "" + key: "" + # -- extra DNS names added to certificate when its auto gen + extraDnsNames: [] + # -- extra IP addresses added to certificate when its auto gen + extraIpAddresses: [] + # DNS name used by the backend to connect to the relay + # This is a simple workaround as the relay certificates are currently hardcoded to + # *.hubble-relay.cilium.io + # See https://github.com/cilium/cilium/pull/28709#discussion_r1371792546 + # For GKE Dataplane V2 this should be set to relay.kube-system.svc.cluster.local + relayName: "ui.hubble-relay.cilium.io" + + # -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). + dialTimeout: ~ + + # -- Backoff duration to retry connecting to the local hubble instance in case of failure (e.g. "30s"). + retryTimeout: ~ + + # -- Max number of flows that can be buffered for sorting before being sent to the + # client (per request) (e.g. 100). + sortBufferLenMax: ~ + + # -- When the per-request flows sort buffer is not full, a flow is drained every + # time this timeout is reached (only affects requests in follow-mode) (e.g. "1s"). + sortBufferDrainTimeout: ~ + + # -- Port to use for the k8s service backed by hubble-relay pods. + # If not set, it is dynamically assigned to port 443 if TLS is enabled and to + # port 80 if not. + # servicePort: 80 + + # -- Enable prometheus metrics for hubble-relay on the configured port at + # /metrics + prometheus: + enabled: false + port: 9966 + serviceMonitor: + # -- Enable service monitors. + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + enabled: false + # -- Labels to add to ServiceMonitor hubble-relay + labels: {} + # -- Annotations to add to ServiceMonitor hubble-relay + annotations: {} + # -- Interval for scrape metrics. 
+ interval: "10s" + # -- Specify the Kubernetes namespace where Prometheus expects to find + # service monitors configured. + # namespace: "" + # -- Relabeling configs for the ServiceMonitor hubble-relay + relabelings: ~ + # -- Metrics relabeling configs for the ServiceMonitor hubble-relay + metricRelabelings: ~ + + gops: + # -- Enable gops for hubble-relay + enabled: true + # -- Configure gops listen port for hubble-relay + port: 9893 + + pprof: + # -- Enable pprof for hubble-relay + enabled: false + # -- Configure pprof listen address for hubble-relay + address: localhost + # -- Configure pprof listen port for hubble-relay + port: 6062 + + ui: + # -- Whether to enable the Hubble UI. + enabled: false + + standalone: + # -- When true, it will allow installing the Hubble UI only, without checking dependencies. + # It is useful if a cluster already has cilium and Hubble relay installed and you just + # want Hubble UI to be deployed. + # When installed via helm, installing UI should be done via `helm upgrade` and when installed via the cilium cli, then `cilium hubble enable --ui` + enabled: false + + tls: + # -- When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required + # to provide a volume for mounting the client certificates. + certsVolume: {} + # projected: + # defaultMode: 0400 + # sources: + # - secret: + # name: hubble-ui-client-certs + # items: + # - key: tls.crt + # path: client.crt + # - key: tls.key + # path: client.key + # - key: ca.crt + # path: hubble-relay-ca.crt + + # -- Roll out Hubble-ui pods automatically when configmap is updated. + rollOutPods: false + + tls: + # -- base64 encoded PEM values used to connect to hubble-relay + # This keypair is presented to Hubble Relay instances for mTLS + # authentication and is required when hubble.relay.tls.server.enabled is true. + # These values need to be set manually if hubble.tls.auto.enabled is false. 
+ client:
+ cert: ""
+ key: ""
+
+ backend:
+ # -- Hubble-ui backend image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/hubble-ui-backend"
+ tag: "v0.13.0"
+ digest: "sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803"
+ useDigest: true
+ pullPolicy: "IfNotPresent"
+
+ # -- Hubble-ui backend security context.
+ securityContext: {}
+
+ # -- Additional hubble-ui backend environment variables.
+ extraEnv: []
+
+ # -- Additional hubble-ui backend volumes.
+ extraVolumes: []
+
+ # -- Additional hubble-ui backend volumeMounts.
+ extraVolumeMounts: []
+
+ livenessProbe:
+ # -- Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+)
+ enabled: false
+
+ readinessProbe:
+ # -- Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+)
+ enabled: false
+
+ # -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment.
+ resources: {}
+ # limits:
+ # cpu: 1000m
+ # memory: 1024M
+ # requests:
+ # cpu: 100m
+ # memory: 64Mi
+
+ frontend:
+ # -- Hubble-ui frontend image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/hubble-ui"
+ tag: "v0.13.0"
+ digest: "sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666"
+ useDigest: true
+ pullPolicy: "IfNotPresent"
+
+ # -- Hubble-ui frontend security context.
+ securityContext: {}
+
+ # -- Additional hubble-ui frontend environment variables.
+ extraEnv: []
+
+ # -- Additional hubble-ui frontend volumes.
+ extraVolumes: []
+
+ # -- Additional hubble-ui frontend volumeMounts.
+ extraVolumeMounts: []
+
+ # -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment.
+ resources: {}
+ # limits:
+ # cpu: 1000m
+ # memory: 1024M
+ # requests:
+ # cpu: 100m
+ # memory: 64Mi
+ server:
+ # -- Controls server listener for ipv6
+ ipv6:
+ enabled: true
+
+ # -- The number of replicas of Hubble UI to deploy.
+ replicas: 1
+
+ # -- Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui)
+ annotations: {}
+
+ # -- Annotations to be added to hubble-ui pods
+ podAnnotations: {}
+
+ # -- Labels to be added to hubble-ui pods
+ podLabels: {}
+
+ # PodDisruptionBudget settings
+ podDisruptionBudget:
+ # -- enable PodDisruptionBudget
+ # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ enabled: false
+ # -- Minimum number/percentage of pods that should remain scheduled.
+ # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
+ minAvailable: null
+ # -- Maximum number/percentage of pods that may be made unavailable
+ maxUnavailable: 1
+
+ # -- Affinity for hubble-ui
+ affinity: {}
+
+ # -- Pod topology spread constraints for hubble-ui
+ topologySpreadConstraints: []
+ # - maxSkew: 1
+ # topologyKey: topology.kubernetes.io/zone
+ # whenUnsatisfiable: DoNotSchedule
+
+ # -- Node labels for pod assignment
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # -- Node tolerations for pod assignment on nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations: []
+
+ # -- The priority class to use for hubble-ui
+ priorityClassName: ""
+
+ # -- hubble-ui update strategy.
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+
+ # -- Security context to be added to Hubble UI pods
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+
+ # -- hubble-ui service configuration.
+ service:
+ # -- Annotations to be added for the Hubble UI service
+ annotations: {}
+ # --- The type of service used for Hubble UI access, either ClusterIP or NodePort.
+ type: ClusterIP
+ # --- The port to use when the service type is set to NodePort.
+ nodePort: 31235
+
+ # -- Defines base url prefix for all hubble-ui http requests.
+ # It needs to be changed in case if ingress for hubble-ui is configured under some sub-path.
+ # Trailing `/` is required for custom path, ex. `/service-map/`
+ baseUrl: "/"
+
+ # -- hubble-ui ingress configuration.
+ ingress:
+ enabled: false
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ className: ""
+ hosts:
+ - chart-example.local
+ labels: {}
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+ # -- Hubble flows export.
+ export:
+ # --- Defines max file size of output file before it gets rotated.
+ fileMaxSizeMb: 10
+ # --- Defines max number of backup/rotated files.
+ fileMaxBackups: 5
+ # --- Static exporter configuration.
+ # Static exporter is bound to agent lifecycle.
+ static:
+ enabled: false
+ filePath: /var/run/cilium/hubble/events.log
+ fieldMask: []
+ # - time
+ # - source
+ # - destination
+ # - verdict
+ allowList: []
+ # - '{"verdict":["DROPPED","ERROR"]}'
+ denyList: []
+ # - '{"source_pod":["kube-system/"]}'
+ # - '{"destination_pod":["kube-system/"]}'
+ # --- Dynamic exporters configuration.
+ # Dynamic exporters may be reconfigured without a need of agent restarts.
+ dynamic:
+ enabled: false
+ config:
+ # ---- Name of configmap with configuration that may be altered to reconfigure exporters within a running agents.
+ configMapName: cilium-flowlog-config
+ # ---- True if helm installer should create config map.
+ # Switch to false if you want to self maintain the file content.
+ createConfigMap: true
+ # ---- Exporters configuration in YAML format.
+ content:
+ - name: all
+ fieldMask: []
+ includeFilters: []
+ excludeFilters: []
+ filePath: "/var/run/cilium/hubble/events.log"
+ #- name: "test002"
+ # filePath: "/var/log/network/flow-log/pa/test002.log"
+ # fieldMask: ["source.namespace", "source.pod_name", "destination.namespace", "destination.pod_name", "verdict"]
+ # includeFilters:
+ # - source_pod: ["default/"]
+ # event_type:
+ # - type: 1
+ # - destination_pod: ["frontend/nginx-975996d4c-7hhgt"]
+ # excludeFilters: []
+ # end: "2023-10-09T23:59:59-07:00"
+
+ # -- Method to use for identity allocation (`crd` or `kvstore`).
+ identityAllocationMode: "crd"
+
+ # -- (string) Time to wait before using new identity on endpoint identity change.
+ # @default -- `"5s"`
+ identityChangeGracePeriod: ""
+
+ # -- Install Iptables rules to skip netfilter connection tracking on all pod
+ # traffic. This option is only effective when Cilium is running in direct
+ # routing and full KPR mode. Moreover, this option cannot be enabled when Cilium
+ # is running in a managed Kubernetes environment or in a chained CNI setup.
+ installNoConntrackIptablesRules: false
+
+ ipam:
+ # -- Configure IP Address Management mode.
+ # ref: https://docs.cilium.io/en/stable/network/concepts/ipam/
+ mode: "cluster-pool"
+ # -- Maximum rate at which the CiliumNode custom resource is updated.
+ ciliumNodeUpdateRate: "15s"
+ operator:
+ # -- IPv4 CIDR list range to delegate to individual nodes for IPAM.
+ clusterPoolIPv4PodCIDRList: ["10.0.0.0/8"]
+ # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM.
+ clusterPoolIPv4MaskSize: 24
+ # -- IPv6 CIDR list range to delegate to individual nodes for IPAM.
+ clusterPoolIPv6PodCIDRList: ["fd00::/104"]
+ # -- IPv6 CIDR mask size to delegate to individual nodes for IPAM.
+ clusterPoolIPv6MaskSize: 120
+ # -- IP pools to auto-create in multi-pool IPAM mode.
+ autoCreateCiliumPodIPPools: {}
+ # default:
+ # ipv4:
+ # cidrs:
+ # - 10.10.0.0/8
+ # maskSize: 24
+ # other:
+ # ipv6:
+ # cidrs:
+ # - fd00:100::/80
+ # maskSize: 96
+ # -- The maximum burst size when rate limiting access to external APIs.
+ # Also known as the token bucket capacity.
+ # @default -- `20`
+ externalAPILimitBurstSize: ~
+ # -- The maximum queries per second when rate limiting access to
+ # external APIs. Also known as the bucket refill rate, which is used to
+ # refill the bucket up to the burst size capacity.
+ # @default -- `4.0`
+ externalAPILimitQPS: ~
+
+ # -- The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API
+ apiRateLimit: ~
+
+ # -- Configure the eBPF-based ip-masq-agent
+ ipMasqAgent:
+ enabled: false
+ # the config of nonMasqueradeCIDRs
+ # config:
+ # nonMasqueradeCIDRs: []
+ # masqLinkLocal: false
+ # masqLinkLocalIPv6: false
+
+ # iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium.
+ # iptablesLockTimeout: "5s"
+
+ ipv4:
+ # -- Enable IPv4 support.
+ enabled: true
+
+ ipv6:
+ # -- Enable IPv6 support.
+ enabled: false
+
+ # -- Configure Kubernetes specific configuration
+ k8s: {}
+ # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
+ # range via the Kubernetes node resource
+ # requireIPv4PodCIDR: false
+
+ # -- requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR
+ # range via the Kubernetes node resource
+ # requireIPv6PodCIDR: false
+
+ # -- Keep the deprecated selector labels when deploying Cilium DaemonSet.
+ keepDeprecatedLabels: false
+
+ # -- Keep the deprecated probes when deploying Cilium DaemonSet
+ keepDeprecatedProbes: false
+
+ startupProbe:
+ # -- failure threshold of startup probe.
+ # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s)
+ failureThreshold: 105
+ # -- interval between checks of the startup probe
+ periodSeconds: 2
+ livenessProbe:
+ # -- failure threshold of liveness probe
+ failureThreshold: 10
+ # -- interval between checks of the liveness probe
+ periodSeconds: 30
+ readinessProbe:
+ # -- failure threshold of readiness probe
+ failureThreshold: 3
+ # -- interval between checks of the readiness probe
+ periodSeconds: 30
+
+ # -- Configure the kube-proxy replacement in Cilium BPF datapath
+ # Valid options are "true", "false", "disabled" (deprecated), "partial" (deprecated), "strict" (deprecated).
+ # ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/
+ #kubeProxyReplacement: "false"
+
+ # -- healthz server bind address for the kube-proxy replacement.
+ # To enable set the value to '0.0.0.0:10256' for all ipv4
+ # addresses and this '[::]:10256' for all ipv6 addresses.
+ # By default it is disabled.
+ kubeProxyReplacementHealthzBindAddr: ""
+
+ l2NeighDiscovery:
+ # -- Enable L2 neighbor discovery in the agent
+ enabled: true
+ # -- Override the agent's default neighbor resolution refresh period.
+ refreshPeriod: "30s"
+
+ # -- Enable Layer 7 network policy.
+ l7Proxy: true
+
+ # -- Enable Local Redirect Policy.
+ localRedirectPolicy: false
+
+ # To include or exclude matched resources from cilium identity evaluation
+ # labels: ""
+
+ # logOptions allows you to define logging options. eg:
+ # logOptions:
+ # format: json
+
+ # -- Enables periodic logging of system load
+ logSystemLoad: false
+
+ # -- Configure maglev consistent hashing
+ maglev: {}
+ # -- tableSize is the size (parameter M) for the backend table of one
+ # service entry
+ # tableSize:
+
+ # -- hashSeed is the cluster-wide base64 encoded seed for the hashing
+ # hashSeed:
+
+ # -- Enables masquerading of IPv4 traffic leaving the node from endpoints.
+ enableIPv4Masquerade: true
+
+ # -- Enables masquerading of IPv6 traffic leaving the node from endpoints.
+ enableIPv6Masquerade: true
+
+ # -- Enables masquerading to the source of the route for traffic leaving the node from endpoints.
+ enableMasqueradeRouteSource: false
+
+ # -- Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods
+ enableIPv4BIGTCP: false
+
+ # -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods
+ enableIPv6BIGTCP: false
+
+ egressGateway:
+ # -- Enables egress gateway to redirect and SNAT the traffic that leaves the
+ # cluster.
+ enabled: false
+ # -- Deprecated without a replacement necessary.
+ installRoutes: false
+ # -- Time between triggers of egress gateway state reconciliations
+ reconciliationTriggerInterval: 1s
+ # -- Maximum number of entries in egress gateway policy map
+ # maxPolicyEntries: 16384
+
+ vtep:
+ # -- Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow
+ # Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel.
+ enabled: false
+
+ # -- A space separated list of VTEP device endpoint IPs, for example "1.1.1.1 1.1.2.1"
+ endpoint: ""
+ # -- A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24"
+ cidr: ""
+ # -- VTEP CIDRs Mask that applies to all VTEP CIDRs, for example "255.255.255.0"
+ mask: ""
+ # -- A space separated list of VTEP device MAC addresses (VTEP MAC), for example "x:x:x:x:x:x y:y:y:y:y:y:y"
+ mac: ""
+
+ # -- (string) Allows to explicitly specify the IPv4 CIDR for native routing.
+ # When specified, Cilium assumes networking for this CIDR is preconfigured and
+ # hands traffic destined for that range to the Linux network stack without
+ # applying any SNAT.
+ # Generally speaking, specifying a native routing CIDR implies that Cilium can
+ # depend on the underlying networking stack to route packets to their
+ # destination.
To offer a concrete example, if Cilium is configured to use
+ # direct routing and the Kubernetes CIDR is included in the native routing CIDR,
+ # the user must configure the routes to reach pods, either manually or by
+ # setting the auto-direct-node-routes flag.
+ ipv4NativeRoutingCIDR: ""
+
+ # -- (string) Allows to explicitly specify the IPv6 CIDR for native routing.
+ # When specified, Cilium assumes networking for this CIDR is preconfigured and
+ # hands traffic destined for that range to the Linux network stack without
+ # applying any SNAT.
+ # Generally speaking, specifying a native routing CIDR implies that Cilium can
+ # depend on the underlying networking stack to route packets to their
+ # destination. To offer a concrete example, if Cilium is configured to use
+ # direct routing and the Kubernetes CIDR is included in the native routing CIDR,
+ # the user must configure the routes to reach pods, either manually or by
+ # setting the auto-direct-node-routes flag.
+ ipv6NativeRoutingCIDR: ""
+
+ # -- cilium-monitor sidecar.
+ monitor:
+ # -- Enable the cilium-monitor sidecar.
+ enabled: false
+
+ # -- Configure service load balancing
+ loadBalancer:
+ # -- standalone enables the standalone L4LB which does not connect to
+ # kube-apiserver.
+ # standalone: false
+
+ # -- algorithm is the name of the load balancing algorithm for backend
+ # selection e.g. random or maglev
+ # algorithm: random
+
+ # -- mode is the operation mode of load balancing for remote backends
+ # e.g. snat, dsr, hybrid
+ # mode: snat
+
+ # -- acceleration is the option to accelerate service handling via XDP
+ # Applicable values can be: disabled (do not use XDP), native (XDP BPF
+ # program is run directly out of the networking driver's early receive
+ # path), or best-effort (use native mode XDP acceleration on devices
+ # that support it).
+ acceleration: disabled
+
+ # -- dsrDispatch configures whether IP option or IPIP encapsulation is
+ # used to pass a service IP and port to remote backend
+ # dsrDispatch: opt
+
+ # -- serviceTopology enables K8s Topology Aware Hints -based service
+ # endpoints filtering
+ # serviceTopology: false
+
+ # -- L7 LoadBalancer
+ l7:
+ # -- Enable L7 service load balancing via envoy proxy.
+ # The request to a k8s service, which has specific annotation e.g. service.cilium.io/lb-l7,
+ # will be forwarded to the local backend proxy to be load balanced to the service endpoints.
+ # Please refer to docs for supported annotations for more configuration.
+ #
+ # Applicable values:
+ # - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well.
+ # - disabled: Disable L7 load balancing by way of service annotation.
+ backend: disabled
+ # -- List of ports from service to be automatically redirected to above backend.
+ # Any service exposing one of these ports will be automatically redirected.
+ # Fine-grained control can be achieved by using the service annotation.
+ ports: []
+ # -- Default LB algorithm
+ # The default LB algorithm to be used for services, which can be overridden by the
+ # service annotation (e.g. service.cilium.io/lb-l7-algorithm)
+ # Applicable values: round_robin, least_request, random
+ algorithm: round_robin
+
+ # -- Configure N-S k8s service loadbalancing
+ nodePort:
+ # -- Enable the Cilium NodePort service implementation.
+ enabled: false
+
+ # -- Port range to use for NodePort services.
+ # range: "30000,32767"
+
+ # -- Set to true to prevent applications binding to service ports.
+ bindProtection: true
+
+ # -- Append NodePort range to ip_local_reserved_ports if clash with ephemeral
+ # ports is detected.
+ autoProtectPortRange: true
+
+ # -- Enable healthcheck nodePort server for NodePort services
+ enableHealthCheck: true
+
+ # -- Enable access of the healthcheck nodePort on the LoadBalancerIP.
Needs
+ # EnableHealthCheck to be enabled
+ enableHealthCheckLoadBalancerIP: false
+
+ # policyAuditMode: false
+
+ # -- The agent can be put into one of the three policy enforcement modes:
+ # default, always and never.
+ # ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes
+ policyEnforcementMode: "default"
+
+ # -- policyCIDRMatchMode is a list of entities that may be selected by CIDR selector.
+ # The possible value is "nodes".
+ policyCIDRMatchMode:
+
+ pprof:
+ # -- Enable pprof for cilium-agent
+ enabled: false
+ # -- Configure pprof listen address for cilium-agent
+ address: localhost
+ # -- Configure pprof listen port for cilium-agent
+ port: 6060
+
+ # -- Configure prometheus metrics on the configured port at /metrics
+ prometheus:
+ enabled: false
+ port: 9962
+ serviceMonitor:
+ # -- Enable service monitors.
+ # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
+ enabled: false
+ # -- Labels to add to ServiceMonitor cilium-agent
+ labels: {}
+ # -- Annotations to add to ServiceMonitor cilium-agent
+ annotations: {}
+ # -- jobLabel to add for ServiceMonitor cilium-agent
+ jobLabel: ""
+ # -- Interval for scrape metrics.
+ interval: "10s"
+ # -- Specify the Kubernetes namespace where Prometheus expects to find
+ # service monitors configured.
+ # namespace: ""
+ # -- Relabeling configs for the ServiceMonitor cilium-agent
+ relabelings:
+ - sourceLabels:
+ - __meta_kubernetes_pod_node_name
+ targetLabel: node
+ replacement: ${1}
+ # -- Metrics relabeling configs for the ServiceMonitor cilium-agent
+ metricRelabelings: ~
+ # -- Set to `true` and helm will not check for monitoring.coreos.com/v1 CRDs before deploying
+ trustCRDsExist: false
+
+ # -- Metrics that should be enabled or disabled from the default metric list.
+ # The list is expected to be separated by a space.
(+metric_foo to enable
+ # metric_foo , -metric_bar to disable metric_bar).
+ # ref: https://docs.cilium.io/en/stable/observability/metrics/
+ metrics: ~
+
+ # --- Enable controller group metrics for monitoring specific Cilium
+ # subsystems. The list is a list of controller group names. The special
+ # values of "all" and "none" are supported. The set of controller
+ # group names is not guaranteed to be stable between Cilium versions.
+ controllerGroupMetrics:
+ - write-cni-file
+ - sync-host-ips
+ - sync-lb-maps-with-k8s-services
+
+ # -- Grafana dashboards for cilium-agent
+ # grafana can import dashboards based on the label and value
+ # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards
+ dashboards:
+ enabled: false
+ label: grafana_dashboard
+ namespace: ~
+ labelValue: "1"
+ annotations: {}
+
+ # -- Configure Istio proxy options.
+ proxy:
+
+ prometheus:
+ # -- Deprecated in favor of envoy.prometheus.enabled
+ enabled: true
+ # -- Deprecated in favor of envoy.prometheus.port
+ port: ~
+ # -- Regular expression matching compatible Istio sidecar istio-proxy
+ # container image names
+ sidecarImageRegex: "cilium/istio_proxy"
+
+ # Configure Cilium Envoy options.
+ envoy:
+ # -- Enable Envoy Proxy in standalone DaemonSet.
+ enabled: false
+
+ log:
+ # -- The format string to use for laying out the log message metadata of Envoy.
+ format: "[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"
+ # -- Path to a separate Envoy log file, if any. Defaults to /dev/stdout.
+ path: ""
+
+ # -- Time in seconds after which a TCP connection attempt times out
+ connectTimeoutSeconds: 2
+ # -- ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for Envoy
+ maxRequestsPerConnection: 0
+ # -- Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable)
+ maxConnectionDurationSeconds: 0
+ # -- Set Envoy upstream HTTP idle connection timeout seconds.
+ # Does not apply to connections with pending requests.
Default 60s
+ idleTimeoutDurationSeconds: 60
+
+ # -- Envoy container image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/cilium-envoy"
+ tag: "v1.27.3-99c1c8f42c8de70fc8f6dd594f4a425cd38b6688"
+ pullPolicy: "IfNotPresent"
+ digest: "sha256:877ead12d08d4c04a9f67f86d3c6e542aeb7bf97e1e401aee74de456f496ac30"
+ useDigest: true
+
+ # -- Additional containers added to the cilium Envoy DaemonSet.
+ extraContainers: []
+
+ # -- Additional envoy container arguments.
+ extraArgs: []
+
+ # -- Additional envoy container environment variables.
+ extraEnv: []
+
+ # -- Additional envoy hostPath mounts.
+ extraHostPathMounts: []
+ # - name: host-mnt-data
+ # mountPath: /host/mnt/data
+ # hostPath: /mnt/data
+ # hostPathType: Directory
+ # readOnly: true
+ # mountPropagation: HostToContainer
+
+ # -- Additional envoy volumes.
+ extraVolumes: []
+
+ # -- Additional envoy volumeMounts.
+ extraVolumeMounts: []
+
+ # -- Configure termination grace period for cilium-envoy DaemonSet.
+ terminationGracePeriodSeconds: 1
+
+ # -- TCP port for the health API.
+ healthPort: 9878
+
+ # -- cilium-envoy update strategy
+ # ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#updating-a-daemonset
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 2
+ # -- Roll out cilium envoy pods automatically when configmap is updated.
+ rollOutPods: false
+
+ # -- Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy)
+ annotations: {}
+
+ # -- Security Context for cilium-envoy pods.
+ podSecurityContext: {}
+
+ # -- Annotations to be added to envoy pods
+ podAnnotations: {}
+
+ # -- Labels to be added to envoy pods
+ podLabels: {}
+
+ # -- Envoy resource limits & requests
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources: {}
+ # limits:
+ # cpu: 4000m
+ # memory: 4Gi
+ # requests:
+ # cpu: 100m
+ # memory: 512Mi
+
+ startupProbe:
+ # -- failure threshold of startup probe.
+ # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s)
+ failureThreshold: 105
+ # -- interval between checks of the startup probe
+ periodSeconds: 2
+ livenessProbe:
+ # -- failure threshold of liveness probe
+ failureThreshold: 10
+ # -- interval between checks of the liveness probe
+ periodSeconds: 30
+ readinessProbe:
+ # -- failure threshold of readiness probe
+ failureThreshold: 3
+ # -- interval between checks of the readiness probe
+ periodSeconds: 30
+
+ securityContext:
+ # -- User to run the pod with
+ # runAsUser: 0
+ # -- Run the pod with elevated privileges
+ privileged: false
+ # -- SELinux options for the `cilium-envoy` container
+ seLinuxOptions:
+ level: 's0'
+ # Running with spc_t since we have removed the privileged mode.
+ # Users can change it to a different type as long as they have the
+ # type available on the system.
+ type: 'spc_t'
+ capabilities:
+ # -- Capabilities for the `cilium-envoy` container
+ envoy:
+ # Used since cilium proxy uses setting IPPROTO_IP/IP_TRANSPARENT
+ - NET_ADMIN
+ # We need it for now but might not need it for >= 5.11 specially
+ # for the 'SYS_RESOURCE'.
+ # In >= 5.8 there's already BPF and PERMON capabilities
+ - SYS_ADMIN
+ # Both PERFMON and BPF requires kernel 5.8, container runtime
+ # cri-o >= v1.22.0 or containerd >= v1.5.0.
+ # If available, SYS_ADMIN can be removed.
+ #- PERFMON
+ #- BPF
+
+ # -- Affinity for cilium-envoy.
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - topologyKey: kubernetes.io/hostname
+ labelSelector:
+ matchLabels:
+ k8s-app: cilium-envoy
+
+ # -- Node selector for cilium-envoy.
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # -- Node tolerations for envoy scheduling to nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations:
+ - operator: Exists
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ # -- The priority class to use for cilium-envoy.
+ priorityClassName: ~
+
+ # -- DNS policy for Cilium envoy pods.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
+ dnsPolicy: ~
+
+ # -- Configure Cilium Envoy Prometheus options.
+ # Note that some of these apply to either cilium-agent or cilium-envoy.
+ prometheus:
+ # -- Enable prometheus metrics for cilium-envoy
+ enabled: true
+ serviceMonitor:
+ # -- Enable service monitors.
+ # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
+ # Note that this setting applies to both cilium-envoy _and_ cilium-agent
+ # with Envoy enabled.
+ enabled: false
+ # -- Labels to add to ServiceMonitor cilium-envoy
+ labels: {}
+ # -- Annotations to add to ServiceMonitor cilium-envoy
+ annotations: {}
+ # -- Interval for scrape metrics.
+ interval: "10s"
+ # -- Specify the Kubernetes namespace where Prometheus expects to find
+ # service monitors configured.
+ # namespace: ""
+ # -- Relabeling configs for the ServiceMonitor cilium-envoy
+ # or for cilium-agent with Envoy configured.
+ relabelings:
+ - sourceLabels:
+ - __meta_kubernetes_pod_node_name
+ targetLabel: node
+ replacement: ${1}
+ # -- Metrics relabeling configs for the ServiceMonitor cilium-envoy
+ # or for cilium-agent with Envoy configured.
+ metricRelabelings: ~
+ # -- Serve prometheus metrics for cilium-envoy on the configured port
+ port: "9964"
+
+ # -- Enable use of the remote node identity.
+ # ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity
+ # Deprecated without replacement in 1.15. To be removed in 1.16.
+ remoteNodeIdentity: true
+
+ # -- Enable resource quotas for priority classes used in the cluster.
+ resourceQuotas:
+ enabled: false
+ cilium:
+ hard:
+ # 5k nodes * 2 DaemonSets (Cilium and cilium node init)
+ pods: "10k"
+ operator:
+ hard:
+ # 15 "clusterwide" Cilium Operator pods for HA
+ pods: "15"
+
+ # Need to document default
+ ##################
+ #sessionAffinity: false
+
+ # -- Do not run Cilium agent when running with clean mode. Useful to completely
+ # uninstall Cilium as it will stop Cilium from starting and create artifacts
+ # in the node.
+ sleepAfterInit: false
+
+ # -- Enable check of service source ranges (currently, only for LoadBalancer).
+ svcSourceRangeCheck: true
+
+ # -- Synchronize Kubernetes nodes to kvstore and perform CNP GC.
+ synchronizeK8sNodes: true
+
+ # -- Configure TLS configuration in the agent.
+ tls:
+ # -- This configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies
+ # (namely the secrets referenced by terminatingTLS and originatingTLS).
+ # Possible values:
+ # - local
+ # - k8s
+ secretsBackend: local
+
+ # -- Base64 encoded PEM values for the CA certificate and private key.
+ # This can be used as common CA to generate certificates used by hubble and clustermesh components.
+ # It is neither required nor used when cert-manager is used to generate the certificates.
+ ca:
+ # -- Optional CA cert.
If it is provided, it will be used by cilium to
+ # generate all other certificates. Otherwise, an ephemeral CA is generated.
+ cert: ""
+
+ # -- Optional CA private key. If it is provided, it will be used by cilium to
+ # generate all other certificates. Otherwise, an ephemeral CA is generated.
+ key: ""
+
+ # -- Generated certificates validity duration in days. This will be used for auto generated CA.
+ certValidityDuration: 1095
+
+ # -- Configure the CA trust bundle used for the validation of the certificates
+ # leveraged by hubble and clustermesh. When enabled, it overrides the content of the
+ # 'ca.crt' field of the respective certificates, allowing for CA rotation with no down-time.
+ caBundle:
+ # -- Enable the use of the CA trust bundle.
+ enabled: false
+
+ # -- Name of the ConfigMap containing the CA trust bundle.
+ name: cilium-root-ca.crt
+
+ # -- Entry of the ConfigMap containing the CA trust bundle.
+ key: ca.crt
+
+ # -- Use a Secret instead of a ConfigMap.
+ useSecret: false
+
+ # If uncommented, creates the ConfigMap and fills it with the specified content.
+ # Otherwise, the ConfigMap is assumed to be already present in .Release.Namespace.
+ #
+ # content: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+
+ # -- Tunneling protocol to use in tunneling mode and for ad-hoc tunnels.
+ # Possible values:
+ # - ""
+ # - vxlan
+ # - geneve
+ # @default -- `"vxlan"`
+ tunnelProtocol: ""
+
+ # -- Enable native-routing mode or tunneling mode.
+ # Possible values:
+ # - ""
+ # - native
+ # - tunnel
+ # @default -- `"tunnel"`
+ routingMode: ""
+
+ # -- Configure VXLAN and Geneve tunnel port.
+ # @default -- Port 8472 for VXLAN, Port 6081 for Geneve
+ tunnelPort: 0
+
+ # -- Configure what the response should be to traffic for a service without backends.
+ # "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop".
+ # Possible values:
+ # - reject (default)
+ # - drop
+ serviceNoBackendResponse: reject
+
+ # -- Configure the underlying network MTU to overwrite auto-detected MTU.
+ MTU: 0
+
+ # -- Disable the usage of CiliumEndpoint CRD.
+ disableEndpointCRD: false
+
+ wellKnownIdentities:
+ # -- Enable the use of well-known identities.
+ enabled: false
+
+ etcd:
+ # -- Enable etcd mode for the agent.
+ enabled: false
+
+ # -- cilium-etcd-operator image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/cilium-etcd-operator"
+ tag: "v2.0.7"
+ digest: "sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc"
+ useDigest: true
+ pullPolicy: "IfNotPresent"
+
+ # -- The priority class to use for cilium-etcd-operator
+ priorityClassName: ""
+
+ # -- Additional cilium-etcd-operator container arguments.
+ extraArgs: []
+
+ # -- Additional cilium-etcd-operator volumes.
+ extraVolumes: []
+
+ # -- Additional cilium-etcd-operator volumeMounts.
+ extraVolumeMounts: []
+
+ # -- Node tolerations for cilium-etcd-operator scheduling to nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations:
+ - operator: Exists
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ # -- Pod topology spread constraints for cilium-etcd-operator
+ topologySpreadConstraints: []
+ # - maxSkew: 1
+ # topologyKey: topology.kubernetes.io/zone
+ # whenUnsatisfiable: DoNotSchedule
+
+ # -- Node labels for cilium-etcd-operator pod assignment
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # -- Annotations to be added to all top-level etcd-operator objects (resources under templates/etcd-operator)
+ annotations: {}
+
+ # -- Security context to be added to cilium-etcd-operator pods
+ podSecurityContext: {}
+
+ # -- Annotations to be added to cilium-etcd-operator pods
+
podAnnotations: {} + + # -- Labels to be added to cilium-etcd-operator pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- cilium-etcd-operator resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + # -- Security context to be added to cilium-etcd-operator pods + securityContext: {} + # runAsUser: 0 + + # -- cilium-etcd-operator update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + + # -- If etcd is behind a k8s service set this option to true so that Cilium + # does the service translation automatically without requiring a DNS to be + # running. + k8sService: false + + # -- Cluster domain for cilium-etcd-operator. + clusterDomain: cluster.local + + # -- List of etcd endpoints (not needed when using managed=true). + endpoints: + - https://CHANGE-ME:2379 + + # -- Enable use of TLS/SSL for connectivity to etcd. (auto-enabled if + # managed=true) + ssl: false + + operator: + # -- Enable the cilium-operator component (required). + enabled: true + + # -- Roll out cilium-operator pods automatically when configmap is updated. + rollOutPods: false + + # -- cilium-operator image. 
+ image: + override: ~ + repository: "quay.io/cilium/operator" + tag: "v1.15.2" + # operator-generic-digest + genericDigest: "" + # operator-azure-digest + azureDigest: "" + # operator-aws-digest + awsDigest: "" + # operator-alibabacloud-digest + alibabacloudDigest: "" + useDigest: false + pullPolicy: "IfNotPresent" + suffix: "" + + # -- Number of replicas to run for the cilium-operator deployment + replicas: 2 + + # -- The priority class to use for cilium-operator + priorityClassName: "" + + # -- DNS policy for Cilium operator pods. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: "" + + # -- cilium-operator update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 25% + maxUnavailable: 50% + + # -- Affinity for cilium-operator + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + io.cilium/app: operator + + # -- Pod topology spread constraints for cilium-operator + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Node labels for cilium-operator pod assignment + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for cilium-operator scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: + - operator: Exists + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- Additional cilium-operator container arguments. + extraArgs: [] + + # -- Additional cilium-operator environment variables. + extraEnv: [] + + # -- Additional cilium-operator hostPath mounts. 
+ extraHostPathMounts: [] + # - name: host-mnt-data + # mountPath: /host/mnt/data + # hostPath: /mnt/data + # hostPathType: Directory + # readOnly: true + # mountPropagation: HostToContainer + + # -- Additional cilium-operator volumes. + extraVolumes: [] + + # -- Additional cilium-operator volumeMounts. + extraVolumeMounts: [] + + # -- Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator) + annotations: {} + + # -- Security context to be added to cilium-operator pods + podSecurityContext: {} + + # -- Annotations to be added to cilium-operator pods + podAnnotations: {} + + # -- Labels to be added to cilium-operator pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- cilium-operator resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + # limits: + # cpu: 1000m + # memory: 1Gi + # requests: + # cpu: 100m + # memory: 128Mi + + # -- Security context to be added to cilium-operator pods + securityContext: {} + # runAsUser: 0 + + # -- Interval for endpoint garbage collection. + endpointGCInterval: "5m0s" + + # -- Interval for cilium node garbage collection. + nodeGCInterval: "5m0s" + + # -- Skip CNP node status clean up at operator startup. + skipCNPStatusStartupClean: false + + # -- Interval for identity garbage collection. + identityGCInterval: "15m0s" + + # -- Timeout for identity heartbeats. 
+ identityHeartbeatTimeout: "30m0s" + + pprof: + # -- Enable pprof for cilium-operator + enabled: false + # -- Configure pprof listen address for cilium-operator + address: localhost + # -- Configure pprof listen port for cilium-operator + port: 6061 + + # -- Enable prometheus metrics for cilium-operator on the configured port at + # /metrics + prometheus: + enabled: true + port: 9963 + serviceMonitor: + # -- Enable service monitors. + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + enabled: false + # -- Labels to add to ServiceMonitor cilium-operator + labels: {} + # -- Annotations to add to ServiceMonitor cilium-operator + annotations: {} + # -- jobLabel to add for ServiceMonitor cilium-operator + jobLabel: "" + # -- Interval for scrape metrics. + interval: "10s" + # -- Relabeling configs for the ServiceMonitor cilium-operator + relabelings: ~ + # -- Metrics relabeling configs for the ServiceMonitor cilium-operator + metricRelabelings: ~ + + # -- Grafana dashboards for cilium-operator + # grafana can import dashboards based on the label and value + # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards + dashboards: + enabled: false + label: grafana_dashboard + namespace: ~ + labelValue: "1" + annotations: {} + + # -- Skip CRDs creation for cilium-operator + skipCRDCreation: false + + # -- Remove Cilium node taint from Kubernetes nodes that have a healthy Cilium + # pod running. + removeNodeTaints: true + + # -- Taint nodes where Cilium is scheduled but not running. This prevents pods + # from being scheduled to nodes where Cilium is not the default CNI provider. + # @default -- same as removeNodeTaints + setNodeTaints: ~ + + # -- Set Node condition NetworkUnavailable to 'false' with the reason + # 'CiliumIsUp' for nodes that have a healthy Cilium pod. 
+ setNodeNetworkStatus: true + + unmanagedPodWatcher: + # -- Restart any pod that are not managed by Cilium. + restart: true + # -- Interval, in seconds, to check if there are any pods that are not + # managed by Cilium. + intervalSeconds: 15 + + nodeinit: + # -- Enable the node initialization DaemonSet + enabled: false + + # -- node-init image. + image: + override: ~ + repository: "quay.io/cilium/startup-script" + tag: "62093c5c233ea914bfa26a10ba41f8780d9b737f" + pullPolicy: "IfNotPresent" + + # -- The priority class to use for the nodeinit pod. + priorityClassName: "" + + # -- node-init update strategy + updateStrategy: + type: RollingUpdate + + # -- Additional nodeinit environment variables. + extraEnv: [] + + # -- Additional nodeinit volumes. + extraVolumes: [] + + # -- Additional nodeinit volumeMounts. + extraVolumeMounts: [] + + # -- Affinity for cilium-nodeinit + affinity: {} + + # -- Node labels for nodeinit pod assignment + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for nodeinit scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: + - operator: Exists + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit) + annotations: {} + + # -- Annotations to be added to node-init pods. + podAnnotations: {} + + # -- Labels to be added to node-init pods. + podLabels: {} + + # -- nodeinit resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + cpu: 100m + memory: 100Mi + + # -- Security context to be added to nodeinit pods. 
+ securityContext: + privileged: false + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. + type: 'spc_t' + capabilities: + add: + # Used in iptables. Consider removing once we are iptables-free + - SYS_MODULE + # Used for nsenter + - NET_ADMIN + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + + # -- bootstrapFile is the location of the file where the bootstrap timestamp is + # written by the node-init DaemonSet + bootstrapFile: "/tmp/cilium-bootstrap.d/cilium-bootstrap-time" + + # -- startup offers way to customize startup nodeinit script (pre and post position) + startup: + preScript: "" + postScript: "" + # -- prestop offers way to customize prestop nodeinit script (pre and post position) + prestop: + preScript: "" + postScript: "" + + preflight: + # -- Enable Cilium pre-flight resources (required for upgrade) + enabled: false + + # -- Cilium pre-flight image. + image: + override: ~ + repository: "quay.io/cilium/cilium" + tag: "v1.15.2" + # cilium-digest + digest: "" + useDigest: false + pullPolicy: "IfNotPresent" + + # -- The priority class to use for the preflight pod. + priorityClassName: "" + + # -- preflight update strategy + updateStrategy: + type: RollingUpdate + + # -- Additional preflight environment variables. + extraEnv: [] + + # -- Additional preflight volumes. + extraVolumes: [] + + # -- Additional preflight volumeMounts. 
+ extraVolumeMounts: [] + + # -- Affinity for cilium-preflight + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium + + # -- Node labels for preflight pod assignment + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for preflight scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: + - key: node.kubernetes.io/not-ready + effect: NoSchedule + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + - key: node.cloudprovider.kubernetes.io/uninitialized + effect: NoSchedule + value: "true" + - key: CriticalAddonsOnly + operator: "Exists" + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- Annotations to be added to all top-level preflight objects (resources under templates/cilium-preflight) + annotations: {} + + # -- Security context to be added to preflight pods. + podSecurityContext: {} + + # -- Annotations to be added to preflight pods + podAnnotations: {} + + # -- Labels to be added to the preflight pod. + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. 
+ # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- preflight resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + # -- Security context to be added to preflight pods + securityContext: {} + # runAsUser: 0 + + # -- Path to write the `--tofqdns-pre-cache` file to. + tofqdnsPreCache: "" + + # -- Configure termination grace period for preflight Deployment and DaemonSet. + terminationGracePeriodSeconds: 1 + + # -- By default we should always validate the installed CNPs before upgrading + # Cilium. This will make sure the user will have the policies deployed in the + # cluster with the right schema. + validateCNPs: true + + # -- Explicitly enable or disable priority class. + # .Capabilities.KubeVersion is unsettable in `helm template` calls, + # it depends on k8s libraries version that Helm was compiled against. + # This option allows to explicitly disable setting the priority class, which + # is useful for rendering charts for gke clusters in advance. + enableCriticalPriorityClass: true + + # disableEnvoyVersionCheck removes the check for Envoy, which can be useful + # on AArch64 as the images do not currently ship a version of Envoy. + #disableEnvoyVersionCheck: false + + clustermesh: + # -- Deploy clustermesh-apiserver for clustermesh + useAPIServer: false + # -- The maximum number of clusters to support in a ClusterMesh. This value + # cannot be changed on running clusters, and all clusters in a ClusterMesh + # must be configured with the same value. Values > 255 will decrease the + # maximum allocatable cluster-local identities. + # Supported values are 255 and 511. 
+ maxConnectedClusters: 255 + + # -- Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config) + annotations: {} + + # -- Clustermesh explicit configuration. + config: + # -- Enable the Clustermesh explicit configuration. + enabled: false + # -- Default dns domain for the Clustermesh API servers + # This is used in the case cluster addresses are not provided + # and IPs are used. + domain: mesh.cilium.io + # -- List of clusters to be peered in the mesh. + clusters: [] + # clusters: + # # -- Name of the cluster + # - name: cluster1 + # # -- Address of the cluster, use this if you created DNS records for + # # the cluster Clustermesh API server. + # address: cluster1.mesh.cilium.io + # # -- Port of the cluster Clustermesh API server. + # port: 2379 + # # -- IPs of the cluster Clustermesh API server, use multiple ones when + # # you have multiple IPs to access the Clustermesh API server. + # ips: + # - 172.18.255.201 + # # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority. + # # These fields can (and should) be omitted in case the CA is shared across clusters. In that case, the + # # "remote" private key and certificate available in the local cluster are automatically used instead. + # tls: + # cert: "" + # key: "" + # caCert: "" + + apiserver: + # -- Clustermesh API server image. + image: + override: ~ + repository: "quay.io/cilium/clustermesh-apiserver" + tag: "v1.15.2" + # clustermesh-apiserver-digest + digest: "" + useDigest: false + pullPolicy: "IfNotPresent" + + etcd: + # The etcd binary is included in the clustermesh API server image, so the same image from above is reused. + # Independent override isn't supported, because clustermesh-apiserver is tested against the etcd version it is + # built with. 
+ + # -- Specifies the resources for etcd container in the apiserver + resources: {} + # requests: + # cpu: 200m + # memory: 256Mi + # limits: + # cpu: 1000m + # memory: 256Mi + + # -- Security context to be added to clustermesh-apiserver etcd containers + securityContext: {} + + # -- lifecycle setting for the etcd container + lifecycle: {} + + init: + # -- Specifies the resources for etcd init container in the apiserver + resources: {} + # requests: + # cpu: 100m + # memory: 100Mi + # limits: + # cpu: 100m + # memory: 100Mi + + # -- Additional arguments to `clustermesh-apiserver etcdinit`. + extraArgs: [] + + # -- Additional environment variables to `clustermesh-apiserver etcdinit`. + extraEnv: [] + + kvstoremesh: + # -- Enable KVStoreMesh. KVStoreMesh caches the information retrieved + # from the remote clusters in the local etcd instance. + enabled: false + + # -- Additional KVStoreMesh arguments. + extraArgs: [] + + # -- Additional KVStoreMesh environment variables. + extraEnv: [] + + # -- Resource requests and limits for the KVStoreMesh container + resources: {} + # requests: + # cpu: 100m + # memory: 64Mi + # limits: + # cpu: 1000m + # memory: 1024M + + # -- Additional KVStoreMesh volumeMounts. + extraVolumeMounts: [] + + # -- KVStoreMesh Security context + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + + # -- lifecycle setting for the KVStoreMesh container + lifecycle: {} + + service: + # -- The type of service used for apiserver access. + type: NodePort + # -- Optional port to use as the node port for apiserver access. + # + # WARNING: make sure to configure a different NodePort in each cluster if + # kube-proxy replacement is enabled, as Cilium is currently affected by a known + # bug (#24692) when NodePorts are handled by the KPR implementation. 
If a service + # with the same NodePort exists both in the local and the remote cluster, all + # traffic originating from inside the cluster and targeting the corresponding + # NodePort will be redirected to a local backend, regardless of whether the + # destination node belongs to the local or the remote cluster. + nodePort: 32379 + # -- Optional loadBalancer IP address to use with type LoadBalancer. + # loadBalancerIP: + + # -- Annotations for the clustermesh-apiserver + # For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal" + # For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + annotations: {} + + # -- The externalTrafficPolicy of service used for apiserver access. + externalTrafficPolicy: + + # -- The internalTrafficPolicy of service used for apiserver access. + internalTrafficPolicy: + + # -- Number of replicas run for the clustermesh-apiserver deployment. + replicas: 1 + + # -- lifecycle setting for the apiserver container + lifecycle: {} + + # -- terminationGracePeriodSeconds for the clustermesh-apiserver deployment + terminationGracePeriodSeconds: 30 + + # -- Additional clustermesh-apiserver arguments. + extraArgs: [] + + # -- Additional clustermesh-apiserver environment variables. + extraEnv: [] + + # -- Additional clustermesh-apiserver volumes. + extraVolumes: [] + + # -- Additional clustermesh-apiserver volumeMounts. 
+ extraVolumeMounts: [] + + # -- Security context to be added to clustermesh-apiserver containers + securityContext: {} + + # -- Security context to be added to clustermesh-apiserver pods + podSecurityContext: {} + + # -- Annotations to be added to clustermesh-apiserver pods + podAnnotations: {} + + # -- Labels to be added to clustermesh-apiserver pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- Resource requests and limits for the clustermesh-apiserver container of the clustermesh-apiserver deployment, such as + # resources: + # limits: + # cpu: 1000m + # memory: 1024M + # requests: + # cpu: 100m + # memory: 64Mi + # -- Resource requests and limits for the clustermesh-apiserver + resources: {} + # requests: + # cpu: 100m + # memory: 64Mi + # limits: + # cpu: 1000m + # memory: 1024M + + # -- Affinity for clustermesh.apiserver + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: clustermesh-apiserver + + # -- Pod topology spread constraints for clustermesh-apiserver + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Node labels for pod assignment + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for pod assignment on nodes with taints + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: [] + + # 
-- clustermesh-apiserver update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # -- The priority class to use for clustermesh-apiserver + priorityClassName: "" + + tls: + # -- Configure the clustermesh authentication mode. + # Supported values: + # - legacy: All clusters access remote clustermesh instances with the same + # username (i.e., remote). The "remote" certificate must be + # generated with CN=remote if provided manually. + # - migration: Intermediate mode required to upgrade from legacy to cluster + # (and vice versa) with no disruption. Specifically, it enables + # the creation of the per-cluster usernames, while still using + # the common one for authentication. The "remote" certificate must + # be generated with CN=remote if provided manually (same as legacy). + # - cluster: Each cluster accesses remote etcd instances with a username + # depending on the local cluster name (i.e., remote-). + # The "remote" certificate must be generated with CN=remote- + # if provided manually. Cluster mode is meaningful only when the same + # CA is shared across all clusters part of the mesh. + authMode: legacy + + # -- Configure automatic TLS certificates generation. + # A Kubernetes CronJob is used the generate any + # certificates not provided by the user at installation + # time. + auto: + # -- When set to true, automatically generate a CA and certificates to + # enable mTLS between clustermesh-apiserver and external workload instances. + # If set to false, the certs to be provided by setting appropriate values below. + enabled: true + # Sets the method to auto-generate certificates. Supported values: + # - helm: This method uses Helm to generate all certificates. + # - cronJob: This method uses a Kubernetes CronJob the generate any + # certificates not provided by the user at installation + # time. + # - certmanager: This method use cert-manager to generate & rotate certificates. 
+ method: helm + # -- Generated certificates validity duration in days. + certValidityDuration: 1095 + # -- Schedule for certificates regeneration (regardless of their expiration date). + # Only used if method is "cronJob". If nil, then no recurring job will be created. + # Instead, only the one-shot job is deployed to generate the certificates at + # installation time. + # + # Due to the out-of-band distribution of client certs to external workloads the + # CA is (re)regenerated only if it is not provided as a helm value and the k8s + # secret is manually deleted. + # + # Defaults to none. Commented syntax gives midnight of the first day of every + # fourth month. For syntax, see + # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax + # schedule: "0 0 1 */4 *" + + # [Example] + # certManagerIssuerRef: + # group: cert-manager.io + # kind: ClusterIssuer + # name: ca-issuer + # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. + certManagerIssuerRef: {} + # -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. + # Used if 'auto' is not enabled. + server: + cert: "" + key: "" + # -- Extra DNS names added to certificate when it's auto generated + extraDnsNames: [] + # -- Extra IP addresses added to certificate when it's auto generated + extraIpAddresses: [] + # -- base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key. + # Used if 'auto' is not enabled. + admin: + cert: "" + key: "" + # -- base64 encoded PEM values for the clustermesh-apiserver client certificate and private key. + # Used if 'auto' is not enabled. + client: + cert: "" + key: "" + # -- base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key. + # Used if 'auto' is not enabled. 
+ remote: + cert: "" + key: "" + + # clustermesh-apiserver Prometheus metrics configuration + metrics: + # -- Enables exporting apiserver metrics in OpenMetrics format. + enabled: true + # -- Configure the port the apiserver metric server listens on. + port: 9962 + + kvstoremesh: + # -- Enables exporting KVStoreMesh metrics in OpenMetrics format. + enabled: true + # -- Configure the port the KVStoreMesh metric server listens on. + port: 9964 + + etcd: + # -- Enables exporting etcd metrics in OpenMetrics format. + enabled: true + # -- Set level of detail for etcd metrics; specify 'extensive' to include server side gRPC histogram metrics. + mode: basic + # -- Configure the port the etcd metric server listens on. + port: 9963 + + serviceMonitor: + # -- Enable service monitor. + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + enabled: false + # -- Labels to add to ServiceMonitor clustermesh-apiserver + labels: {} + # -- Annotations to add to ServiceMonitor clustermesh-apiserver + annotations: {} + # -- Specify the Kubernetes namespace where Prometheus expects to find + # service monitors configured. 
+ # namespace: "" + + # -- Interval for scrape metrics (apiserver metrics) + interval: "10s" + # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics) + relabelings: ~ + # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics) + metricRelabelings: ~ + + kvstoremesh: + # -- Interval for scrape metrics (KVStoreMesh metrics) + interval: "10s" + # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics) + relabelings: ~ + # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics) + metricRelabelings: ~ + + etcd: + # -- Interval for scrape metrics (etcd metrics) + interval: "10s" + # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics) + relabelings: ~ + # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics) + metricRelabelings: ~ + + # -- Configure external workloads support + externalWorkloads: + # -- Enable support for external workloads, such as VMs (false by default). + enabled: false + + # -- Configure cgroup related configuration + cgroup: + autoMount: + # -- Enable auto mount of cgroup2 filesystem. + # When `autoMount` is enabled, cgroup2 filesystem is mounted at + # `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod. + # If users disable `autoMount`, it's expected that users have mounted + # cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the + # volume will be mounted inside the cilium agent pod at the same path. 
+ enabled: true + # -- Init Container Cgroup Automount resource limits & requests + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`) + hostRoot: /run/cilium/cgroupv2 + + # -- Configure whether to enable auto detect of terminating state for endpoints + # in order to support graceful termination. + enableK8sTerminatingEndpoint: true + + # -- Configure whether to unload DNS policy rules on graceful shutdown + # dnsPolicyUnloadOnShutdown: false + + # -- Configure the key of the taint indicating that Cilium is not ready on the node. + # When set to a value starting with `ignore-taint.cluster-autoscaler.kubernetes.io/`, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up. + agentNotReadyTaintKey: "node.cilium.io/agent-not-ready" + + dnsProxy: + # -- DNS response code for rejecting DNS requests, available options are '[nameError refused]'. + dnsRejectResponseCode: refused + # -- Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present. + enableDnsCompression: true + # -- Maximum number of IPs to maintain per FQDN name for each endpoint. + endpointMaxIpPerHostname: 50 + # -- Time during which idle but previously active connections with expired DNS lookups are still considered alive. + idleConnectionGracePeriod: 0s + # -- Maximum number of IPs to retain for expired DNS lookups with still-active connections. + maxDeferredConnectionDeletes: 10000 + # -- The minimum time, in seconds, to use DNS data for toFQDNs policies. If + # the upstream DNS server returns a DNS record with a shorter TTL, Cilium + # overwrites the TTL with this value. Setting this value to zero means that + # Cilium will honor the TTLs returned by the upstream DNS server. 
+ minTtl: 0 + # -- DNS cache data at this path is preloaded on agent startup. + preCache: "" + # -- Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. + proxyPort: 0 + # -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. + proxyResponseMaxDelay: 100ms + # -- DNS proxy operation mode (true/false, or unset to use version dependent defaults) + # enableTransparentMode: true + + # -- SCTP Configuration Values + sctp: + # -- Enable SCTP support. NOTE: Currently, SCTP support does not support rewriting ports or multihoming. + enabled: false + + # Configuration for types of authentication for Cilium (beta) + authentication: + # -- Enable authentication processing and garbage collection. + # Note that if disabled, policy enforcement will still block requests that require authentication. + # But the resulting authentication requests for these requests will not be processed, therefore the requests not be allowed. + enabled: true + # -- Buffer size of the channel Cilium uses to receive authentication events from the signal map. + queueSize: 1024 + # -- Buffer size of the channel Cilium uses to receive certificate expiration events from auth handlers. + rotatedIdentitiesQueueSize: 1024 + # -- Interval for garbage collection of auth map entries. + gcInterval: "5m0s" + # Configuration for Cilium's service-to-service mutual authentication using TLS handshakes. + # Note that this is not full mTLS support without also enabling encryption of some form. + # Current encryption options are Wireguard or IPSec, configured in encryption block above. 
+ mutual: + # -- Port on the agent where mutual authentication handshakes between agents will be performed + port: 4250 + # -- Timeout for connecting to the remote node TCP socket + connectTimeout: 5s + # Settings for SPIRE + spire: + # -- Enable SPIRE integration (beta) + enabled: false + # -- Annotations to be added to all top-level spire objects (resources under templates/spire) + annotations: {} + # Settings to control the SPIRE installation and configuration + install: + # -- Enable SPIRE installation. + # This will only take effect only if authentication.mutual.spire.enabled is true + enabled: true + # -- SPIRE namespace to install into + namespace: cilium-spire + # -- SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. + existingNamespace: false + # -- init container image of SPIRE agent and server + initImage: + override: ~ + repository: "docker.io/library/busybox" + tag: "1.36.1" + digest: "sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b" + useDigest: true + pullPolicy: "IfNotPresent" + # SPIRE agent configuration + agent: + # -- SPIRE agent image + image: + override: ~ + repository: "ghcr.io/spiffe/spire-agent" + tag: "1.8.5" + digest: "sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b" + useDigest: true + pullPolicy: "IfNotPresent" + # -- SPIRE agent service account + serviceAccount: + create: true + name: spire-agent + # -- SPIRE agent annotations + annotations: {} + # -- SPIRE agent labels + labels: {} + # -- SPIRE Workload Attestor kubelet verification. + skipKubeletVerification: true + # -- SPIRE agent tolerations configuration + # By default it follows the same tolerations as the agent itself + # to allow the Cilium agent on this node to connect to SPIRE. 
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: + - key: node.kubernetes.io/not-ready + effect: NoSchedule + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + - key: node.cloudprovider.kubernetes.io/uninitialized + effect: NoSchedule + value: "true" + - key: CriticalAddonsOnly + operator: "Exists" + # -- SPIRE agent affinity configuration + affinity: {} + # -- SPIRE agent nodeSelector configuration + # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: {} + # -- Security context to be added to spire agent pods. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # -- Security context to be added to spire agent containers. + # SecurityContext holds pod-level security attributes and common container settings. 
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: {} + server: + # -- SPIRE server image + image: + override: ~ + repository: "ghcr.io/spiffe/spire-server" + tag: "1.8.5" + digest: "sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428" + useDigest: true + pullPolicy: "IfNotPresent" + # -- SPIRE server service account + serviceAccount: + create: true + name: spire-server + # -- SPIRE server init containers + initContainers: [] + # -- SPIRE server annotations + annotations: {} + # -- SPIRE server labels + labels: {} + # SPIRE server service configuration + service: + # -- Service type for the SPIRE server service + type: ClusterIP + # -- Annotations to be added to the SPIRE server service + annotations: {} + # -- Labels to be added to the SPIRE server service + labels: {} + # -- SPIRE server affinity configuration + affinity: {} + # -- SPIRE server nodeSelector configuration + # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: {} + # -- SPIRE server tolerations configuration + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: [] + # SPIRE server datastorage configuration + dataStorage: + # -- Enable SPIRE server data storage + enabled: true + # -- Size of the SPIRE server data storage + size: 1Gi + # -- Access mode of the SPIRE server data storage + accessMode: ReadWriteOnce + # -- StorageClass of the SPIRE server data storage + storageClass: null + # -- Security context to be added to spire server pods. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # -- Security context to be added to spire server containers. 
+ # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: {} + # SPIRE CA configuration + ca: + # -- SPIRE CA key type + # AWS requires the use of RSA. EC cryptography is not supported + keyType: "rsa-4096" + # -- SPIRE CA Subject + subject: + country: "US" + organization: "SPIRE" + commonName: "Cilium SPIRE CA" + # -- SPIRE server address used by Cilium Operator + # + # If k8s Service DNS along with port number is used (e.g. ..svc(.*): format), + # Cilium Operator will resolve its address by looking up the clusterIP from Service resource. + # + # Example values: 10.0.0.1:8081, spire-server.cilium-spire.svc:8081 + serverAddress: ~ + # -- SPIFFE trust domain to use for fetching certificates + trustDomain: spiffe.cilium + # -- SPIRE socket path where the SPIRE delegated api agent is listening + adminSocketPath: /run/spire/sockets/admin.sock + # -- SPIRE socket path where the SPIRE workload agent is listening. + # Applies to both the Cilium Agent and Operator + agentSocketPath: /run/spire/sockets/agent/agent.sock + # -- SPIRE connection timeout + connectionTimeout: 30s \ No newline at end of file From 2985d5da4052b0352bc917c194d78751c13a5323 Mon Sep 17 00:00:00 2001 From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sat, 23 Mar 2024 19:46:25 +1100 Subject: [PATCH 03/28] embed templating in cilium caaph values --- .../cilium/v1.15.2/helm-chart-proxy.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml b/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml index 3683eda..2c69f7e 100644 --- a/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml +++ b/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml 
@@ -52,9 +52,9 @@ spec: # @default -- `"~/.kube/config"` kubeConfigPath: "" # -- (string) Kubernetes service host - k8sServiceHost: "" + k8sServiceHost: {{ .Cluster.spec.controlPlaneEndpoint.host }} # -- (string) Kubernetes service port - k8sServicePort: "" + k8sServicePort: {{ .Cluster.spec.controlPlaneEndpoint.port }} # -- Configure the client side rate limit for the agent and operator # @@ -72,7 +72,7 @@ spec: cluster: # -- Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. - name: default + name: {{ .ControlPlane.metadata.name }} # -- (int) Unique ID of the cluster. Must be unique across all connected # clusters and in the range of 1 to 255. Only required for Cluster Mesh, # may be 0 if Cluster Mesh is not used. @@ -1700,7 +1700,7 @@ spec: ciliumNodeUpdateRate: "15s" operator: # -- IPv4 CIDR list range to delegate to individual nodes for IPAM. - clusterPoolIPv4PodCIDRList: ["10.0.0.0/8"] + clusterPoolIPv4PodCIDRList: {{ index .Cluster.spec.clusterNetwork.pods.cidrBlocks 0 }} # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM. clusterPoolIPv4MaskSize: 24 # -- IPv6 CIDR list range to delegate to individual nodes for IPAM. From faf9c7dbd602c2f0b893ac6fbf9a57f8aac3620a Mon Sep 17 00:00:00 2001 From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sat, 23 Mar 2024 19:47:55 +1100 Subject: [PATCH 04/28] upgrade cilium version to 1.15.2 --- clusters/cluster-mgmt/cluster-01/platform.yaml | 2 +- clusters/tmp-mgmt/cluster-mgmt/platform.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/clusters/cluster-mgmt/cluster-01/platform.yaml b/clusters/cluster-mgmt/cluster-01/platform.yaml index 507f71d..24898cc 100644 --- a/clusters/cluster-mgmt/cluster-01/platform.yaml +++ b/clusters/cluster-mgmt/cluster-01/platform.yaml 
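Review bot: `name: {{ .ControlPlane.metadata.name }}` in the `cluster:` hunk takes the name of the control-plane object rather than of the Cluster, while the comment directly above says this value is what Cluster Mesh and SPIRE mutual authentication identify the cluster by. If the KubeadmControlPlane is named differently from the Cluster (the usual clusterctl templates suffix it with `-control-plane`; I cannot see the cluster manifests here), peers would have to address this cluster by that suffixed name and it would no longer match the `cluster.x-k8s.io/cluster-name` label set on the Cluster. Unless the control-plane name is deliberately the mesh identity, `name: {{ .Cluster.metadata.name }}` is the value that stays consistent across the templated objects.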
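Review bot: `clusterPoolIPv4PodCIDRList: {{ index .Cluster.spec.clusterNetwork.pods.cidrBlocks 0 }}` replaces the YAML list the chart documents for this key (`["10.0.0.0/8"]` on the removed line) with a bare scalar, and `index` on an empty `cidrBlocks` aborts rendering of the whole HelmChartProxy, leaving the cluster without a CNI and with an error that points at the template rather than the Cluster spec. Keeping the list shape, `clusterPoolIPv4PodCIDRList: [{{ index .Cluster.spec.clusterNetwork.pods.cidrBlocks 0 }}]`, preserves the chart's contract, and a `{{ with .Cluster.spec.clusterNetwork.pods.cidrBlocks }}` guard gives a readable failure when the block is unset. Whether the chart's own templates happen to tolerate a scalar here I cannot confirm from this page, so I would not rely on it.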
@@ -27,7 +27,7 @@ spec: kind: GitRepository name: flux-system namespace: flux-system - path: ./k8s-platform/cni-caaph-resource/cilium/v1.12.3 + path: ./k8s-platform/cni-caaph-resource/cilium/v1.15.2 targetNamespace: cluster-01 prune: true dependsOn: diff --git a/clusters/tmp-mgmt/cluster-mgmt/platform.yaml b/clusters/tmp-mgmt/cluster-mgmt/platform.yaml index 309f1d9..8e9479e 100644 --- a/clusters/tmp-mgmt/cluster-mgmt/platform.yaml +++ b/clusters/tmp-mgmt/cluster-mgmt/platform.yaml @@ -26,7 +26,7 @@ spec: sourceRef: kind: GitRepository name: flux-system - path: ./k8s-platform/cni-caaph-resource/cilium/v1.12.3 + path: ./k8s-platform/cni-caaph-resource/cilium/v1.15.2 targetNamespace: cluster-mgmt prune: true dependsOn: From b833cc9372c884f0028eb23dec3e7bfa4d9db783 Mon Sep 17 00:00:00 2001 From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sat, 23 Mar 2024 20:10:17 +1100 Subject: [PATCH 05/28] update cluster tag for the caaph to pick up --- go/Taskfile.yaml | 2 +- .../cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/go/Taskfile.yaml b/go/Taskfile.yaml index ed5c341..fa53460 100644 --- a/go/Taskfile.yaml +++ b/go/Taskfile.yaml @@ -5,7 +5,7 @@ tasks: desc: Build the multicluster-demo application cmds: - - go build -v ./cmd/multicluster-demo + - go build ./cmd/multicluster-demo generates: - multicluster-demo diff --git a/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml b/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml index 2c69f7e..7bb72e0 100644 --- a/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml +++ b/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml @@ -1,7 +1,7 @@ apiVersion: addons.cluster.x-k8s.io/v1alpha1 kind: HelmChartProxy metadata: - name: cilium + name: cilium-no-mesh spec: clusterSelector: matchLabels: From dcdde7dfb942fdbecfb7b6f5a2dd21686c7ac819 Mon Sep 17 00:00:00 2001 
From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sat, 23 Mar 2024 20:13:06 +1100 Subject: [PATCH 06/28] fix match labels to no-mesh --- .../cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml b/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml index 7bb72e0..d92d472 100644 --- a/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml +++ b/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml @@ -5,7 +5,7 @@ metadata: spec: clusterSelector: matchLabels: - cilium-mesh: main + cilium-mesh: none repoURL: https://helm.cilium.io/ chartName: cilium namespace: cilium From f12b6fd2bd36000cefc2e9d1d993a65114300baf Mon Sep 17 00:00:00 2001 From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sat, 23 Mar 2024 20:27:15 +1100 Subject: [PATCH 07/28] fix cleanup script --- scripts/brutal-aws-cleanup.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/brutal-aws-cleanup.sh b/scripts/brutal-aws-cleanup.sh index 697e6ee..cbbcb23 100755 --- a/scripts/brutal-aws-cleanup.sh +++ b/scripts/brutal-aws-cleanup.sh @@ -150,18 +150,18 @@ release_ips() { } retry() { - local n=1 + local count=1 local max=5 local delay=10 set +e while true; do "$@" && break || { - if [[ $n -lt $max ]]; then - ((n++)) - echo "Command failed. Attempt $n/$max:" + if [[ $count -lt $max ]]; then + ((count++)) + echo "Command failed. Attempt $count/$max:" sleep $delay; else - echo "The command has failed after $n attempts." + echo "The command has failed after $count attempts." return 1 fi } From 01261f8b49a48e6f730a51b8510d2bece22bbcbe Mon Sep 17 00:00:00 2001 
From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sun, 24 Mar 2024 07:13:57 +1100 Subject: [PATCH 08/28] Generate cluster files in Golang implementation start --- .../cluster-mgmt/cluster-01/capi-cluster.yaml | 1 + clusters/cluster-mgmt/kustomization.yaml | 1 + go/config.yaml | 30 ++++++++++++--- go/pkg/generate/generate.go | 27 +++++++++++++ go/pkg/utils/utils.go | 18 +++++++++ ...oxy.yaml => helm-chart-proxy-no-mesh.yaml} | 0 templates-go/platform.gotmpl | 38 +++++++++++++++++++ 7 files changed, 110 insertions(+), 5 deletions(-) create mode 100644 go/pkg/generate/generate.go rename k8s-platform/cni-caaph-resource/cilium/v1.15.2/{helm-chart-proxy.yaml => helm-chart-proxy-no-mesh.yaml} (100%) create mode 100644 templates-go/platform.gotmpl diff --git a/clusters/cluster-mgmt/cluster-01/capi-cluster.yaml b/clusters/cluster-mgmt/cluster-01/capi-cluster.yaml index 146260a..290e1c3 100644 --- a/clusters/cluster-mgmt/cluster-01/capi-cluster.yaml +++ b/clusters/cluster-mgmt/cluster-01/capi-cluster.yaml @@ -7,6 +7,7 @@ metadata: labels: cluster.x-k8s.io/cluster-name: "cluster-01" cilium-mesh: "main" + cilium-mesh-index: 1 spec: clusterNetwork: pods: diff --git a/clusters/cluster-mgmt/kustomization.yaml b/clusters/cluster-mgmt/kustomization.yaml index 02893cd..0247d60 100644 --- a/clusters/cluster-mgmt/kustomization.yaml +++ b/clusters/cluster-mgmt/kustomization.yaml @@ -3,3 +3,4 @@ kind: Kustomization resources: - platform.yaml - cluster-01 + - cluster-02 diff --git a/go/config.yaml b/go/config.yaml index 81de15f..11a0e1e 100644 --- a/go/config.yaml +++ b/go/config.yaml @@ -9,7 +9,8 @@ clusters: version: "2.2.2" cni: name: "cilium" - config: "TODO" + config: + version: "1.15.2" aws: sshKeyName: "aws" region: "ap-southeast-2" 
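Review bot: `cilium-mesh-index: 1` under `metadata.labels` in the capi-cluster.yaml hunk is an unquoted integer, and Kubernetes label values are strings, so the API server rejects the Cluster object at decode time (`cannot unmarshal number into Go value of type string`) and Flux stops reconciling cluster-01; the neighbouring `cilium-mesh: "main"` shows the intended form. Change it to `cilium-mesh-index: "1"`. If the label is meant to supply Cilium's `cluster.id` (which must be unique across the mesh and in 1–255), a comment saying so, `# unique per mesh member; feeds cluster.id`, would keep the next cluster from reusing the value.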
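Review bot: `- cluster-02` added to `clusters/cluster-mgmt/kustomization.yaml` points at a directory this patch does not create (the diffstat lists no `cluster-02` files; the directory first appears in a later commit of the series), so at this commit `kustomize build` of the management cluster fails and Flux suspends the whole `cluster-mgmt` Kustomization, including cluster-01, until the directory lands. Either add the directory in the same commit or leave this line for the commit that introduces it, so that every commit in the series is deployable on its own.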
@@ -24,11 +25,29 @@ clusters: version: "2.2.2" cni: name: "cilium" - config: "TODO" + config: + version: "1.15.2" aws: sshKeyName: "aws" region: "us-west-2" + - name: "cluster-02" + provider: "aws" + kubernetesVersion: "1.28.5" + podCIDR: "192.168.48.0/20" + managementCluster: "cluster-mgmt" + flux: + keyPath: "$HOME/.ssh/flux-github-key-2" + version: "2.2.2" + cni: + name: "cilium" + config: + version: "1.15.2" + aws: + sshKeyName: "aws" + region: "us-west-2" + + github: user: "olga-mir" branch: "develop" @@ -38,8 +57,9 @@ github: kubeconfigPath: "$HOME/.kube/config" -# following ranges -# 192.168.32.0/20 -# 192.168.48.0/20 +# podCIDR ranges +# 192.168.32.0/20 - cluster-mgmt +# 192.168.16.0/20 - cluster-01 +# 192.168.48.0/20 - cluster-02 # 192.168.64.0/20 # 192.168.80.0/20 diff --git a/go/pkg/generate/generate.go b/go/pkg/generate/generate.go new file mode 100644 index 0000000..77329d9 --- /dev/null +++ b/go/pkg/generate/generate.go @@ -0,0 +1,27 @@ +package generate + +import ( + "os" + + "github.com/go-logr/logr" + "github.com/olga-mir/k8s-multi-cluster/go/pkg/config" + "github.com/olga-mir/k8s-multi-cluster/go/pkg/utils" +) + +func Generate(log logr.Logger, cfg *config.Config) error { + + templateDir := utils.RepoRoot() + "/templates-go" + + for _, cluster := range cfg.Clusters { + clusterPath := utils.RepoRoot() + "/clusters/cluster-mgmt/" + cluster.Name + err := os.MkdirAll(clusterPath, os.ModePerm) + if err != nil { + return err + } + + // generate platform.yaml - this file speicifies what platform components should be installed + // and what version of them + utils.RenderTemplateToFile(templateDir+"/platform.gotmpl", clusterPath+"platform.yaml", cluster) + } + return nil +} diff --git a/go/pkg/utils/utils.go b/go/pkg/utils/utils.go index 1766ac6..b424de0 100644 --- a/go/pkg/utils/utils.go +++ b/go/pkg/utils/utils.go 
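Review bot: `utils.RenderTemplateToFile(templateDir+"/platform.gotmpl", clusterPath+"platform.yaml", cluster)` in the generate.go hunk concatenates the output path without a separator, so the file is written to `clusters/cluster-mgmt/cluster-01platform.yaml` beside the directory just created rather than inside it, and the error the call returns is discarded, so a failed render is reported as success. `os.MkdirAll(clusterPath, os.ModePerm)` also asks for 0777 on a directory of cluster manifests; 0o755 is the conventional mode and the umask should not be relied on to tighten it. Building the paths with `filepath.Join` and checking the error fixes all three; `fmt` and `path/filepath` would need adding to the import block. The `log` parameter is accepted but unused, which is fine if it is reserved for later.
```go
for _, cluster := range cfg.Clusters {
	clusterPath := filepath.Join(utils.RepoRoot(), "clusters", "cluster-mgmt", cluster.Name)
	if err := os.MkdirAll(clusterPath, 0o755); err != nil {
		return fmt.Errorf("creating %s: %w", clusterPath, err)
	}
	// platform.yaml lists the platform components to install on this cluster and their versions.
	if err := utils.RenderTemplateToFile(filepath.Join(templateDir, "platform.gotmpl"), filepath.Join(clusterPath, "platform.yaml"), cluster); err != nil {
		return fmt.Errorf("rendering platform.yaml for %s: %w", cluster.Name, err)
	}
}
```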
@@ -335,3 +335,21 @@ func MergeKubeconfigs(srcKubeconfig, dstKubeconfigPath string) error { return nil } + +func RenderTemplateToFile(inputFilePath, outputFilePath string, data interface{}) error { + // Parse the template from the input file + tmpl, err := template.ParseFiles(inputFilePath) + if err != nil { + return err + } + + // Create the output file + outputFile, err := os.Create(outputFilePath) + if err != nil { + return err + } + defer outputFile.Close() + + // Execute the template, substituting the data + return tmpl.Execute(outputFile, data) +} diff --git a/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml b/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy-no-mesh.yaml similarity index 100% rename from k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy.yaml rename to k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy-no-mesh.yaml diff --git a/templates-go/platform.gotmpl b/templates-go/platform.gotmpl new file mode 100644 index 0000000..0241b52 --- /dev/null +++ b/templates-go/platform.gotmpl @@ -0,0 +1,38 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: flux-remote + namespace: {{.Name}} +spec: + interval: 1m + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + path: ./k8s-platform/flux/v{{.Flux.Version}} + prune: true + kubeConfig: + secretRef: + name: {{.Name}}-kubeconfig +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: caaph-cni + namespace: {{.Name}} +spec: + interval: 1m + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + {{/* + path: ./k8s-platform/cni-caaph-resource/cilium/v{{.CNI.}} + */}} + path: ./k8s-platform/cni-caaph-resource/cilium/v1.15.2 + targetNamespace: {{.Name}} + prune: true + dependsOn: + - name: caaph + namespace: flux-system From dc1f105bcb67a266223764d394ebee476e36b1bd Mon Sep 17 00:00:00 2001 
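Review bot: `RenderTemplateToFile` in the utils.go hunk creates the output file before executing the template, so an execution error (a field referenced in `platform.gotmpl` that the cluster value cannot satisfy) leaves a truncated `platform.yaml` on disk for Flux to pick up, and `defer outputFile.Close()` discards the close error, which for a file write is where a short write is reported. Rendering into a `bytes.Buffer` first and writing with `os.WriteFile` makes the write all-or-nothing and returns the write error; `bytes` would need adding to the import block. Which `template` package the file imports is outside the hunk; if it is `html/template` rather than `text/template`, quotes and ampersands in values will be HTML-escaped into the YAML, so that is worth confirming.
```go
func RenderTemplateToFile(inputFilePath, outputFilePath string, data interface{}) error {
	tmpl, err := template.ParseFiles(inputFilePath)
	if err != nil {
		return err
	}
	// Render into memory first so a template error never leaves a partial manifest behind.
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return err
	}
	return os.WriteFile(outputFilePath, buf.Bytes(), 0o644)
}
```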
From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sun, 24 Mar 2024 08:06:02 +1100 Subject: [PATCH 09/28] rework CNI CAAPH resource and enable Cilium Clustermesh --- .../cluster-01/caaph-hcp-v1.15.2.yaml | 3535 +++++++++++++++++ .../cluster-mgmt/cluster-01/capi-cluster.yaml | 2 +- .../cluster-01/kustomization.yaml | 1 + .../cluster-mgmt/cluster-01/platform.yaml | 18 - .../cluster-02/caaph-hcp-v1.15.2.yaml | 3535 +++++++++++++++++ .../cluster-mgmt/cluster-02/capi-cluster.yaml | 142 + .../cluster-02/kustomization.yaml | 7 + .../cluster-mgmt/cluster-02/namespace.yaml | 4 + .../cluster-mgmt/cluster-02/platform.yaml | 17 + clusters/cluster-mgmt/clusterctl.yaml | 21 +- .../caaph-hcp-no-mesh-v1.15.2.yaml | 0 .../tmp-mgmt/cluster-mgmt/kustomization.yaml | 8 +- clusters/tmp-mgmt/cluster-mgmt/platform.yaml | 16 - clusters/tmp-mgmt/clusterctl.yaml | 21 +- go/config.yaml | 14 +- .../cilium-helm-chart-proxy-no-mesh.yaml | 78 - .../v1.12.3/cilium-helm-chart-proxy.yaml | 88 - 17 files changed, 7276 insertions(+), 231 deletions(-) create mode 100644 clusters/cluster-mgmt/cluster-01/caaph-hcp-v1.15.2.yaml create mode 100644 clusters/cluster-mgmt/cluster-02/caaph-hcp-v1.15.2.yaml create mode 100644 clusters/cluster-mgmt/cluster-02/capi-cluster.yaml create mode 100644 clusters/cluster-mgmt/cluster-02/kustomization.yaml create mode 100644 clusters/cluster-mgmt/cluster-02/namespace.yaml create mode 100644 clusters/cluster-mgmt/cluster-02/platform.yaml rename k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy-no-mesh.yaml => clusters/tmp-mgmt/cluster-mgmt/caaph-hcp-no-mesh-v1.15.2.yaml (100%) delete mode 100644 k8s-platform/cni-caaph-resource/cilium/v1.12.3/cilium-helm-chart-proxy-no-mesh.yaml delete mode 100644 k8s-platform/cni-caaph-resource/cilium/v1.12.3/cilium-helm-chart-proxy.yaml diff --git a/clusters/cluster-mgmt/cluster-01/caaph-hcp-v1.15.2.yaml b/clusters/cluster-mgmt/cluster-01/caaph-hcp-v1.15.2.yaml new file mode 100644 index 0000000..a14037e 
--- /dev/null +++ b/clusters/cluster-mgmt/cluster-01/caaph-hcp-v1.15.2.yaml 
@@ -0,0 +1,3535 @@ +apiVersion: addons.cluster.x-k8s.io/v1alpha1 +kind: HelmChartProxy +metadata: + name: cilium +spec: + clusterSelector: + matchLabels: + cilium-mesh: main + repoURL: https://helm.cilium.io/ + chartName: cilium + namespace: cilium + version: "1.15.2" + valuesTemplate: | + # https://github.com/cilium/cilium/blob/v1.15.2/install/kubernetes/cilium/values.yaml + + # File generated by install/kubernetes/Makefile; DO NOT EDIT. + # This file is based on install/kubernetes/cilium/*values.yaml.tmpl. + + + # upgradeCompatibility helps users upgrading to ensure that the configMap for + # Cilium will not change critical values to ensure continued operation + # This flag is not required for new installations. + # For example: 1.7, 1.8, 1.9 + # upgradeCompatibility: '1.8' + + debug: + # -- Enable debug logging + enabled: false + # -- Configure verbosity levels for debug logging + # This option is used to enable debug messages for operations related to such + # sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is + # for enabling debug messages emitted per request, message and connection. + # Multiple values can be set via a space-separated string (e.g. "datapath envoy"). + # + # Applicable values: + # - flow + # - kvstore + # - envoy + # - datapath + # - policy + verbose: ~ + + rbac: + # -- Enable creation of Resource-Based Access Control configuration. 
+ create: true + + # -- Configure image pull secrets for pulling container images + imagePullSecrets: + # - name: "image-pull-secret" + + # -- (string) Kubernetes config path + # @default -- `"~/.kube/config"` + kubeConfigPath: "" + # -- (string) Kubernetes service host + k8sServiceHost: {{ .Cluster.spec.controlPlaneEndpoint.host }} + # -- (string) Kubernetes service port + k8sServicePort: {{ .Cluster.spec.controlPlaneEndpoint.port }} + + # -- Configure the client side rate limit for the agent and operator + # + # If the amount of requests to the Kubernetes API server exceeds the configured + # rate limit, the agent and operator will start to throttle requests by delaying + # them until there is budget or the request times out. + k8sClientRateLimit: + # -- (int) The sustained request rate in requests per second. + # @default -- 5 for k8s up to 1.26. 10 for k8s version 1.27+ + qps: + # -- (int) The burst request rate in requests per second. + # The rate limiter will allow short bursts with a higher rate. + # @default -- 10 for k8s up to 1.26. 20 for k8s version 1.27+ + burst: + + cluster: + # -- Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. + name: {{ .ControlPlane.metadata.name }} + # -- (int) Unique ID of the cluster. Must be unique across all connected + # clusters and in the range of 1 to 255. Only required for Cluster Mesh, + # may be 0 if Cluster Mesh is not used. + id: 1 + + # -- Define serviceAccount names for components. + # @default -- Component's fully qualified name. + serviceAccounts: + cilium: + create: true + name: cilium + automount: true + annotations: {} + nodeinit: + create: true + # -- Enabled is temporary until https://github.com/cilium/cilium-cli/issues/1396 is implemented. + # Cilium CLI doesn't create the SAs for node-init, thus the workaround. Helm is not affected by + # this issue. Name and automount can be configured, if enabled is set to true. + # Otherwise, they are ignored. 
Enabled can be removed once the issue is fixed. + # Cilium-nodeinit DS must also be fixed. + enabled: false + name: cilium-nodeinit + automount: true + annotations: {} + envoy: + create: true + name: cilium-envoy + automount: true + annotations: {} + etcd: + create: true + name: cilium-etcd-operator + automount: true + annotations: {} + operator: + create: true + name: cilium-operator + automount: true + annotations: {} + preflight: + create: true + name: cilium-pre-flight + automount: true + annotations: {} + relay: + create: true + name: hubble-relay + automount: false + annotations: {} + ui: + create: true + name: hubble-ui + automount: true + annotations: {} + clustermeshApiserver: + create: true + name: clustermesh-apiserver + automount: true + annotations: {} + # -- Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob + clustermeshcertgen: + create: true + name: clustermesh-apiserver-generate-certs + automount: true + annotations: {} + # -- Hubblecertgen is used if hubble.tls.auto.method=cronJob + hubblecertgen: + create: true + name: hubble-generate-certs + automount: true + annotations: {} + + # -- Configure termination grace period for cilium-agent DaemonSet. + terminationGracePeriodSeconds: 1 + + # -- Install the cilium agent resources. + agent: true + + # -- Agent container name. + name: cilium + + # -- Roll out cilium agent pods automatically when configmap is updated. + rollOutCiliumPods: false + + # -- Agent container image. + image: + override: ~ + repository: "quay.io/cilium/cilium" + tag: "v1.15.2" + pullPolicy: "IfNotPresent" + # cilium-digest + digest: "" + useDigest: false + + # -- Affinity for cilium-agent. + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium + + # -- Node selector for cilium-agent. 
+ nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for agent scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: + - operator: Exists + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- The priority class to use for cilium-agent. + priorityClassName: "" + + # -- DNS policy for Cilium agent pods. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: "" + + # -- Additional containers added to the cilium DaemonSet. + extraContainers: [] + + # -- Additional agent container arguments. + extraArgs: [] + + # -- Additional agent container environment variables. + extraEnv: [] + + # -- Additional agent hostPath mounts. + extraHostPathMounts: [] + # - name: host-mnt-data + # mountPath: /host/mnt/data + # hostPath: /mnt/data + # hostPathType: Directory + # readOnly: true + # mountPropagation: HostToContainer + + # -- Additional agent volumes. + extraVolumes: [] + + # -- Additional agent volumeMounts. + extraVolumeMounts: [] + + # -- extraConfig allows you to specify additional configuration parameters to be + # included in the cilium-config configmap. + extraConfig: {} + # my-config-a: "1234" + # my-config-b: |- + # test 1 + # test 2 + # test 3 + + # -- Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent) + annotations: {} + + # -- Security Context for cilium-agent pods. 
+ podSecurityContext: {} + + # -- Annotations to be added to agent pods + podAnnotations: {} + + # -- Labels to be added to agent pods + podLabels: {} + + # -- Agent resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + # -- resources & limits for the agent init containers + initResources: {} + + securityContext: + # -- User to run the pod with + # runAsUser: 0 + # -- Run the pod with elevated privileges + privileged: false + # -- SELinux options for the `cilium-agent` and init containers + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. + type: 'spc_t' + capabilities: + # -- Capabilities for the `cilium-agent` container + ciliumAgent: + # Use to set socket permission + - CHOWN + # Used to terminate envoy child process + - KILL + # Used since cilium modifies routing tables, etc... + - NET_ADMIN + # Used since cilium creates raw sockets, etc... + - NET_RAW + # Used since cilium monitor uses mmap + - IPC_LOCK + # Used in iptables. Consider removing once we are iptables-free + - SYS_MODULE + # We need it for now but might not need it for >= 5.11 specially + # for the 'SYS_RESOURCE'. + # In >= 5.8 there's already BPF and PERMON capabilities + - SYS_ADMIN + # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC + - SYS_RESOURCE + # Both PERFMON and BPF requires kernel 5.8, container runtime + # cri-o >= v1.22.0 or containerd >= v1.5.0. + # If available, SYS_ADMIN can be removed. + #- PERFMON + #- BPF + # Allow discretionary access control (e.g. required for package installation) + - DAC_OVERRIDE + # Allow to set Access Control Lists (ACLs) on arbitrary files (e.g. 
required for package installation) + - FOWNER + # Allow to execute program that changes GID (e.g. required for package installation) + - SETGID + # Allow to execute program that changes UID (e.g. required for package installation) + - SETUID + # -- Capabilities for the `mount-cgroup` init container + mountCgroup: + # Only used for 'mount' cgroup + - SYS_ADMIN + # Used for nsenter + - SYS_CHROOT + - SYS_PTRACE + # -- capabilities for the `apply-sysctl-overwrites` init container + applySysctlOverwrites: + # Required in order to access host's /etc/sysctl.d dir + - SYS_ADMIN + # Used for nsenter + - SYS_CHROOT + - SYS_PTRACE + # -- Capabilities for the `clean-cilium-state` init container + cleanCiliumState: + # Most of the capabilities here are the same ones used in the + # cilium-agent's container because this container can be used to + # uninstall all Cilium resources, and therefore it is likely that + # will need the same capabilities. + # Used since cilium modifies routing tables, etc... + - NET_ADMIN + # Used in iptables. Consider removing once we are iptables-free + - SYS_MODULE + # We need it for now but might not need it for >= 5.11 specially + # for the 'SYS_RESOURCE'. + # In >= 5.8 there's already BPF and PERMON capabilities + - SYS_ADMIN + # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC + - SYS_RESOURCE + # Both PERFMON and BPF requires kernel 5.8, container runtime + # cri-o >= v1.22.0 or containerd >= v1.5.0. + # If available, SYS_ADMIN can be removed. + #- PERFMON + #- BPF + + # -- Cilium agent update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 2 + + # Configuration Values for cilium-agent + + aksbyocni: + # -- Enable AKS BYOCNI integration. + # Note that this is incompatible with AKS clusters not created in BYOCNI mode: + # use Azure integration (`azure.enabled`) instead. 
+ enabled: false + + # -- Enable installation of PodCIDR routes between worker + # nodes if worker nodes share a common L2 network segment. + autoDirectNodeRoutes: false + + # -- Annotate k8s node upon initialization with Cilium's metadata. + annotateK8sNode: false + + azure: + # -- Enable Azure integration. + # Note that this is incompatible with AKS clusters created in BYOCNI mode: use + # AKS BYOCNI integration (`aksbyocni.enabled`) instead. + enabled: false + # usePrimaryAddress: false + # resourceGroup: group1 + # subscriptionID: 00000000-0000-0000-0000-000000000000 + # tenantID: 00000000-0000-0000-0000-000000000000 + # clientID: 00000000-0000-0000-0000-000000000000 + # clientSecret: 00000000-0000-0000-0000-000000000000 + # userAssignedIdentityID: 00000000-0000-0000-0000-000000000000 + + alibabacloud: + # -- Enable AlibabaCloud ENI integration + enabled: false + + # -- Enable bandwidth manager to optimize TCP and UDP workloads and allow + # for rate-limiting traffic from individual Pods with EDT (Earliest Departure + # Time) through the "kubernetes.io/egress-bandwidth" Pod annotation. + bandwidthManager: + # -- Enable bandwidth manager infrastructure (also prerequirement for BBR) + enabled: false + # -- Activate BBR TCP congestion control for Pods + bbr: false + + # -- Configure standalone NAT46/NAT64 gateway + nat46x64Gateway: + # -- Enable RFC8215-prefixed translation + enabled: false + + # -- EnableHighScaleIPcache enables the special ipcache mode for high scale + # clusters. The ipcache content will be reduced to the strict minimum and + # traffic will be encapsulated to carry security identities. + highScaleIPcache: + # -- Enable the high scale mode for the ipcache. 
+ enabled: false + + # -- Configure L2 announcements + l2announcements: + # -- Enable L2 announcements + enabled: false + # -- If a lease is not renewed for X duration, the current leader is considered dead, a new leader is picked + # leaseDuration: 15s + # -- The interval at which the leader will renew the lease + # leaseRenewDeadline: 5s + # -- The timeout between retries if renewal fails + # leaseRetryPeriod: 2s + + # -- Configure L2 pod announcements + l2podAnnouncements: + # -- Enable L2 pod announcements + enabled: false + # -- Interface used for sending Gratuitous ARP pod announcements + interface: "eth0" + + # -- Configure BGP + bgp: + # -- Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside + # cilium-agent and cilium-operator + enabled: false + announce: + # -- Enable allocation and announcement of service LoadBalancer IPs + loadbalancerIP: false + # -- Enable announcement of node pod CIDR + podCIDR: false + + # -- This feature set enables virtual BGP routers to be created via + # CiliumBGPPeeringPolicy CRDs. + bgpControlPlane: + # -- Enables the BGP control plane. + enabled: false + # -- SecretsNamespace is the namespace which BGP support will retrieve secrets from. + secretsNamespace: + # -- Create secrets namespace for BGP secrets. + create: false + # -- The name of the secret namespace to which Cilium agents are given read access + name: kube-system + + pmtuDiscovery: + # -- Enable path MTU discovery to send ICMP fragmentation-needed replies to + # the client. + enabled: false + + bpf: + autoMount: + # -- Enable automatic mount of BPF filesystem + # When `autoMount` is enabled, the BPF filesystem is mounted at + # `bpf.root` path on the underlying host and inside the cilium agent pod. + # If users disable `autoMount`, it's expected that users have mounted + # bpffs filesystem at the specified `bpf.root` volume, and then the + # volume will be mounted inside the cilium agent pod at the same path. 
+ enabled: true + # -- Configure the mount point for the BPF filesystem + root: /sys/fs/bpf + + # -- Enables pre-allocation of eBPF map values. This increases + # memory usage but can reduce latency. + preallocateMaps: false + + # -- (int) Configure the maximum number of entries in auth map. + # @default -- `524288` + authMapMax: ~ + + # -- (int) Configure the maximum number of entries in the TCP connection tracking + # table. + # @default -- `524288` + ctTcpMax: ~ + + # -- (int) Configure the maximum number of entries for the non-TCP connection + # tracking table. + # @default -- `262144` + ctAnyMax: ~ + + # -- Configure the maximum number of service entries in the + # load balancer maps. + lbMapMax: 65536 + + # -- (int) Configure the maximum number of entries for the NAT table. + # @default -- `524288` + natMax: ~ + + # -- (int) Configure the maximum number of entries for the neighbor table. + # @default -- `524288` + neighMax: ~ + + # -- Configure the maximum number of entries in endpoint policy map (per endpoint). + policyMapMax: 16384 + + # -- (float64) Configure auto-sizing for all BPF maps based on available memory. + # ref: https://docs.cilium.io/en/stable/network/ebpf/maps/ + # @default -- `0.0025` + mapDynamicSizeRatio: ~ + + # -- Configure the level of aggregation for monitor notifications. + # Valid options are none, low, medium, maximum. + monitorAggregation: medium + + # -- Configure the typical time between monitor notifications for + # active connections. + monitorInterval: "5s" + + # -- Configure which TCP flags trigger notifications when seen for the + # first time in a connection. + monitorFlags: "all" + + # -- Allow cluster external access to ClusterIP services. 
+ lbExternalClusterIP: false + + # -- (bool) Enable native IP masquerade support in eBPF + # @default -- `false` + masquerade: ~ + + # -- (bool) Configure whether direct routing mode should route traffic via + # host stack (true) or directly and more efficiently out of BPF (false) if + # the kernel supports it. The latter has the implication that it will also + # bypass netfilter in the host namespace. + # @default -- `false` + hostLegacyRouting: ~ + + # -- (bool) Configure the eBPF-based TPROXY to reduce reliance on iptables rules + # for implementing Layer 7 policy. + # @default -- `false` + tproxy: ~ + + # -- (list) Configure explicitly allowed VLAN id's for bpf logic bypass. + # [0] will allow all VLAN id's without any filtering. + # @default -- `[]` + vlanBypass: ~ + + # -- Enable BPF clock source probing for more efficient tick retrieval. + bpfClockProbe: false + + # -- Clean all eBPF datapath state from the initContainer of the cilium-agent + # DaemonSet. + # + # WARNING: Use with care! + cleanBpfState: false + + # -- Clean all local Cilium state from the initContainer of the cilium-agent + # DaemonSet. Implies cleanBpfState: true. + # + # WARNING: Use with care! + cleanState: false + + # -- Wait for KUBE-PROXY-CANARY iptables rule to appear in "wait-for-kube-proxy" + # init container before launching cilium-agent. + # More context can be found in the commit message of below PR + # https://github.com/cilium/cilium/pull/20123 + waitForKubeProxy: false + + cni: + # -- Install the CNI configuration and binary files into the filesystem. + install: true + + # -- Remove the CNI configuration and binary files on agent shutdown. Enable this + # if you're removing Cilium from the cluster. Disable this to prevent the CNI + # configuration file from being removed during agent upgrade, which can cause + # nodes to go unmanageable. + uninstall: false + + # -- Configure chaining on top of other CNI plugins. 
Possible values: + # - none + # - aws-cni + # - flannel + # - generic-veth + # - portmap + chainingMode: ~ + + # -- A CNI network name in to which the Cilium plugin should be added as a chained plugin. + # This will cause the agent to watch for a CNI network with this network name. When it is + # found, this will be used as the basis for Cilium's CNI configuration file. If this is + # set, it assumes a chaining mode of generic-veth. As a special case, a chaining mode + # of aws-cni implies a chainingTarget of aws-cni. + chainingTarget: ~ + + # -- Make Cilium take ownership over the `/etc/cni/net.d` directory on the + # node, renaming all non-Cilium CNI configurations to `*.cilium_bak`. + # This ensures no Pods can be scheduled using other CNI plugins during Cilium + # agent downtime. + exclusive: true + + # -- Configure the log file for CNI logging with retention policy of 7 days. + # Disable CNI file logging by setting this field to empty explicitly. + logFile: /var/run/cilium/cilium-cni.log + + # -- Skip writing of the CNI configuration. This can be used if + # writing of the CNI configuration is performed by external automation. + customConf: false + + # -- Configure the path to the CNI configuration directory on the host. + confPath: /etc/cni/net.d + + # -- Configure the path to the CNI binary directory on the host. + binPath: /opt/cni/bin + + # -- Specify the path to a CNI config to read from on agent start. + # This can be useful if you want to manage your CNI + # configuration outside of a Kubernetes environment. This parameter is + # mutually exclusive with the 'cni.configMap' parameter. The agent will + # write this to 05-cilium.conflist on startup. 
+ # readCniConf: /host/etc/cni/net.d/05-sample.conflist.input + + # -- When defined, configMap will mount the provided value as ConfigMap and + # interpret the cniConf variable as CNI configuration file and write it + # when the agent starts up + # configMap: cni-configuration + + # -- Configure the key in the CNI ConfigMap to read the contents of + # the CNI configuration from. + configMapKey: cni-config + + # -- Configure the path to where to mount the ConfigMap inside the agent pod. + confFileMountPath: /tmp/cni-configuration + + # -- Configure the path to where the CNI configuration directory is mounted + # inside the agent pod. + hostConfDirMountPath: /host/etc/cni/net.d + + # -- Specifies the resources for the cni initContainer + resources: + requests: + cpu: 100m + memory: 10Mi + + # -- (string) Configure how frequently garbage collection should occur for the datapath + # connection tracking table. + # @default -- `"0s"` + conntrackGCInterval: "" + + # -- (string) Configure the maximum frequency for the garbage collection of the + # connection tracking table. Only affects the automatic computation for the frequency + # and has no effect when 'conntrackGCInterval' is set. This can be set to more frequently + # clean up unused identities created from ToFQDN policies. + conntrackGCMaxInterval: "" + + # -- Configure container runtime specific integration. + # Deprecated in favor of bpf.autoMount.enabled. To be removed in 1.15. + containerRuntime: + # -- Enables specific integrations for container runtimes. + # Supported values: + # - crio + # - none + integration: none + + # -- (string) Configure timeout in which Cilium will exit if CRDs are not available + # @default -- `"5m"` + crdWaitTimeout: "" + + # -- Tail call hooks for custom eBPF programs. + customCalls: + # -- Enable tail call hooks for custom eBPF programs. + enabled: false + + daemon: + # -- Configure where Cilium runtime state should be stored. 
+ runPath: "/var/run/cilium" + + # -- Configure a custom list of possible configuration override sources + # The default is "config-map:cilium-config,cilium-node-config". For supported + # values, see the help text for the build-config subcommand. + # Note that this value should be a comma-separated string. + configSources: ~ + + # -- allowedConfigOverrides is a list of config-map keys that can be overridden. + # That is to say, if this value is set, config sources (excepting the first one) can + # only override keys in this list. + # + # This takes precedence over blockedConfigOverrides. + # + # By default, all keys may be overridden. To disable overrides, set this to "none" or + # change the configSources variable. + allowedConfigOverrides: ~ + + # -- blockedConfigOverrides is a list of config-map keys that may not be overridden. + # In other words, if any of these keys appear in a configuration source excepting the + # first one, they will be ignored + # + # This is ignored if allowedConfigOverrides is set. + # + # By default, all keys may be overridden. + blockedConfigOverrides: ~ + + # -- Specify which network interfaces can run the eBPF datapath. This means + # that a packet sent from a pod to a destination outside the cluster will be + # masqueraded (to an output device IPv4 address), if the output device runs the + # program. When not specified, probing will automatically detect devices that have + # a non-local route. This should be used only when autodetection is not suitable. + # devices: "" + + # -- Enables experimental support for the detection of new and removed datapath + # devices. When devices change the eBPF datapath is reloaded and services updated. + # If "devices" is set then only those devices, or devices matching a wildcard will + # be considered. + enableRuntimeDeviceDetection: false + + # -- Chains to ignore when installing feeder rules. 
+ # disableIptablesFeederRules: "" + + # -- Limit iptables-based egress masquerading to interface selector. + # egressMasqueradeInterfaces: "" + + # -- Enable setting identity mark for local traffic. + # enableIdentityMark: true + + # -- Enable Kubernetes EndpointSlice feature in Cilium if the cluster supports it. + # enableK8sEndpointSlice: true + + # -- Enable CiliumEndpointSlice feature. + enableCiliumEndpointSlice: false + + envoyConfig: + # -- Enable CiliumEnvoyConfig CRD + # CiliumEnvoyConfig CRD can also be implicitly enabled by other options. + enabled: false + + # -- SecretsNamespace is the namespace in which envoy SDS will retrieve secrets from. + secretsNamespace: + # -- Create secrets namespace for CiliumEnvoyConfig CRDs. + create: true + + # -- The name of the secret namespace to which Cilium agents are given read access. + name: cilium-secrets + + ingressController: + # -- Enable cilium ingress controller + # This will automatically set enable-envoy-config as well. + enabled: false + + # -- Set cilium ingress controller to be the default ingress controller + # This will let cilium ingress controller route entries without ingress class set + default: false + + # -- Default ingress load balancer mode + # Supported values: shared, dedicated + # For granular control, use the following annotations on the ingress resource + # ingress.cilium.io/loadbalancer-mode: shared|dedicated, + loadbalancerMode: dedicated + + # -- Enforce https for host having matching TLS host in Ingress. + # Incoming traffic to http listener will return 308 http error code with respective location in header. + enforceHttps: true + + # -- Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled. 
+ enableProxyProtocol: false + + # -- IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service + ingressLBAnnotationPrefixes: ['service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com'] + + # -- Default secret namespace for ingresses without .spec.tls[].secretName set. + defaultSecretNamespace: + + # -- Default secret name for ingresses without .spec.tls[].secretName set. + defaultSecretName: + + # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. + secretsNamespace: + # -- Create secrets namespace for Ingress. + create: true + + # -- Name of Ingress secret namespace. + name: cilium-secrets + + # -- Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. + # If disabled, TLS secrets must be maintained externally. + sync: true + + # -- Load-balancer service in shared mode. + # This is a single load-balancer service for all Ingress resources. 
+ service: + # -- Service name + name: cilium-ingress + # -- Labels to be added for the shared LB service + labels: {} + # -- Annotations to be added for the shared LB service + annotations: {} + # -- Service type for the shared LB service + type: LoadBalancer + # -- Configure a specific nodePort for insecure HTTP traffic on the shared LB service + insecureNodePort: ~ + # -- Configure a specific nodePort for secure HTTPS traffic on the shared LB service + secureNodePort : ~ + # -- Configure a specific loadBalancerClass on the shared LB service (requires Kubernetes 1.24+) + loadBalancerClass: ~ + # -- Configure a specific loadBalancerIP on the shared LB service + loadBalancerIP : ~ + # -- Configure if node port allocation is required for LB service + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + allocateLoadBalancerNodePorts: ~ + + gatewayAPI: + # -- Enable support for Gateway API in cilium + # This will automatically set enable-envoy-config as well. + enabled: false + + # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. + secretsNamespace: + # -- Create secrets namespace for Gateway API. + create: true + + # -- Name of Gateway API secret namespace. + name: cilium-secrets + + # -- Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. + # If disabled, TLS secrets must be maintained externally. + sync: true + + # -- Enables the fallback compatibility solution for when the xt_socket kernel + # module is missing and it is needed for the datapath L7 redirection to work + # properly. See documentation for details on when this can be disabled: + # https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. + enableXTSocketFallback: true + + encryption: + # -- Enable transparent network encryption. + enabled: false + + # -- Encryption method. Can be either ipsec or wireguard. 
+ type: ipsec + + # -- Enable encryption for pure node to node traffic. + # This option is only effective when encryption.type is set to "wireguard". + nodeEncryption: false + + # -- Configure the WireGuard Pod2Pod strict mode. + strictMode: + # -- Enable WireGuard Pod2Pod strict mode. + enabled: false + + # -- CIDR for the WireGuard Pod2Pod strict mode. + cidr: "" + + # -- Allow dynamic lookup of remote node identities. + # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. + allowRemoteNodeIdentities: false + + ipsec: + # -- Name of the key file inside the Kubernetes secret configured via secretName. + keyFile: "" + + # -- Path to mount the secret inside the Cilium pod. + mountPath: "" + + # -- Name of the Kubernetes secret containing the encryption keys. + secretName: "" + + # -- The interface to use for encrypted traffic. + interface: "" + + # -- Enable the key watcher. If disabled, a restart of the agent will be + # necessary on key rotations. + keyWatcher: true + + # -- Maximum duration of the IPsec key rotation. The previous key will be + # removed after that delay. + keyRotationDuration: "5m" + + wireguard: + # -- Enables the fallback to the user-space implementation. + userspaceFallback: false + # -- Controls Wireguard PersistentKeepalive option. Set 0s to disable. + persistentKeepalive: 0s + + # -- Deprecated in favor of encryption.ipsec.keyFile. To be removed in 1.15. + # Name of the key file inside the Kubernetes secret configured via secretName. + # This option is only effective when encryption.type is set to ipsec. + keyFile: keys + + # -- Deprecated in favor of encryption.ipsec.mountPath. To be removed in 1.15. + # Path to mount the secret inside the Cilium pod. + # This option is only effective when encryption.type is set to ipsec. + mountPath: /etc/ipsec + + # -- Deprecated in favor of encryption.ipsec.secretName. To be removed in 1.15. 
+ # Name of the Kubernetes secret containing the encryption keys. + # This option is only effective when encryption.type is set to ipsec. + secretName: cilium-ipsec-keys + + # -- Deprecated in favor of encryption.ipsec.interface. To be removed in 1.15. + # The interface to use for encrypted traffic. + # This option is only effective when encryption.type is set to ipsec. + interface: "" + + endpointHealthChecking: + # -- Enable connectivity health checking between virtual endpoints. + enabled: true + + # -- Enable endpoint status. + # Status can be: policy, health, controllers, log and / or state. For 2 or more options use a space. + endpointStatus: + enabled: false + status: "" + + endpointRoutes: + # -- Enable use of per endpoint routes instead of routing via + # the cilium_host interface. + enabled: false + + k8sNetworkPolicy: + # -- Enable support for K8s NetworkPolicy + enabled: true + + eni: + # -- Enable Elastic Network Interface (ENI) integration. + enabled: false + # -- Update ENI Adapter limits from the EC2 API + updateEC2AdapterLimitViaAPI: true + # -- Release IPs not used from the ENI + awsReleaseExcessIPs: false + # -- Enable ENI prefix delegation + awsEnablePrefixDelegation: false + # -- EC2 API endpoint to use + ec2APIEndpoint: "" + # -- Tags to apply to the newly created ENIs + eniTags: {} + # -- Interval for garbage collection of unattached ENIs. Set to "0s" to disable. + # @default -- `"5m"` + gcInterval: "" + # -- Additional tags attached to ENIs created by Cilium. + # Dangling ENIs with this tag will be garbage collected + # @default -- `{"io.cilium/cilium-managed":"true,"io.cilium/cluster-name":""}` + gcTags: {} + # -- If using IAM role for Service Accounts will not try to + # inject identity values from cilium-aws kubernetes secret. + # Adds annotation to service account if managed by Helm. 
+ # See https://github.com/aws/amazon-eks-pod-identity-webhook + iamRole: "" + # -- Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs + # Important note: This requires that each instance has an ENI with a matching subnet attached + # when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, + # use the CNI configuration file settings (cni.customConf) instead. + subnetIDsFilter: [] + # -- Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs + # Important note: This requires that each instance has an ENI with a matching subnet attached + # when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, + # use the CNI configuration file settings (cni.customConf) instead. + subnetTagsFilter: [] + # -- Filter via AWS EC2 Instance tags (k=v) which will dictate which AWS EC2 Instances + # are going to be used to create new ENIs + instanceTagsFilter: [] + + externalIPs: + # -- Enable ExternalIPs service support. + enabled: false + + # fragmentTracking enables IPv4 fragment tracking support in the datapath. + # fragmentTracking: true + + gke: + # -- Enable Google Kubernetes Engine integration + enabled: false + + # -- Enable connectivity health checking. + healthChecking: true + + # -- TCP port for the agent health API. This is not the port for cilium-health. + healthPort: 9879 + + # -- Configure the host firewall. + hostFirewall: + # -- Enables the enforcement of host policies in the eBPF datapath. + enabled: false + + hostPort: + # -- Enable hostPort service support. + enabled: false + + # -- Configure socket LB + socketLB: + # -- Enable socket LB + enabled: false + + # -- Disable socket lb for non-root ns. This is used to enable Istio routing rules. + # hostNamespaceOnly: false + + # -- Configure certificate generation for Hubble integration. 
+ # If hubble.tls.auto.method=cronJob, these values are used + # for the Kubernetes CronJob which will be scheduled regularly to + # (re)generate any certificates not provided manually. + certgen: + image: + override: ~ + repository: "quay.io/cilium/certgen" + tag: "v0.1.9" + digest: "sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f" + useDigest: true + pullPolicy: "IfNotPresent" + # -- Seconds after which the completed job pod will be deleted + ttlSecondsAfterFinished: 1800 + # -- Labels to be added to hubble-certgen pods + podLabels: {} + # -- Annotations to be added to the hubble-certgen initial Job and CronJob + annotations: + job: {} + cronJob: {} + # -- Node tolerations for pod assignment on nodes with taints + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: [] + + # -- Additional certgen volumes. + extraVolumes: [] + + # -- Additional certgen volumeMounts. + extraVolumeMounts: [] + + # -- Affinity for certgen + affinity: {} + + hubble: + # -- Enable Hubble (true by default). + enabled: true + + # -- Annotations to be added to all top-level hubble objects (resources under templates/hubble) + annotations: {} + + # -- Buffer size of the channel Hubble uses to receive monitor events. If this + # value is not set, the queue size is set to the default monitor queue size. + # eventQueueSize: "" + + # -- Number of recent flows for Hubble to cache. Defaults to 4095. + # Possible values are: + # 1, 3, 7, 15, 31, 63, 127, 255, 511, 1023, + # 2047, 4095, 8191, 16383, 32767, 65535 + # eventBufferCapacity: "4095" + + # -- Hubble metrics configuration. + # See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics + # for more comprehensive documentation about Hubble metrics. + metrics: + # -- Configures the list of metrics to collect. If empty or null, metrics + # are disabled. 
+ # Example: + # + # enabled: + # - dns:query;ignoreAAAA + # - drop + # - tcp + # - flow + # - icmp + # - http + # + # You can specify the list of metrics from the helm CLI: + # + # --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" + # + enabled: ~ + # -- Enables exporting hubble metrics in OpenMetrics format. + enableOpenMetrics: false + # -- Configure the port the hubble metric server listens on. + port: 9965 + # -- Annotations to be added to hubble-metrics service. + serviceAnnotations: {} + serviceMonitor: + # -- Create ServiceMonitor resources for Prometheus Operator. + # This requires the prometheus CRDs to be available. + # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + enabled: false + # -- Labels to add to ServiceMonitor hubble + labels: {} + # -- Annotations to add to ServiceMonitor hubble + annotations: {} + # -- jobLabel to add for ServiceMonitor hubble + jobLabel: "" + # -- Interval for scrape metrics. + interval: "10s" + # -- Relabeling configs for the ServiceMonitor hubble + relabelings: + - sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: node + replacement: ${1} + # -- Metrics relabeling configs for the ServiceMonitor hubble + metricRelabelings: ~ + # -- Grafana dashboards for hubble + # grafana can import dashboards based on the label and value + # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards + dashboards: + enabled: false + label: grafana_dashboard + namespace: ~ + labelValue: "1" + annotations: {} + + # -- Unix domain socket path to listen to when Hubble is enabled. + socketPath: /var/run/cilium/hubble.sock + + # -- Enables redacting sensitive information present in Layer 7 flows. + redact: + enabled: false + http: + # -- Enables redacting URL query (GET) parameters. 
+ # Example: + # + # redact: + # enabled: true + # http: + # urlQuery: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.urlQuery="true" + urlQuery: false + # -- Enables redacting user info, e.g., password when basic auth is used. + # Example: + # + # redact: + # enabled: true + # http: + # userInfo: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.userInfo="true" + userInfo: true + headers: + # -- List of HTTP headers to allow: headers not matching will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. + # Example: + # redact: + # enabled: true + # http: + # headers: + # allow: + # - traceparent + # - tracestate + # - Cache-Control + # + # You can specify the options from the helm CLI: + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control" + allow: [] + # -- List of HTTP headers to deny: matching headers will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. + # Example: + # redact: + # enabled: true + # http: + # headers: + # deny: + # - Authorization + # - Proxy-Authorization + # + # You can specify the options from the helm CLI: + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization" + deny: [] + kafka: + # -- Enables redacting Kafka's API key. + # Example: + # + # redact: + # enabled: true + # kafka: + # apiKey: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.kafka.apiKey="true" + apiKey: false + + # -- An additional address for Hubble to listen to. + # Set this field ":4244" if you are enabling Hubble Relay, as it assumes that + # Hubble is listening on port 4244. 
+ listenAddress: ":4244" + # -- Whether Hubble should prefer to announce IPv6 or IPv4 addresses if both are available. + preferIpv6: false + # -- (bool) Skip Hubble events with unknown cgroup ids + # @default -- `true` + skipUnknownCGroupIDs: ~ + + peerService: + # -- Service Port for the Peer service. + # If not set, it is dynamically assigned to port 443 if TLS is enabled and to + # port 80 if not. + # servicePort: 80 + # -- Target Port for the Peer service, must match the hubble.listenAddress' + # port. + targetPort: 4244 + # -- The cluster domain to use to query the Hubble Peer service. It should + # be the local cluster. + clusterDomain: cluster.local + # -- TLS configuration for Hubble + tls: + # -- Enable mutual TLS for listenAddress. Setting this value to false is + # highly discouraged as the Hubble API provides access to potentially + # sensitive network flow metadata and is exposed on the host network. + enabled: true + # -- Configure automatic TLS certificates generation. + auto: + # -- Auto-generate certificates. + # When set to true, automatically generate a CA and certificates to + # enable mTLS between Hubble server and Hubble Relay instances. If set to + # false, the certs for Hubble server need to be provided by setting + # appropriate values below. + enabled: true + # -- Set the method to auto-generate certificates. Supported values: + # - helm: This method uses Helm to generate all certificates. + # - cronJob: This method uses a Kubernetes CronJob the generate any + # certificates not provided by the user at installation + # time. + # - certmanager: This method use cert-manager to generate & rotate certificates. + method: helm + # -- Generated certificates validity duration in days. + certValidityDuration: 1095 + # -- Schedule for certificates regeneration (regardless of their expiration date). + # Only used if method is "cronJob". If nil, then no recurring job will be created. 
+ # Instead, only the one-shot job is deployed to generate the certificates at + # installation time. + # + # Defaults to midnight of the first day of every fourth month. For syntax, see + # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax + schedule: "0 0 1 */4 *" + + # [Example] + # certManagerIssuerRef: + # group: cert-manager.io + # kind: ClusterIssuer + # name: ca-issuer + # -- certmanager issuer used when hubble.tls.auto.method=certmanager. + certManagerIssuerRef: {} + + # -- base64 encoded PEM values for the Hubble server certificate and private key + server: + cert: "" + key: "" + # -- Extra DNS names added to certificate when it's auto generated + extraDnsNames: [] + # -- Extra IP addresses added to certificate when it's auto generated + extraIpAddresses: [] + + relay: + # -- Enable Hubble Relay (requires hubble.enabled=true) + enabled: false + + # -- Roll out Hubble Relay pods automatically when configmap is updated. + rollOutPods: false + + # -- Hubble-relay container image. + image: + override: ~ + repository: "quay.io/cilium/hubble-relay" + tag: "v1.15.2" + # hubble-relay-digest + digest: "" + useDigest: false + pullPolicy: "IfNotPresent" + + # -- Specifies the resources for the hubble-relay pods + resources: {} + + # -- Number of replicas run for the hubble-relay deployment. 
+ replicas: 1
+
+ # -- Affinity for hubble-replay
+ affinity:
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - topologyKey: kubernetes.io/hostname
+ labelSelector:
+ matchLabels:
+ k8s-app: cilium
+
+ # -- Pod topology spread constraints for hubble-relay
+ topologySpreadConstraints: []
+ # - maxSkew: 1
+ # topologyKey: topology.kubernetes.io/zone
+ # whenUnsatisfiable: DoNotSchedule
+
+ # -- Node labels for pod assignment
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # -- Node tolerations for pod assignment on nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations: []
+
+ # -- Additional hubble-relay environment variables.
+ extraEnv: []
+
+ # -- Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay)
+ annotations: {}
+
+ # -- Annotations to be added to hubble-relay pods
+ podAnnotations: {}
+
+ # -- Labels to be added to hubble-relay pods
+ podLabels: {}
+
+ # PodDisruptionBudget settings
+ podDisruptionBudget:
+ # -- enable PodDisruptionBudget
+ # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ enabled: false
+ # -- Minimum number/percentage of pods that should remain scheduled.
+ # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
+ minAvailable: null
+ # -- Maximum number/percentage of pods that may be made unavailable
+ maxUnavailable: 1
+
+ # -- The priority class to use for hubble-relay
+ priorityClassName: ""
+
+ # -- Configure termination grace period for hubble relay Deployment.
+ terminationGracePeriodSeconds: 1
+
+ # -- hubble-relay update strategy
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+
+ # -- Additional hubble-relay volumes.
+ extraVolumes: []
+
+ # -- Additional hubble-relay volumeMounts.
+ extraVolumeMounts: []
+
+ # -- hubble-relay pod security context
+ podSecurityContext:
+ fsGroup: 65532
+
+ # -- hubble-relay container security context
+ securityContext:
+ # readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
+ capabilities:
+ drop:
+ - ALL
+
+ # -- hubble-relay service configuration.
+ service:
+ # --- The type of service used for Hubble Relay access, either ClusterIP or NodePort.
+ type: ClusterIP
+ # --- The port to use when the service type is set to NodePort.
+ nodePort: 31234
+
+ # -- Host to listen to. Specify an empty string to bind to all the interfaces.
+ listenHost: ""
+
+ # -- Port to listen to.
+ listenPort: "4245"
+
+ # -- TLS configuration for Hubble Relay
+ tls:
+ # -- base64 encoded PEM values for the hubble-relay client certificate and private key
+ # This keypair is presented to Hubble server instances for mTLS
+ # authentication and is required when hubble.tls.enabled is true.
+ # These values need to be set manually if hubble.tls.auto.enabled is false.
+ client:
+ cert: ""
+ key: ""
+ # -- base64 encoded PEM values for the hubble-relay server certificate and private key
+ server:
+ # When set to true, enable TLS on for Hubble Relay server
+ # (ie: for clients connecting to the Hubble Relay API).
+ enabled: false
+ # When set to true enforces mutual TLS between Hubble Relay server and its clients.
+ # False allow non-mutual TLS connections.
+ # This option has no effect when TLS is disabled.
+ mtls: false
+ # These values need to be set manually if hubble.tls.auto.enabled is false.
+ cert: ""
+ key: ""
+ # -- extra DNS names added to certificate when its auto gen
+ extraDnsNames: []
+ # -- extra IP addresses added to certificate when its auto gen
+ extraIpAddresses: []
+ # DNS name used by the backend to connect to the relay
+ # This is a simple workaround as the relay certificates are currently hardcoded to
+ # *.hubble-relay.cilium.io
+ # See https://github.com/cilium/cilium/pull/28709#discussion_r1371792546
+ # For GKE Dataplane V2 this should be set to relay.kube-system.svc.cluster.local
+ relayName: "ui.hubble-relay.cilium.io"
+
+ # -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s").
+ dialTimeout: ~
+
+ # -- Backoff duration to retry connecting to the local hubble instance in case of failure (e.g. "30s").
+ retryTimeout: ~
+
+ # -- Max number of flows that can be buffered for sorting before being sent to the
+ # client (per request) (e.g. 100).
+ sortBufferLenMax: ~
+
+ # -- When the per-request flows sort buffer is not full, a flow is drained every
+ # time this timeout is reached (only affects requests in follow-mode) (e.g. "1s").
+ sortBufferDrainTimeout: ~
+
+ # -- Port to use for the k8s service backed by hubble-relay pods.
+ # If not set, it is dynamically assigned to port 443 if TLS is enabled and to
+ # port 80 if not.
+ # servicePort: 80
+
+ # -- Enable prometheus metrics for hubble-relay on the configured port at
+ # /metrics
+ prometheus:
+ enabled: false
+ port: 9966
+ serviceMonitor:
+ # -- Enable service monitors.
+ # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
+ enabled: false
+ # -- Labels to add to ServiceMonitor hubble-relay
+ labels: {}
+ # -- Annotations to add to ServiceMonitor hubble-relay
+ annotations: {}
+ # -- Interval for scrape metrics.
+ interval: "10s"
+ # -- Specify the Kubernetes namespace where Prometheus expects to find
+ # service monitors configured.
+ # namespace: ""
+ # -- Relabeling configs for the ServiceMonitor hubble-relay
+ relabelings: ~
+ # -- Metrics relabeling configs for the ServiceMonitor hubble-relay
+ metricRelabelings: ~
+
+ gops:
+ # -- Enable gops for hubble-relay
+ enabled: true
+ # -- Configure gops listen port for hubble-relay
+ port: 9893
+
+ pprof:
+ # -- Enable pprof for hubble-relay
+ enabled: false
+ # -- Configure pprof listen address for hubble-relay
+ address: localhost
+ # -- Configure pprof listen port for hubble-relay
+ port: 6062
+
+ ui:
+ # -- Whether to enable the Hubble UI.
+ enabled: false
+
+ standalone:
+ # -- When true, it will allow installing the Hubble UI only, without checking dependencies.
+ # It is useful if a cluster already has cilium and Hubble relay installed and you just
+ # want Hubble UI to be deployed.
+ # When installed via helm, installing UI should be done via `helm upgrade` and when installed via the cilium cli, then `cilium hubble enable --ui`
+ enabled: false
+
+ tls:
+ # -- When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required
+ # to provide a volume for mounting the client certificates.
+ certsVolume: {}
+ # projected:
+ # defaultMode: 0400
+ # sources:
+ # - secret:
+ # name: hubble-ui-client-certs
+ # items:
+ # - key: tls.crt
+ # path: client.crt
+ # - key: tls.key
+ # path: client.key
+ # - key: ca.crt
+ # path: hubble-relay-ca.crt
+
+ # -- Roll out Hubble-ui pods automatically when configmap is updated.
+ rollOutPods: false
+
+ tls:
+ # -- base64 encoded PEM values used to connect to hubble-relay
+ # This keypair is presented to Hubble Relay instances for mTLS
+ # authentication and is required when hubble.relay.tls.server.enabled is true.
+ # These values need to be set manually if hubble.tls.auto.enabled is false.
+ client:
+ cert: ""
+ key: ""
+
+ backend:
+ # -- Hubble-ui backend image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/hubble-ui-backend"
+ tag: "v0.13.0"
+ digest: "sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803"
+ useDigest: true
+ pullPolicy: "IfNotPresent"
+
+ # -- Hubble-ui backend security context.
+ securityContext: {}
+
+ # -- Additional hubble-ui backend environment variables.
+ extraEnv: []
+
+ # -- Additional hubble-ui backend volumes.
+ extraVolumes: []
+
+ # -- Additional hubble-ui backend volumeMounts.
+ extraVolumeMounts: []
+
+ livenessProbe:
+ # -- Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+)
+ enabled: false
+
+ readinessProbe:
+ # -- Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+)
+ enabled: false
+
+ # -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment.
+ resources: {}
+ # limits:
+ # cpu: 1000m
+ # memory: 1024M
+ # requests:
+ # cpu: 100m
+ # memory: 64Mi
+
+ frontend:
+ # -- Hubble-ui frontend image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/hubble-ui"
+ tag: "v0.13.0"
+ digest: "sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666"
+ useDigest: true
+ pullPolicy: "IfNotPresent"
+
+ # -- Hubble-ui frontend security context.
+ securityContext: {}
+
+ # -- Additional hubble-ui frontend environment variables.
+ extraEnv: []
+
+ # -- Additional hubble-ui frontend volumes.
+ extraVolumes: []
+
+ # -- Additional hubble-ui frontend volumeMounts.
+ extraVolumeMounts: []
+
+ # -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment.
+ resources: {}
+ # limits:
+ # cpu: 1000m
+ # memory: 1024M
+ # requests:
+ # cpu: 100m
+ # memory: 64Mi
+ server:
+ # -- Controls server listener for ipv6
+ ipv6:
+ enabled: true
+
+ # -- The number of replicas of Hubble UI to deploy.
+ replicas: 1
+
+ # -- Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui)
+ annotations: {}
+
+ # -- Annotations to be added to hubble-ui pods
+ podAnnotations: {}
+
+ # -- Labels to be added to hubble-ui pods
+ podLabels: {}
+
+ # PodDisruptionBudget settings
+ podDisruptionBudget:
+ # -- enable PodDisruptionBudget
+ # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ enabled: false
+ # -- Minimum number/percentage of pods that should remain scheduled.
+ # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
+ minAvailable: null
+ # -- Maximum number/percentage of pods that may be made unavailable
+ maxUnavailable: 1
+
+ # -- Affinity for hubble-ui
+ affinity: {}
+
+ # -- Pod topology spread constraints for hubble-ui
+ topologySpreadConstraints: []
+ # - maxSkew: 1
+ # topologyKey: topology.kubernetes.io/zone
+ # whenUnsatisfiable: DoNotSchedule
+
+ # -- Node labels for pod assignment
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # -- Node tolerations for pod assignment on nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations: []
+
+ # -- The priority class to use for hubble-ui
+ priorityClassName: ""
+
+ # -- hubble-ui update strategy.
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+
+ # -- Security context to be added to Hubble UI pods
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+
+ # -- hubble-ui service configuration.
+ service:
+ # -- Annotations to be added for the Hubble UI service
+ annotations: {}
+ # --- The type of service used for Hubble UI access, either ClusterIP or NodePort.
+ type: ClusterIP
+ # --- The port to use when the service type is set to NodePort.
+ nodePort: 31235
+
+ # -- Defines base url prefix for all hubble-ui http requests.
+ # It needs to be changed in case if ingress for hubble-ui is configured under some sub-path.
+ # Trailing `/` is required for custom path, ex. `/service-map/`
+ baseUrl: "/"
+
+ # -- hubble-ui ingress configuration.
+ ingress:
+ enabled: false
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ className: ""
+ hosts:
+ - chart-example.local
+ labels: {}
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+ # -- Hubble flows export.
+ export:
+ # --- Defines max file size of output file before it gets rotated.
+ fileMaxSizeMb: 10
+ # --- Defines max number of backup/rotated files.
+ fileMaxBackups: 5
+ # --- Static exporter configuration.
+ # Static exporter is bound to agent lifecycle.
+ static:
+ enabled: false
+ filePath: /var/run/cilium/hubble/events.log
+ fieldMask: []
+ # - time
+ # - source
+ # - destination
+ # - verdict
+ allowList: []
+ # - '{"verdict":["DROPPED","ERROR"]}'
+ denyList: []
+ # - '{"source_pod":["kube-system/"]}'
+ # - '{"destination_pod":["kube-system/"]}'
+ # --- Dynamic exporters configuration.
+ # Dynamic exporters may be reconfigured without a need of agent restarts.
+ dynamic:
+ enabled: false
+ config:
+ # ---- Name of configmap with configuration that may be altered to reconfigure exporters within a running agents.
+ configMapName: cilium-flowlog-config
+ # ---- True if helm installer should create config map.
+ # Switch to false if you want to self maintain the file content.
+ createConfigMap: true
+ # ---- Exporters configuration in YAML format.
+ content:
+ - name: all
+ fieldMask: []
+ includeFilters: []
+ excludeFilters: []
+ filePath: "/var/run/cilium/hubble/events.log"
+ #- name: "test002"
+ # filePath: "/var/log/network/flow-log/pa/test002.log"
+ # fieldMask: ["source.namespace", "source.pod_name", "destination.namespace", "destination.pod_name", "verdict"]
+ # includeFilters:
+ # - source_pod: ["default/"]
+ # event_type:
+ # - type: 1
+ # - destination_pod: ["frontend/nginx-975996d4c-7hhgt"]
+ # excludeFilters: []
+ # end: "2023-10-09T23:59:59-07:00"
+
+ # -- Method to use for identity allocation (`crd` or `kvstore`).
+ identityAllocationMode: "crd"
+
+ # -- (string) Time to wait before using new identity on endpoint identity change.
+ # @default -- `"5s"`
+ identityChangeGracePeriod: ""
+
+ # -- Install Iptables rules to skip netfilter connection tracking on all pod
+ # traffic. This option is only effective when Cilium is running in direct
+ # routing and full KPR mode. Moreover, this option cannot be enabled when Cilium
+ # is running in a managed Kubernetes environment or in a chained CNI setup.
+ installNoConntrackIptablesRules: false
+
+ ipam:
+ # -- Configure IP Address Management mode.
+ # ref: https://docs.cilium.io/en/stable/network/concepts/ipam/
+ mode: "cluster-pool"
+ # -- Maximum rate at which the CiliumNode custom resource is updated.
+ ciliumNodeUpdateRate: "15s"
+ operator:
+ # -- IPv4 CIDR list range to delegate to individual nodes for IPAM.
+ clusterPoolIPv4PodCIDRList: {{ index .Cluster.spec.clusterNetwork.pods.cidrBlocks 0 }}
+ # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM.
+ clusterPoolIPv4MaskSize: 24
+ # -- IPv6 CIDR list range to delegate to individual nodes for IPAM.
+ clusterPoolIPv6PodCIDRList: ["fd00::/104"]
+ # -- IPv6 CIDR mask size to delegate to individual nodes for IPAM.
+ clusterPoolIPv6MaskSize: 120
+ # -- IP pools to auto-create in multi-pool IPAM mode.
+ autoCreateCiliumPodIPPools: {}
+ # default:
+ # ipv4:
+ # cidrs:
+ # - 10.10.0.0/8
+ # maskSize: 24
+ # other:
+ # ipv6:
+ # cidrs:
+ # - fd00:100::/80
+ # maskSize: 96
+ # -- The maximum burst size when rate limiting access to external APIs.
+ # Also known as the token bucket capacity.
+ # @default -- `20`
+ externalAPILimitBurstSize: ~
+ # -- The maximum queries per second when rate limiting access to
+ # external APIs. Also known as the bucket refill rate, which is used to
+ # refill the bucket up to the burst size capacity.
+ # @default -- `4.0`
+ externalAPILimitQPS: ~
+
+ # -- The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API
+ apiRateLimit: ~
+
+ # -- Configure the eBPF-based ip-masq-agent
+ ipMasqAgent:
+ enabled: false
+ # the config of nonMasqueradeCIDRs
+ # config:
+ # nonMasqueradeCIDRs: []
+ # masqLinkLocal: false
+ # masqLinkLocalIPv6: false
+
+ # iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium.
+ # iptablesLockTimeout: "5s"
+
+ ipv4:
+ # -- Enable IPv4 support.
+ enabled: true
+
+ ipv6:
+ # -- Enable IPv6 support.
+ enabled: false
+
+ # -- Configure Kubernetes specific configuration
+ k8s: {}
+ # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
+ # range via the Kubernetes node resource
+ # requireIPv4PodCIDR: false
+
+ # -- requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR
+ # range via the Kubernetes node resource
+ # requireIPv6PodCIDR: false
+
+ # -- Keep the deprecated selector labels when deploying Cilium DaemonSet.
+ keepDeprecatedLabels: false
+
+ # -- Keep the deprecated probes when deploying Cilium DaemonSet
+ keepDeprecatedProbes: false
+
+ startupProbe:
+ # -- failure threshold of startup probe.
+ # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s)
+ failureThreshold: 105
+ # -- interval between checks of the startup probe
+ periodSeconds: 2
+ livenessProbe:
+ # -- failure threshold of liveness probe
+ failureThreshold: 10
+ # -- interval between checks of the liveness probe
+ periodSeconds: 30
+ readinessProbe:
+ # -- failure threshold of readiness probe
+ failureThreshold: 3
+ # -- interval between checks of the readiness probe
+ periodSeconds: 30
+
+ # -- Configure the kube-proxy replacement in Cilium BPF datapath
+ # Valid options are "true", "false", "disabled" (deprecated), "partial" (deprecated), "strict" (deprecated).
+ # ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/
+ #kubeProxyReplacement: "false"
+
+ # -- healthz server bind address for the kube-proxy replacement.
+ # To enable set the value to '0.0.0.0:10256' for all ipv4
+ # addresses and this '[::]:10256' for all ipv6 addresses.
+ # By default it is disabled.
+ kubeProxyReplacementHealthzBindAddr: ""
+
+ l2NeighDiscovery:
+ # -- Enable L2 neighbor discovery in the agent
+ enabled: true
+ # -- Override the agent's default neighbor resolution refresh period.
+ refreshPeriod: "30s"
+
+ # -- Enable Layer 7 network policy.
+ l7Proxy: true
+
+ # -- Enable Local Redirect Policy.
+ localRedirectPolicy: false
+
+ # To include or exclude matched resources from cilium identity evaluation
+ # labels: ""
+
+ # logOptions allows you to define logging options. eg:
+ # logOptions:
+ # format: json
+
+ # -- Enables periodic logging of system load
+ logSystemLoad: false
+
+ # -- Configure maglev consistent hashing
+ maglev: {}
+ # -- tableSize is the size (parameter M) for the backend table of one
+ # service entry
+ # tableSize:
+
+ # -- hashSeed is the cluster-wide base64 encoded seed for the hashing
+ # hashSeed:
+
+ # -- Enables masquerading of IPv4 traffic leaving the node from endpoints.
+ enableIPv4Masquerade: true
+
+ # -- Enables masquerading of IPv6 traffic leaving the node from endpoints.
+ enableIPv6Masquerade: true
+
+ # -- Enables masquerading to the source of the route for traffic leaving the node from endpoints.
+ enableMasqueradeRouteSource: false
+
+ # -- Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods
+ enableIPv4BIGTCP: false
+
+ # -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods
+ enableIPv6BIGTCP: false
+
+ egressGateway:
+ # -- Enables egress gateway to redirect and SNAT the traffic that leaves the
+ # cluster.
+ enabled: false
+ # -- Deprecated without a replacement necessary.
+ installRoutes: false
+ # -- Time between triggers of egress gateway state reconciliations
+ reconciliationTriggerInterval: 1s
+ # -- Maximum number of entries in egress gateway policy map
+ # maxPolicyEntries: 16384
+
+ vtep:
+ # -- Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow
+ # Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel.
+ enabled: false
+
+ # -- A space separated list of VTEP device endpoint IPs, for example "1.1.1.1 1.1.2.1"
+ endpoint: ""
+ # -- A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24"
+ cidr: ""
+ # -- VTEP CIDRs Mask that applies to all VTEP CIDRs, for example "255.255.255.0"
+ mask: ""
+ # -- A space separated list of VTEP device MAC addresses (VTEP MAC), for example "x:x:x:x:x:x y:y:y:y:y:y:y"
+ mac: ""
+
+ # -- (string) Allows to explicitly specify the IPv4 CIDR for native routing.
+ # When specified, Cilium assumes networking for this CIDR is preconfigured and
+ # hands traffic destined for that range to the Linux network stack without
+ # applying any SNAT.
+ # Generally speaking, specifying a native routing CIDR implies that Cilium can
+ # depend on the underlying networking stack to route packets to their
+ # destination. To offer a concrete example, if Cilium is configured to use
+ # direct routing and the Kubernetes CIDR is included in the native routing CIDR,
+ # the user must configure the routes to reach pods, either manually or by
+ # setting the auto-direct-node-routes flag.
+ ipv4NativeRoutingCIDR: ""
+
+ # -- (string) Allows to explicitly specify the IPv6 CIDR for native routing.
+ # When specified, Cilium assumes networking for this CIDR is preconfigured and
+ # hands traffic destined for that range to the Linux network stack without
+ # applying any SNAT.
+ # Generally speaking, specifying a native routing CIDR implies that Cilium can
+ # depend on the underlying networking stack to route packets to their
+ # destination. To offer a concrete example, if Cilium is configured to use
+ # direct routing and the Kubernetes CIDR is included in the native routing CIDR,
+ # the user must configure the routes to reach pods, either manually or by
+ # setting the auto-direct-node-routes flag.
+ ipv6NativeRoutingCIDR: ""
+
+ # -- cilium-monitor sidecar.
+ monitor:
+ # -- Enable the cilium-monitor sidecar.
+ enabled: false
+
+ # -- Configure service load balancing
+ loadBalancer:
+ # -- standalone enables the standalone L4LB which does not connect to
+ # kube-apiserver.
+ # standalone: false
+
+ # -- algorithm is the name of the load balancing algorithm for backend
+ # selection e.g. random or maglev
+ # algorithm: random
+
+ # -- mode is the operation mode of load balancing for remote backends
+ # e.g. snat, dsr, hybrid
+ # mode: snat
+
+ # -- acceleration is the option to accelerate service handling via XDP
+ # Applicable values can be: disabled (do not use XDP), native (XDP BPF
+ # program is run directly out of the networking driver's early receive
+ # path), or best-effort (use native mode XDP acceleration on devices
+ # that support it).
+ acceleration: disabled
+
+ # -- dsrDispatch configures whether IP option or IPIP encapsulation is
+ # used to pass a service IP and port to remote backend
+ # dsrDispatch: opt
+
+ # -- serviceTopology enables K8s Topology Aware Hints -based service
+ # endpoints filtering
+ # serviceTopology: false
+
+ # -- L7 LoadBalancer
+ l7:
+ # -- Enable L7 service load balancing via envoy proxy.
+ # The request to a k8s service, which has specific annotation e.g. service.cilium.io/lb-l7,
+ # will be forwarded to the local backend proxy to be load balanced to the service endpoints.
+ # Please refer to docs for supported annotations for more configuration.
+ #
+ # Applicable values:
+ # - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well.
+ # - disabled: Disable L7 load balancing by way of service annotation.
+ backend: disabled
+ # -- List of ports from service to be automatically redirected to above backend.
+ # Any service exposing one of these ports will be automatically redirected.
+ # Fine-grained control can be achieved by using the service annotation.
+ ports: []
+ # -- Default LB algorithm
+ # The default LB algorithm to be used for services, which can be overridden by the
+ # service annotation (e.g. service.cilium.io/lb-l7-algorithm)
+ # Applicable values: round_robin, least_request, random
+ algorithm: round_robin
+
+ # -- Configure N-S k8s service loadbalancing
+ nodePort:
+ # -- Enable the Cilium NodePort service implementation.
+ enabled: false
+
+ # -- Port range to use for NodePort services.
+ # range: "30000,32767"
+
+ # -- Set to true to prevent applications binding to service ports.
+ bindProtection: true
+
+ # -- Append NodePort range to ip_local_reserved_ports if clash with ephemeral
+ # ports is detected.
+ autoProtectPortRange: true
+
+ # -- Enable healthcheck nodePort server for NodePort services
+ enableHealthCheck: true
+
+ # -- Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs
+ # EnableHealthCheck to be enabled
+ enableHealthCheckLoadBalancerIP: false
+
+ # policyAuditMode: false
+
+ # -- The agent can be put into one of the three policy enforcement modes:
+ # default, always and never.
+ # ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes
+ policyEnforcementMode: "default"
+
+ # -- policyCIDRMatchMode is a list of entities that may be selected by CIDR selector.
+ # The possible value is "nodes".
+ policyCIDRMatchMode:
+
+ pprof:
+ # -- Enable pprof for cilium-agent
+ enabled: false
+ # -- Configure pprof listen address for cilium-agent
+ address: localhost
+ # -- Configure pprof listen port for cilium-agent
+ port: 6060
+
+ # -- Configure prometheus metrics on the configured port at /metrics
+ prometheus:
+ enabled: false
+ port: 9962
+ serviceMonitor:
+ # -- Enable service monitors.
+ # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
+ enabled: false
+ # -- Labels to add to ServiceMonitor cilium-agent
+ labels: {}
+ # -- Annotations to add to ServiceMonitor cilium-agent
+ annotations: {}
+ # -- jobLabel to add for ServiceMonitor cilium-agent
+ jobLabel: ""
+ # -- Interval for scrape metrics.
+ interval: "10s"
+ # -- Specify the Kubernetes namespace where Prometheus expects to find
+ # service monitors configured.
+ # namespace: ""
+ # -- Relabeling configs for the ServiceMonitor cilium-agent
+ relabelings:
+ - sourceLabels:
+ - __meta_kubernetes_pod_node_name
+ targetLabel: node
+ replacement: ${1}
+ # -- Metrics relabeling configs for the ServiceMonitor cilium-agent
+ metricRelabelings: ~
+ # -- Set to `true` and helm will not check for monitoring.coreos.com/v1 CRDs before deploying
+ trustCRDsExist: false
+
+ # -- Metrics that should be enabled or disabled from the default metric list.
+ # The list is expected to be separated by a space. (+metric_foo to enable
+ # metric_foo , -metric_bar to disable metric_bar).
+ # ref: https://docs.cilium.io/en/stable/observability/metrics/
+ metrics: ~
+
+ # --- Enable controller group metrics for monitoring specific Cilium
+ # subsystems. The list is a list of controller group names. The special
+ # values of "all" and "none" are supported. The set of controller
+ # group names is not guaranteed to be stable between Cilium versions.
+ controllerGroupMetrics:
+ - write-cni-file
+ - sync-host-ips
+ - sync-lb-maps-with-k8s-services
+
+ # -- Grafana dashboards for cilium-agent
+ # grafana can import dashboards based on the label and value
+ # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards
+ dashboards:
+ enabled: false
+ label: grafana_dashboard
+ namespace: ~
+ labelValue: "1"
+ annotations: {}
+
+ # -- Configure Istio proxy options.
+ proxy:
+
+ prometheus:
+ # -- Deprecated in favor of envoy.prometheus.enabled
+ enabled: true
+ # -- Deprecated in favor of envoy.prometheus.port
+ port: ~
+ # -- Regular expression matching compatible Istio sidecar istio-proxy
+ # container image names
+ sidecarImageRegex: "cilium/istio_proxy"
+
+ # Configure Cilium Envoy options.
+ envoy:
+ # -- Enable Envoy Proxy in standalone DaemonSet.
+ enabled: false
+
+ log:
+ # -- The format string to use for laying out the log message metadata of Envoy.
+ format: "[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"
+ # -- Path to a separate Envoy log file, if any. Defaults to /dev/stdout.
+ path: ""
+
+ # -- Time in seconds after which a TCP connection attempt times out
+ connectTimeoutSeconds: 2
+ # -- ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for Envoy
+ maxRequestsPerConnection: 0
+ # -- Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable)
+ maxConnectionDurationSeconds: 0
+ # -- Set Envoy upstream HTTP idle connection timeout seconds.
+ # Does not apply to connections with pending requests. Default 60s
+ idleTimeoutDurationSeconds: 60
+
+ # -- Envoy container image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/cilium-envoy"
+ tag: "v1.27.3-99c1c8f42c8de70fc8f6dd594f4a425cd38b6688"
+ pullPolicy: "IfNotPresent"
+ digest: "sha256:877ead12d08d4c04a9f67f86d3c6e542aeb7bf97e1e401aee74de456f496ac30"
+ useDigest: true
+
+ # -- Additional containers added to the cilium Envoy DaemonSet.
+ extraContainers: []
+
+ # -- Additional envoy container arguments.
+ extraArgs: []
+
+ # -- Additional envoy container environment variables.
+ extraEnv: []
+
+ # -- Additional envoy hostPath mounts.
+ extraHostPathMounts: []
+ # - name: host-mnt-data
+ # mountPath: /host/mnt/data
+ # hostPath: /mnt/data
+ # hostPathType: Directory
+ # readOnly: true
+ # mountPropagation: HostToContainer
+
+ # -- Additional envoy volumes.
+ extraVolumes: []
+
+ # -- Additional envoy volumeMounts.
+ extraVolumeMounts: []
+
+ # -- Configure termination grace period for cilium-envoy DaemonSet.
+ terminationGracePeriodSeconds: 1
+
+ # -- TCP port for the health API.
+ healthPort: 9878
+
+ # -- cilium-envoy update strategy
+ # ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#updating-a-daemonset
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 2
+ # -- Roll out cilium envoy pods automatically when configmap is updated.
+ rollOutPods: false
+
+ # -- Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy)
+ annotations: {}
+
+ # -- Security Context for cilium-envoy pods.
+ podSecurityContext: {}
+
+ # -- Annotations to be added to envoy pods
+ podAnnotations: {}
+
+ # -- Labels to be added to envoy pods
+ podLabels: {}
+
+ # -- Envoy resource limits & requests
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources: {}
+ # limits:
+ # cpu: 4000m
+ # memory: 4Gi
+ # requests:
+ # cpu: 100m
+ # memory: 512Mi
+
+ startupProbe:
+ # -- failure threshold of startup probe.
+ # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s)
+ failureThreshold: 105
+ # -- interval between checks of the startup probe
+ periodSeconds: 2
+ livenessProbe:
+ # -- failure threshold of liveness probe
+ failureThreshold: 10
+ # -- interval between checks of the liveness probe
+ periodSeconds: 30
+ readinessProbe:
+ # -- failure threshold of readiness probe
+ failureThreshold: 3
+ # -- interval between checks of the readiness probe
+ periodSeconds: 30
+
+ securityContext:
+ # -- User to run the pod with
+ # runAsUser: 0
+ # -- Run the pod with elevated privileges
+ privileged: false
+ # -- SELinux options for the `cilium-envoy` container
+ seLinuxOptions:
+ level: 's0'
+ # Running with spc_t since we have removed the privileged mode.
+ # Users can change it to a different type as long as they have the
+ # type available on the system.
+ type: 'spc_t'
+ capabilities:
+ # -- Capabilities for the `cilium-envoy` container
+ envoy:
+ # Used since cilium proxy uses setting IPPROTO_IP/IP_TRANSPARENT
+ - NET_ADMIN
+ # We need it for now but might not need it for >= 5.11 specially
+ # for the 'SYS_RESOURCE'.
+ # In >= 5.8 there's already BPF and PERMON capabilities
+ - SYS_ADMIN
+ # Both PERFMON and BPF requires kernel 5.8, container runtime
+ # cri-o >= v1.22.0 or containerd >= v1.5.0.
+ # If available, SYS_ADMIN can be removed.
+ #- PERFMON
+ #- BPF
+
+ # -- Affinity for cilium-envoy.
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - topologyKey: kubernetes.io/hostname
+ labelSelector:
+ matchLabels:
+ k8s-app: cilium-envoy
+
+ # -- Node selector for cilium-envoy.
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # -- Node tolerations for envoy scheduling to nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations:
+ - operator: Exists
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ # -- The priority class to use for cilium-envoy.
+ priorityClassName: ~
+
+ # -- DNS policy for Cilium envoy pods.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
+ dnsPolicy: ~
+
+ # -- Configure Cilium Envoy Prometheus options.
+ # Note that some of these apply to either cilium-agent or cilium-envoy.
+ prometheus:
+ # -- Enable prometheus metrics for cilium-envoy
+ enabled: true
+ serviceMonitor:
+ # -- Enable service monitors.
+ # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
+ # Note that this setting applies to both cilium-envoy _and_ cilium-agent
+ # with Envoy enabled.
+ enabled: false
+ # -- Labels to add to ServiceMonitor cilium-envoy
+ labels: {}
+ # -- Annotations to add to ServiceMonitor cilium-envoy
+ annotations: {}
+ # -- Interval for scrape metrics.
+ interval: "10s"
+ # -- Specify the Kubernetes namespace where Prometheus expects to find
+ # service monitors configured.
+ # namespace: ""
+ # -- Relabeling configs for the ServiceMonitor cilium-envoy
+ # or for cilium-agent with Envoy configured.
+ relabelings:
+ - sourceLabels:
+ - __meta_kubernetes_pod_node_name
+ targetLabel: node
+ replacement: ${1}
+ # -- Metrics relabeling configs for the ServiceMonitor cilium-envoy
+ # or for cilium-agent with Envoy configured.
+ metricRelabelings: ~
+ # -- Serve prometheus metrics for cilium-envoy on the configured port
+ port: "9964"
+
+ # -- Enable use of the remote node identity.
+ # ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity
+ # Deprecated without replacement in 1.15. To be removed in 1.16.
+ remoteNodeIdentity: true
+
+ # -- Enable resource quotas for priority classes used in the cluster.
+ resourceQuotas:
+ enabled: false
+ cilium:
+ hard:
+ # 5k nodes * 2 DaemonSets (Cilium and cilium node init)
+ pods: "10k"
+ operator:
+ hard:
+ # 15 "clusterwide" Cilium Operator pods for HA
+ pods: "15"
+
+ # Need to document default
+ ##################
+ #sessionAffinity: false
+
+ # -- Do not run Cilium agent when running with clean mode. Useful to completely
+ # uninstall Cilium as it will stop Cilium from starting and create artifacts
+ # in the node.
+ sleepAfterInit: false
+
+ # -- Enable check of service source ranges (currently, only for LoadBalancer).
+ svcSourceRangeCheck: true
+
+ # -- Synchronize Kubernetes nodes to kvstore and perform CNP GC.
+ synchronizeK8sNodes: true
+
+ # -- Configure TLS configuration in the agent.
+ tls:
+ # -- This configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies
+ # (namely the secrets referenced by terminatingTLS and originatingTLS).
+ # Possible values:
+ # - local
+ # - k8s
+ secretsBackend: local
+
+ # -- Base64 encoded PEM values for the CA certificate and private key.
+ # This can be used as common CA to generate certificates used by hubble and clustermesh components.
+ # It is neither required nor used when cert-manager is used to generate the certificates.
+ ca:
+ # -- Optional CA cert. If it is provided, it will be used by cilium to
+ # generate all other certificates. Otherwise, an ephemeral CA is generated.
+ cert: ""
+
+ # -- Optional CA private key. If it is provided, it will be used by cilium to
+ # generate all other certificates. Otherwise, an ephemeral CA is generated.
+ key: ""
+
+ # -- Generated certificates validity duration in days. This will be used for auto generated CA.
+ certValidityDuration: 1095
+
+ # -- Configure the CA trust bundle used for the validation of the certificates
+ # leveraged by hubble and clustermesh. When enabled, it overrides the content of the
+ # 'ca.crt' field of the respective certificates, allowing for CA rotation with no down-time.
+ caBundle:
+ # -- Enable the use of the CA trust bundle.
+ enabled: false
+
+ # -- Name of the ConfigMap containing the CA trust bundle.
+ name: cilium-root-ca.crt
+
+ # -- Entry of the ConfigMap containing the CA trust bundle.
+ key: ca.crt
+
+ # -- Use a Secret instead of a ConfigMap.
+ useSecret: false
+
+ # If uncommented, creates the ConfigMap and fills it with the specified content.
+ # Otherwise, the ConfigMap is assumed to be already present in .Release.Namespace.
+ #
+ # content: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+
+ # -- Tunneling protocol to use in tunneling mode and for ad-hoc tunnels.
+ # Possible values:
+ # - ""
+ # - vxlan
+ # - geneve
+ # @default -- `"vxlan"`
+ tunnelProtocol: ""
+
+ # -- Enable native-routing mode or tunneling mode.
+ # Possible values:
+ # - ""
+ # - native
+ # - tunnel
+ # @default -- `"tunnel"`
+ routingMode: ""
+
+ # -- Configure VXLAN and Geneve tunnel port.
+ # @default -- Port 8472 for VXLAN, Port 6081 for Geneve
+ tunnelPort: 0
+
+ # -- Configure what the response should be to traffic for a service without backends.
+ # "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop".
+ # Possible values:
+ # - reject (default)
+ # - drop
+ serviceNoBackendResponse: reject
+
+ # -- Configure the underlying network MTU to overwrite auto-detected MTU.
+ MTU: 0
+
+ # -- Disable the usage of CiliumEndpoint CRD.
+ disableEndpointCRD: false
+
+ wellKnownIdentities:
+ # -- Enable the use of well-known identities.
+ enabled: false
+
+ etcd:
+ # -- Enable etcd mode for the agent.
+ enabled: false
+
+ # -- cilium-etcd-operator image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/cilium-etcd-operator"
+ tag: "v2.0.7"
+ digest: "sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc"
+ useDigest: true
+ pullPolicy: "IfNotPresent"
+
+ # -- The priority class to use for cilium-etcd-operator
+ priorityClassName: ""
+
+ # -- Additional cilium-etcd-operator container arguments.
+ extraArgs: []
+
+ # -- Additional cilium-etcd-operator volumes.
+ extraVolumes: []
+
+ # -- Additional cilium-etcd-operator volumeMounts.
+ extraVolumeMounts: []
+
+ # -- Node tolerations for cilium-etcd-operator scheduling to nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations:
+ - operator: Exists
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ # -- Pod topology spread constraints for cilium-etcd-operator
+ topologySpreadConstraints: []
+ # - maxSkew: 1
+ # topologyKey: topology.kubernetes.io/zone
+ # whenUnsatisfiable: DoNotSchedule
+
+ # -- Node labels for cilium-etcd-operator pod assignment
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # -- Annotations to be added to all top-level etcd-operator objects (resources under templates/etcd-operator)
+ annotations: {}
+
+ # -- Security context to be added to cilium-etcd-operator pods
+ podSecurityContext: {}
+
+ # -- Annotations to be added to cilium-etcd-operator pods
+
podAnnotations: {} + + # -- Labels to be added to cilium-etcd-operator pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- cilium-etcd-operator resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + # -- Security context to be added to cilium-etcd-operator pods + securityContext: {} + # runAsUser: 0 + + # -- cilium-etcd-operator update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + + # -- If etcd is behind a k8s service set this option to true so that Cilium + # does the service translation automatically without requiring a DNS to be + # running. + k8sService: false + + # -- Cluster domain for cilium-etcd-operator. + clusterDomain: cluster.local + + # -- List of etcd endpoints (not needed when using managed=true). + endpoints: + - https://CHANGE-ME:2379 + + # -- Enable use of TLS/SSL for connectivity to etcd. (auto-enabled if + # managed=true) + ssl: false + + operator: + # -- Enable the cilium-operator component (required). + enabled: true + + # -- Roll out cilium-operator pods automatically when configmap is updated. + rollOutPods: false + + # -- cilium-operator image. 
+ image: + override: ~ + repository: "quay.io/cilium/operator" + tag: "v1.15.2" + # operator-generic-digest + genericDigest: "" + # operator-azure-digest + azureDigest: "" + # operator-aws-digest + awsDigest: "" + # operator-alibabacloud-digest + alibabacloudDigest: "" + useDigest: false + pullPolicy: "IfNotPresent" + suffix: "" + + # -- Number of replicas to run for the cilium-operator deployment + replicas: 2 + + # -- The priority class to use for cilium-operator + priorityClassName: "" + + # -- DNS policy for Cilium operator pods. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: "" + + # -- cilium-operator update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 25% + maxUnavailable: 50% + + # -- Affinity for cilium-operator + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + io.cilium/app: operator + + # -- Pod topology spread constraints for cilium-operator + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Node labels for cilium-operator pod assignment + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for cilium-operator scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: + - operator: Exists + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- Additional cilium-operator container arguments. + extraArgs: [] + + # -- Additional cilium-operator environment variables. + extraEnv: [] + + # -- Additional cilium-operator hostPath mounts. 
+ extraHostPathMounts: [] + # - name: host-mnt-data + # mountPath: /host/mnt/data + # hostPath: /mnt/data + # hostPathType: Directory + # readOnly: true + # mountPropagation: HostToContainer + + # -- Additional cilium-operator volumes. + extraVolumes: [] + + # -- Additional cilium-operator volumeMounts. + extraVolumeMounts: [] + + # -- Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator) + annotations: {} + + # -- Security context to be added to cilium-operator pods + podSecurityContext: {} + + # -- Annotations to be added to cilium-operator pods + podAnnotations: {} + + # -- Labels to be added to cilium-operator pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- cilium-operator resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + # limits: + # cpu: 1000m + # memory: 1Gi + # requests: + # cpu: 100m + # memory: 128Mi + + # -- Security context to be added to cilium-operator pods + securityContext: {} + # runAsUser: 0 + + # -- Interval for endpoint garbage collection. + endpointGCInterval: "5m0s" + + # -- Interval for cilium node garbage collection. + nodeGCInterval: "5m0s" + + # -- Skip CNP node status clean up at operator startup. + skipCNPStatusStartupClean: false + + # -- Interval for identity garbage collection. + identityGCInterval: "15m0s" + + # -- Timeout for identity heartbeats. 
+ identityHeartbeatTimeout: "30m0s" + + pprof: + # -- Enable pprof for cilium-operator + enabled: false + # -- Configure pprof listen address for cilium-operator + address: localhost + # -- Configure pprof listen port for cilium-operator + port: 6061 + + # -- Enable prometheus metrics for cilium-operator on the configured port at + # /metrics + prometheus: + enabled: true + port: 9963 + serviceMonitor: + # -- Enable service monitors. + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + enabled: false + # -- Labels to add to ServiceMonitor cilium-operator + labels: {} + # -- Annotations to add to ServiceMonitor cilium-operator + annotations: {} + # -- jobLabel to add for ServiceMonitor cilium-operator + jobLabel: "" + # -- Interval for scrape metrics. + interval: "10s" + # -- Relabeling configs for the ServiceMonitor cilium-operator + relabelings: ~ + # -- Metrics relabeling configs for the ServiceMonitor cilium-operator + metricRelabelings: ~ + + # -- Grafana dashboards for cilium-operator + # grafana can import dashboards based on the label and value + # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards + dashboards: + enabled: false + label: grafana_dashboard + namespace: ~ + labelValue: "1" + annotations: {} + + # -- Skip CRDs creation for cilium-operator + skipCRDCreation: false + + # -- Remove Cilium node taint from Kubernetes nodes that have a healthy Cilium + # pod running. + removeNodeTaints: true + + # -- Taint nodes where Cilium is scheduled but not running. This prevents pods + # from being scheduled to nodes where Cilium is not the default CNI provider. + # @default -- same as removeNodeTaints + setNodeTaints: ~ + + # -- Set Node condition NetworkUnavailable to 'false' with the reason + # 'CiliumIsUp' for nodes that have a healthy Cilium pod. 
+ setNodeNetworkStatus: true + + unmanagedPodWatcher: + # -- Restart any pod that are not managed by Cilium. + restart: true + # -- Interval, in seconds, to check if there are any pods that are not + # managed by Cilium. + intervalSeconds: 15 + + nodeinit: + # -- Enable the node initialization DaemonSet + enabled: false + + # -- node-init image. + image: + override: ~ + repository: "quay.io/cilium/startup-script" + tag: "62093c5c233ea914bfa26a10ba41f8780d9b737f" + pullPolicy: "IfNotPresent" + + # -- The priority class to use for the nodeinit pod. + priorityClassName: "" + + # -- node-init update strategy + updateStrategy: + type: RollingUpdate + + # -- Additional nodeinit environment variables. + extraEnv: [] + + # -- Additional nodeinit volumes. + extraVolumes: [] + + # -- Additional nodeinit volumeMounts. + extraVolumeMounts: [] + + # -- Affinity for cilium-nodeinit + affinity: {} + + # -- Node labels for nodeinit pod assignment + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for nodeinit scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: + - operator: Exists + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit) + annotations: {} + + # -- Annotations to be added to node-init pods. + podAnnotations: {} + + # -- Labels to be added to node-init pods. + podLabels: {} + + # -- nodeinit resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + cpu: 100m + memory: 100Mi + + # -- Security context to be added to nodeinit pods. 
+ securityContext: + privileged: false + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. + type: 'spc_t' + capabilities: + add: + # Used in iptables. Consider removing once we are iptables-free + - SYS_MODULE + # Used for nsenter + - NET_ADMIN + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + + # -- bootstrapFile is the location of the file where the bootstrap timestamp is + # written by the node-init DaemonSet + bootstrapFile: "/tmp/cilium-bootstrap.d/cilium-bootstrap-time" + + # -- startup offers way to customize startup nodeinit script (pre and post position) + startup: + preScript: "" + postScript: "" + # -- prestop offers way to customize prestop nodeinit script (pre and post position) + prestop: + preScript: "" + postScript: "" + + preflight: + # -- Enable Cilium pre-flight resources (required for upgrade) + enabled: false + + # -- Cilium pre-flight image. + image: + override: ~ + repository: "quay.io/cilium/cilium" + tag: "v1.15.2" + # cilium-digest + digest: "" + useDigest: false + pullPolicy: "IfNotPresent" + + # -- The priority class to use for the preflight pod. + priorityClassName: "" + + # -- preflight update strategy + updateStrategy: + type: RollingUpdate + + # -- Additional preflight environment variables. + extraEnv: [] + + # -- Additional preflight volumes. + extraVolumes: [] + + # -- Additional preflight volumeMounts. 
+ extraVolumeMounts: [] + + # -- Affinity for cilium-preflight + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium + + # -- Node labels for preflight pod assignment + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for preflight scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: + - key: node.kubernetes.io/not-ready + effect: NoSchedule + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + - key: node.cloudprovider.kubernetes.io/uninitialized + effect: NoSchedule + value: "true" + - key: CriticalAddonsOnly + operator: "Exists" + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- Annotations to be added to all top-level preflight objects (resources under templates/cilium-preflight) + annotations: {} + + # -- Security context to be added to preflight pods. + podSecurityContext: {} + + # -- Annotations to be added to preflight pods + podAnnotations: {} + + # -- Labels to be added to the preflight pod. + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. 
+ # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- preflight resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + # -- Security context to be added to preflight pods + securityContext: {} + # runAsUser: 0 + + # -- Path to write the `--tofqdns-pre-cache` file to. + tofqdnsPreCache: "" + + # -- Configure termination grace period for preflight Deployment and DaemonSet. + terminationGracePeriodSeconds: 1 + + # -- By default we should always validate the installed CNPs before upgrading + # Cilium. This will make sure the user will have the policies deployed in the + # cluster with the right schema. + validateCNPs: true + + # -- Explicitly enable or disable priority class. + # .Capabilities.KubeVersion is unsettable in `helm template` calls, + # it depends on k8s libraries version that Helm was compiled against. + # This option allows to explicitly disable setting the priority class, which + # is useful for rendering charts for gke clusters in advance. + enableCriticalPriorityClass: true + + # disableEnvoyVersionCheck removes the check for Envoy, which can be useful + # on AArch64 as the images do not currently ship a version of Envoy. + #disableEnvoyVersionCheck: false + + clustermesh: + # -- Deploy clustermesh-apiserver for clustermesh + useAPIServer: enabled + # -- The maximum number of clusters to support in a ClusterMesh. This value + # cannot be changed on running clusters, and all clusters in a ClusterMesh + # must be configured with the same value. Values > 255 will decrease the + # maximum allocatable cluster-local identities. + # Supported values are 255 and 511. 
+ maxConnectedClusters: 255 + + # -- Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config) + annotations: {} + + # -- Clustermesh explicit configuration. + config: + # -- Enable the Clustermesh explicit configuration. + enabled: true + # -- Default dns domain for the Clustermesh API servers + # This is used in the case cluster addresses are not provided + # and IPs are used. + domain: mesh.cilium.io + # -- List of clusters to be peered in the mesh. + clusters: + # -- Name of the cluster + - name: cluster-01 + # -- Address of the cluster, use this if you created DNS records for + # the cluster Clustermesh API server. + address: cluster-01.mesh.cilium.io + # -- Port of the cluster Clustermesh API server. + port: 2379 + # -- IPs of the cluster Clustermesh API server, use multiple ones when + # you have multiple IPs to access the Clustermesh API server. + ips: + - 172.18.255.201 + # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority. + # These fields can (and should) be omitted in case the CA is shared across clusters. In that case, the + # "remote" private key and certificate available in the local cluster are automatically used instead. + # tls: + # cert: "" + # key: "" + # caCert: "" + - name: cluster-02 + # -- Address of the cluster, use this if you created DNS records for + # the cluster Clustermesh API server. + address: cluster-02.mesh.cilium.io + # -- Port of the cluster Clustermesh API server. + port: 2379 + # -- IPs of the cluster Clustermesh API server, use multiple ones when + # you have multiple IPs to access the Clustermesh API server. + ips: + - 172.18.255.202 + # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority. + # These fields can (and should) be omitted in case the CA is shared across clusters. 
In that case, the + # "remote" private key and certificate available in the local cluster are automatically used instead. + # tls: + # cert: "" + # key: "" + # caCert: "" + + + apiserver: + # -- Clustermesh API server image. + image: + override: ~ + repository: "quay.io/cilium/clustermesh-apiserver" + tag: "v1.15.2" + # clustermesh-apiserver-digest + digest: "" + useDigest: false + pullPolicy: "IfNotPresent" + + etcd: + # The etcd binary is included in the clustermesh API server image, so the same image from above is reused. + # Independent override isn't supported, because clustermesh-apiserver is tested against the etcd version it is + # built with. + + # -- Specifies the resources for etcd container in the apiserver + resources: {} + # requests: + # cpu: 200m + # memory: 256Mi + # limits: + # cpu: 1000m + # memory: 256Mi + + # -- Security context to be added to clustermesh-apiserver etcd containers + securityContext: {} + + # -- lifecycle setting for the etcd container + lifecycle: {} + + init: + # -- Specifies the resources for etcd init container in the apiserver + resources: {} + # requests: + # cpu: 100m + # memory: 100Mi + # limits: + # cpu: 100m + # memory: 100Mi + + # -- Additional arguments to `clustermesh-apiserver etcdinit`. + extraArgs: [] + + # -- Additional environment variables to `clustermesh-apiserver etcdinit`. + extraEnv: [] + + kvstoremesh: + # -- Enable KVStoreMesh. KVStoreMesh caches the information retrieved + # from the remote clusters in the local etcd instance. + enabled: false + + # -- Additional KVStoreMesh arguments. + extraArgs: [] + + # -- Additional KVStoreMesh environment variables. + extraEnv: [] + + # -- Resource requests and limits for the KVStoreMesh container + resources: {} + # requests: + # cpu: 100m + # memory: 64Mi + # limits: + # cpu: 1000m + # memory: 1024M + + # -- Additional KVStoreMesh volumeMounts. 
+ extraVolumeMounts: [] + + # -- KVStoreMesh Security context + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + + # -- lifecycle setting for the KVStoreMesh container + lifecycle: {} + + service: + # -- The type of service used for apiserver access. + type: NodePort + # -- Optional port to use as the node port for apiserver access. + # + # WARNING: make sure to configure a different NodePort in each cluster if + # kube-proxy replacement is enabled, as Cilium is currently affected by a known + # bug (#24692) when NodePorts are handled by the KPR implementation. If a service + # with the same NodePort exists both in the local and the remote cluster, all + # traffic originating from inside the cluster and targeting the corresponding + # NodePort will be redirected to a local backend, regardless of whether the + # destination node belongs to the local or the remote cluster. + nodePort: 32379 + # -- Optional loadBalancer IP address to use with type LoadBalancer. + # loadBalancerIP: + + # -- Annotations for the clustermesh-apiserver + # For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal" + # For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + annotations: {} + + # -- The externalTrafficPolicy of service used for apiserver access. + externalTrafficPolicy: + + # -- The internalTrafficPolicy of service used for apiserver access. + internalTrafficPolicy: + + # -- Number of replicas run for the clustermesh-apiserver deployment. + replicas: 1 + + # -- lifecycle setting for the apiserver container + lifecycle: {} + + # -- terminationGracePeriodSeconds for the clustermesh-apiserver deployment + terminationGracePeriodSeconds: 30 + + # -- Additional clustermesh-apiserver arguments. + extraArgs: [] + + # -- Additional clustermesh-apiserver environment variables. + extraEnv: [] + + # -- Additional clustermesh-apiserver volumes. 
+ extraVolumes: [] + + # -- Additional clustermesh-apiserver volumeMounts. + extraVolumeMounts: [] + + # -- Security context to be added to clustermesh-apiserver containers + securityContext: {} + + # -- Security context to be added to clustermesh-apiserver pods + podSecurityContext: {} + + # -- Annotations to be added to clustermesh-apiserver pods + podAnnotations: {} + + # -- Labels to be added to clustermesh-apiserver pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- Resource requests and limits for the clustermesh-apiserver container of the clustermesh-apiserver deployment, such as + # resources: + # limits: + # cpu: 1000m + # memory: 1024M + # requests: + # cpu: 100m + # memory: 64Mi + # -- Resource requests and limits for the clustermesh-apiserver + resources: {} + # requests: + # cpu: 100m + # memory: 64Mi + # limits: + # cpu: 1000m + # memory: 1024M + + # -- Affinity for clustermesh.apiserver + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: clustermesh-apiserver + + # -- Pod topology spread constraints for clustermesh-apiserver + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Node labels for pod assignment + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for pod assignment on nodes with taints + # ref: 
https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: [] + + # -- clustermesh-apiserver update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # -- The priority class to use for clustermesh-apiserver + priorityClassName: "" + + tls: + # -- Configure the clustermesh authentication mode. + # Supported values: + # - legacy: All clusters access remote clustermesh instances with the same + # username (i.e., remote). The "remote" certificate must be + # generated with CN=remote if provided manually. + # - migration: Intermediate mode required to upgrade from legacy to cluster + # (and vice versa) with no disruption. Specifically, it enables + # the creation of the per-cluster usernames, while still using + # the common one for authentication. The "remote" certificate must + # be generated with CN=remote if provided manually (same as legacy). + # - cluster: Each cluster accesses remote etcd instances with a username + # depending on the local cluster name (i.e., remote-). + # The "remote" certificate must be generated with CN=remote- + # if provided manually. Cluster mode is meaningful only when the same + # CA is shared across all clusters part of the mesh. + authMode: legacy + + # -- Configure automatic TLS certificates generation. + # A Kubernetes CronJob is used the generate any + # certificates not provided by the user at installation + # time. + auto: + # -- When set to true, automatically generate a CA and certificates to + # enable mTLS between clustermesh-apiserver and external workload instances. + # If set to false, the certs to be provided by setting appropriate values below. + enabled: true + # Sets the method to auto-generate certificates. Supported values: + # - helm: This method uses Helm to generate all certificates. + # - cronJob: This method uses a Kubernetes CronJob the generate any + # certificates not provided by the user at installation + # time. 
+ # - certmanager: This method use cert-manager to generate & rotate certificates. + method: helm + # -- Generated certificates validity duration in days. + certValidityDuration: 1095 + # -- Schedule for certificates regeneration (regardless of their expiration date). + # Only used if method is "cronJob". If nil, then no recurring job will be created. + # Instead, only the one-shot job is deployed to generate the certificates at + # installation time. + # + # Due to the out-of-band distribution of client certs to external workloads the + # CA is (re)regenerated only if it is not provided as a helm value and the k8s + # secret is manually deleted. + # + # Defaults to none. Commented syntax gives midnight of the first day of every + # fourth month. For syntax, see + # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax + # schedule: "0 0 1 */4 *" + + # [Example] + # certManagerIssuerRef: + # group: cert-manager.io + # kind: ClusterIssuer + # name: ca-issuer + # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. + certManagerIssuerRef: {} + # -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. + # Used if 'auto' is not enabled. + server: + cert: "" + key: "" + # -- Extra DNS names added to certificate when it's auto generated + extraDnsNames: [] + # -- Extra IP addresses added to certificate when it's auto generated + extraIpAddresses: [] + # -- base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key. + # Used if 'auto' is not enabled. + admin: + cert: "" + key: "" + # -- base64 encoded PEM values for the clustermesh-apiserver client certificate and private key. + # Used if 'auto' is not enabled. + client: + cert: "" + key: "" + # -- base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key. + # Used if 'auto' is not enabled. 
+ remote: + cert: "" + key: "" + + # clustermesh-apiserver Prometheus metrics configuration + metrics: + # -- Enables exporting apiserver metrics in OpenMetrics format. + enabled: true + # -- Configure the port the apiserver metric server listens on. + port: 9962 + + kvstoremesh: + # -- Enables exporting KVStoreMesh metrics in OpenMetrics format. + enabled: true + # -- Configure the port the KVStoreMesh metric server listens on. + port: 9964 + + etcd: + # -- Enables exporting etcd metrics in OpenMetrics format. + enabled: true + # -- Set level of detail for etcd metrics; specify 'extensive' to include server side gRPC histogram metrics. + mode: basic + # -- Configure the port the etcd metric server listens on. + port: 9963 + + serviceMonitor: + # -- Enable service monitor. + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + enabled: false + # -- Labels to add to ServiceMonitor clustermesh-apiserver + labels: {} + # -- Annotations to add to ServiceMonitor clustermesh-apiserver + annotations: {} + # -- Specify the Kubernetes namespace where Prometheus expects to find + # service monitors configured. 
+ # namespace: "" + + # -- Interval for scrape metrics (apiserver metrics) + interval: "10s" + # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics) + relabelings: ~ + # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics) + metricRelabelings: ~ + + kvstoremesh: + # -- Interval for scrape metrics (KVStoreMesh metrics) + interval: "10s" + # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics) + relabelings: ~ + # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics) + metricRelabelings: ~ + + etcd: + # -- Interval for scrape metrics (etcd metrics) + interval: "10s" + # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics) + relabelings: ~ + # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics) + metricRelabelings: ~ + + # -- Configure external workloads support + externalWorkloads: + # -- Enable support for external workloads, such as VMs (false by default). + enabled: false + + # -- Configure cgroup related configuration + cgroup: + autoMount: + # -- Enable auto mount of cgroup2 filesystem. + # When `autoMount` is enabled, cgroup2 filesystem is mounted at + # `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod. + # If users disable `autoMount`, it's expected that users have mounted + # cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the + # volume will be mounted inside the cilium agent pod at the same path. 
+ enabled: true + # -- Init Container Cgroup Automount resource limits & requests + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`) + hostRoot: /run/cilium/cgroupv2 + + # -- Configure whether to enable auto detect of terminating state for endpoints + # in order to support graceful termination. + enableK8sTerminatingEndpoint: true + + # -- Configure whether to unload DNS policy rules on graceful shutdown + # dnsPolicyUnloadOnShutdown: false + + # -- Configure the key of the taint indicating that Cilium is not ready on the node. + # When set to a value starting with `ignore-taint.cluster-autoscaler.kubernetes.io/`, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up. + agentNotReadyTaintKey: "node.cilium.io/agent-not-ready" + + dnsProxy: + # -- DNS response code for rejecting DNS requests, available options are '[nameError refused]'. + dnsRejectResponseCode: refused + # -- Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present. + enableDnsCompression: true + # -- Maximum number of IPs to maintain per FQDN name for each endpoint. + endpointMaxIpPerHostname: 50 + # -- Time during which idle but previously active connections with expired DNS lookups are still considered alive. + idleConnectionGracePeriod: 0s + # -- Maximum number of IPs to retain for expired DNS lookups with still-active connections. + maxDeferredConnectionDeletes: 10000 + # -- The minimum time, in seconds, to use DNS data for toFQDNs policies. If + # the upstream DNS server returns a DNS record with a shorter TTL, Cilium + # overwrites the TTL with this value. Setting this value to zero means that + # Cilium will honor the TTLs returned by the upstream DNS server. 
+ minTtl: 0 + # -- DNS cache data at this path is preloaded on agent startup. + preCache: "" + # -- Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. + proxyPort: 0 + # -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. + proxyResponseMaxDelay: 100ms + # -- DNS proxy operation mode (true/false, or unset to use version dependent defaults) + # enableTransparentMode: true + + # -- SCTP Configuration Values + sctp: + # -- Enable SCTP support. NOTE: Currently, SCTP support does not support rewriting ports or multihoming. + enabled: false + + # Configuration for types of authentication for Cilium (beta) + authentication: + # -- Enable authentication processing and garbage collection. + # Note that if disabled, policy enforcement will still block requests that require authentication. + # But the resulting authentication requests for these requests will not be processed, therefore the requests not be allowed. + enabled: true + # -- Buffer size of the channel Cilium uses to receive authentication events from the signal map. + queueSize: 1024 + # -- Buffer size of the channel Cilium uses to receive certificate expiration events from auth handlers. + rotatedIdentitiesQueueSize: 1024 + # -- Interval for garbage collection of auth map entries. + gcInterval: "5m0s" + # Configuration for Cilium's service-to-service mutual authentication using TLS handshakes. + # Note that this is not full mTLS support without also enabling encryption of some form. + # Current encryption options are Wireguard or IPSec, configured in encryption block above. 
+ mutual: + # -- Port on the agent where mutual authentication handshakes between agents will be performed + port: 4250 + # -- Timeout for connecting to the remote node TCP socket + connectTimeout: 5s + # Settings for SPIRE + spire: + # -- Enable SPIRE integration (beta) + enabled: false + # -- Annotations to be added to all top-level spire objects (resources under templates/spire) + annotations: {} + # Settings to control the SPIRE installation and configuration + install: + # -- Enable SPIRE installation. + # This will only take effect only if authentication.mutual.spire.enabled is true + enabled: true + # -- SPIRE namespace to install into + namespace: cilium-spire + # -- SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. + existingNamespace: false + # -- init container image of SPIRE agent and server + initImage: + override: ~ + repository: "docker.io/library/busybox" + tag: "1.36.1" + digest: "sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b" + useDigest: true + pullPolicy: "IfNotPresent" + # SPIRE agent configuration + agent: + # -- SPIRE agent image + image: + override: ~ + repository: "ghcr.io/spiffe/spire-agent" + tag: "1.8.5" + digest: "sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b" + useDigest: true + pullPolicy: "IfNotPresent" + # -- SPIRE agent service account + serviceAccount: + create: true + name: spire-agent + # -- SPIRE agent annotations + annotations: {} + # -- SPIRE agent labels + labels: {} + # -- SPIRE Workload Attestor kubelet verification. + skipKubeletVerification: true + # -- SPIRE agent tolerations configuration + # By default it follows the same tolerations as the agent itself + # to allow the Cilium agent on this node to connect to SPIRE. 
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: + - key: node.kubernetes.io/not-ready + effect: NoSchedule + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + - key: node.cloudprovider.kubernetes.io/uninitialized + effect: NoSchedule + value: "true" + - key: CriticalAddonsOnly + operator: "Exists" + # -- SPIRE agent affinity configuration + affinity: {} + # -- SPIRE agent nodeSelector configuration + # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: {} + # -- Security context to be added to spire agent pods. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # -- Security context to be added to spire agent containers. + # SecurityContext holds pod-level security attributes and common container settings. 
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: {} + server: + # -- SPIRE server image + image: + override: ~ + repository: "ghcr.io/spiffe/spire-server" + tag: "1.8.5" + digest: "sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428" + useDigest: true + pullPolicy: "IfNotPresent" + # -- SPIRE server service account + serviceAccount: + create: true + name: spire-server + # -- SPIRE server init containers + initContainers: [] + # -- SPIRE server annotations + annotations: {} + # -- SPIRE server labels + labels: {} + # SPIRE server service configuration + service: + # -- Service type for the SPIRE server service + type: ClusterIP + # -- Annotations to be added to the SPIRE server service + annotations: {} + # -- Labels to be added to the SPIRE server service + labels: {} + # -- SPIRE server affinity configuration + affinity: {} + # -- SPIRE server nodeSelector configuration + # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: {} + # -- SPIRE server tolerations configuration + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: [] + # SPIRE server datastorage configuration + dataStorage: + # -- Enable SPIRE server data storage + enabled: true + # -- Size of the SPIRE server data storage + size: 1Gi + # -- Access mode of the SPIRE server data storage + accessMode: ReadWriteOnce + # -- StorageClass of the SPIRE server data storage + storageClass: null + # -- Security context to be added to spire server pods. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # -- Security context to be added to spire server containers. 
+ # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: {} + # SPIRE CA configuration + ca: + # -- SPIRE CA key type + # AWS requires the use of RSA. EC cryptography is not supported + keyType: "rsa-4096" + # -- SPIRE CA Subject + subject: + country: "US" + organization: "SPIRE" + commonName: "Cilium SPIRE CA" + # -- SPIRE server address used by Cilium Operator + # + # If k8s Service DNS along with port number is used (e.g. ..svc(.*): format), + # Cilium Operator will resolve its address by looking up the clusterIP from Service resource. + # + # Example values: 10.0.0.1:8081, spire-server.cilium-spire.svc:8081 + serverAddress: ~ + # -- SPIFFE trust domain to use for fetching certificates + trustDomain: spiffe.cilium + # -- SPIRE socket path where the SPIRE delegated api agent is listening + adminSocketPath: /run/spire/sockets/admin.sock + # -- SPIRE socket path where the SPIRE workload agent is listening. + # Applies to both the Cilium Agent and Operator + agentSocketPath: /run/spire/sockets/agent/agent.sock + # -- SPIRE connection timeout + connectionTimeout: 30s diff --git a/clusters/cluster-mgmt/cluster-01/capi-cluster.yaml b/clusters/cluster-mgmt/cluster-01/capi-cluster.yaml index 290e1c3..e901a96 100644 --- a/clusters/cluster-mgmt/cluster-01/capi-cluster.yaml +++ b/clusters/cluster-mgmt/cluster-01/capi-cluster.yaml @@ -12,7 +12,7 @@ spec: clusterNetwork: pods: cidrBlocks: - - "192.168.0.0/20" + - "192.168.16.0/20" infrastructureRef: apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 kind: AWSCluster diff --git a/clusters/cluster-mgmt/cluster-01/kustomization.yaml b/clusters/cluster-mgmt/cluster-01/kustomization.yaml index 3437598..5e13634 100644 --- a/clusters/cluster-mgmt/cluster-01/kustomization.yaml +++ b/clusters/cluster-mgmt/cluster-01/kustomization.yaml 
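Review bot: The pod CIDR for cluster-01 is moved to `192.168.16.0/20` with nothing on the changed line recording why, and since the cluster-02 HelmChartProxy added later in this patch sets `cluster.id: 2` under the same `cilium-mesh: main` selector, the two clusters appear to be meshed; Cilium Cluster Mesh requires pod CIDRs that do not overlap across member clusters, so this value is a cross-cluster invariant rather than a local choice. A short comment on the changed line, `# cluster-01 pod CIDR: must not overlap the other cilium-mesh members (Cluster Mesh requirement)`, would make the constraint visible to the next edit of either cluster's definition. It is also worth confirming that the Cilium IPAM settings for this cluster, which are not in these hunks, take the pod range from the CAPI `clusterNetwork` rather than carrying a separate copy that this change leaves stale.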
@@ -4,3 +4,4 @@ resources: - namespace.yaml - platform.yaml - capi-cluster.yaml + - caaph-hcp-v1.15.2.yaml diff --git a/clusters/cluster-mgmt/cluster-01/platform.yaml b/clusters/cluster-mgmt/cluster-01/platform.yaml index 24898cc..84ed2dd 100644 --- a/clusters/cluster-mgmt/cluster-01/platform.yaml +++ b/clusters/cluster-mgmt/cluster-01/platform.yaml @@ -15,21 +15,3 @@ spec: kubeConfig: secretRef: name: cluster-01-kubeconfig ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: caaph-cni - namespace: cluster-01 -spec: - interval: 1m - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - path: ./k8s-platform/cni-caaph-resource/cilium/v1.15.2 - targetNamespace: cluster-01 - prune: true - dependsOn: - - name: caaph - namespace: flux-system diff --git a/clusters/cluster-mgmt/cluster-02/caaph-hcp-v1.15.2.yaml b/clusters/cluster-mgmt/cluster-02/caaph-hcp-v1.15.2.yaml new file mode 100644 index 0000000..ce844d3 --- /dev/null +++ b/clusters/cluster-mgmt/cluster-02/caaph-hcp-v1.15.2.yaml 
@@ -0,0 +1,3535 @@ +apiVersion: addons.cluster.x-k8s.io/v1alpha1 +kind: HelmChartProxy +metadata: + name: cilium +spec: + clusterSelector: + matchLabels: + cilium-mesh: main + repoURL: https://helm.cilium.io/ + chartName: cilium + namespace: cilium + version: "1.15.2" + valuesTemplate: | + # https://github.com/cilium/cilium/blob/v1.15.2/install/kubernetes/cilium/values.yaml + + # File generated by install/kubernetes/Makefile; DO NOT EDIT. + # This file is based on install/kubernetes/cilium/*values.yaml.tmpl. + + + # upgradeCompatibility helps users upgrading to ensure that the configMap for + # Cilium will not change critical values to ensure continued operation + # This flag is not required for new installations. + # For example: 1.7, 1.8, 1.9 + # upgradeCompatibility: '1.8' + + debug: + # -- Enable debug logging + enabled: false + # -- Configure verbosity levels for debug logging + # This option is used to enable debug messages for operations related to such + # sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is + # for enabling debug messages emitted per request, message and connection. + # Multiple values can be set via a space-separated string (e.g. "datapath envoy"). + # + # Applicable values: + # - flow + # - kvstore + # - envoy + # - datapath + # - policy + verbose: ~ + + rbac: + # -- Enable creation of Resource-Based Access Control configuration. 
+ create: true + + # -- Configure image pull secrets for pulling container images + imagePullSecrets: + # - name: "image-pull-secret" + + # -- (string) Kubernetes config path + # @default -- `"~/.kube/config"` + kubeConfigPath: "" + # -- (string) Kubernetes service host + k8sServiceHost: {{ .Cluster.spec.controlPlaneEndpoint.host }} + # -- (string) Kubernetes service port + k8sServicePort: {{ .Cluster.spec.controlPlaneEndpoint.port }} + + # -- Configure the client side rate limit for the agent and operator + # + # If the amount of requests to the Kubernetes API server exceeds the configured + # rate limit, the agent and operator will start to throttle requests by delaying + # them until there is budget or the request times out. + k8sClientRateLimit: + # -- (int) The sustained request rate in requests per second. + # @default -- 5 for k8s up to 1.26. 10 for k8s version 1.27+ + qps: + # -- (int) The burst request rate in requests per second. + # The rate limiter will allow short bursts with a higher rate. + # @default -- 10 for k8s up to 1.26. 20 for k8s version 1.27+ + burst: + + cluster: + # -- Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. + name: {{ .ControlPlane.metadata.name }} + # -- (int) Unique ID of the cluster. Must be unique across all connected + # clusters and in the range of 1 to 255. Only required for Cluster Mesh, + # may be 0 if Cluster Mesh is not used. + id: 2 + + # -- Define serviceAccount names for components. + # @default -- Component's fully qualified name. + serviceAccounts: + cilium: + create: true + name: cilium + automount: true + annotations: {} + nodeinit: + create: true + # -- Enabled is temporary until https://github.com/cilium/cilium-cli/issues/1396 is implemented. + # Cilium CLI doesn't create the SAs for node-init, thus the workaround. Helm is not affected by + # this issue. Name and automount can be configured, if enabled is set to true. + # Otherwise, they are ignored. 
Enabled can be removed once the issue is fixed. + # Cilium-nodeinit DS must also be fixed. + enabled: false + name: cilium-nodeinit + automount: true + annotations: {} + envoy: + create: true + name: cilium-envoy + automount: true + annotations: {} + etcd: + create: true + name: cilium-etcd-operator + automount: true + annotations: {} + operator: + create: true + name: cilium-operator + automount: true + annotations: {} + preflight: + create: true + name: cilium-pre-flight + automount: true + annotations: {} + relay: + create: true + name: hubble-relay + automount: false + annotations: {} + ui: + create: true + name: hubble-ui + automount: true + annotations: {} + clustermeshApiserver: + create: true + name: clustermesh-apiserver + automount: true + annotations: {} + # -- Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob + clustermeshcertgen: + create: true + name: clustermesh-apiserver-generate-certs + automount: true + annotations: {} + # -- Hubblecertgen is used if hubble.tls.auto.method=cronJob + hubblecertgen: + create: true + name: hubble-generate-certs + automount: true + annotations: {} + + # -- Configure termination grace period for cilium-agent DaemonSet. + terminationGracePeriodSeconds: 1 + + # -- Install the cilium agent resources. + agent: true + + # -- Agent container name. + name: cilium + + # -- Roll out cilium agent pods automatically when configmap is updated. + rollOutCiliumPods: false + + # -- Agent container image. + image: + override: ~ + repository: "quay.io/cilium/cilium" + tag: "v1.15.2" + pullPolicy: "IfNotPresent" + # cilium-digest + digest: "" + useDigest: false + + # -- Affinity for cilium-agent. + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium + + # -- Node selector for cilium-agent. 
+ nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for agent scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: + - operator: Exists + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- The priority class to use for cilium-agent. + priorityClassName: "" + + # -- DNS policy for Cilium agent pods. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: "" + + # -- Additional containers added to the cilium DaemonSet. + extraContainers: [] + + # -- Additional agent container arguments. + extraArgs: [] + + # -- Additional agent container environment variables. + extraEnv: [] + + # -- Additional agent hostPath mounts. + extraHostPathMounts: [] + # - name: host-mnt-data + # mountPath: /host/mnt/data + # hostPath: /mnt/data + # hostPathType: Directory + # readOnly: true + # mountPropagation: HostToContainer + + # -- Additional agent volumes. + extraVolumes: [] + + # -- Additional agent volumeMounts. + extraVolumeMounts: [] + + # -- extraConfig allows you to specify additional configuration parameters to be + # included in the cilium-config configmap. + extraConfig: {} + # my-config-a: "1234" + # my-config-b: |- + # test 1 + # test 2 + # test 3 + + # -- Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent) + annotations: {} + + # -- Security Context for cilium-agent pods. 
+ podSecurityContext: {} + + # -- Annotations to be added to agent pods + podAnnotations: {} + + # -- Labels to be added to agent pods + podLabels: {} + + # -- Agent resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + # -- resources & limits for the agent init containers + initResources: {} + + securityContext: + # -- User to run the pod with + # runAsUser: 0 + # -- Run the pod with elevated privileges + privileged: false + # -- SELinux options for the `cilium-agent` and init containers + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. + type: 'spc_t' + capabilities: + # -- Capabilities for the `cilium-agent` container + ciliumAgent: + # Use to set socket permission + - CHOWN + # Used to terminate envoy child process + - KILL + # Used since cilium modifies routing tables, etc... + - NET_ADMIN + # Used since cilium creates raw sockets, etc... + - NET_RAW + # Used since cilium monitor uses mmap + - IPC_LOCK + # Used in iptables. Consider removing once we are iptables-free + - SYS_MODULE + # We need it for now but might not need it for >= 5.11 specially + # for the 'SYS_RESOURCE'. + # In >= 5.8 there's already BPF and PERMON capabilities + - SYS_ADMIN + # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC + - SYS_RESOURCE + # Both PERFMON and BPF requires kernel 5.8, container runtime + # cri-o >= v1.22.0 or containerd >= v1.5.0. + # If available, SYS_ADMIN can be removed. + #- PERFMON + #- BPF + # Allow discretionary access control (e.g. required for package installation) + - DAC_OVERRIDE + # Allow to set Access Control Lists (ACLs) on arbitrary files (e.g. 
required for package installation) + - FOWNER + # Allow to execute program that changes GID (e.g. required for package installation) + - SETGID + # Allow to execute program that changes UID (e.g. required for package installation) + - SETUID + # -- Capabilities for the `mount-cgroup` init container + mountCgroup: + # Only used for 'mount' cgroup + - SYS_ADMIN + # Used for nsenter + - SYS_CHROOT + - SYS_PTRACE + # -- capabilities for the `apply-sysctl-overwrites` init container + applySysctlOverwrites: + # Required in order to access host's /etc/sysctl.d dir + - SYS_ADMIN + # Used for nsenter + - SYS_CHROOT + - SYS_PTRACE + # -- Capabilities for the `clean-cilium-state` init container + cleanCiliumState: + # Most of the capabilities here are the same ones used in the + # cilium-agent's container because this container can be used to + # uninstall all Cilium resources, and therefore it is likely that + # will need the same capabilities. + # Used since cilium modifies routing tables, etc... + - NET_ADMIN + # Used in iptables. Consider removing once we are iptables-free + - SYS_MODULE + # We need it for now but might not need it for >= 5.11 specially + # for the 'SYS_RESOURCE'. + # In >= 5.8 there's already BPF and PERMON capabilities + - SYS_ADMIN + # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC + - SYS_RESOURCE + # Both PERFMON and BPF requires kernel 5.8, container runtime + # cri-o >= v1.22.0 or containerd >= v1.5.0. + # If available, SYS_ADMIN can be removed. + #- PERFMON + #- BPF + + # -- Cilium agent update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 2 + + # Configuration Values for cilium-agent + + aksbyocni: + # -- Enable AKS BYOCNI integration. + # Note that this is incompatible with AKS clusters not created in BYOCNI mode: + # use Azure integration (`azure.enabled`) instead. 
+ enabled: false + + # -- Enable installation of PodCIDR routes between worker + # nodes if worker nodes share a common L2 network segment. + autoDirectNodeRoutes: false + + # -- Annotate k8s node upon initialization with Cilium's metadata. + annotateK8sNode: false + + azure: + # -- Enable Azure integration. + # Note that this is incompatible with AKS clusters created in BYOCNI mode: use + # AKS BYOCNI integration (`aksbyocni.enabled`) instead. + enabled: false + # usePrimaryAddress: false + # resourceGroup: group1 + # subscriptionID: 00000000-0000-0000-0000-000000000000 + # tenantID: 00000000-0000-0000-0000-000000000000 + # clientID: 00000000-0000-0000-0000-000000000000 + # clientSecret: 00000000-0000-0000-0000-000000000000 + # userAssignedIdentityID: 00000000-0000-0000-0000-000000000000 + + alibabacloud: + # -- Enable AlibabaCloud ENI integration + enabled: false + + # -- Enable bandwidth manager to optimize TCP and UDP workloads and allow + # for rate-limiting traffic from individual Pods with EDT (Earliest Departure + # Time) through the "kubernetes.io/egress-bandwidth" Pod annotation. + bandwidthManager: + # -- Enable bandwidth manager infrastructure (also prerequirement for BBR) + enabled: false + # -- Activate BBR TCP congestion control for Pods + bbr: false + + # -- Configure standalone NAT46/NAT64 gateway + nat46x64Gateway: + # -- Enable RFC8215-prefixed translation + enabled: false + + # -- EnableHighScaleIPcache enables the special ipcache mode for high scale + # clusters. The ipcache content will be reduced to the strict minimum and + # traffic will be encapsulated to carry security identities. + highScaleIPcache: + # -- Enable the high scale mode for the ipcache. 
+ enabled: false + + # -- Configure L2 announcements + l2announcements: + # -- Enable L2 announcements + enabled: false + # -- If a lease is not renewed for X duration, the current leader is considered dead, a new leader is picked + # leaseDuration: 15s + # -- The interval at which the leader will renew the lease + # leaseRenewDeadline: 5s + # -- The timeout between retries if renewal fails + # leaseRetryPeriod: 2s + + # -- Configure L2 pod announcements + l2podAnnouncements: + # -- Enable L2 pod announcements + enabled: false + # -- Interface used for sending Gratuitous ARP pod announcements + interface: "eth0" + + # -- Configure BGP + bgp: + # -- Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside + # cilium-agent and cilium-operator + enabled: false + announce: + # -- Enable allocation and announcement of service LoadBalancer IPs + loadbalancerIP: false + # -- Enable announcement of node pod CIDR + podCIDR: false + + # -- This feature set enables virtual BGP routers to be created via + # CiliumBGPPeeringPolicy CRDs. + bgpControlPlane: + # -- Enables the BGP control plane. + enabled: false + # -- SecretsNamespace is the namespace which BGP support will retrieve secrets from. + secretsNamespace: + # -- Create secrets namespace for BGP secrets. + create: false + # -- The name of the secret namespace to which Cilium agents are given read access + name: kube-system + + pmtuDiscovery: + # -- Enable path MTU discovery to send ICMP fragmentation-needed replies to + # the client. + enabled: false + + bpf: + autoMount: + # -- Enable automatic mount of BPF filesystem + # When `autoMount` is enabled, the BPF filesystem is mounted at + # `bpf.root` path on the underlying host and inside the cilium agent pod. + # If users disable `autoMount`, it's expected that users have mounted + # bpffs filesystem at the specified `bpf.root` volume, and then the + # volume will be mounted inside the cilium agent pod at the same path. 
+ enabled: true + # -- Configure the mount point for the BPF filesystem + root: /sys/fs/bpf + + # -- Enables pre-allocation of eBPF map values. This increases + # memory usage but can reduce latency. + preallocateMaps: false + + # -- (int) Configure the maximum number of entries in auth map. + # @default -- `524288` + authMapMax: ~ + + # -- (int) Configure the maximum number of entries in the TCP connection tracking + # table. + # @default -- `524288` + ctTcpMax: ~ + + # -- (int) Configure the maximum number of entries for the non-TCP connection + # tracking table. + # @default -- `262144` + ctAnyMax: ~ + + # -- Configure the maximum number of service entries in the + # load balancer maps. + lbMapMax: 65536 + + # -- (int) Configure the maximum number of entries for the NAT table. + # @default -- `524288` + natMax: ~ + + # -- (int) Configure the maximum number of entries for the neighbor table. + # @default -- `524288` + neighMax: ~ + + # -- Configure the maximum number of entries in endpoint policy map (per endpoint). + policyMapMax: 16384 + + # -- (float64) Configure auto-sizing for all BPF maps based on available memory. + # ref: https://docs.cilium.io/en/stable/network/ebpf/maps/ + # @default -- `0.0025` + mapDynamicSizeRatio: ~ + + # -- Configure the level of aggregation for monitor notifications. + # Valid options are none, low, medium, maximum. + monitorAggregation: medium + + # -- Configure the typical time between monitor notifications for + # active connections. + monitorInterval: "5s" + + # -- Configure which TCP flags trigger notifications when seen for the + # first time in a connection. + monitorFlags: "all" + + # -- Allow cluster external access to ClusterIP services. 
+ lbExternalClusterIP: false + + # -- (bool) Enable native IP masquerade support in eBPF + # @default -- `false` + masquerade: ~ + + # -- (bool) Configure whether direct routing mode should route traffic via + # host stack (true) or directly and more efficiently out of BPF (false) if + # the kernel supports it. The latter has the implication that it will also + # bypass netfilter in the host namespace. + # @default -- `false` + hostLegacyRouting: ~ + + # -- (bool) Configure the eBPF-based TPROXY to reduce reliance on iptables rules + # for implementing Layer 7 policy. + # @default -- `false` + tproxy: ~ + + # -- (list) Configure explicitly allowed VLAN id's for bpf logic bypass. + # [0] will allow all VLAN id's without any filtering. + # @default -- `[]` + vlanBypass: ~ + + # -- Enable BPF clock source probing for more efficient tick retrieval. + bpfClockProbe: false + + # -- Clean all eBPF datapath state from the initContainer of the cilium-agent + # DaemonSet. + # + # WARNING: Use with care! + cleanBpfState: false + + # -- Clean all local Cilium state from the initContainer of the cilium-agent + # DaemonSet. Implies cleanBpfState: true. + # + # WARNING: Use with care! + cleanState: false + + # -- Wait for KUBE-PROXY-CANARY iptables rule to appear in "wait-for-kube-proxy" + # init container before launching cilium-agent. + # More context can be found in the commit message of below PR + # https://github.com/cilium/cilium/pull/20123 + waitForKubeProxy: false + + cni: + # -- Install the CNI configuration and binary files into the filesystem. + install: true + + # -- Remove the CNI configuration and binary files on agent shutdown. Enable this + # if you're removing Cilium from the cluster. Disable this to prevent the CNI + # configuration file from being removed during agent upgrade, which can cause + # nodes to go unmanageable. + uninstall: false + + # -- Configure chaining on top of other CNI plugins. 
Possible values: + # - none + # - aws-cni + # - flannel + # - generic-veth + # - portmap + chainingMode: ~ + + # -- A CNI network name in to which the Cilium plugin should be added as a chained plugin. + # This will cause the agent to watch for a CNI network with this network name. When it is + # found, this will be used as the basis for Cilium's CNI configuration file. If this is + # set, it assumes a chaining mode of generic-veth. As a special case, a chaining mode + # of aws-cni implies a chainingTarget of aws-cni. + chainingTarget: ~ + + # -- Make Cilium take ownership over the `/etc/cni/net.d` directory on the + # node, renaming all non-Cilium CNI configurations to `*.cilium_bak`. + # This ensures no Pods can be scheduled using other CNI plugins during Cilium + # agent downtime. + exclusive: true + + # -- Configure the log file for CNI logging with retention policy of 7 days. + # Disable CNI file logging by setting this field to empty explicitly. + logFile: /var/run/cilium/cilium-cni.log + + # -- Skip writing of the CNI configuration. This can be used if + # writing of the CNI configuration is performed by external automation. + customConf: false + + # -- Configure the path to the CNI configuration directory on the host. + confPath: /etc/cni/net.d + + # -- Configure the path to the CNI binary directory on the host. + binPath: /opt/cni/bin + + # -- Specify the path to a CNI config to read from on agent start. + # This can be useful if you want to manage your CNI + # configuration outside of a Kubernetes environment. This parameter is + # mutually exclusive with the 'cni.configMap' parameter. The agent will + # write this to 05-cilium.conflist on startup. 
+ # readCniConf: /host/etc/cni/net.d/05-sample.conflist.input + + # -- When defined, configMap will mount the provided value as ConfigMap and + # interpret the cniConf variable as CNI configuration file and write it + # when the agent starts up + # configMap: cni-configuration + + # -- Configure the key in the CNI ConfigMap to read the contents of + # the CNI configuration from. + configMapKey: cni-config + + # -- Configure the path to where to mount the ConfigMap inside the agent pod. + confFileMountPath: /tmp/cni-configuration + + # -- Configure the path to where the CNI configuration directory is mounted + # inside the agent pod. + hostConfDirMountPath: /host/etc/cni/net.d + + # -- Specifies the resources for the cni initContainer + resources: + requests: + cpu: 100m + memory: 10Mi + + # -- (string) Configure how frequently garbage collection should occur for the datapath + # connection tracking table. + # @default -- `"0s"` + conntrackGCInterval: "" + + # -- (string) Configure the maximum frequency for the garbage collection of the + # connection tracking table. Only affects the automatic computation for the frequency + # and has no effect when 'conntrackGCInterval' is set. This can be set to more frequently + # clean up unused identities created from ToFQDN policies. + conntrackGCMaxInterval: "" + + # -- Configure container runtime specific integration. + # Deprecated in favor of bpf.autoMount.enabled. To be removed in 1.15. + containerRuntime: + # -- Enables specific integrations for container runtimes. + # Supported values: + # - crio + # - none + integration: none + + # -- (string) Configure timeout in which Cilium will exit if CRDs are not available + # @default -- `"5m"` + crdWaitTimeout: "" + + # -- Tail call hooks for custom eBPF programs. + customCalls: + # -- Enable tail call hooks for custom eBPF programs. + enabled: false + + daemon: + # -- Configure where Cilium runtime state should be stored. 
+ runPath: "/var/run/cilium"
+
+ # -- Configure a custom list of possible configuration override sources
+ # The default is "config-map:cilium-config,cilium-node-config". For supported
+ # values, see the help text for the build-config subcommand.
+ # Note that this value should be a comma-separated string.
+ configSources: ~
+
+ # -- allowedConfigOverrides is a list of config-map keys that can be overridden.
+ # That is to say, if this value is set, config sources (excepting the first one) can
+ # only override keys in this list.
+ #
+ # This takes precedence over blockedConfigOverrides.
+ #
+ # By default, all keys may be overridden. To disable overrides, set this to "none" or
+ # change the configSources variable.
+ allowedConfigOverrides: ~
+
+ # -- blockedConfigOverrides is a list of config-map keys that may not be overridden.
+ # In other words, if any of these keys appear in a configuration source excepting the
+ # first one, they will be ignored
+ #
+ # This is ignored if allowedConfigOverrides is set.
+ #
+ # By default, all keys may be overridden.
+ blockedConfigOverrides: ~
+
+ # -- Specify which network interfaces can run the eBPF datapath. This means
+ # that a packet sent from a pod to a destination outside the cluster will be
+ # masqueraded (to an output device IPv4 address), if the output device runs the
+ # program. When not specified, probing will automatically detect devices that have
+ # a non-local route. This should be used only when autodetection is not suitable.
+ # devices: ""
+
+ # -- Enables experimental support for the detection of new and removed datapath
+ # devices. When devices change the eBPF datapath is reloaded and services updated.
+ # If "devices" is set then only those devices, or devices matching a wildcard will
+ # be considered.
+ enableRuntimeDeviceDetection: false
+
+ # -- Chains to ignore when installing feeder rules.
+ # disableIptablesFeederRules: ""
+
+ # -- Limit iptables-based egress masquerading to interface selector.
+ # egressMasqueradeInterfaces: ""
+
+ # -- Enable setting identity mark for local traffic.
+ # enableIdentityMark: true
+
+ # -- Enable Kubernetes EndpointSlice feature in Cilium if the cluster supports it.
+ # enableK8sEndpointSlice: true
+
+ # -- Enable CiliumEndpointSlice feature.
+ enableCiliumEndpointSlice: false
+
+ envoyConfig:
+ # -- Enable CiliumEnvoyConfig CRD
+ # CiliumEnvoyConfig CRD can also be implicitly enabled by other options.
+ enabled: false
+
+ # -- SecretsNamespace is the namespace in which envoy SDS will retrieve secrets from.
+ secretsNamespace:
+ # -- Create secrets namespace for CiliumEnvoyConfig CRDs.
+ create: true
+
+ # -- The name of the secret namespace to which Cilium agents are given read access.
+ name: cilium-secrets
+
+ ingressController:
+ # -- Enable cilium ingress controller
+ # This will automatically set enable-envoy-config as well.
+ enabled: false
+
+ # -- Set cilium ingress controller to be the default ingress controller
+ # This will let cilium ingress controller route entries without ingress class set
+ default: false
+
+ # -- Default ingress load balancer mode
+ # Supported values: shared, dedicated
+ # For granular control, use the following annotations on the ingress resource
+ # ingress.cilium.io/loadbalancer-mode: shared|dedicated,
+ loadbalancerMode: dedicated
+
+ # -- Enforce https for host having matching TLS host in Ingress.
+ # Incoming traffic to http listener will return 308 http error code with respective location in header.
+ enforceHttps: true
+
+ # -- Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled.
+ enableProxyProtocol: false
+
+ # -- IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service
+ ingressLBAnnotationPrefixes: ['service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com']
+
+ # -- Default secret namespace for ingresses without .spec.tls[].secretName set.
+ defaultSecretNamespace:
+
+ # -- Default secret name for ingresses without .spec.tls[].secretName set.
+ defaultSecretName:
+
+ # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from.
+ secretsNamespace:
+ # -- Create secrets namespace for Ingress.
+ create: true
+
+ # -- Name of Ingress secret namespace.
+ name: cilium-secrets
+
+ # -- Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name.
+ # If disabled, TLS secrets must be maintained externally.
+ sync: true
+
+ # -- Load-balancer service in shared mode.
+ # This is a single load-balancer service for all Ingress resources.
+ service:
+ # -- Service name
+ name: cilium-ingress
+ # -- Labels to be added for the shared LB service
+ labels: {}
+ # -- Annotations to be added for the shared LB service
+ annotations: {}
+ # -- Service type for the shared LB service
+ type: LoadBalancer
+ # -- Configure a specific nodePort for insecure HTTP traffic on the shared LB service
+ insecureNodePort: ~
+ # -- Configure a specific nodePort for secure HTTPS traffic on the shared LB service
+ secureNodePort : ~
+ # -- Configure a specific loadBalancerClass on the shared LB service (requires Kubernetes 1.24+)
+ loadBalancerClass: ~
+ # -- Configure a specific loadBalancerIP on the shared LB service
+ loadBalancerIP : ~
+ # -- Configure if node port allocation is required for LB service
+ # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
+ allocateLoadBalancerNodePorts: ~
+
+ gatewayAPI:
+ # -- Enable support for Gateway API in cilium
+ # This will automatically set enable-envoy-config as well.
+ enabled: false
+
+ # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from.
+ secretsNamespace:
+ # -- Create secrets namespace for Gateway API.
+ create: true
+
+ # -- Name of Gateway API secret namespace.
+ name: cilium-secrets
+
+ # -- Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name.
+ # If disabled, TLS secrets must be maintained externally.
+ sync: true
+
+ # -- Enables the fallback compatibility solution for when the xt_socket kernel
+ # module is missing and it is needed for the datapath L7 redirection to work
+ # properly. See documentation for details on when this can be disabled:
+ # https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel.
+ enableXTSocketFallback: true
+
+ encryption:
+ # -- Enable transparent network encryption.
+ enabled: false
+
+ # -- Encryption method. Can be either ipsec or wireguard.
+ type: ipsec
+
+ # -- Enable encryption for pure node to node traffic.
+ # This option is only effective when encryption.type is set to "wireguard".
+ nodeEncryption: false
+
+ # -- Configure the WireGuard Pod2Pod strict mode.
+ strictMode:
+ # -- Enable WireGuard Pod2Pod strict mode.
+ enabled: false
+
+ # -- CIDR for the WireGuard Pod2Pod strict mode.
+ cidr: ""
+
+ # -- Allow dynamic lookup of remote node identities.
+ # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap.
+ allowRemoteNodeIdentities: false
+
+ ipsec:
+ # -- Name of the key file inside the Kubernetes secret configured via secretName.
+ keyFile: ""
+
+ # -- Path to mount the secret inside the Cilium pod.
+ mountPath: ""
+
+ # -- Name of the Kubernetes secret containing the encryption keys.
+ secretName: ""
+
+ # -- The interface to use for encrypted traffic.
+ interface: ""
+
+ # -- Enable the key watcher. If disabled, a restart of the agent will be
+ # necessary on key rotations.
+ keyWatcher: true
+
+ # -- Maximum duration of the IPsec key rotation. The previous key will be
+ # removed after that delay.
+ keyRotationDuration: "5m"
+
+ wireguard:
+ # -- Enables the fallback to the user-space implementation.
+ userspaceFallback: false
+ # -- Controls Wireguard PersistentKeepalive option. Set 0s to disable.
+ persistentKeepalive: 0s
+
+ # -- Deprecated in favor of encryption.ipsec.keyFile. To be removed in 1.15.
+ # Name of the key file inside the Kubernetes secret configured via secretName.
+ # This option is only effective when encryption.type is set to ipsec.
+ keyFile: keys
+
+ # -- Deprecated in favor of encryption.ipsec.mountPath. To be removed in 1.15.
+ # Path to mount the secret inside the Cilium pod.
+ # This option is only effective when encryption.type is set to ipsec.
+ mountPath: /etc/ipsec
+
+ # -- Deprecated in favor of encryption.ipsec.secretName. To be removed in 1.15.
+ # Name of the Kubernetes secret containing the encryption keys.
+ # This option is only effective when encryption.type is set to ipsec.
+ secretName: cilium-ipsec-keys
+
+ # -- Deprecated in favor of encryption.ipsec.interface. To be removed in 1.15.
+ # The interface to use for encrypted traffic.
+ # This option is only effective when encryption.type is set to ipsec.
+ interface: ""
+
+ endpointHealthChecking:
+ # -- Enable connectivity health checking between virtual endpoints.
+ enabled: true
+
+ # -- Enable endpoint status.
+ # Status can be: policy, health, controllers, log and / or state. For 2 or more options use a space.
+ endpointStatus:
+ enabled: false
+ status: ""
+
+ endpointRoutes:
+ # -- Enable use of per endpoint routes instead of routing via
+ # the cilium_host interface.
+ enabled: false
+
+ k8sNetworkPolicy:
+ # -- Enable support for K8s NetworkPolicy
+ enabled: true
+
+ eni:
+ # -- Enable Elastic Network Interface (ENI) integration.
+ enabled: false
+ # -- Update ENI Adapter limits from the EC2 API
+ updateEC2AdapterLimitViaAPI: true
+ # -- Release IPs not used from the ENI
+ awsReleaseExcessIPs: false
+ # -- Enable ENI prefix delegation
+ awsEnablePrefixDelegation: false
+ # -- EC2 API endpoint to use
+ ec2APIEndpoint: ""
+ # -- Tags to apply to the newly created ENIs
+ eniTags: {}
+ # -- Interval for garbage collection of unattached ENIs. Set to "0s" to disable.
+ # @default -- `"5m"`
+ gcInterval: ""
+ # -- Additional tags attached to ENIs created by Cilium.
+ # Dangling ENIs with this tag will be garbage collected
+ # @default -- `{"io.cilium/cilium-managed":"true,"io.cilium/cluster-name":""}`
+ gcTags: {}
+ # -- If using IAM role for Service Accounts will not try to
+ # inject identity values from cilium-aws kubernetes secret.
+ # Adds annotation to service account if managed by Helm.
+ # See https://github.com/aws/amazon-eks-pod-identity-webhook
+ iamRole: ""
+ # -- Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs
+ # Important note: This requires that each instance has an ENI with a matching subnet attached
+ # when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium,
+ # use the CNI configuration file settings (cni.customConf) instead.
+ subnetIDsFilter: []
+ # -- Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs
+ # Important note: This requires that each instance has an ENI with a matching subnet attached
+ # when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium,
+ # use the CNI configuration file settings (cni.customConf) instead.
+ subnetTagsFilter: []
+ # -- Filter via AWS EC2 Instance tags (k=v) which will dictate which AWS EC2 Instances
+ # are going to be used to create new ENIs
+ instanceTagsFilter: []
+
+ externalIPs:
+ # -- Enable ExternalIPs service support.
+ enabled: false
+
+ # fragmentTracking enables IPv4 fragment tracking support in the datapath.
+ # fragmentTracking: true
+
+ gke:
+ # -- Enable Google Kubernetes Engine integration
+ enabled: false
+
+ # -- Enable connectivity health checking.
+ healthChecking: true
+
+ # -- TCP port for the agent health API. This is not the port for cilium-health.
+ healthPort: 9879
+
+ # -- Configure the host firewall.
+ hostFirewall:
+ # -- Enables the enforcement of host policies in the eBPF datapath.
+ enabled: false
+
+ hostPort:
+ # -- Enable hostPort service support.
+ enabled: false
+
+ # -- Configure socket LB
+ socketLB:
+ # -- Enable socket LB
+ enabled: false
+
+ # -- Disable socket lb for non-root ns. This is used to enable Istio routing rules.
+ # hostNamespaceOnly: false
+
+ # -- Configure certificate generation for Hubble integration.
+ # If hubble.tls.auto.method=cronJob, these values are used
+ # for the Kubernetes CronJob which will be scheduled regularly to
+ # (re)generate any certificates not provided manually.
+ certgen:
+ image:
+ override: ~
+ repository: "quay.io/cilium/certgen"
+ tag: "v0.1.9"
+ digest: "sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f"
+ useDigest: true
+ pullPolicy: "IfNotPresent"
+ # -- Seconds after which the completed job pod will be deleted
+ ttlSecondsAfterFinished: 1800
+ # -- Labels to be added to hubble-certgen pods
+ podLabels: {}
+ # -- Annotations to be added to the hubble-certgen initial Job and CronJob
+ annotations:
+ job: {}
+ cronJob: {}
+ # -- Node tolerations for pod assignment on nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations: []
+
+ # -- Additional certgen volumes.
+ extraVolumes: []
+
+ # -- Additional certgen volumeMounts.
+ extraVolumeMounts: []
+
+ # -- Affinity for certgen
+ affinity: {}
+
+ hubble:
+ # -- Enable Hubble (true by default).
+ enabled: true
+
+ # -- Annotations to be added to all top-level hubble objects (resources under templates/hubble)
+ annotations: {}
+
+ # -- Buffer size of the channel Hubble uses to receive monitor events. If this
+ # value is not set, the queue size is set to the default monitor queue size.
+ # eventQueueSize: ""
+
+ # -- Number of recent flows for Hubble to cache. Defaults to 4095.
+ # Possible values are:
+ # 1, 3, 7, 15, 31, 63, 127, 255, 511, 1023,
+ # 2047, 4095, 8191, 16383, 32767, 65535
+ # eventBufferCapacity: "4095"
+
+ # -- Hubble metrics configuration.
+ # See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics
+ # for more comprehensive documentation about Hubble metrics.
+ metrics:
+ # -- Configures the list of metrics to collect. If empty or null, metrics
+ # are disabled.
+ # Example:
+ #
+ # enabled:
+ # - dns:query;ignoreAAAA
+ # - drop
+ # - tcp
+ # - flow
+ # - icmp
+ # - http
+ #
+ # You can specify the list of metrics from the helm CLI:
+ #
+ # --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}"
+ #
+ enabled: ~
+ # -- Enables exporting hubble metrics in OpenMetrics format.
+ enableOpenMetrics: false
+ # -- Configure the port the hubble metric server listens on.
+ port: 9965
+ # -- Annotations to be added to hubble-metrics service.
+ serviceAnnotations: {}
+ serviceMonitor:
+ # -- Create ServiceMonitor resources for Prometheus Operator.
+ # This requires the prometheus CRDs to be available.
+ # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
+ enabled: false
+ # -- Labels to add to ServiceMonitor hubble
+ labels: {}
+ # -- Annotations to add to ServiceMonitor hubble
+ annotations: {}
+ # -- jobLabel to add for ServiceMonitor hubble
+ jobLabel: ""
+ # -- Interval for scrape metrics.
+ interval: "10s"
+ # -- Relabeling configs for the ServiceMonitor hubble
+ relabelings:
+ - sourceLabels:
+ - __meta_kubernetes_pod_node_name
+ targetLabel: node
+ replacement: ${1}
+ # -- Metrics relabeling configs for the ServiceMonitor hubble
+ metricRelabelings: ~
+ # -- Grafana dashboards for hubble
+ # grafana can import dashboards based on the label and value
+ # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards
+ dashboards:
+ enabled: false
+ label: grafana_dashboard
+ namespace: ~
+ labelValue: "1"
+ annotations: {}
+
+ # -- Unix domain socket path to listen to when Hubble is enabled.
+ socketPath: /var/run/cilium/hubble.sock
+
+ # -- Enables redacting sensitive information present in Layer 7 flows.
+ redact:
+ enabled: false
+ http:
+ # -- Enables redacting URL query (GET) parameters.
+ # Example:
+ #
+ # redact:
+ # enabled: true
+ # http:
+ # urlQuery: true
+ #
+ # You can specify the options from the helm CLI:
+ #
+ # --set hubble.redact.enabled="true"
+ # --set hubble.redact.http.urlQuery="true"
+ urlQuery: false
+ # -- Enables redacting user info, e.g., password when basic auth is used.
+ # Example:
+ #
+ # redact:
+ # enabled: true
+ # http:
+ # userInfo: true
+ #
+ # You can specify the options from the helm CLI:
+ #
+ # --set hubble.redact.enabled="true"
+ # --set hubble.redact.http.userInfo="true"
+ userInfo: true
+ headers:
+ # -- List of HTTP headers to allow: headers not matching will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present.
+ # Example:
+ # redact:
+ # enabled: true
+ # http:
+ # headers:
+ # allow:
+ # - traceparent
+ # - tracestate
+ # - Cache-Control
+ #
+ # You can specify the options from the helm CLI:
+ # --set hubble.redact.enabled="true"
+ # --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control"
+ allow: []
+ # -- List of HTTP headers to deny: matching headers will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present.
+ # Example:
+ # redact:
+ # enabled: true
+ # http:
+ # headers:
+ # deny:
+ # - Authorization
+ # - Proxy-Authorization
+ #
+ # You can specify the options from the helm CLI:
+ # --set hubble.redact.enabled="true"
+ # --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization"
+ deny: []
+ kafka:
+ # -- Enables redacting Kafka's API key.
+ # Example:
+ #
+ # redact:
+ # enabled: true
+ # kafka:
+ # apiKey: true
+ #
+ # You can specify the options from the helm CLI:
+ #
+ # --set hubble.redact.enabled="true"
+ # --set hubble.redact.kafka.apiKey="true"
+ apiKey: false
+
+ # -- An additional address for Hubble to listen to.
+ # Set this field ":4244" if you are enabling Hubble Relay, as it assumes that
+ # Hubble is listening on port 4244.
+ listenAddress: ":4244"
+ # -- Whether Hubble should prefer to announce IPv6 or IPv4 addresses if both are available.
+ preferIpv6: false
+ # -- (bool) Skip Hubble events with unknown cgroup ids
+ # @default -- `true`
+ skipUnknownCGroupIDs: ~
+
+ peerService:
+ # -- Service Port for the Peer service.
+ # If not set, it is dynamically assigned to port 443 if TLS is enabled and to
+ # port 80 if not.
+ # servicePort: 80
+ # -- Target Port for the Peer service, must match the hubble.listenAddress'
+ # port.
+ targetPort: 4244
+ # -- The cluster domain to use to query the Hubble Peer service. It should
+ # be the local cluster.
+ clusterDomain: cluster.local
+ # -- TLS configuration for Hubble
+ tls:
+ # -- Enable mutual TLS for listenAddress. Setting this value to false is
+ # highly discouraged as the Hubble API provides access to potentially
+ # sensitive network flow metadata and is exposed on the host network.
+ enabled: true
+ # -- Configure automatic TLS certificates generation.
+ auto:
+ # -- Auto-generate certificates.
+ # When set to true, automatically generate a CA and certificates to
+ # enable mTLS between Hubble server and Hubble Relay instances. If set to
+ # false, the certs for Hubble server need to be provided by setting
+ # appropriate values below.
+ enabled: true
+ # -- Set the method to auto-generate certificates. Supported values:
+ # - helm: This method uses Helm to generate all certificates.
+ # - cronJob: This method uses a Kubernetes CronJob the generate any
+ # certificates not provided by the user at installation
+ # time.
+ # - certmanager: This method use cert-manager to generate & rotate certificates.
+ method: helm
+ # -- Generated certificates validity duration in days.
+ certValidityDuration: 1095
+ # -- Schedule for certificates regeneration (regardless of their expiration date).
+ # Only used if method is "cronJob". If nil, then no recurring job will be created.
+ # Instead, only the one-shot job is deployed to generate the certificates at
+ # installation time.
+ #
+ # Defaults to midnight of the first day of every fourth month. For syntax, see
+ # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax
+ schedule: "0 0 1 */4 *"
+
+ # [Example]
+ # certManagerIssuerRef:
+ # group: cert-manager.io
+ # kind: ClusterIssuer
+ # name: ca-issuer
+ # -- certmanager issuer used when hubble.tls.auto.method=certmanager.
+ certManagerIssuerRef: {}
+
+ # -- base64 encoded PEM values for the Hubble server certificate and private key
+ server:
+ cert: ""
+ key: ""
+ # -- Extra DNS names added to certificate when it's auto generated
+ extraDnsNames: []
+ # -- Extra IP addresses added to certificate when it's auto generated
+ extraIpAddresses: []
+
+ relay:
+ # -- Enable Hubble Relay (requires hubble.enabled=true)
+ enabled: false
+
+ # -- Roll out Hubble Relay pods automatically when configmap is updated.
+ rollOutPods: false
+
+ # -- Hubble-relay container image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/hubble-relay"
+ tag: "v1.15.2"
+ # hubble-relay-digest
+ digest: ""
+ useDigest: false
+ pullPolicy: "IfNotPresent"
+
+ # -- Specifies the resources for the hubble-relay pods
+ resources: {}
+
+ # -- Number of replicas run for the hubble-relay deployment.
+ replicas: 1
+
+ # -- Affinity for hubble-replay
+ affinity:
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - topologyKey: kubernetes.io/hostname
+ labelSelector:
+ matchLabels:
+ k8s-app: cilium
+
+ # -- Pod topology spread constraints for hubble-relay
+ topologySpreadConstraints: []
+ # - maxSkew: 1
+ # topologyKey: topology.kubernetes.io/zone
+ # whenUnsatisfiable: DoNotSchedule
+
+ # -- Node labels for pod assignment
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # -- Node tolerations for pod assignment on nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations: []
+
+ # -- Additional hubble-relay environment variables.
+ extraEnv: []
+
+ # -- Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay)
+ annotations: {}
+
+ # -- Annotations to be added to hubble-relay pods
+ podAnnotations: {}
+
+ # -- Labels to be added to hubble-relay pods
+ podLabels: {}
+
+ # PodDisruptionBudget settings
+ podDisruptionBudget:
+ # -- enable PodDisruptionBudget
+ # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ enabled: false
+ # -- Minimum number/percentage of pods that should remain scheduled.
+ # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
+ minAvailable: null
+ # -- Maximum number/percentage of pods that may be made unavailable
+ maxUnavailable: 1
+
+ # -- The priority class to use for hubble-relay
+ priorityClassName: ""
+
+ # -- Configure termination grace period for hubble relay Deployment.
+ terminationGracePeriodSeconds: 1
+
+ # -- hubble-relay update strategy
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+
+ # -- Additional hubble-relay volumes.
+ extraVolumes: []
+
+ # -- Additional hubble-relay volumeMounts.
+ extraVolumeMounts: []
+
+ # -- hubble-relay pod security context
+ podSecurityContext:
+ fsGroup: 65532
+
+ # -- hubble-relay container security context
+ securityContext:
+ # readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
+ capabilities:
+ drop:
+ - ALL
+
+ # -- hubble-relay service configuration.
+ service:
+ # --- The type of service used for Hubble Relay access, either ClusterIP or NodePort.
+ type: ClusterIP
+ # --- The port to use when the service type is set to NodePort.
+ nodePort: 31234
+
+ # -- Host to listen to. Specify an empty string to bind to all the interfaces.
+ listenHost: ""
+
+ # -- Port to listen to.
+ listenPort: "4245"
+
+ # -- TLS configuration for Hubble Relay
+ tls:
+ # -- base64 encoded PEM values for the hubble-relay client certificate and private key
+ # This keypair is presented to Hubble server instances for mTLS
+ # authentication and is required when hubble.tls.enabled is true.
+ # These values need to be set manually if hubble.tls.auto.enabled is false.
+ client:
+ cert: ""
+ key: ""
+ # -- base64 encoded PEM values for the hubble-relay server certificate and private key
+ server:
+ # When set to true, enable TLS on for Hubble Relay server
+ # (ie: for clients connecting to the Hubble Relay API).
+ enabled: false
+ # When set to true enforces mutual TLS between Hubble Relay server and its clients.
+ # False allow non-mutual TLS connections.
+ # This option has no effect when TLS is disabled.
+ mtls: false
+ # These values need to be set manually if hubble.tls.auto.enabled is false.
+ cert: ""
+ key: ""
+ # -- extra DNS names added to certificate when its auto gen
+ extraDnsNames: []
+ # -- extra IP addresses added to certificate when its auto gen
+ extraIpAddresses: []
+ # DNS name used by the backend to connect to the relay
+ # This is a simple workaround as the relay certificates are currently hardcoded to
+ # *.hubble-relay.cilium.io
+ # See https://github.com/cilium/cilium/pull/28709#discussion_r1371792546
+ # For GKE Dataplane V2 this should be set to relay.kube-system.svc.cluster.local
+ relayName: "ui.hubble-relay.cilium.io"
+
+ # -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s").
+ dialTimeout: ~
+
+ # -- Backoff duration to retry connecting to the local hubble instance in case of failure (e.g. "30s").
+ retryTimeout: ~
+
+ # -- Max number of flows that can be buffered for sorting before being sent to the
+ # client (per request) (e.g. 100).
+ sortBufferLenMax: ~
+
+ # -- When the per-request flows sort buffer is not full, a flow is drained every
+ # time this timeout is reached (only affects requests in follow-mode) (e.g. "1s").
+ sortBufferDrainTimeout: ~
+
+ # -- Port to use for the k8s service backed by hubble-relay pods.
+ # If not set, it is dynamically assigned to port 443 if TLS is enabled and to
+ # port 80 if not.
+ # servicePort: 80
+
+ # -- Enable prometheus metrics for hubble-relay on the configured port at
+ # /metrics
+ prometheus:
+ enabled: false
+ port: 9966
+ serviceMonitor:
+ # -- Enable service monitors.
+ # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
+ enabled: false
+ # -- Labels to add to ServiceMonitor hubble-relay
+ labels: {}
+ # -- Annotations to add to ServiceMonitor hubble-relay
+ annotations: {}
+ # -- Interval for scrape metrics.
+ interval: "10s"
+ # -- Specify the Kubernetes namespace where Prometheus expects to find
+ # service monitors configured.
+ # namespace: ""
+ # -- Relabeling configs for the ServiceMonitor hubble-relay
+ relabelings: ~
+ # -- Metrics relabeling configs for the ServiceMonitor hubble-relay
+ metricRelabelings: ~
+
+ gops:
+ # -- Enable gops for hubble-relay
+ enabled: true
+ # -- Configure gops listen port for hubble-relay
+ port: 9893
+
+ pprof:
+ # -- Enable pprof for hubble-relay
+ enabled: false
+ # -- Configure pprof listen address for hubble-relay
+ address: localhost
+ # -- Configure pprof listen port for hubble-relay
+ port: 6062
+
+ ui:
+ # -- Whether to enable the Hubble UI.
+ enabled: false
+
+ standalone:
+ # -- When true, it will allow installing the Hubble UI only, without checking dependencies.
+ # It is useful if a cluster already has cilium and Hubble relay installed and you just
+ # want Hubble UI to be deployed.
+ # When installed via helm, installing UI should be done via `helm upgrade` and when installed via the cilium cli, then `cilium hubble enable --ui`
+ enabled: false
+
+ tls:
+ # -- When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required
+ # to provide a volume for mounting the client certificates.
+ certsVolume: {}
+ # projected:
+ # defaultMode: 0400
+ # sources:
+ # - secret:
+ # name: hubble-ui-client-certs
+ # items:
+ # - key: tls.crt
+ # path: client.crt
+ # - key: tls.key
+ # path: client.key
+ # - key: ca.crt
+ # path: hubble-relay-ca.crt
+
+ # -- Roll out Hubble-ui pods automatically when configmap is updated.
+ rollOutPods: false
+
+ tls:
+ # -- base64 encoded PEM values used to connect to hubble-relay
+ # This keypair is presented to Hubble Relay instances for mTLS
+ # authentication and is required when hubble.relay.tls.server.enabled is true.
+ # These values need to be set manually if hubble.tls.auto.enabled is false.
+ client:
+ cert: ""
+ key: ""
+
+ backend:
+ # -- Hubble-ui backend image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/hubble-ui-backend"
+ tag: "v0.13.0"
+ digest: "sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803"
+ useDigest: true
+ pullPolicy: "IfNotPresent"
+
+ # -- Hubble-ui backend security context.
+ securityContext: {}
+
+ # -- Additional hubble-ui backend environment variables.
+ extraEnv: []
+
+ # -- Additional hubble-ui backend volumes.
+ extraVolumes: []
+
+ # -- Additional hubble-ui backend volumeMounts.
+ extraVolumeMounts: []
+
+ livenessProbe:
+ # -- Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+)
+ enabled: false
+
+ readinessProbe:
+ # -- Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+)
+ enabled: false
+
+ # -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment.
+ resources: {}
+ # limits:
+ # cpu: 1000m
+ # memory: 1024M
+ # requests:
+ # cpu: 100m
+ # memory: 64Mi
+
+ frontend:
+ # -- Hubble-ui frontend image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/hubble-ui"
+ tag: "v0.13.0"
+ digest: "sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666"
+ useDigest: true
+ pullPolicy: "IfNotPresent"
+
+ # -- Hubble-ui frontend security context.
+ securityContext: {}
+
+ # -- Additional hubble-ui frontend environment variables.
+ extraEnv: []
+
+ # -- Additional hubble-ui frontend volumes.
+ extraVolumes: []
+
+ # -- Additional hubble-ui frontend volumeMounts.
+ extraVolumeMounts: []
+
+ # -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment.
+ resources: {}
+ # limits:
+ # cpu: 1000m
+ # memory: 1024M
+ # requests:
+ # cpu: 100m
+ # memory: 64Mi
+ server:
+ # -- Controls server listener for ipv6
+ ipv6:
+ enabled: true
+
+ # -- The number of replicas of Hubble UI to deploy.
+ replicas: 1
+
+ # -- Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui)
+ annotations: {}
+
+ # -- Annotations to be added to hubble-ui pods
+ podAnnotations: {}
+
+ # -- Labels to be added to hubble-ui pods
+ podLabels: {}
+
+ # PodDisruptionBudget settings
+ podDisruptionBudget:
+ # -- enable PodDisruptionBudget
+ # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ enabled: false
+ # -- Minimum number/percentage of pods that should remain scheduled.
+ # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
+ minAvailable: null
+ # -- Maximum number/percentage of pods that may be made unavailable
+ maxUnavailable: 1
+
+ # -- Affinity for hubble-ui
+ affinity: {}
+
+ # -- Pod topology spread constraints for hubble-ui
+ topologySpreadConstraints: []
+ # - maxSkew: 1
+ # topologyKey: topology.kubernetes.io/zone
+ # whenUnsatisfiable: DoNotSchedule
+
+ # -- Node labels for pod assignment
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # -- Node tolerations for pod assignment on nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations: []
+
+ # -- The priority class to use for hubble-ui
+ priorityClassName: ""
+
+ # -- hubble-ui update strategy.
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+
+ # -- Security context to be added to Hubble UI pods
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+
+ # -- hubble-ui service configuration.
+ service:
+ # -- Annotations to be added for the Hubble UI service
+ annotations: {}
+ # --- The type of service used for Hubble UI access, either ClusterIP or NodePort.
+ type: ClusterIP
+ # --- The port to use when the service type is set to NodePort.
+ nodePort: 31235
+
+ # -- Defines base url prefix for all hubble-ui http requests.
+ # It needs to be changed in case if ingress for hubble-ui is configured under some sub-path.
+ # Trailing `/` is required for custom path, ex. `/service-map/`
+ baseUrl: "/"
+
+ # -- hubble-ui ingress configuration.
+ ingress:
+ enabled: false
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ className: ""
+ hosts:
+ - chart-example.local
+ labels: {}
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+ # -- Hubble flows export.
+ export:
+ # --- Defines max file size of output file before it gets rotated.
+ fileMaxSizeMb: 10
+ # --- Defines max number of backup/rotated files.
+ fileMaxBackups: 5
+ # --- Static exporter configuration.
+ # Static exporter is bound to agent lifecycle.
+ static:
+ enabled: false
+ filePath: /var/run/cilium/hubble/events.log
+ fieldMask: []
+ # - time
+ # - source
+ # - destination
+ # - verdict
+ allowList: []
+ # - '{"verdict":["DROPPED","ERROR"]}'
+ denyList: []
+ # - '{"source_pod":["kube-system/"]}'
+ # - '{"destination_pod":["kube-system/"]}'
+ # --- Dynamic exporters configuration.
+ # Dynamic exporters may be reconfigured without a need of agent restarts.
+ dynamic:
+ enabled: false
+ config:
+ # ---- Name of configmap with configuration that may be altered to reconfigure exporters within a running agents.
+ configMapName: cilium-flowlog-config
+ # ---- True if helm installer should create config map.
+ # Switch to false if you want to self maintain the file content.
+ createConfigMap: true
+ # ---- Exporters configuration in YAML format.
+ content:
+ - name: all
+ fieldMask: []
+ includeFilters: []
+ excludeFilters: []
+ filePath: "/var/run/cilium/hubble/events.log"
+ #- name: "test002"
+ # filePath: "/var/log/network/flow-log/pa/test002.log"
+ # fieldMask: ["source.namespace", "source.pod_name", "destination.namespace", "destination.pod_name", "verdict"]
+ # includeFilters:
+ # - source_pod: ["default/"]
+ # event_type:
+ # - type: 1
+ # - destination_pod: ["frontend/nginx-975996d4c-7hhgt"]
+ # excludeFilters: []
+ # end: "2023-10-09T23:59:59-07:00"
+
+ # -- Method to use for identity allocation (`crd` or `kvstore`).
+ identityAllocationMode: "crd"
+
+ # -- (string) Time to wait before using new identity on endpoint identity change.
+ # @default -- `"5s"`
+ identityChangeGracePeriod: ""
+
+ # -- Install Iptables rules to skip netfilter connection tracking on all pod
+ # traffic. This option is only effective when Cilium is running in direct
+ # routing and full KPR mode. Moreover, this option cannot be enabled when Cilium
+ # is running in a managed Kubernetes environment or in a chained CNI setup.
+ installNoConntrackIptablesRules: false
+
+ ipam:
+ # -- Configure IP Address Management mode.
+ # ref: https://docs.cilium.io/en/stable/network/concepts/ipam/
+ mode: "cluster-pool"
+ # -- Maximum rate at which the CiliumNode custom resource is updated.
+ ciliumNodeUpdateRate: "15s"
+ operator:
+ # -- IPv4 CIDR list range to delegate to individual nodes for IPAM.
+ clusterPoolIPv4PodCIDRList: {{ index .Cluster.spec.clusterNetwork.pods.cidrBlocks 0 }}
+ # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM.
+ clusterPoolIPv4MaskSize: 24
+ # -- IPv6 CIDR list range to delegate to individual nodes for IPAM.
+ clusterPoolIPv6PodCIDRList: ["fd00::/104"]
+ # -- IPv6 CIDR mask size to delegate to individual nodes for IPAM.
+ clusterPoolIPv6MaskSize: 120
+ # -- IP pools to auto-create in multi-pool IPAM mode.
+ autoCreateCiliumPodIPPools: {}
+ # default:
+ # ipv4:
+ # cidrs:
+ # - 10.10.0.0/8
+ # maskSize: 24
+ # other:
+ # ipv6:
+ # cidrs:
+ # - fd00:100::/80
+ # maskSize: 96
+ # -- The maximum burst size when rate limiting access to external APIs.
+ # Also known as the token bucket capacity.
+ # @default -- `20`
+ externalAPILimitBurstSize: ~
+ # -- The maximum queries per second when rate limiting access to
+ # external APIs. Also known as the bucket refill rate, which is used to
+ # refill the bucket up to the burst size capacity.
+ # @default -- `4.0`
+ externalAPILimitQPS: ~
+
+ # -- The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API
+ apiRateLimit: ~
+
+ # -- Configure the eBPF-based ip-masq-agent
+ ipMasqAgent:
+ enabled: false
+ # the config of nonMasqueradeCIDRs
+ # config:
+ # nonMasqueradeCIDRs: []
+ # masqLinkLocal: false
+ # masqLinkLocalIPv6: false
+
+ # iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium.
+ # iptablesLockTimeout: "5s"
+
+ ipv4:
+ # -- Enable IPv4 support.
+ enabled: true
+
+ ipv6:
+ # -- Enable IPv6 support.
+ enabled: false
+
+ # -- Configure Kubernetes specific configuration
+ k8s: {}
+ # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
+ # range via the Kubernetes node resource
+ # requireIPv4PodCIDR: false
+
+ # -- requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR
+ # range via the Kubernetes node resource
+ # requireIPv6PodCIDR: false
+
+ # -- Keep the deprecated selector labels when deploying Cilium DaemonSet.
+ keepDeprecatedLabels: false
+
+ # -- Keep the deprecated probes when deploying Cilium DaemonSet
+ keepDeprecatedProbes: false
+
+ startupProbe:
+ # -- failure threshold of startup probe.
+ # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s)
+ failureThreshold: 105
+ # -- interval between checks of the startup probe
+ periodSeconds: 2
+ livenessProbe:
+ # -- failure threshold of liveness probe
+ failureThreshold: 10
+ # -- interval between checks of the liveness probe
+ periodSeconds: 30
+ readinessProbe:
+ # -- failure threshold of readiness probe
+ failureThreshold: 3
+ # -- interval between checks of the readiness probe
+ periodSeconds: 30
+
+ # -- Configure the kube-proxy replacement in Cilium BPF datapath
+ # Valid options are "true", "false", "disabled" (deprecated), "partial" (deprecated), "strict" (deprecated).
+ # ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/
+ #kubeProxyReplacement: "false"
+
+ # -- healthz server bind address for the kube-proxy replacement.
+ # To enable set the value to '0.0.0.0:10256' for all ipv4
+ # addresses and this '[::]:10256' for all ipv6 addresses.
+ # By default it is disabled.
+ kubeProxyReplacementHealthzBindAddr: ""
+
+ l2NeighDiscovery:
+ # -- Enable L2 neighbor discovery in the agent
+ enabled: true
+ # -- Override the agent's default neighbor resolution refresh period.
+ refreshPeriod: "30s"
+
+ # -- Enable Layer 7 network policy.
+ l7Proxy: true
+
+ # -- Enable Local Redirect Policy.
+ localRedirectPolicy: false
+
+ # To include or exclude matched resources from cilium identity evaluation
+ # labels: ""
+
+ # logOptions allows you to define logging options. eg:
+ # logOptions:
+ # format: json
+
+ # -- Enables periodic logging of system load
+ logSystemLoad: false
+
+ # -- Configure maglev consistent hashing
+ maglev: {}
+ # -- tableSize is the size (parameter M) for the backend table of one
+ # service entry
+ # tableSize:
+
+ # -- hashSeed is the cluster-wide base64 encoded seed for the hashing
+ # hashSeed:
+
+ # -- Enables masquerading of IPv4 traffic leaving the node from endpoints.
+ enableIPv4Masquerade: true
+
+ # -- Enables masquerading of IPv6 traffic leaving the node from endpoints.
+ enableIPv6Masquerade: true
+
+ # -- Enables masquerading to the source of the route for traffic leaving the node from endpoints.
+ enableMasqueradeRouteSource: false
+
+ # -- Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods
+ enableIPv4BIGTCP: false
+
+ # -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods
+ enableIPv6BIGTCP: false
+
+ egressGateway:
+ # -- Enables egress gateway to redirect and SNAT the traffic that leaves the
+ # cluster.
+ enabled: false
+ # -- Deprecated without a replacement necessary.
+ installRoutes: false
+ # -- Time between triggers of egress gateway state reconciliations
+ reconciliationTriggerInterval: 1s
+ # -- Maximum number of entries in egress gateway policy map
+ # maxPolicyEntries: 16384
+
+ vtep:
+ # -- Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow
+ # Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel.
+ enabled: false
+
+ # -- A space separated list of VTEP device endpoint IPs, for example "1.1.1.1 1.1.2.1"
+ endpoint: ""
+ # -- A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24"
+ cidr: ""
+ # -- VTEP CIDRs Mask that applies to all VTEP CIDRs, for example "255.255.255.0"
+ mask: ""
+ # -- A space separated list of VTEP device MAC addresses (VTEP MAC), for example "x:x:x:x:x:x y:y:y:y:y:y:y"
+ mac: ""
+
+ # -- (string) Allows to explicitly specify the IPv4 CIDR for native routing.
+ # When specified, Cilium assumes networking for this CIDR is preconfigured and
+ # hands traffic destined for that range to the Linux network stack without
+ # applying any SNAT.
+ # Generally speaking, specifying a native routing CIDR implies that Cilium can
+ # depend on the underlying networking stack to route packets to their
+ # destination. To offer a concrete example, if Cilium is configured to use
+ # direct routing and the Kubernetes CIDR is included in the native routing CIDR,
+ # the user must configure the routes to reach pods, either manually or by
+ # setting the auto-direct-node-routes flag.
+ ipv4NativeRoutingCIDR: ""
+
+ # -- (string) Allows to explicitly specify the IPv6 CIDR for native routing.
+ # When specified, Cilium assumes networking for this CIDR is preconfigured and
+ # hands traffic destined for that range to the Linux network stack without
+ # applying any SNAT.
+ # Generally speaking, specifying a native routing CIDR implies that Cilium can
+ # depend on the underlying networking stack to route packets to their
+ # destination. To offer a concrete example, if Cilium is configured to use
+ # direct routing and the Kubernetes CIDR is included in the native routing CIDR,
+ # the user must configure the routes to reach pods, either manually or by
+ # setting the auto-direct-node-routes flag.
+ ipv6NativeRoutingCIDR: ""
+
+ # -- cilium-monitor sidecar.
+ monitor:
+ # -- Enable the cilium-monitor sidecar.
+ enabled: false
+
+ # -- Configure service load balancing
+ loadBalancer:
+ # -- standalone enables the standalone L4LB which does not connect to
+ # kube-apiserver.
+ # standalone: false
+
+ # -- algorithm is the name of the load balancing algorithm for backend
+ # selection e.g. random or maglev
+ # algorithm: random
+
+ # -- mode is the operation mode of load balancing for remote backends
+ # e.g. snat, dsr, hybrid
+ # mode: snat
+
+ # -- acceleration is the option to accelerate service handling via XDP
+ # Applicable values can be: disabled (do not use XDP), native (XDP BPF
+ # program is run directly out of the networking driver's early receive
+ # path), or best-effort (use native mode XDP acceleration on devices
+ # that support it).
+ acceleration: disabled
+
+ # -- dsrDispatch configures whether IP option or IPIP encapsulation is
+ # used to pass a service IP and port to remote backend
+ # dsrDispatch: opt
+
+ # -- serviceTopology enables K8s Topology Aware Hints -based service
+ # endpoints filtering
+ # serviceTopology: false
+
+ # -- L7 LoadBalancer
+ l7:
+ # -- Enable L7 service load balancing via envoy proxy.
+ # The request to a k8s service, which has specific annotation e.g. service.cilium.io/lb-l7,
+ # will be forwarded to the local backend proxy to be load balanced to the service endpoints.
+ # Please refer to docs for supported annotations for more configuration.
+ #
+ # Applicable values:
+ # - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well.
+ # - disabled: Disable L7 load balancing by way of service annotation.
+ backend: disabled
+ # -- List of ports from service to be automatically redirected to above backend.
+ # Any service exposing one of these ports will be automatically redirected.
+ # Fine-grained control can be achieved by using the service annotation.
+ ports: []
+ # -- Default LB algorithm
+ # The default LB algorithm to be used for services, which can be overridden by the
+ # service annotation (e.g. service.cilium.io/lb-l7-algorithm)
+ # Applicable values: round_robin, least_request, random
+ algorithm: round_robin
+
+ # -- Configure N-S k8s service loadbalancing
+ nodePort:
+ # -- Enable the Cilium NodePort service implementation.
+ enabled: false
+
+ # -- Port range to use for NodePort services.
+ # range: "30000,32767"
+
+ # -- Set to true to prevent applications binding to service ports.
+ bindProtection: true
+
+ # -- Append NodePort range to ip_local_reserved_ports if clash with ephemeral
+ # ports is detected.
+ autoProtectPortRange: true
+
+ # -- Enable healthcheck nodePort server for NodePort services
+ enableHealthCheck: true
+
+ # -- Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs
+ # EnableHealthCheck to be enabled
+ enableHealthCheckLoadBalancerIP: false
+
+ # policyAuditMode: false
+
+ # -- The agent can be put into one of the three policy enforcement modes:
+ # default, always and never.
+ # ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes
+ policyEnforcementMode: "default"
+
+ # -- policyCIDRMatchMode is a list of entities that may be selected by CIDR selector.
+ # The possible value is "nodes".
+ policyCIDRMatchMode:
+
+ pprof:
+ # -- Enable pprof for cilium-agent
+ enabled: false
+ # -- Configure pprof listen address for cilium-agent
+ address: localhost
+ # -- Configure pprof listen port for cilium-agent
+ port: 6060
+
+ # -- Configure prometheus metrics on the configured port at /metrics
+ prometheus:
+ enabled: false
+ port: 9962
+ serviceMonitor:
+ # -- Enable service monitors.
+ # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
+ enabled: false
+ # -- Labels to add to ServiceMonitor cilium-agent
+ labels: {}
+ # -- Annotations to add to ServiceMonitor cilium-agent
+ annotations: {}
+ # -- jobLabel to add for ServiceMonitor cilium-agent
+ jobLabel: ""
+ # -- Interval for scrape metrics.
+ interval: "10s"
+ # -- Specify the Kubernetes namespace where Prometheus expects to find
+ # service monitors configured.
+ # namespace: ""
+ # -- Relabeling configs for the ServiceMonitor cilium-agent
+ relabelings:
+ - sourceLabels:
+ - __meta_kubernetes_pod_node_name
+ targetLabel: node
+ replacement: ${1}
+ # -- Metrics relabeling configs for the ServiceMonitor cilium-agent
+ metricRelabelings: ~
+ # -- Set to `true` and helm will not check for monitoring.coreos.com/v1 CRDs before deploying
+ trustCRDsExist: false
+
+ # -- Metrics that should be enabled or disabled from the default metric list.
+ # The list is expected to be separated by a space. (+metric_foo to enable
+ # metric_foo , -metric_bar to disable metric_bar).
+ # ref: https://docs.cilium.io/en/stable/observability/metrics/
+ metrics: ~
+
+ # --- Enable controller group metrics for monitoring specific Cilium
+ # subsystems. The list is a list of controller group names. The special
+ # values of "all" and "none" are supported. The set of controller
+ # group names is not guaranteed to be stable between Cilium versions.
+ controllerGroupMetrics:
+ - write-cni-file
+ - sync-host-ips
+ - sync-lb-maps-with-k8s-services
+
+ # -- Grafana dashboards for cilium-agent
+ # grafana can import dashboards based on the label and value
+ # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards
+ dashboards:
+ enabled: false
+ label: grafana_dashboard
+ namespace: ~
+ labelValue: "1"
+ annotations: {}
+
+ # -- Configure Istio proxy options.
+ proxy:
+
+ prometheus:
+ # -- Deprecated in favor of envoy.prometheus.enabled
+ enabled: true
+ # -- Deprecated in favor of envoy.prometheus.port
+ port: ~
+ # -- Regular expression matching compatible Istio sidecar istio-proxy
+ # container image names
+ sidecarImageRegex: "cilium/istio_proxy"
+
+ # Configure Cilium Envoy options.
+ envoy:
+ # -- Enable Envoy Proxy in standalone DaemonSet.
+ enabled: false
+
+ log:
+ # -- The format string to use for laying out the log message metadata of Envoy.
+ format: "[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"
+ # -- Path to a separate Envoy log file, if any. Defaults to /dev/stdout.
+ path: ""
+
+ # -- Time in seconds after which a TCP connection attempt times out
+ connectTimeoutSeconds: 2
+ # -- ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for Envoy
+ maxRequestsPerConnection: 0
+ # -- Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable)
+ maxConnectionDurationSeconds: 0
+ # -- Set Envoy upstream HTTP idle connection timeout seconds.
+ # Does not apply to connections with pending requests. Default 60s
+ idleTimeoutDurationSeconds: 60
+
+ # -- Envoy container image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/cilium-envoy"
+ tag: "v1.27.3-99c1c8f42c8de70fc8f6dd594f4a425cd38b6688"
+ pullPolicy: "IfNotPresent"
+ digest: "sha256:877ead12d08d4c04a9f67f86d3c6e542aeb7bf97e1e401aee74de456f496ac30"
+ useDigest: true
+
+ # -- Additional containers added to the cilium Envoy DaemonSet.
+ extraContainers: []
+
+ # -- Additional envoy container arguments.
+ extraArgs: []
+
+ # -- Additional envoy container environment variables.
+ extraEnv: []
+
+ # -- Additional envoy hostPath mounts.
+ extraHostPathMounts: []
+ # - name: host-mnt-data
+ # mountPath: /host/mnt/data
+ # hostPath: /mnt/data
+ # hostPathType: Directory
+ # readOnly: true
+ # mountPropagation: HostToContainer
+
+ # -- Additional envoy volumes.
+ extraVolumes: []
+
+ # -- Additional envoy volumeMounts.
+ extraVolumeMounts: []
+
+ # -- Configure termination grace period for cilium-envoy DaemonSet.
+ terminationGracePeriodSeconds: 1
+
+ # -- TCP port for the health API.
+ healthPort: 9878
+
+ # -- cilium-envoy update strategy
+ # ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#updating-a-daemonset
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 2
+ # -- Roll out cilium envoy pods automatically when configmap is updated.
+ rollOutPods: false
+
+ # -- Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy)
+ annotations: {}
+
+ # -- Security Context for cilium-envoy pods.
+ podSecurityContext: {}
+
+ # -- Annotations to be added to envoy pods
+ podAnnotations: {}
+
+ # -- Labels to be added to envoy pods
+ podLabels: {}
+
+ # -- Envoy resource limits & requests
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources: {}
+ # limits:
+ # cpu: 4000m
+ # memory: 4Gi
+ # requests:
+ # cpu: 100m
+ # memory: 512Mi
+
+ startupProbe:
+ # -- failure threshold of startup probe.
+ # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s)
+ failureThreshold: 105
+ # -- interval between checks of the startup probe
+ periodSeconds: 2
+ livenessProbe:
+ # -- failure threshold of liveness probe
+ failureThreshold: 10
+ # -- interval between checks of the liveness probe
+ periodSeconds: 30
+ readinessProbe:
+ # -- failure threshold of readiness probe
+ failureThreshold: 3
+ # -- interval between checks of the readiness probe
+ periodSeconds: 30
+
+ securityContext:
+ # -- User to run the pod with
+ # runAsUser: 0
+ # -- Run the pod with elevated privileges
+ privileged: false
+ # -- SELinux options for the `cilium-envoy` container
+ seLinuxOptions:
+ level: 's0'
+ # Running with spc_t since we have removed the privileged mode.
+ # Users can change it to a different type as long as they have the
+ # type available on the system.
+ type: 'spc_t'
+ capabilities:
+ # -- Capabilities for the `cilium-envoy` container
+ envoy:
+ # Used since cilium proxy uses setting IPPROTO_IP/IP_TRANSPARENT
+ - NET_ADMIN
+ # We need it for now but might not need it for >= 5.11 specially
+ # for the 'SYS_RESOURCE'.
+ # In >= 5.8 there's already BPF and PERMON capabilities
+ - SYS_ADMIN
+ # Both PERFMON and BPF requires kernel 5.8, container runtime
+ # cri-o >= v1.22.0 or containerd >= v1.5.0.
+ # If available, SYS_ADMIN can be removed.
+ #- PERFMON
+ #- BPF
+
+ # -- Affinity for cilium-envoy.
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - topologyKey: kubernetes.io/hostname
+ labelSelector:
+ matchLabels:
+ k8s-app: cilium-envoy
+
+ # -- Node selector for cilium-envoy.
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # -- Node tolerations for envoy scheduling to nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations:
+ - operator: Exists
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ # -- The priority class to use for cilium-envoy.
+ priorityClassName: ~
+
+ # -- DNS policy for Cilium envoy pods.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
+ dnsPolicy: ~
+
+ # -- Configure Cilium Envoy Prometheus options.
+ # Note that some of these apply to either cilium-agent or cilium-envoy.
+ prometheus:
+ # -- Enable prometheus metrics for cilium-envoy
+ enabled: true
+ serviceMonitor:
+ # -- Enable service monitors.
+ # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
+ # Note that this setting applies to both cilium-envoy _and_ cilium-agent
+ # with Envoy enabled.
+ enabled: false
+ # -- Labels to add to ServiceMonitor cilium-envoy
+ labels: {}
+ # -- Annotations to add to ServiceMonitor cilium-envoy
+ annotations: {}
+ # -- Interval for scrape metrics.
+ interval: "10s"
+ # -- Specify the Kubernetes namespace where Prometheus expects to find
+ # service monitors configured.
+ # namespace: ""
+ # -- Relabeling configs for the ServiceMonitor cilium-envoy
+ # or for cilium-agent with Envoy configured.
+ relabelings:
+ - sourceLabels:
+ - __meta_kubernetes_pod_node_name
+ targetLabel: node
+ replacement: ${1}
+ # -- Metrics relabeling configs for the ServiceMonitor cilium-envoy
+ # or for cilium-agent with Envoy configured.
+ metricRelabelings: ~
+ # -- Serve prometheus metrics for cilium-envoy on the configured port
+ port: "9964"
+
+ # -- Enable use of the remote node identity.
+ # ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity
+ # Deprecated without replacement in 1.15. To be removed in 1.16.
+ remoteNodeIdentity: true
+
+ # -- Enable resource quotas for priority classes used in the cluster.
+ resourceQuotas:
+ enabled: false
+ cilium:
+ hard:
+ # 5k nodes * 2 DaemonSets (Cilium and cilium node init)
+ pods: "10k"
+ operator:
+ hard:
+ # 15 "clusterwide" Cilium Operator pods for HA
+ pods: "15"
+
+ # Need to document default
+ ##################
+ #sessionAffinity: false
+
+ # -- Do not run Cilium agent when running with clean mode. Useful to completely
+ # uninstall Cilium as it will stop Cilium from starting and create artifacts
+ # in the node.
+ sleepAfterInit: false
+
+ # -- Enable check of service source ranges (currently, only for LoadBalancer).
+ svcSourceRangeCheck: true
+
+ # -- Synchronize Kubernetes nodes to kvstore and perform CNP GC.
+ synchronizeK8sNodes: true
+
+ # -- Configure TLS configuration in the agent.
+ tls:
+ # -- This configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies
+ # (namely the secrets referenced by terminatingTLS and originatingTLS).
+ # Possible values:
+ # - local
+ # - k8s
+ secretsBackend: local
+
+ # -- Base64 encoded PEM values for the CA certificate and private key.
+ # This can be used as common CA to generate certificates used by hubble and clustermesh components.
+ # It is neither required nor used when cert-manager is used to generate the certificates.
+ ca:
+ # -- Optional CA cert. If it is provided, it will be used by cilium to
+ # generate all other certificates. Otherwise, an ephemeral CA is generated.
+ cert: ""
+
+ # -- Optional CA private key. If it is provided, it will be used by cilium to
+ # generate all other certificates. Otherwise, an ephemeral CA is generated.
+ key: ""
+
+ # -- Generated certificates validity duration in days. This will be used for auto generated CA.
+ certValidityDuration: 1095
+
+ # -- Configure the CA trust bundle used for the validation of the certificates
+ # leveraged by hubble and clustermesh. When enabled, it overrides the content of the
+ # 'ca.crt' field of the respective certificates, allowing for CA rotation with no down-time.
+ caBundle:
+ # -- Enable the use of the CA trust bundle.
+ enabled: false
+
+ # -- Name of the ConfigMap containing the CA trust bundle.
+ name: cilium-root-ca.crt
+
+ # -- Entry of the ConfigMap containing the CA trust bundle.
+ key: ca.crt
+
+ # -- Use a Secret instead of a ConfigMap.
+ useSecret: false
+
+ # If uncommented, creates the ConfigMap and fills it with the specified content.
+ # Otherwise, the ConfigMap is assumed to be already present in .Release.Namespace.
+ #
+ # content: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+
+ # -- Tunneling protocol to use in tunneling mode and for ad-hoc tunnels.
+ # Possible values:
+ # - ""
+ # - vxlan
+ # - geneve
+ # @default -- `"vxlan"`
+ tunnelProtocol: ""
+
+ # -- Enable native-routing mode or tunneling mode.
+ # Possible values:
+ # - ""
+ # - native
+ # - tunnel
+ # @default -- `"tunnel"`
+ routingMode: ""
+
+ # -- Configure VXLAN and Geneve tunnel port.
+ # @default -- Port 8472 for VXLAN, Port 6081 for Geneve
+ tunnelPort: 0
+
+ # -- Configure what the response should be to traffic for a service without backends.
+ # "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop".
+ # Possible values:
+ # - reject (default)
+ # - drop
+ serviceNoBackendResponse: reject
+
+ # -- Configure the underlying network MTU to overwrite auto-detected MTU.
+ MTU: 0
+
+ # -- Disable the usage of CiliumEndpoint CRD.
+ disableEndpointCRD: false
+
+ wellKnownIdentities:
+ # -- Enable the use of well-known identities.
+ enabled: false
+
+ etcd:
+ # -- Enable etcd mode for the agent.
+ enabled: false
+
+ # -- cilium-etcd-operator image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/cilium-etcd-operator"
+ tag: "v2.0.7"
+ digest: "sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc"
+ useDigest: true
+ pullPolicy: "IfNotPresent"
+
+ # -- The priority class to use for cilium-etcd-operator
+ priorityClassName: ""
+
+ # -- Additional cilium-etcd-operator container arguments.
+ extraArgs: []
+
+ # -- Additional cilium-etcd-operator volumes.
+ extraVolumes: []
+
+ # -- Additional cilium-etcd-operator volumeMounts.
+ extraVolumeMounts: []
+
+ # -- Node tolerations for cilium-etcd-operator scheduling to nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations:
+ - operator: Exists
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ # -- Pod topology spread constraints for cilium-etcd-operator
+ topologySpreadConstraints: []
+ # - maxSkew: 1
+ # topologyKey: topology.kubernetes.io/zone
+ # whenUnsatisfiable: DoNotSchedule
+
+ # -- Node labels for cilium-etcd-operator pod assignment
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # -- Annotations to be added to all top-level etcd-operator objects (resources under templates/etcd-operator)
+ annotations: {}
+
+ # -- Security context to be added to cilium-etcd-operator pods
+ podSecurityContext: {}
+
+ # -- Annotations to be added to cilium-etcd-operator pods
+ podAnnotations: {}
+
+ # -- Labels to be added to cilium-etcd-operator pods
+ podLabels: {}
+
+ # PodDisruptionBudget settings
+ podDisruptionBudget:
+ # -- enable PodDisruptionBudget
+ # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ enabled: false
+ # -- Minimum number/percentage of pods that should remain scheduled.
+ # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
+ minAvailable: null
+ # -- Maximum number/percentage of pods that may be made unavailable
+ maxUnavailable: 1
+
+ # -- cilium-etcd-operator resource limits & requests
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources: {}
+ # limits:
+ # cpu: 4000m
+ # memory: 4Gi
+ # requests:
+ # cpu: 100m
+ # memory: 512Mi
+
+ # -- Security context to be added to cilium-etcd-operator pods
+ securityContext: {}
+ # runAsUser: 0
+
+ # -- cilium-etcd-operator update strategy
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 1
+
+ # -- If etcd is behind a k8s service set this option to true so that Cilium
+ # does the service translation automatically without requiring a DNS to be
+ # running.
+ k8sService: false
+
+ # -- Cluster domain for cilium-etcd-operator.
+ clusterDomain: cluster.local
+
+ # -- List of etcd endpoints (not needed when using managed=true).
+ endpoints:
+ - https://CHANGE-ME:2379
+
+ # -- Enable use of TLS/SSL for connectivity to etcd. (auto-enabled if
+ # managed=true)
+ ssl: false
+
+ operator:
+ # -- Enable the cilium-operator component (required).
+ enabled: true
+
+ # -- Roll out cilium-operator pods automatically when configmap is updated.
+ rollOutPods: false
+
+ # -- cilium-operator image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/operator"
+ tag: "v1.15.2"
+ # operator-generic-digest
+ genericDigest: ""
+ # operator-azure-digest
+ azureDigest: ""
+ # operator-aws-digest
+ awsDigest: ""
+ # operator-alibabacloud-digest
+ alibabacloudDigest: ""
+ useDigest: false
+ pullPolicy: "IfNotPresent"
+ suffix: ""
+
+ # -- Number of replicas to run for the cilium-operator deployment
+ replicas: 2
+
+ # -- The priority class to use for cilium-operator
+ priorityClassName: ""
+
+ # -- DNS policy for Cilium operator pods.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
+ dnsPolicy: ""
+
+ # -- cilium-operator update strategy
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 50%
+
+ # -- Affinity for cilium-operator
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - topologyKey: kubernetes.io/hostname
+ labelSelector:
+ matchLabels:
+ io.cilium/app: operator
+
+ # -- Pod topology spread constraints for cilium-operator
+ topologySpreadConstraints: []
+ # - maxSkew: 1
+ # topologyKey: topology.kubernetes.io/zone
+ # whenUnsatisfiable: DoNotSchedule
+
+ # -- Node labels for cilium-operator pod assignment
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # -- Node tolerations for cilium-operator scheduling to nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations:
+ - operator: Exists
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ # -- Additional cilium-operator container arguments.
+ extraArgs: []
+
+ # -- Additional cilium-operator environment variables.
+ extraEnv: []
+
+ # -- Additional cilium-operator hostPath mounts.
+ extraHostPathMounts: []
+ # - name: host-mnt-data
+ # mountPath: /host/mnt/data
+ # hostPath: /mnt/data
+ # hostPathType: Directory
+ # readOnly: true
+ # mountPropagation: HostToContainer
+
+ # -- Additional cilium-operator volumes.
+ extraVolumes: []
+
+ # -- Additional cilium-operator volumeMounts.
+ extraVolumeMounts: []
+
+ # -- Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator)
+ annotations: {}
+
+ # -- Security context to be added to cilium-operator pods
+ podSecurityContext: {}
+
+ # -- Annotations to be added to cilium-operator pods
+ podAnnotations: {}
+
+ # -- Labels to be added to cilium-operator pods
+ podLabels: {}
+
+ # PodDisruptionBudget settings
+ podDisruptionBudget:
+ # -- enable PodDisruptionBudget
+ # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ enabled: false
+ # -- Minimum number/percentage of pods that should remain scheduled.
+ # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
+ minAvailable: null
+ # -- Maximum number/percentage of pods that may be made unavailable
+ maxUnavailable: 1
+
+ # -- cilium-operator resource limits & requests
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources: {}
+ # limits:
+ # cpu: 1000m
+ # memory: 1Gi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+ # -- Security context to be added to cilium-operator pods
+ securityContext: {}
+ # runAsUser: 0
+
+ # -- Interval for endpoint garbage collection.
+ endpointGCInterval: "5m0s"
+
+ # -- Interval for cilium node garbage collection.
+ nodeGCInterval: "5m0s"
+
+ # -- Skip CNP node status clean up at operator startup.
+ skipCNPStatusStartupClean: false
+
+ # -- Interval for identity garbage collection.
+ identityGCInterval: "15m0s"
+
+ # -- Timeout for identity heartbeats.
+ identityHeartbeatTimeout: "30m0s"
+
+ pprof:
+ # -- Enable pprof for cilium-operator
+ enabled: false
+ # -- Configure pprof listen address for cilium-operator
+ address: localhost
+ # -- Configure pprof listen port for cilium-operator
+ port: 6061
+
+ # -- Enable prometheus metrics for cilium-operator on the configured port at
+ # /metrics
+ prometheus:
+ enabled: true
+ port: 9963
+ serviceMonitor:
+ # -- Enable service monitors.
+ # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
+ enabled: false
+ # -- Labels to add to ServiceMonitor cilium-operator
+ labels: {}
+ # -- Annotations to add to ServiceMonitor cilium-operator
+ annotations: {}
+ # -- jobLabel to add for ServiceMonitor cilium-operator
+ jobLabel: ""
+ # -- Interval for scrape metrics.
+ interval: "10s"
+ # -- Relabeling configs for the ServiceMonitor cilium-operator
+ relabelings: ~
+ # -- Metrics relabeling configs for the ServiceMonitor cilium-operator
+ metricRelabelings: ~
+
+ # -- Grafana dashboards for cilium-operator
+ # grafana can import dashboards based on the label and value
+ # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards
+ dashboards:
+ enabled: false
+ label: grafana_dashboard
+ namespace: ~
+ labelValue: "1"
+ annotations: {}
+
+ # -- Skip CRDs creation for cilium-operator
+ skipCRDCreation: false
+
+ # -- Remove Cilium node taint from Kubernetes nodes that have a healthy Cilium
+ # pod running.
+ removeNodeTaints: true
+
+ # -- Taint nodes where Cilium is scheduled but not running. This prevents pods
+ # from being scheduled to nodes where Cilium is not the default CNI provider.
+ # @default -- same as removeNodeTaints
+ setNodeTaints: ~
+
+ # -- Set Node condition NetworkUnavailable to 'false' with the reason
+ # 'CiliumIsUp' for nodes that have a healthy Cilium pod.
+ setNodeNetworkStatus: true
+
+ unmanagedPodWatcher:
+ # -- Restart any pod that are not managed by Cilium.
+ restart: true
+ # -- Interval, in seconds, to check if there are any pods that are not
+ # managed by Cilium.
+ intervalSeconds: 15
+
+ nodeinit:
+ # -- Enable the node initialization DaemonSet
+ enabled: false
+
+ # -- node-init image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/startup-script"
+ tag: "62093c5c233ea914bfa26a10ba41f8780d9b737f"
+ pullPolicy: "IfNotPresent"
+
+ # -- The priority class to use for the nodeinit pod.
+ priorityClassName: ""
+
+ # -- node-init update strategy
+ updateStrategy:
+ type: RollingUpdate
+
+ # -- Additional nodeinit environment variables.
+ extraEnv: []
+
+ # -- Additional nodeinit volumes.
+ extraVolumes: []
+
+ # -- Additional nodeinit volumeMounts.
+ extraVolumeMounts: []
+
+ # -- Affinity for cilium-nodeinit
+ affinity: {}
+
+ # -- Node labels for nodeinit pod assignment
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # -- Node tolerations for nodeinit scheduling to nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations:
+ - operator: Exists
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ # -- Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit)
+ annotations: {}
+
+ # -- Annotations to be added to node-init pods.
+ podAnnotations: {}
+
+ # -- Labels to be added to node-init pods.
+ podLabels: {}
+
+ # -- nodeinit resource limits & requests
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+
+ # -- Security context to be added to nodeinit pods.
+ securityContext:
+ privileged: false
+ seLinuxOptions:
+ level: 's0'
+ # Running with spc_t since we have removed the privileged mode.
+ # Users can change it to a different type as long as they have the
+ # type available on the system.
+ type: 'spc_t'
+ capabilities:
+ add:
+ # Used in iptables. Consider removing once we are iptables-free
+ - SYS_MODULE
+ # Used for nsenter
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_CHROOT
+ - SYS_PTRACE
+
+ # -- bootstrapFile is the location of the file where the bootstrap timestamp is
+ # written by the node-init DaemonSet
+ bootstrapFile: "/tmp/cilium-bootstrap.d/cilium-bootstrap-time"
+
+ # -- startup offers way to customize startup nodeinit script (pre and post position)
+ startup:
+ preScript: ""
+ postScript: ""
+ # -- prestop offers way to customize prestop nodeinit script (pre and post position)
+ prestop:
+ preScript: ""
+ postScript: ""
+
+ preflight:
+ # -- Enable Cilium pre-flight resources (required for upgrade)
+ enabled: false
+
+ # -- Cilium pre-flight image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/cilium"
+ tag: "v1.15.2"
+ # cilium-digest
+ digest: ""
+ useDigest: false
+ pullPolicy: "IfNotPresent"
+
+ # -- The priority class to use for the preflight pod.
+ priorityClassName: ""
+
+ # -- preflight update strategy
+ updateStrategy:
+ type: RollingUpdate
+
+ # -- Additional preflight environment variables.
+ extraEnv: []
+
+ # -- Additional preflight volumes.
+ extraVolumes: []
+
+ # -- Additional preflight volumeMounts.
+ extraVolumeMounts: []
+
+ # -- Affinity for cilium-preflight
+ affinity:
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - topologyKey: kubernetes.io/hostname
+ labelSelector:
+ matchLabels:
+ k8s-app: cilium
+
+ # -- Node labels for preflight pod assignment
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # -- Node tolerations for preflight scheduling to nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations:
+ - key: node.kubernetes.io/not-ready
+ effect: NoSchedule
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ - key: node-role.kubernetes.io/control-plane
+ effect: NoSchedule
+ - key: node.cloudprovider.kubernetes.io/uninitialized
+ effect: NoSchedule
+ value: "true"
+ - key: CriticalAddonsOnly
+ operator: "Exists"
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ # -- Annotations to be added to all top-level preflight objects (resources under templates/cilium-preflight)
+ annotations: {}
+
+ # -- Security context to be added to preflight pods.
+ podSecurityContext: {}
+
+ # -- Annotations to be added to preflight pods
+ podAnnotations: {}
+
+ # -- Labels to be added to the preflight pod.
+ podLabels: {}
+
+ # PodDisruptionBudget settings
+ podDisruptionBudget:
+ # -- enable PodDisruptionBudget
+ # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ enabled: false
+ # -- Minimum number/percentage of pods that should remain scheduled.
+ # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
+ minAvailable: null
+ # -- Maximum number/percentage of pods that may be made unavailable
+ maxUnavailable: 1
+
+ # -- preflight resource limits & requests
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources: {}
+ # limits:
+ # cpu: 4000m
+ # memory: 4Gi
+ # requests:
+ # cpu: 100m
+ # memory: 512Mi
+
+ # -- Security context to be added to preflight pods
+ securityContext: {}
+ # runAsUser: 0
+
+ # -- Path to write the `--tofqdns-pre-cache` file to.
+ tofqdnsPreCache: ""
+
+ # -- Configure termination grace period for preflight Deployment and DaemonSet.
+ terminationGracePeriodSeconds: 1
+
+ # -- By default we should always validate the installed CNPs before upgrading
+ # Cilium. This will make sure the user will have the policies deployed in the
+ # cluster with the right schema.
+ validateCNPs: true
+
+ # -- Explicitly enable or disable priority class.
+ # .Capabilities.KubeVersion is unsettable in `helm template` calls,
+ # it depends on k8s libraries version that Helm was compiled against.
+ # This option allows to explicitly disable setting the priority class, which
+ # is useful for rendering charts for gke clusters in advance.
+ enableCriticalPriorityClass: true
+
+ # disableEnvoyVersionCheck removes the check for Envoy, which can be useful
+ # on AArch64 as the images do not currently ship a version of Envoy.
+ #disableEnvoyVersionCheck: false
+
+ clustermesh:
+ # -- Deploy clustermesh-apiserver for clustermesh
+ useAPIServer: enabled
+ # -- The maximum number of clusters to support in a ClusterMesh. This value
+ # cannot be changed on running clusters, and all clusters in a ClusterMesh
+ # must be configured with the same value. Values > 255 will decrease the
+ # maximum allocatable cluster-local identities.
+ # Supported values are 255 and 511.
+ maxConnectedClusters: 255
+
+ # -- Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config)
+ annotations: {}
+
+ # -- Clustermesh explicit configuration.
+ config:
+ # -- Enable the Clustermesh explicit configuration.
+ enabled: true
+ # -- Default dns domain for the Clustermesh API servers
+ # This is used in the case cluster addresses are not provided
+ # and IPs are used.
+ domain: mesh.cilium.io
+ # -- List of clusters to be peered in the mesh.
+ clusters:
+ # -- Name of the cluster
+ - name: cluster-01
+ # -- Address of the cluster, use this if you created DNS records for
+ # the cluster Clustermesh API server.
+ address: cluster-01.mesh.cilium.io
+ # -- Port of the cluster Clustermesh API server.
+ port: 2379
+ # -- IPs of the cluster Clustermesh API server, use multiple ones when
+ # you have multiple IPs to access the Clustermesh API server.
+ ips:
+ - 172.18.255.201
+ # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority.
+ # These fields can (and should) be omitted in case the CA is shared across clusters. In that case, the
+ # "remote" private key and certificate available in the local cluster are automatically used instead.
+ # tls:
+ # cert: ""
+ # key: ""
+ # caCert: ""
+ - name: cluster-02
+ # -- Address of the cluster, use this if you created DNS records for
+ # the cluster Clustermesh API server.
+ address: cluster-02.mesh.cilium.io
+ # -- Port of the cluster Clustermesh API server.
+ port: 2379
+ # -- IPs of the cluster Clustermesh API server, use multiple ones when
+ # you have multiple IPs to access the Clustermesh API server.
+ ips:
+ - 172.18.255.202
+ # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority.
+ # These fields can (and should) be omitted in case the CA is shared across clusters. In that case, the
+ # "remote" private key and certificate available in the local cluster are automatically used instead.
+ # tls:
+ # cert: ""
+ # key: ""
+ # caCert: ""
+
+
+ apiserver:
+ # -- Clustermesh API server image.
+ image:
+ override: ~
+ repository: "quay.io/cilium/clustermesh-apiserver"
+ tag: "v1.15.2"
+ # clustermesh-apiserver-digest
+ digest: ""
+ useDigest: false
+ pullPolicy: "IfNotPresent"
+
+ etcd:
+ # The etcd binary is included in the clustermesh API server image, so the same image from above is reused.
+ # Independent override isn't supported, because clustermesh-apiserver is tested against the etcd version it is
+ # built with.
+
+ # -- Specifies the resources for etcd container in the apiserver
+ resources: {}
+ # requests:
+ # cpu: 200m
+ # memory: 256Mi
+ # limits:
+ # cpu: 1000m
+ # memory: 256Mi
+
+ # -- Security context to be added to clustermesh-apiserver etcd containers
+ securityContext: {}
+
+ # -- lifecycle setting for the etcd container
+ lifecycle: {}
+
+ init:
+ # -- Specifies the resources for etcd init container in the apiserver
+ resources: {}
+ # requests:
+ # cpu: 100m
+ # memory: 100Mi
+ # limits:
+ # cpu: 100m
+ # memory: 100Mi
+
+ # -- Additional arguments to `clustermesh-apiserver etcdinit`.
+ extraArgs: []
+
+ # -- Additional environment variables to `clustermesh-apiserver etcdinit`.
+ extraEnv: []
+
+ kvstoremesh:
+ # -- Enable KVStoreMesh. KVStoreMesh caches the information retrieved
+ # from the remote clusters in the local etcd instance.
+ enabled: false
+
+ # -- Additional KVStoreMesh arguments.
+ extraArgs: []
+
+ # -- Additional KVStoreMesh environment variables.
+ extraEnv: []
+
+ # -- Resource requests and limits for the KVStoreMesh container
+ resources: {}
+ # requests:
+ # cpu: 100m
+ # memory: 64Mi
+ # limits:
+ # cpu: 1000m
+ # memory: 1024M
+
+ # -- Additional KVStoreMesh volumeMounts.
+ extraVolumeMounts: []
+
+ # -- KVStoreMesh Security context
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+
+ # -- lifecycle setting for the KVStoreMesh container
+ lifecycle: {}
+
+ service:
+ # -- The type of service used for apiserver access.
+ type: NodePort
+ # -- Optional port to use as the node port for apiserver access.
+ #
+ # WARNING: make sure to configure a different NodePort in each cluster if
+ # kube-proxy replacement is enabled, as Cilium is currently affected by a known
+ # bug (#24692) when NodePorts are handled by the KPR implementation. If a service
+ # with the same NodePort exists both in the local and the remote cluster, all
+ # traffic originating from inside the cluster and targeting the corresponding
+ # NodePort will be redirected to a local backend, regardless of whether the
+ # destination node belongs to the local or the remote cluster.
+ nodePort: 32379
+ # -- Optional loadBalancer IP address to use with type LoadBalancer.
+ # loadBalancerIP:
+
+ # -- Annotations for the clustermesh-apiserver
+ # For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal"
+ # For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
+ annotations: {}
+
+ # -- The externalTrafficPolicy of service used for apiserver access.
+ externalTrafficPolicy:
+
+ # -- The internalTrafficPolicy of service used for apiserver access.
+ internalTrafficPolicy:
+
+ # -- Number of replicas run for the clustermesh-apiserver deployment.
+ replicas: 1
+
+ # -- lifecycle setting for the apiserver container
+ lifecycle: {}
+
+ # -- terminationGracePeriodSeconds for the clustermesh-apiserver deployment
+ terminationGracePeriodSeconds: 30
+
+ # -- Additional clustermesh-apiserver arguments.
+ extraArgs: []
+
+ # -- Additional clustermesh-apiserver environment variables.
+ extraEnv: []
+
+ # -- Additional clustermesh-apiserver volumes.
+ extraVolumes: []
+
+ # -- Additional clustermesh-apiserver volumeMounts.
+ extraVolumeMounts: []
+
+ # -- Security context to be added to clustermesh-apiserver containers
+ securityContext: {}
+
+ # -- Security context to be added to clustermesh-apiserver pods
+ podSecurityContext: {}
+
+ # -- Annotations to be added to clustermesh-apiserver pods
+ podAnnotations: {}
+
+ # -- Labels to be added to clustermesh-apiserver pods
+ podLabels: {}
+
+ # PodDisruptionBudget settings
+ podDisruptionBudget:
+ # -- enable PodDisruptionBudget
+ # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ enabled: false
+ # -- Minimum number/percentage of pods that should remain scheduled.
+ # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
+ minAvailable: null
+ # -- Maximum number/percentage of pods that may be made unavailable
+ maxUnavailable: 1
+
+ # -- Resource requests and limits for the clustermesh-apiserver container of the clustermesh-apiserver deployment, such as
+ # resources:
+ # limits:
+ # cpu: 1000m
+ # memory: 1024M
+ # requests:
+ # cpu: 100m
+ # memory: 64Mi
+ # -- Resource requests and limits for the clustermesh-apiserver
+ resources: {}
+ # requests:
+ # cpu: 100m
+ # memory: 64Mi
+ # limits:
+ # cpu: 1000m
+ # memory: 1024M
+
+ # -- Affinity for clustermesh.apiserver
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - topologyKey: kubernetes.io/hostname
+ labelSelector:
+ matchLabels:
+ k8s-app: clustermesh-apiserver
+
+ # -- Pod topology spread constraints for clustermesh-apiserver
+ topologySpreadConstraints: []
+ # - maxSkew: 1
+ # topologyKey: topology.kubernetes.io/zone
+ # whenUnsatisfiable: DoNotSchedule
+
+ # -- Node labels for pod assignment
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # -- Node tolerations for pod assignment on nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations: []
+
+ # -- clustermesh-apiserver update strategy
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+
+ # -- The priority class to use for clustermesh-apiserver
+ priorityClassName: ""
+
+ tls:
+ # -- Configure the clustermesh authentication mode.
+ # Supported values:
+ # - legacy: All clusters access remote clustermesh instances with the same
+ # username (i.e., remote). The "remote" certificate must be
+ # generated with CN=remote if provided manually.
+ # - migration: Intermediate mode required to upgrade from legacy to cluster
+ # (and vice versa) with no disruption. Specifically, it enables
+ # the creation of the per-cluster usernames, while still using
+ # the common one for authentication. The "remote" certificate must
+ # be generated with CN=remote if provided manually (same as legacy).
+ # - cluster: Each cluster accesses remote etcd instances with a username
+ # depending on the local cluster name (i.e., remote-).
+ # The "remote" certificate must be generated with CN=remote-
+ # if provided manually. Cluster mode is meaningful only when the same
+ # CA is shared across all clusters part of the mesh.
+ authMode: legacy
+
+ # -- Configure automatic TLS certificates generation.
+ # A Kubernetes CronJob is used the generate any
+ # certificates not provided by the user at installation
+ # time.
+ auto:
+ # -- When set to true, automatically generate a CA and certificates to
+ # enable mTLS between clustermesh-apiserver and external workload instances.
+ # If set to false, the certs to be provided by setting appropriate values below.
+ enabled: true
+ # Sets the method to auto-generate certificates. Supported values:
+ # - helm: This method uses Helm to generate all certificates.
+ # - cronJob: This method uses a Kubernetes CronJob the generate any
+ # certificates not provided by the user at installation
+ # time.
+ # - certmanager: This method use cert-manager to generate & rotate certificates.
+ method: helm
+ # -- Generated certificates validity duration in days.
+ certValidityDuration: 1095
+ # -- Schedule for certificates regeneration (regardless of their expiration date).
+ # Only used if method is "cronJob". If nil, then no recurring job will be created.
+ # Instead, only the one-shot job is deployed to generate the certificates at
+ # installation time.
+ #
+ # Due to the out-of-band distribution of client certs to external workloads the
+ # CA is (re)regenerated only if it is not provided as a helm value and the k8s
+ # secret is manually deleted.
+ #
+ # Defaults to none. Commented syntax gives midnight of the first day of every
+ # fourth month. For syntax, see
+ # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax
+ # schedule: "0 0 1 */4 *"
+
+ # [Example]
+ # certManagerIssuerRef:
+ # group: cert-manager.io
+ # kind: ClusterIssuer
+ # name: ca-issuer
+ # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager.
+ certManagerIssuerRef: {}
+ # -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key.
+ # Used if 'auto' is not enabled.
+ server:
+ cert: ""
+ key: ""
+ # -- Extra DNS names added to certificate when it's auto generated
+ extraDnsNames: []
+ # -- Extra IP addresses added to certificate when it's auto generated
+ extraIpAddresses: []
+ # -- base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key.
+ # Used if 'auto' is not enabled.
+ admin:
+ cert: ""
+ key: ""
+ # -- base64 encoded PEM values for the clustermesh-apiserver client certificate and private key.
+ # Used if 'auto' is not enabled.
+ client:
+ cert: ""
+ key: ""
+ # -- base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key.
+ # Used if 'auto' is not enabled.
+ remote:
+ cert: ""
+ key: ""
+
+ # clustermesh-apiserver Prometheus metrics configuration
+ metrics:
+ # -- Enables exporting apiserver metrics in OpenMetrics format.
+ enabled: true
+ # -- Configure the port the apiserver metric server listens on.
+ port: 9962
+
+ kvstoremesh:
+ # -- Enables exporting KVStoreMesh metrics in OpenMetrics format.
+ enabled: true
+ # -- Configure the port the KVStoreMesh metric server listens on.
+ port: 9964
+
+ etcd:
+ # -- Enables exporting etcd metrics in OpenMetrics format.
+ enabled: true
+ # -- Set level of detail for etcd metrics; specify 'extensive' to include server side gRPC histogram metrics.
+ mode: basic
+ # -- Configure the port the etcd metric server listens on.
+ port: 9963
+
+ serviceMonitor:
+ # -- Enable service monitor.
+ # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
+ enabled: false
+ # -- Labels to add to ServiceMonitor clustermesh-apiserver
+ labels: {}
+ # -- Annotations to add to ServiceMonitor clustermesh-apiserver
+ annotations: {}
+ # -- Specify the Kubernetes namespace where Prometheus expects to find
+ # service monitors configured.
+ # namespace: ""
+
+ # -- Interval for scrape metrics (apiserver metrics)
+ interval: "10s"
+ # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics)
+ relabelings: ~
+ # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics)
+ metricRelabelings: ~
+
+ kvstoremesh:
+ # -- Interval for scrape metrics (KVStoreMesh metrics)
+ interval: "10s"
+ # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics)
+ relabelings: ~
+ # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics)
+ metricRelabelings: ~
+
+ etcd:
+ # -- Interval for scrape metrics (etcd metrics)
+ interval: "10s"
+ # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics)
+ relabelings: ~
+ # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics)
+ metricRelabelings: ~
+
+ # -- Configure external workloads support
+ externalWorkloads:
+ # -- Enable support for external workloads, such as VMs (false by default).
+ enabled: false
+
+ # -- Configure cgroup related configuration
+ cgroup:
+ autoMount:
+ # -- Enable auto mount of cgroup2 filesystem.
+ # When `autoMount` is enabled, cgroup2 filesystem is mounted at
+ # `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod.
+ # If users disable `autoMount`, it's expected that users have mounted
+ # cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the
+ # volume will be mounted inside the cilium agent pod at the same path.
+ enabled: true
+ # -- Init Container Cgroup Automount resource limits & requests
+ resources: {}
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+ # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`)
+ hostRoot: /run/cilium/cgroupv2
+
+ # -- Configure whether to enable auto detect of terminating state for endpoints
+ # in order to support graceful termination.
+ enableK8sTerminatingEndpoint: true
+
+ # -- Configure whether to unload DNS policy rules on graceful shutdown
+ # dnsPolicyUnloadOnShutdown: false
+
+ # -- Configure the key of the taint indicating that Cilium is not ready on the node.
+ # When set to a value starting with `ignore-taint.cluster-autoscaler.kubernetes.io/`, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up.
+ agentNotReadyTaintKey: "node.cilium.io/agent-not-ready"
+
+ dnsProxy:
+ # -- DNS response code for rejecting DNS requests, available options are '[nameError refused]'.
+ dnsRejectResponseCode: refused
+ # -- Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present.
+ enableDnsCompression: true
+ # -- Maximum number of IPs to maintain per FQDN name for each endpoint.
+ endpointMaxIpPerHostname: 50
+ # -- Time during which idle but previously active connections with expired DNS lookups are still considered alive.
+ idleConnectionGracePeriod: 0s
+ # -- Maximum number of IPs to retain for expired DNS lookups with still-active connections.
+ maxDeferredConnectionDeletes: 10000
+ # -- The minimum time, in seconds, to use DNS data for toFQDNs policies. If
+ # the upstream DNS server returns a DNS record with a shorter TTL, Cilium
+ # overwrites the TTL with this value. Setting this value to zero means that
+ # Cilium will honor the TTLs returned by the upstream DNS server.
+ minTtl: 0
+ # -- DNS cache data at this path is preloaded on agent startup.
+ preCache: ""
+ # -- Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port.
+ proxyPort: 0
+ # -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information.
+ proxyResponseMaxDelay: 100ms
+ # -- DNS proxy operation mode (true/false, or unset to use version dependent defaults)
+ # enableTransparentMode: true
+
+ # -- SCTP Configuration Values
+ sctp:
+ # -- Enable SCTP support. NOTE: Currently, SCTP support does not support rewriting ports or multihoming.
+ enabled: false
+
+ # Configuration for types of authentication for Cilium (beta)
+ authentication:
+ # -- Enable authentication processing and garbage collection.
+ # Note that if disabled, policy enforcement will still block requests that require authentication.
+ # But the resulting authentication requests for these requests will not be processed, therefore the requests not be allowed.
+ enabled: true
+ # -- Buffer size of the channel Cilium uses to receive authentication events from the signal map.
+ queueSize: 1024
+ # -- Buffer size of the channel Cilium uses to receive certificate expiration events from auth handlers.
+ rotatedIdentitiesQueueSize: 1024
+ # -- Interval for garbage collection of auth map entries.
+ gcInterval: "5m0s"
+ # Configuration for Cilium's service-to-service mutual authentication using TLS handshakes.
+ # Note that this is not full mTLS support without also enabling encryption of some form.
+ # Current encryption options are Wireguard or IPSec, configured in encryption block above.
+ mutual:
+ # -- Port on the agent where mutual authentication handshakes between agents will be performed
+ port: 4250
+ # -- Timeout for connecting to the remote node TCP socket
+ connectTimeout: 5s
+ # Settings for SPIRE
+ spire:
+ # -- Enable SPIRE integration (beta)
+ enabled: false
+ # -- Annotations to be added to all top-level spire objects (resources under templates/spire)
+ annotations: {}
+ # Settings to control the SPIRE installation and configuration
+ install:
+ # -- Enable SPIRE installation.
+ # This will only take effect only if authentication.mutual.spire.enabled is true
+ enabled: true
+ # -- SPIRE namespace to install into
+ namespace: cilium-spire
+ # -- SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace.
+ existingNamespace: false
+ # -- init container image of SPIRE agent and server
+ initImage:
+ override: ~
+ repository: "docker.io/library/busybox"
+ tag: "1.36.1"
+ digest: "sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b"
+ useDigest: true
+ pullPolicy: "IfNotPresent"
+ # SPIRE agent configuration
+ agent:
+ # -- SPIRE agent image
+ image:
+ override: ~
+ repository: "ghcr.io/spiffe/spire-agent"
+ tag: "1.8.5"
+ digest: "sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b"
+ useDigest: true
+ pullPolicy: "IfNotPresent"
+ # -- SPIRE agent service account
+ serviceAccount:
+ create: true
+ name: spire-agent
+ # -- SPIRE agent annotations
+ annotations: {}
+ # -- SPIRE agent labels
+ labels: {}
+ # -- SPIRE Workload Attestor kubelet verification.
+ skipKubeletVerification: true
+ # -- SPIRE agent tolerations configuration
+ # By default it follows the same tolerations as the agent itself
+ # to allow the Cilium agent on this node to connect to SPIRE.
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations:
+ - key: node.kubernetes.io/not-ready
+ effect: NoSchedule
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ - key: node-role.kubernetes.io/control-plane
+ effect: NoSchedule
+ - key: node.cloudprovider.kubernetes.io/uninitialized
+ effect: NoSchedule
+ value: "true"
+ - key: CriticalAddonsOnly
+ operator: "Exists"
+ # -- SPIRE agent affinity configuration
+ affinity: {}
+ # -- SPIRE agent nodeSelector configuration
+ # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ nodeSelector: {}
+ # -- Security context to be added to spire agent pods.
+ # SecurityContext holds pod-level security attributes and common container settings.
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ podSecurityContext: {}
+ # -- Security context to be added to spire agent containers.
+ # SecurityContext holds pod-level security attributes and common container settings.
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ securityContext: {}
+ server:
+ # -- SPIRE server image
+ image:
+ override: ~
+ repository: "ghcr.io/spiffe/spire-server"
+ tag: "1.8.5"
+ digest: "sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428"
+ useDigest: true
+ pullPolicy: "IfNotPresent"
+ # -- SPIRE server service account
+ serviceAccount:
+ create: true
+ name: spire-server
+ # -- SPIRE server init containers
+ initContainers: []
+ # -- SPIRE server annotations
+ annotations: {}
+ # -- SPIRE server labels
+ labels: {}
+ # SPIRE server service configuration
+ service:
+ # -- Service type for the SPIRE server service
+ type: ClusterIP
+ # -- Annotations to be added to the SPIRE server service
+ annotations: {}
+ # -- Labels to be added to the SPIRE server service
+ labels: {}
+ # -- SPIRE server affinity configuration
+ affinity: {}
+ # -- SPIRE server nodeSelector configuration
+ # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ nodeSelector: {}
+ # -- SPIRE server tolerations configuration
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations: []
+ # SPIRE server datastorage configuration
+ dataStorage:
+ # -- Enable SPIRE server data storage
+ enabled: true
+ # -- Size of the SPIRE server data storage
+ size: 1Gi
+ # -- Access mode of the SPIRE server data storage
+ accessMode: ReadWriteOnce
+ # -- StorageClass of the SPIRE server data storage
+ storageClass: null
+ # -- Security context to be added to spire server pods.
+ # SecurityContext holds pod-level security attributes and common container settings.
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ podSecurityContext: {}
+ # -- Security context to be added to spire server containers.
+ # SecurityContext holds pod-level security attributes and common container settings.
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ securityContext: {}
+ # SPIRE CA configuration
+ ca:
+ # -- SPIRE CA key type
+ # AWS requires the use of RSA. EC cryptography is not supported
+ keyType: "rsa-4096"
+ # -- SPIRE CA Subject
+ subject:
+ country: "US"
+ organization: "SPIRE"
+ commonName: "Cilium SPIRE CA"
+ # -- SPIRE server address used by Cilium Operator
+ #
+ # If k8s Service DNS along with port number is used (e.g. ..svc(.*): format),
+ # Cilium Operator will resolve its address by looking up the clusterIP from Service resource.
+ #
+ # Example values: 10.0.0.1:8081, spire-server.cilium-spire.svc:8081
+ serverAddress: ~
+ # -- SPIFFE trust domain to use for fetching certificates
+ trustDomain: spiffe.cilium
+ # -- SPIRE socket path where the SPIRE delegated api agent is listening
+ adminSocketPath: /run/spire/sockets/admin.sock
+ # -- SPIRE socket path where the SPIRE workload agent is listening.
+ # Applies to both the Cilium Agent and Operator
+ agentSocketPath: /run/spire/sockets/agent/agent.sock
+ # -- SPIRE connection timeout
+ connectionTimeout: 30s
diff --git a/clusters/cluster-mgmt/cluster-02/capi-cluster.yaml b/clusters/cluster-mgmt/cluster-02/capi-cluster.yaml
new file mode 100644
index 0000000..785d10d
--- /dev/null
+++ b/clusters/cluster-mgmt/cluster-02/capi-cluster.yaml
@@ -0,0 +1,142 @@ +--- +apiVersion: cluster.x-k8s.io/v1beta1 +kind: Cluster +metadata: + name: "cluster-02" + namespace: "cluster-02" + labels: + cluster.x-k8s.io/cluster-name: "cluster-02" + cilium-mesh: "main" + cilium-mesh-index: 2 +spec: + clusterNetwork: + pods: + cidrBlocks: + - "192.168.32.0/20" + infrastructureRef: + apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 + kind: AWSCluster + name: "cluster-02" + controlPlaneRef: + kind: KubeadmControlPlane + apiVersion: controlplane.cluster.x-k8s.io/v1beta1 + name: "cluster-02-control-plane" +--- +apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 +kind: AWSCluster +metadata: + name: "cluster-02" + namespace: "cluster-02" +spec: + region: "ap-southeast-2" + sshKeyName: "aws" + network: + vpc: + availabilityZoneUsageLimit: 1 + cni: + cniIngressRules: + - description: "(cilium) VXLAN overlay" + protocol: udp + fromPort: 8472 + toPort: 8472 + - description: "(cilium) health checks" + protocol: tcp + fromPort: 4240 + toPort: 4240 +--- +kind: KubeadmControlPlane +apiVersion: controlplane.cluster.x-k8s.io/v1beta1 +metadata: + name: "cluster-02-control-plane" + namespace: "cluster-02" +spec: + replicas: 1 + machineTemplate: + infrastructureRef: + kind: AWSMachineTemplate + apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 + name: "cluster-02-control-plane" + kubeadmConfigSpec: + initConfiguration: + nodeRegistration: + name: '{{ ds.meta_data.local_hostname }}' + kubeletExtraArgs: + cloud-provider: aws + skipPhases: + - addon/kube-proxy + clusterConfiguration: + apiServer: + extraArgs: + cloud-provider: aws + controllerManager: + extraArgs: + cloud-provider: aws + joinConfiguration: + nodeRegistration: + name: '{{ ds.meta_data.local_hostname }}' + kubeletExtraArgs: + cloud-provider: aws + version: "1.25.4" +--- +kind: AWSMachineTemplate +apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 +metadata: + name: "cluster-02-control-plane" + namespace: "cluster-02" +spec: + template: + spec: + instanceType: "t3.medium" + 
iamInstanceProfile: "control-plane.cluster-api-provider-aws.sigs.k8s.io" + sshKeyName: "aws" +--- +apiVersion: cluster.x-k8s.io/v1beta1 +kind: MachineDeployment +metadata: + name: "cluster-02-md-0" + namespace: "cluster-02" +spec: + clusterName: "cluster-02" + replicas: 1 + selector: + matchLabels: + template: + spec: + clusterName: "cluster-02" + version: "1.25.4" + bootstrap: + configRef: + name: "cluster-02-md-0" + apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 + kind: KubeadmConfigTemplate + infrastructureRef: + name: "cluster-02-md-0" + apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 + kind: AWSMachineTemplate +--- +apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 +kind: AWSMachineTemplate +metadata: + name: "cluster-02-md-0" + namespace: "cluster-02" +spec: + template: + spec: + instanceType: "t3.medium" + iamInstanceProfile: "nodes.cluster-api-provider-aws.sigs.k8s.io" + sshKeyName: "aws" +--- +apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 +kind: KubeadmConfigTemplate +metadata: + name: "cluster-02-md-0" + namespace: "cluster-02" +spec: + template: + spec: + joinConfiguration: + nodeRegistration: + name: '{{ ds.meta_data.local_hostname }}' + kubeletExtraArgs: + cloud-provider: aws + max-pods: '64' diff --git a/clusters/cluster-mgmt/cluster-02/kustomization.yaml b/clusters/cluster-mgmt/cluster-02/kustomization.yaml new file mode 100644 index 0000000..5e13634 --- /dev/null +++ b/clusters/cluster-mgmt/cluster-02/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespace.yaml + - platform.yaml + - capi-cluster.yaml + - caaph-hcp-v1.15.2.yaml diff --git a/clusters/cluster-mgmt/cluster-02/namespace.yaml b/clusters/cluster-mgmt/cluster-02/namespace.yaml new file mode 100644 index 0000000..1190062 --- /dev/null +++ b/clusters/cluster-mgmt/cluster-02/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cluster-02 
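Review bot: The label `cilium-mesh-index: 2` in the Cluster metadata is an unquoted YAML integer, and Kubernetes label values must be strings, so this object is rejected at decode time; quote it as `cilium-mesh-index: "2"`, matching the neighbouring `cluster.x-k8s.io/cluster-name: "cluster-02"`. The same file pins `version: "1.25.4"` on both the KubeadmControlPlane and the MachineDeployment while the clusterctl variables elsewhere in this series use 1.28.4; if 1.25.4 is deliberate (presumably tied to the in-tree `cloud-provider: aws` flags), a one-line comment saying so would stop the next reader from bumping it blindly.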
diff --git a/clusters/cluster-mgmt/cluster-02/platform.yaml b/clusters/cluster-mgmt/cluster-02/platform.yaml new file mode 100644 index 0000000..7489aa3 --- /dev/null +++ b/clusters/cluster-mgmt/cluster-02/platform.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: flux-remote + namespace: cluster-02 +spec: + interval: 1m + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + path: ./k8s-platform/flux/v2.2.2 + prune: true + kubeConfig: + secretRef: + name: cluster-02-kubeconfig diff --git a/clusters/cluster-mgmt/clusterctl.yaml b/clusters/cluster-mgmt/clusterctl.yaml index b527cfc..0bf355b 100644 --- a/clusters/cluster-mgmt/clusterctl.yaml +++ b/clusters/cluster-mgmt/clusterctl.yaml @@ -23,13 +23,16 @@ providers: # url: "https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases/v2.3.1/" # file: "infrastructure-components.yaml" -variables: - CLUSTER_NAME: "cluster-mgmt" - KUBERNETES_VERSION: "1.28.4" - EXP_CLUSTER_RESOURCE_SET: false +# TODO - these settings are already rendered and (from capi pov) are hardcoded in the repo. +# Is this true and is this the best way to do it? - AWS_CONTROL_PLANE_MACHINE_TYPE: "t3.medium" - AWS_NODE_MACHINE_TYPE: "t3.medium" - CONTROL_PLANE_MACHINE_COUNT: "1" - WORKER_MACHINE_COUNT: "1" - POD_CIDR: "192.168.0.0/20" +# variables: +# CLUSTER_NAME: "cluster-mgmt" +# KUBERNETES_VERSION: "1.28.4" +# EXP_CLUSTER_RESOURCE_SET: false +# +# AWS_CONTROL_PLANE_MACHINE_TYPE: "t3.medium" +# AWS_NODE_MACHINE_TYPE: "t3.medium" +# CONTROL_PLANE_MACHINE_COUNT: "1" +# WORKER_MACHINE_COUNT: "1" +# POD_CIDR: "192.168.0.0/20" diff --git a/k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy-no-mesh.yaml b/clusters/tmp-mgmt/cluster-mgmt/caaph-hcp-no-mesh-v1.15.2.yaml similarity index 100% rename from k8s-platform/cni-caaph-resource/cilium/v1.15.2/helm-chart-proxy-no-mesh.yaml rename to clusters/tmp-mgmt/cluster-mgmt/caaph-hcp-no-mesh-v1.15.2.yaml 
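Review bot: The `flux-remote` Kustomization lives in namespace cluster-02 but its `sourceRef` points at the GitRepository in flux-system; kustomize-controller denies such cross-namespace references when it runs with `--no-cross-namespace-refs=true`, so either confirm the controller is not locked down that way or reference a source in the same namespace. The secret `cluster-02-kubeconfig` is presumably the admin kubeconfig CAPI writes for the workload cluster, so any principal able to read secrets in namespace cluster-02 inherits full control of that cluster; a comment on the `kubeConfig:` block stating this, with RBAC on the namespace scoped accordingly, makes the trust boundary explicit. Note also that with `kubeConfig` set, `spec.serviceAccountName` impersonation does not constrain the remote side, so the apply runs with whatever that kubeconfig grants.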
diff --git a/clusters/tmp-mgmt/cluster-mgmt/kustomization.yaml b/clusters/tmp-mgmt/cluster-mgmt/kustomization.yaml index 011716b..2ddb551 100644 --- a/clusters/tmp-mgmt/cluster-mgmt/kustomization.yaml +++ b/clusters/tmp-mgmt/cluster-mgmt/kustomization.yaml @@ -3,11 +3,5 @@ kind: Kustomization resources: - namespace.yaml - platform.yaml + - caaph-hcp-no-mesh-v1.15.2.yaml - capi-cluster.yaml -patches: -- path: patch.yaml - target: - group: addons.cluster.x-k8s.io - version: v1alpha1 - kind: HelmChartProxy - name: cilium-no-mesh diff --git a/clusters/tmp-mgmt/cluster-mgmt/platform.yaml b/clusters/tmp-mgmt/cluster-mgmt/platform.yaml index 8e9479e..e461925 100644 --- a/clusters/tmp-mgmt/cluster-mgmt/platform.yaml +++ b/clusters/tmp-mgmt/cluster-mgmt/platform.yaml @@ -15,19 +15,3 @@ spec: kubeConfig: secretRef: name: cluster-mgmt-kubeconfig ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: caaph-cni - namespace: flux-system -spec: - interval: 1m - sourceRef: - kind: GitRepository - name: flux-system - path: ./k8s-platform/cni-caaph-resource/cilium/v1.15.2 - targetNamespace: cluster-mgmt - prune: true - dependsOn: - - name: caaph diff --git a/clusters/tmp-mgmt/clusterctl.yaml b/clusters/tmp-mgmt/clusterctl.yaml index 5b664b8..75d8197 100644 --- a/clusters/tmp-mgmt/clusterctl.yaml +++ b/clusters/tmp-mgmt/clusterctl.yaml 
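Review bot: Dropping the `patches:` block removes the JSON patch that set `/metadata/namespace` to cluster-mgmt on the `cilium-no-mesh` HelmChartProxy, and the newly listed `caaph-hcp-no-mesh-v1.15.2.yaml` arrives with no replacement for it; unless that file carries `metadata.namespace` or this Kustomization sets `namespace:` (neither is visible in the hunk), the HelmChartProxy is created in `default`. A `namespace: cluster-mgmt` field next to `resources:` would keep it co-located with the other cluster-mgmt objects and owned by the same pruning scope.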
@@ -23,13 +23,14 @@ providers: # url: "https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases/v2.3.1/" # file: "infrastructure-components.yaml" -variables: - CLUSTER_NAME: "cluster-mgmt" - KUBERNETES_VERSION: "1.28.4" - EXP_CLUSTER_RESOURCE_SET: false - - AWS_CONTROL_PLANE_MACHINE_TYPE: "t3.medium" - AWS_NODE_MACHINE_TYPE: "t3.medium" - CONTROL_PLANE_MACHINE_COUNT: "1" - WORKER_MACHINE_COUNT: "1" - POD_CIDR: "192.168.16.0/20" +# TODO - see note in ./clusters/cluster-mgmt/clusterctl.yaml +# variables: +# CLUSTER_NAME: "cluster-mgmt" +# KUBERNETES_VERSION: "1.28.4" +# EXP_CLUSTER_RESOURCE_SET: false +# +# AWS_CONTROL_PLANE_MACHINE_TYPE: "t3.medium" +# AWS_NODE_MACHINE_TYPE: "t3.medium" +# CONTROL_PLANE_MACHINE_COUNT: "1" +# WORKER_MACHINE_COUNT: "1" +# POD_CIDR: "192.168.16.0/20" diff --git a/go/config.yaml b/go/config.yaml index 11a0e1e..3b5872c 100644 --- a/go/config.yaml +++ b/go/config.yaml @@ -25,8 +25,7 @@ clusters: version: "2.2.2" cni: name: "cilium" - config: - version: "1.15.2" + config: "TODO" aws: sshKeyName: "aws" region: "us-west-2" @@ -41,8 +40,7 @@ clusters: version: "2.2.2" cni: name: "cilium" - config: - version: "1.15.2" + config: "TODO" aws: sshKeyName: "aws" region: "us-west-2" @@ -58,6 +56,14 @@ kubeconfigPath: "$HOME/.kube/config" # podCIDR ranges +# 192.168.0.0/20 - cluster-mgmt +# 192.168.16.0/20 - cluster-01 +# 192.168.32.0/20 - cluster-02 +# 192.168.48.0/20 +# 192.168.64.0/20 +# 192.168.80.0/20 + + # 192.168.32.0/20 - cluster-mgmt # 192.168.16.0/20 - cluster-01 # 192.168.48.0/20 - cluster-02 diff --git a/k8s-platform/cni-caaph-resource/cilium/v1.12.3/cilium-helm-chart-proxy-no-mesh.yaml b/k8s-platform/cni-caaph-resource/cilium/v1.12.3/cilium-helm-chart-proxy-no-mesh.yaml deleted file mode 100644 index f3a2021..0000000 --- a/k8s-platform/cni-caaph-resource/cilium/v1.12.3/cilium-helm-chart-proxy-no-mesh.yaml +++ /dev/null 
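Review bot: `config: "TODO"` in both `cni:` blocks of go/config.yaml replaces a mapping (`config:` / `version: "1.15.2"`) with a plain string, so whatever in go/pkg/config decodes this file now sees a scalar where it presumably expects a struct or map, and YAML decoding into a struct-typed field fails on that; please confirm the field's Go type, and if the intent is "unset", `config: {}` or dropping the key keeps the type stable. The third hunk adds a new podCIDR table above the old one but leaves the old one in place, and the two disagree on cluster-mgmt (192.168.0.0/20 vs 192.168.32.0/20) and cluster-02 (192.168.32.0/20 vs 192.168.48.0/20); the stale block should go so a reader cannot pick the wrong range.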
@@ -1,78 +0,0 @@ -apiVersion: addons.cluster.x-k8s.io/v1alpha1 -kind: HelmChartProxy -metadata: - name: cilium-no-mesh -spec: - clusterSelector: - matchLabels: - cilium-mesh: none - repoURL: https://helm.cilium.io/ - chartName: cilium - namespace: cilium - version: "1.12.3" - valuesTemplate: | - # override defaults set in https://github.com/cilium/cilium/blob/v1.12.3/install/kubernetes/cilium/values.yaml - - k8sServiceHost: {{ .Cluster.spec.controlPlaneEndpoint.host }} - k8sServicePort: {{ .Cluster.spec.controlPlaneEndpoint.port }} - - # -- Configure ClusterIP service handling in the host namespace (the node). - hostServices: - # -- Enable host reachable services. - enabled: true - - # -- Supported list of protocols to apply ClusterIP translation to. - protocols: tcp,udp - - ipam: - # -- Configure IP Address Management mode. - # ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/ - mode: "cluster-pool" - operator: - # -- IPv4 CIDR list range to delegate to individual nodes for IPAM. - clusterPoolIPv4PodCIDRList: {{ index .Cluster.spec.clusterNetwork.pods.cidrBlocks 0 }} - # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM. - clusterPoolIPv4MaskSize: 24 - - kubeProxyReplacement: "strict" - logSystemLoad: true - remoteNodeIdentity: true - tunnel: "vxlan" - hubble: - # -- Enable Hubble (true by default). - enabled: true - relay: - enabled: true - ui: - enabled: true - - clustermesh: - # -- Deploy clustermesh-apiserver for clustermesh - useAPIServer: false - - # -- Clustermesh explicit configuration. - config: - # -- Enable the Clustermesh explicit configuration. - enabled: false - # -- Default dns domain for the Clustermesh API servers - # This is used in the case cluster addresses are not provided - # and IPs are used. - domain: mesh.cilium.io - # -- List of clusters to be peered in the mesh. 
- clusters: [] - # clusters: - # # -- Name of the cluster - # - name: cluster1 - # # -- Address of the cluster, use this if you created DNS records for - # # the cluster Clustermesh API server. - # address: cluster1.mesh.cilium.io - # # -- Port of the cluster Clustermesh API server. - # port: 2379 - # # -- IPs of the cluster Clustermesh API server, use multiple ones when - # # you have multiple IPs to access the Clustermesh API server. - # ips: - # - 172.18.255.201 - # # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority. - # tls: - # cert: "" - # key: "" diff --git a/k8s-platform/cni-caaph-resource/cilium/v1.12.3/cilium-helm-chart-proxy.yaml b/k8s-platform/cni-caaph-resource/cilium/v1.12.3/cilium-helm-chart-proxy.yaml deleted file mode 100644 index 6762f98..0000000 --- a/k8s-platform/cni-caaph-resource/cilium/v1.12.3/cilium-helm-chart-proxy.yaml +++ /dev/null 
@@ -1,88 +0,0 @@ -apiVersion: addons.cluster.x-k8s.io/v1alpha1 -kind: HelmChartProxy -metadata: - name: cilium -spec: - clusterSelector: - matchLabels: - cilium-mesh: main - repoURL: https://helm.cilium.io/ - chartName: cilium - namespace: cilium - version: "1.12.3" - valuesTemplate: | - # override defaults set in https://github.com/cilium/cilium/blob/v1.12.3/install/kubernetes/cilium/values.yaml - - k8sServiceHost: {{ .Cluster.spec.controlPlaneEndpoint.host }} - k8sServicePort: {{ .Cluster.spec.controlPlaneEndpoint.port }} - - cluster: - # -- Name of the cluster. Only required for Cluster Mesh. - name: {{ .ControlPlane.metadata.name }} - # -- (int) Unique ID of the cluster. Must be unique across all connected - # clusters and in the range of 1 to 255. Only required for Cluster Mesh. - # (strings not defined :( can't use: .ControlPlane.metadata.name | strings.TrimPrefix "cluster-0" - # this works, but cilium needs it as integer, while labels need to be strings :///// arghhhhh - # \{\{ .ControlPlane.metadata.labels.clusterindex \}\} - # id: 1 - - # -- Configure ClusterIP service handling in the host namespace (the node). - hostServices: - # -- Enable host reachable services. - enabled: true - - # -- Supported list of protocols to apply ClusterIP translation to. - protocols: tcp,udp - - ipam: - # -- Configure IP Address Management mode. - # ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/ - mode: "cluster-pool" - operator: - # -- IPv4 CIDR list range to delegate to individual nodes for IPAM. - clusterPoolIPv4PodCIDRList: {{ index .Cluster.spec.clusterNetwork.pods.cidrBlocks 0 }} - # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM. - clusterPoolIPv4MaskSize: 24 - - kubeProxyReplacement: "strict" - logSystemLoad: true - remoteNodeIdentity: true - tunnel: "vxlan" - hubble: - # -- Enable Hubble (true by default). 
- enabled: true - relay: - enabled: true - ui: - enabled: true - - clustermesh: - # -- Deploy clustermesh-apiserver for clustermesh - useAPIServer: false - - # -- Clustermesh explicit configuration. - config: - # -- Enable the Clustermesh explicit configuration. - enabled: false - # -- Default dns domain for the Clustermesh API servers - # This is used in the case cluster addresses are not provided - # and IPs are used. - domain: mesh.cilium.io - # -- List of clusters to be peered in the mesh. - clusters: [] - # clusters: - # # -- Name of the cluster - # - name: cluster1 - # # -- Address of the cluster, use this if you created DNS records for - # # the cluster Clustermesh API server. - # address: cluster1.mesh.cilium.io - # # -- Port of the cluster Clustermesh API server. - # port: 2379 - # # -- IPs of the cluster Clustermesh API server, use multiple ones when - # # you have multiple IPs to access the Clustermesh API server. - # ips: - # - 172.18.255.201 - # # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority. - # tls: - # cert: "" - # key: "" From 1843aa49cdb2c3f20e11c2955c12cf3e5ca35e71 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 23 Mar 2024 00:08:29 +0000 Subject: [PATCH 10/28] Bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 in /go Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.3.3 to 1.3.7. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.3.3...v1.3.7) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] --- go/go.mod | 4 ++-- go/go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go/go.mod b/go/go.mod index 0534767..da36875 100644 --- a/go/go.mod +++ b/go/go.mod 
@@ -31,7 +31,7 @@ require (
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/blang/semver/v4 v4.0.0 // indirect
 github.com/cespare/xxhash/v2 v2.2.0 // indirect
- github.com/cloudflare/circl v1.3.3 // indirect
+ github.com/cloudflare/circl v1.3.7 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/distribution/reference v0.5.0 // indirect
 github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46 // indirect
@@ -91,7 +91,7 @@ require (
 github.com/valyala/fastjson v1.6.4 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.25.0 // indirect
- golang.org/x/crypto v0.16.0 // indirect
+ golang.org/x/crypto v0.17.0 // indirect
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 golang.org/x/net v0.19.0 // indirect
 golang.org/x/oauth2 v0.14.0 // indirect
diff --git a/go/go.sum b/go/go.sum
index 78d298e..d61b6a9 100644
--- a/go/go.sum
+++ b/go/go.sum
@@ -70,8 +70,8 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
-github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
-github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
+github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -363,8 +363,8 @@ golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
-golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
From c3dfbdb1b647a44a78ce919632052fd43d35c4c3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 23 Mar 2024 08:49:45 +0000 Subject: [PATCH 11/28] Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 in /go Bumps google.golang.org/protobuf from 1.31.0 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: indirect ... Signed-off-by: dependabot[bot] --- go/go.mod | 2 +- go/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go/go.mod b/go/go.mod
index da36875..de29c9d 100644
--- a/go/go.mod
+++ b/go/go.mod
@@ -104,7 +104,7 @@ require (
 google.golang.org/appengine v1.6.7 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20230913181813-007df8e322eb // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13 // indirect
- google.golang.org/protobuf v1.31.0 // indirect
+ google.golang.org/protobuf v1.33.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
diff --git a/go/go.sum b/go/go.sum
index d61b6a9..4a6021f 100644
--- a/go/go.sum
+++ b/go/go.sum
@@ -684,8 +684,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
From 53af5ffffc2ea096d2863555f61c279b2003c8e8 Mon Sep 17 00:00:00 2001
From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sun, 24 Mar 2024 08:11:12 +1100 Subject: [PATCH 12/28] temp fix for cilium version --- clusters/tmp-mgmt/cluster-mgmt/caaph-cni.yaml | 17 +++++++++++++++++ .../tmp-mgmt/cluster-mgmt/kustomization.yaml | 1 + go/config.yaml | 3 +-- 3 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 clusters/tmp-mgmt/cluster-mgmt/caaph-cni.yaml diff --git a/clusters/tmp-mgmt/cluster-mgmt/caaph-cni.yaml b/clusters/tmp-mgmt/cluster-mgmt/caaph-cni.yaml new file mode 100644 index 0000000..0b884e3 --- /dev/null +++ b/clusters/tmp-mgmt/cluster-mgmt/caaph-cni.yaml @@ -0,0 +1,17 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: caaph-cni + namespace: cluster-mgmt +spec: + interval: 1m + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + path: ./clusters/tmp-mgmt/cluster-mgmt/caaph-hcp-no-mesh-v1.15.2.yaml + targetNamespace: cluster-mgmt + prune: true + dependsOn: + - name: caaph + namespace: flux-system diff --git a/clusters/tmp-mgmt/cluster-mgmt/kustomization.yaml b/clusters/tmp-mgmt/cluster-mgmt/kustomization.yaml index 2ddb551..0456b81 100644 --- a/clusters/tmp-mgmt/cluster-mgmt/kustomization.yaml +++ b/clusters/tmp-mgmt/cluster-mgmt/kustomization.yaml @@ -3,5 +3,6 @@ kind: Kustomization resources: - namespace.yaml - platform.yaml + - caaph-cni.yaml - caaph-hcp-no-mesh-v1.15.2.yaml - capi-cluster.yaml diff --git a/go/config.yaml b/go/config.yaml index 3b5872c..fd3fd99 100644 --- a/go/config.yaml +++ b/go/config.yaml @@ -9,8 +9,7 @@ clusters: version: "2.2.2" cni: name: "cilium" - config: - version: "1.15.2" + config: "TODO" aws: sshKeyName: "aws" region: "ap-southeast-2" From 874689b0dcd2f922858868ad79d007b048fcc4c3 Mon Sep 17 00:00:00 2001 
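Review bot: `path: ./clusters/tmp-mgmt/cluster-mgmt/caaph-hcp-no-mesh-v1.15.2.yaml` in the new caaph-cni.yaml names a single file, but a Flux Kustomization's `spec.path` is a directory inside the source artifact, so kustomize-controller cannot build this path as written; a later patch in this series moves the file into a `caaph-cni/` directory, which is the right shape. The object is also created in namespace cluster-mgmt while both `sourceRef` and `dependsOn` point into flux-system; with `--no-cross-namespace-refs=true` on the controller those references are denied, so confirm the controller flags before relying on this layout.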
From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sun, 24 Mar 2024 09:47:59 +1100 Subject: [PATCH 13/28] remove caaph-cni as a standalone flux ks --- clusters/tmp-mgmt/cluster-mgmt/caaph-cni.yaml | 17 ----------------- .../tmp-mgmt/cluster-mgmt/kustomization.yaml | 1 - clusters/tmp-mgmt/cluster-mgmt/patch.yaml | 3 --- 3 files changed, 21 deletions(-) delete mode 100644 clusters/tmp-mgmt/cluster-mgmt/caaph-cni.yaml delete mode 100644 clusters/tmp-mgmt/cluster-mgmt/patch.yaml diff --git a/clusters/tmp-mgmt/cluster-mgmt/caaph-cni.yaml b/clusters/tmp-mgmt/cluster-mgmt/caaph-cni.yaml deleted file mode 100644 index 0b884e3..0000000 --- a/clusters/tmp-mgmt/cluster-mgmt/caaph-cni.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: caaph-cni - namespace: cluster-mgmt -spec: - interval: 1m - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - path: ./clusters/tmp-mgmt/cluster-mgmt/caaph-hcp-no-mesh-v1.15.2.yaml - targetNamespace: cluster-mgmt - prune: true - dependsOn: - - name: caaph - namespace: flux-system diff --git a/clusters/tmp-mgmt/cluster-mgmt/kustomization.yaml b/clusters/tmp-mgmt/cluster-mgmt/kustomization.yaml index 0456b81..2ddb551 100644 --- a/clusters/tmp-mgmt/cluster-mgmt/kustomization.yaml +++ b/clusters/tmp-mgmt/cluster-mgmt/kustomization.yaml @@ -3,6 +3,5 @@ kind: Kustomization resources: - namespace.yaml - platform.yaml - - caaph-cni.yaml - caaph-hcp-no-mesh-v1.15.2.yaml - capi-cluster.yaml diff --git a/clusters/tmp-mgmt/cluster-mgmt/patch.yaml b/clusters/tmp-mgmt/cluster-mgmt/patch.yaml deleted file mode 100644 index 3548919..0000000 --- a/clusters/tmp-mgmt/cluster-mgmt/patch.yaml +++ /dev/null @@ -1,3 +0,0 @@ -- op: add - path: /metadata/namespace - value: cluster-mgmt From 6c8fe9e0517985dbbd5a5360976367797e2ee31f Mon Sep 17 00:00:00 2001 
From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sun, 24 Mar 2024 10:05:03 +1100 Subject: [PATCH 14/28] add caaph CNI in its own ks and folder --- .../caaph-hcp-no-mesh-v1.15.2.yaml | 0 .../tmp-mgmt/cluster-mgmt/kustomization.yaml | 1 - clusters/tmp-mgmt/cluster-mgmt/platform.yaml | 17 +++++++++++++++++ 3 files changed, 17 insertions(+), 1 deletion(-) rename clusters/tmp-mgmt/cluster-mgmt/{ => caaph-cni}/caaph-hcp-no-mesh-v1.15.2.yaml (100%) diff --git a/clusters/tmp-mgmt/cluster-mgmt/caaph-hcp-no-mesh-v1.15.2.yaml b/clusters/tmp-mgmt/cluster-mgmt/caaph-cni/caaph-hcp-no-mesh-v1.15.2.yaml similarity index 100% rename from clusters/tmp-mgmt/cluster-mgmt/caaph-hcp-no-mesh-v1.15.2.yaml rename to clusters/tmp-mgmt/cluster-mgmt/caaph-cni/caaph-hcp-no-mesh-v1.15.2.yaml diff --git a/clusters/tmp-mgmt/cluster-mgmt/kustomization.yaml b/clusters/tmp-mgmt/cluster-mgmt/kustomization.yaml index 2ddb551..3437598 100644 --- a/clusters/tmp-mgmt/cluster-mgmt/kustomization.yaml +++ b/clusters/tmp-mgmt/cluster-mgmt/kustomization.yaml @@ -3,5 +3,4 @@ kind: Kustomization resources: - namespace.yaml - platform.yaml - - caaph-hcp-no-mesh-v1.15.2.yaml - capi-cluster.yaml diff --git a/clusters/tmp-mgmt/cluster-mgmt/platform.yaml b/clusters/tmp-mgmt/cluster-mgmt/platform.yaml index e461925..886213b 100644 --- a/clusters/tmp-mgmt/cluster-mgmt/platform.yaml +++ b/clusters/tmp-mgmt/cluster-mgmt/platform.yaml @@ -15,3 +15,20 @@ spec: kubeConfig: secretRef: name: cluster-mgmt-kubeconfig +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: caaph-cni + namespace: flux-system +spec: + interval: 1m + sourceRef: + kind: GitRepository + name: flux-system + path: ./clusters/tmp-mgmt/cluster-mgmt/caaph-cni + targetNamespace: cluster-mgmt + prune: true + dependsOn: + - name: caaph + namespace: flux-system From e33edce58da37d683b898376955efa81268122f8 Mon Sep 17 00:00:00 2001 
From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sun, 24 Mar 2024 10:35:33 +1100 Subject: [PATCH 15/28] update tenants flux resources api version --- go/pkg/deployer/deploy.go | 5 ++++- tenants/base/team-1/sync.yaml | 4 ++-- tenants/dev/team-1-patch.yaml | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/go/pkg/deployer/deploy.go b/go/pkg/deployer/deploy.go index d65179b..f380948 100644 --- a/go/pkg/deployer/deploy.go +++ b/go/pkg/deployer/deploy.go @@ -2,6 +2,7 @@ package deployer import ( "fmt" + "time" "github.com/go-logr/logr" "github.com/olga-mir/k8s-multi-cluster/go/pkg/capi" @@ -105,7 +106,9 @@ func Deploy(log logr.Logger, cfg *config.Config) error { return fmt.Errorf("error creating Cluster API client: %v", err) } - log.Info("Installing Cluster API on the permanent management cluster") + log.Info("Installing Cluster API on the permanent management cluster - TODO: adding artificail sleep of 2min") + time.Sleep(2 * time.Minute) + if err := mgmtCAPI.InstallClusterAPI(); err != nil { return fmt.Errorf("error installing Cluster API: %v", err) } diff --git a/tenants/base/team-1/sync.yaml b/tenants/base/team-1/sync.yaml index 44d129d..421c266 100644 --- a/tenants/base/team-1/sync.yaml +++ b/tenants/base/team-1/sync.yaml @@ -1,4 +1,4 @@ -apiVersion: source.toolkit.fluxcd.io/v1beta2 +apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository metadata: name: team-1 @@ -9,7 +9,7 @@ spec: ref: branch: main --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: team-1 diff --git a/tenants/dev/team-1-patch.yaml b/tenants/dev/team-1-patch.yaml index 24d02a3..24023ce 100644 --- a/tenants/dev/team-1-patch.yaml +++ b/tenants/dev/team-1-patch.yaml @@ -1,4 +1,4 @@ -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: team-1 
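Review bot: `time.Sleep(2 * time.Minute)` is an unconditional delay with no readiness check behind it, so it slows every run and still races whatever it is waiting for on a slow cluster; a poll against the actual condition, bounded by a context timeout, is the fix, and the log text `artificail` should read `artificial` if the line survives (a later patch in this series removes both lines). Deploy continues outside the hunk. While here, the surrounding `fmt.Errorf("...: %v", err)` lines flatten the error chain; `%w` keeps it for `errors.Is`/`errors.As` callers.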
From 1dbe1a07bff770da0b2389f6fc677e29a2c0fa09 Mon Sep 17 00:00:00 2001 From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sun, 24 Mar 2024 10:46:52 +1100 Subject: [PATCH 16/28] restore env vars in clusterctl --- .../{ => caaph-cni}/caaph-hcp-v1.15.2.yaml | 0 .../cluster-01/kustomization.yaml | 2 +- .../{ => caaph-cni}/caaph-hcp-v1.15.2.yaml | 0 .../cluster-02/kustomization.yaml | 2 +- clusters/cluster-mgmt/clusterctl.yaml | 20 +++++++++---------- clusters/tmp-mgmt/clusterctl.yaml | 20 +++++++++---------- go/config.yaml | 9 +-------- go/pkg/capi/capi.go | 1 + go/pkg/deployer/deploy.go | 5 +---- 9 files changed, 25 insertions(+), 34 deletions(-) rename clusters/cluster-mgmt/cluster-01/{ => caaph-cni}/caaph-hcp-v1.15.2.yaml (100%) rename clusters/cluster-mgmt/cluster-02/{ => caaph-cni}/caaph-hcp-v1.15.2.yaml (100%) diff --git a/clusters/cluster-mgmt/cluster-01/caaph-hcp-v1.15.2.yaml b/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml similarity index 100% rename from clusters/cluster-mgmt/cluster-01/caaph-hcp-v1.15.2.yaml rename to clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml diff --git a/clusters/cluster-mgmt/cluster-01/kustomization.yaml b/clusters/cluster-mgmt/cluster-01/kustomization.yaml index 5e13634..3ccc67d 100644 --- a/clusters/cluster-mgmt/cluster-01/kustomization.yaml +++ b/clusters/cluster-mgmt/cluster-01/kustomization.yaml @@ -4,4 +4,4 @@ resources: - namespace.yaml - platform.yaml - capi-cluster.yaml - - caaph-hcp-v1.15.2.yaml + - caaph-cni diff --git a/clusters/cluster-mgmt/cluster-02/caaph-hcp-v1.15.2.yaml b/clusters/cluster-mgmt/cluster-02/caaph-cni/caaph-hcp-v1.15.2.yaml similarity index 100% rename from clusters/cluster-mgmt/cluster-02/caaph-hcp-v1.15.2.yaml rename to clusters/cluster-mgmt/cluster-02/caaph-cni/caaph-hcp-v1.15.2.yaml diff --git a/clusters/cluster-mgmt/cluster-02/kustomization.yaml b/clusters/cluster-mgmt/cluster-02/kustomization.yaml index 5e13634..3ccc67d 100644 
--- a/clusters/cluster-mgmt/cluster-02/kustomization.yaml +++ b/clusters/cluster-mgmt/cluster-02/kustomization.yaml @@ -4,4 +4,4 @@ resources: - namespace.yaml - platform.yaml - capi-cluster.yaml - - caaph-hcp-v1.15.2.yaml + - caaph-cni diff --git a/clusters/cluster-mgmt/clusterctl.yaml b/clusters/cluster-mgmt/clusterctl.yaml index 0bf355b..69c8ded 100644 --- a/clusters/cluster-mgmt/clusterctl.yaml +++ b/clusters/cluster-mgmt/clusterctl.yaml @@ -26,13 +26,13 @@ providers: # TODO - these settings are already rendered and (from capi pov) are hardcoded in the repo. # Is this true and is this the best way to do it? -# variables: -# CLUSTER_NAME: "cluster-mgmt" -# KUBERNETES_VERSION: "1.28.4" -# EXP_CLUSTER_RESOURCE_SET: false -# -# AWS_CONTROL_PLANE_MACHINE_TYPE: "t3.medium" -# AWS_NODE_MACHINE_TYPE: "t3.medium" -# CONTROL_PLANE_MACHINE_COUNT: "1" -# WORKER_MACHINE_COUNT: "1" -# POD_CIDR: "192.168.0.0/20" +variables: + CLUSTER_NAME: "cluster-mgmt" + KUBERNETES_VERSION: "1.28.4" + EXP_CLUSTER_RESOURCE_SET: false + + AWS_CONTROL_PLANE_MACHINE_TYPE: "t3.medium" + AWS_NODE_MACHINE_TYPE: "t3.medium" + CONTROL_PLANE_MACHINE_COUNT: "1" + WORKER_MACHINE_COUNT: "1" + POD_CIDR: "192.168.0.0/20" diff --git a/clusters/tmp-mgmt/clusterctl.yaml b/clusters/tmp-mgmt/clusterctl.yaml index 75d8197..f3b0ff7 100644 --- a/clusters/tmp-mgmt/clusterctl.yaml +++ b/clusters/tmp-mgmt/clusterctl.yaml 
@@ -24,13 +24,13 @@ providers: # file: "infrastructure-components.yaml" # TODO - see note in ./clusters/cluster-mgmt/clusterctl.yaml -# variables: -# CLUSTER_NAME: "cluster-mgmt" -# KUBERNETES_VERSION: "1.28.4" -# EXP_CLUSTER_RESOURCE_SET: false -# -# AWS_CONTROL_PLANE_MACHINE_TYPE: "t3.medium" -# AWS_NODE_MACHINE_TYPE: "t3.medium" -# CONTROL_PLANE_MACHINE_COUNT: "1" -# WORKER_MACHINE_COUNT: "1" -# POD_CIDR: "192.168.16.0/20" +variables: + CLUSTER_NAME: "cluster-mgmt" + KUBERNETES_VERSION: "1.28.4" + EXP_CLUSTER_RESOURCE_SET: false + + AWS_CONTROL_PLANE_MACHINE_TYPE: "t3.medium" + AWS_NODE_MACHINE_TYPE: "t3.medium" + CONTROL_PLANE_MACHINE_COUNT: "1" + WORKER_MACHINE_COUNT: "1" + POD_CIDR: "192.168.0.0/20" diff --git a/go/config.yaml b/go/config.yaml index fd3fd99..df6f9eb 100644 --- a/go/config.yaml +++ b/go/config.yaml @@ -60,11 +60,4 @@ kubeconfigPath: "$HOME/.kube/config" # 192.168.32.0/20 - cluster-02 # 192.168.48.0/20 # 192.168.64.0/20 -# 192.168.80.0/20 - - -# 192.168.32.0/20 - cluster-mgmt -# 192.168.16.0/20 - cluster-01 -# 192.168.48.0/20 - cluster-02 -# 192.168.64.0/20 -# 192.168.80.0/20 +# 192.168.80.0/20 \ No newline at end of file diff --git a/go/pkg/capi/capi.go b/go/pkg/capi/capi.go index 645172f..c9882c8 100644 --- a/go/pkg/capi/capi.go +++ b/go/pkg/capi/capi.go @@ -85,6 +85,7 @@ func (c *ClusterAPI) InstallClusterAPI() error { Kubeconfig: capiclient.Kubeconfig{Path: c.kubeconfigPath, Context: c.clusterAuth.ContextName}, InfrastructureProviders: []string{"aws:v2.3.1"}, // TODO - there is a bug in CAPI init file. infra provider has to be specified explicitely } + c.log.Info("Initializing Cluster API", "cluster", c.clusterAuth.ClusterName, "initoptions", initOptions) // Install Cluster API components on this cluster. if _, err := c.clusterctlClient.Init(context.TODO(), initOptions); err != nil { diff --git a/go/pkg/deployer/deploy.go b/go/pkg/deployer/deploy.go index f380948..d65179b 100644 --- a/go/pkg/deployer/deploy.go 
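Review bot: The new log line in `InstallClusterAPI` writes the whole `initOptions` struct under the `initoptions` key, so everything the struct holds now, and anything a future `capiclient.InitOptions` adds, lands in the log verbatim; today that is the kubeconfig path, context name and provider list, which is noisy rather than secret, but it is the pattern that leaks the moment a credential-bearing field appears. Log the fields an operator actually needs instead: `c.log.Info("Initializing Cluster API", "cluster", c.clusterAuth.ClusterName, "context", c.clusterAuth.ContextName, "infrastructureProviders", initOptions.InfrastructureProviders)`. `InstallClusterAPI` starts and ends outside the hunk.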
+++ b/go/pkg/deployer/deploy.go @@ -2,7 +2,6 @@ package deployer import ( "fmt" - "time" "github.com/go-logr/logr" "github.com/olga-mir/k8s-multi-cluster/go/pkg/capi" @@ -106,9 +105,7 @@ func Deploy(log logr.Logger, cfg *config.Config) error { return fmt.Errorf("error creating Cluster API client: %v", err) } - log.Info("Installing Cluster API on the permanent management cluster - TODO: adding artificail sleep of 2min") - time.Sleep(2 * time.Minute) - + log.Info("Installing Cluster API on the permanent management cluster") if err := mgmtCAPI.InstallClusterAPI(); err != nil { return fmt.Errorf("error installing Cluster API: %v", err) } From 838e1ff123c30e56538bf755a388cb54281cf9a9 Mon Sep 17 00:00:00 2001 From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sun, 24 Mar 2024 19:38:07 +1100 Subject: [PATCH 17/28] temporarily restore previous version and settings for cilium on permanent mgmt cluster --- .../caaph-cni/caaph-hcp-no-mesh-v1.15.2.yaml | 3494 +---------------- 1 file changed, 27 insertions(+), 3467 deletions(-) diff --git a/clusters/tmp-mgmt/cluster-mgmt/caaph-cni/caaph-hcp-no-mesh-v1.15.2.yaml b/clusters/tmp-mgmt/cluster-mgmt/caaph-cni/caaph-hcp-no-mesh-v1.15.2.yaml index d92d472..f3a2021 100644 --- a/clusters/tmp-mgmt/cluster-mgmt/caaph-cni/caaph-hcp-no-mesh-v1.15.2.yaml +++ b/clusters/tmp-mgmt/cluster-mgmt/caaph-cni/caaph-hcp-no-mesh-v1.15.2.yaml 
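Review bot: Dropping the two-minute `time.Sleep` in `Deploy` leaves nothing between creating the management-cluster CAPI client and `mgmtCAPI.InstallClusterAPI()`; if the sleep was covering a readiness gap (the new cluster's API server or the CRDs it needs not being served yet, as the removed "artificial sleep" wording suggests), the install will now fail intermittently instead of slowly. A bounded readiness check with a deadline before the install call is the deterministic replacement; simply retrying the install on error is riskier, since a partially completed `clusterctl init` may not be idempotent. The import hunk above is only the matching removal of `"time"`. `Deploy` starts and ends outside the hunk.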
@@ -9,2905 +9,46 @@ spec: repoURL: https://helm.cilium.io/ chartName: cilium namespace: cilium - version: "1.15.2" + version: "1.12.3" valuesTemplate: | - # https://github.com/cilium/cilium/blob/v1.15.2/install/kubernetes/cilium/values.yaml + # override defaults set in https://github.com/cilium/cilium/blob/v1.12.3/install/kubernetes/cilium/values.yaml - # File generated by install/kubernetes/Makefile; DO NOT EDIT. - # This file is based on install/kubernetes/cilium/*values.yaml.tmpl. - - - # upgradeCompatibility helps users upgrading to ensure that the configMap for - # Cilium will not change critical values to ensure continued operation - # This flag is not required for new installations. - # For example: 1.7, 1.8, 1.9 - # upgradeCompatibility: '1.8' - - debug: - # -- Enable debug logging - enabled: false - # -- Configure verbosity levels for debug logging - # This option is used to enable debug messages for operations related to such - # sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is - # for enabling debug messages emitted per request, message and connection. - # Multiple values can be set via a space-separated string (e.g. "datapath envoy"). - # - # Applicable values: - # - flow - # - kvstore - # - envoy - # - datapath - # - policy - verbose: ~ - - rbac: - # -- Enable creation of Resource-Based Access Control configuration. 
- create: true - - # -- Configure image pull secrets for pulling container images - imagePullSecrets: - # - name: "image-pull-secret" - - # -- (string) Kubernetes config path - # @default -- `"~/.kube/config"` - kubeConfigPath: "" - # -- (string) Kubernetes service host - k8sServiceHost: {{ .Cluster.spec.controlPlaneEndpoint.host }} - # -- (string) Kubernetes service port - k8sServicePort: {{ .Cluster.spec.controlPlaneEndpoint.port }} - - # -- Configure the client side rate limit for the agent and operator - # - # If the amount of requests to the Kubernetes API server exceeds the configured - # rate limit, the agent and operator will start to throttle requests by delaying - # them until there is budget or the request times out. - k8sClientRateLimit: - # -- (int) The sustained request rate in requests per second. - # @default -- 5 for k8s up to 1.26. 10 for k8s version 1.27+ - qps: - # -- (int) The burst request rate in requests per second. - # The rate limiter will allow short bursts with a higher rate. - # @default -- 10 for k8s up to 1.26. 20 for k8s version 1.27+ - burst: - - cluster: - # -- Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. - name: {{ .ControlPlane.metadata.name }} - # -- (int) Unique ID of the cluster. Must be unique across all connected - # clusters and in the range of 1 to 255. Only required for Cluster Mesh, - # may be 0 if Cluster Mesh is not used. - id: 0 - - # -- Define serviceAccount names for components. - # @default -- Component's fully qualified name. - serviceAccounts: - cilium: - create: true - name: cilium - automount: true - annotations: {} - nodeinit: - create: true - # -- Enabled is temporary until https://github.com/cilium/cilium-cli/issues/1396 is implemented. - # Cilium CLI doesn't create the SAs for node-init, thus the workaround. Helm is not affected by - # this issue. Name and automount can be configured, if enabled is set to true. - # Otherwise, they are ignored. 
Enabled can be removed once the issue is fixed. - # Cilium-nodeinit DS must also be fixed. - enabled: false - name: cilium-nodeinit - automount: true - annotations: {} - envoy: - create: true - name: cilium-envoy - automount: true - annotations: {} - etcd: - create: true - name: cilium-etcd-operator - automount: true - annotations: {} - operator: - create: true - name: cilium-operator - automount: true - annotations: {} - preflight: - create: true - name: cilium-pre-flight - automount: true - annotations: {} - relay: - create: true - name: hubble-relay - automount: false - annotations: {} - ui: - create: true - name: hubble-ui - automount: true - annotations: {} - clustermeshApiserver: - create: true - name: clustermesh-apiserver - automount: true - annotations: {} - # -- Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob - clustermeshcertgen: - create: true - name: clustermesh-apiserver-generate-certs - automount: true - annotations: {} - # -- Hubblecertgen is used if hubble.tls.auto.method=cronJob - hubblecertgen: - create: true - name: hubble-generate-certs - automount: true - annotations: {} - - # -- Configure termination grace period for cilium-agent DaemonSet. - terminationGracePeriodSeconds: 1 - - # -- Install the cilium agent resources. - agent: true - - # -- Agent container name. - name: cilium - - # -- Roll out cilium agent pods automatically when configmap is updated. - rollOutCiliumPods: false - - # -- Agent container image. - image: - override: ~ - repository: "quay.io/cilium/cilium" - tag: "v1.15.2" - pullPolicy: "IfNotPresent" - # cilium-digest - digest: "" - useDigest: false - - # -- Affinity for cilium-agent. - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - k8s-app: cilium - - # -- Node selector for cilium-agent. 
- nodeSelector: - kubernetes.io/os: linux - - # -- Node tolerations for agent scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: - - operator: Exists - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - # -- The priority class to use for cilium-agent. - priorityClassName: "" - - # -- DNS policy for Cilium agent pods. - # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy - dnsPolicy: "" - - # -- Additional containers added to the cilium DaemonSet. - extraContainers: [] - - # -- Additional agent container arguments. - extraArgs: [] - - # -- Additional agent container environment variables. - extraEnv: [] - - # -- Additional agent hostPath mounts. - extraHostPathMounts: [] - # - name: host-mnt-data - # mountPath: /host/mnt/data - # hostPath: /mnt/data - # hostPathType: Directory - # readOnly: true - # mountPropagation: HostToContainer - - # -- Additional agent volumes. - extraVolumes: [] - - # -- Additional agent volumeMounts. - extraVolumeMounts: [] - - # -- extraConfig allows you to specify additional configuration parameters to be - # included in the cilium-config configmap. - extraConfig: {} - # my-config-a: "1234" - # my-config-b: |- - # test 1 - # test 2 - # test 3 - - # -- Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent) - annotations: {} - - # -- Security Context for cilium-agent pods. 
- podSecurityContext: {} - - # -- Annotations to be added to agent pods - podAnnotations: {} - - # -- Labels to be added to agent pods - podLabels: {} - - # -- Agent resource limits & requests - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: {} - # limits: - # cpu: 4000m - # memory: 4Gi - # requests: - # cpu: 100m - # memory: 512Mi - - # -- resources & limits for the agent init containers - initResources: {} - - securityContext: - # -- User to run the pod with - # runAsUser: 0 - # -- Run the pod with elevated privileges - privileged: false - # -- SELinux options for the `cilium-agent` and init containers - seLinuxOptions: - level: 's0' - # Running with spc_t since we have removed the privileged mode. - # Users can change it to a different type as long as they have the - # type available on the system. - type: 'spc_t' - capabilities: - # -- Capabilities for the `cilium-agent` container - ciliumAgent: - # Use to set socket permission - - CHOWN - # Used to terminate envoy child process - - KILL - # Used since cilium modifies routing tables, etc... - - NET_ADMIN - # Used since cilium creates raw sockets, etc... - - NET_RAW - # Used since cilium monitor uses mmap - - IPC_LOCK - # Used in iptables. Consider removing once we are iptables-free - - SYS_MODULE - # We need it for now but might not need it for >= 5.11 specially - # for the 'SYS_RESOURCE'. - # In >= 5.8 there's already BPF and PERMON capabilities - - SYS_ADMIN - # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC - - SYS_RESOURCE - # Both PERFMON and BPF requires kernel 5.8, container runtime - # cri-o >= v1.22.0 or containerd >= v1.5.0. - # If available, SYS_ADMIN can be removed. - #- PERFMON - #- BPF - # Allow discretionary access control (e.g. required for package installation) - - DAC_OVERRIDE - # Allow to set Access Control Lists (ACLs) on arbitrary files (e.g. 
required for package installation) - - FOWNER - # Allow to execute program that changes GID (e.g. required for package installation) - - SETGID - # Allow to execute program that changes UID (e.g. required for package installation) - - SETUID - # -- Capabilities for the `mount-cgroup` init container - mountCgroup: - # Only used for 'mount' cgroup - - SYS_ADMIN - # Used for nsenter - - SYS_CHROOT - - SYS_PTRACE - # -- capabilities for the `apply-sysctl-overwrites` init container - applySysctlOverwrites: - # Required in order to access host's /etc/sysctl.d dir - - SYS_ADMIN - # Used for nsenter - - SYS_CHROOT - - SYS_PTRACE - # -- Capabilities for the `clean-cilium-state` init container - cleanCiliumState: - # Most of the capabilities here are the same ones used in the - # cilium-agent's container because this container can be used to - # uninstall all Cilium resources, and therefore it is likely that - # will need the same capabilities. - # Used since cilium modifies routing tables, etc... - - NET_ADMIN - # Used in iptables. Consider removing once we are iptables-free - - SYS_MODULE - # We need it for now but might not need it for >= 5.11 specially - # for the 'SYS_RESOURCE'. - # In >= 5.8 there's already BPF and PERMON capabilities - - SYS_ADMIN - # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC - - SYS_RESOURCE - # Both PERFMON and BPF requires kernel 5.8, container runtime - # cri-o >= v1.22.0 or containerd >= v1.5.0. - # If available, SYS_ADMIN can be removed. - #- PERFMON - #- BPF - - # -- Cilium agent update strategy - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 2 - - # Configuration Values for cilium-agent - - aksbyocni: - # -- Enable AKS BYOCNI integration. - # Note that this is incompatible with AKS clusters not created in BYOCNI mode: - # use Azure integration (`azure.enabled`) instead. 
- enabled: false - - # -- Enable installation of PodCIDR routes between worker - # nodes if worker nodes share a common L2 network segment. - autoDirectNodeRoutes: false - - # -- Annotate k8s node upon initialization with Cilium's metadata. - annotateK8sNode: false - - azure: - # -- Enable Azure integration. - # Note that this is incompatible with AKS clusters created in BYOCNI mode: use - # AKS BYOCNI integration (`aksbyocni.enabled`) instead. - enabled: false - # usePrimaryAddress: false - # resourceGroup: group1 - # subscriptionID: 00000000-0000-0000-0000-000000000000 - # tenantID: 00000000-0000-0000-0000-000000000000 - # clientID: 00000000-0000-0000-0000-000000000000 - # clientSecret: 00000000-0000-0000-0000-000000000000 - # userAssignedIdentityID: 00000000-0000-0000-0000-000000000000 - - alibabacloud: - # -- Enable AlibabaCloud ENI integration - enabled: false - - # -- Enable bandwidth manager to optimize TCP and UDP workloads and allow - # for rate-limiting traffic from individual Pods with EDT (Earliest Departure - # Time) through the "kubernetes.io/egress-bandwidth" Pod annotation. - bandwidthManager: - # -- Enable bandwidth manager infrastructure (also prerequirement for BBR) - enabled: false - # -- Activate BBR TCP congestion control for Pods - bbr: false - - # -- Configure standalone NAT46/NAT64 gateway - nat46x64Gateway: - # -- Enable RFC8215-prefixed translation - enabled: false - - # -- EnableHighScaleIPcache enables the special ipcache mode for high scale - # clusters. The ipcache content will be reduced to the strict minimum and - # traffic will be encapsulated to carry security identities. - highScaleIPcache: - # -- Enable the high scale mode for the ipcache. 
- enabled: false - - # -- Configure L2 announcements - l2announcements: - # -- Enable L2 announcements - enabled: false - # -- If a lease is not renewed for X duration, the current leader is considered dead, a new leader is picked - # leaseDuration: 15s - # -- The interval at which the leader will renew the lease - # leaseRenewDeadline: 5s - # -- The timeout between retries if renewal fails - # leaseRetryPeriod: 2s - - # -- Configure L2 pod announcements - l2podAnnouncements: - # -- Enable L2 pod announcements - enabled: false - # -- Interface used for sending Gratuitous ARP pod announcements - interface: "eth0" - - # -- Configure BGP - bgp: - # -- Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside - # cilium-agent and cilium-operator - enabled: false - announce: - # -- Enable allocation and announcement of service LoadBalancer IPs - loadbalancerIP: false - # -- Enable announcement of node pod CIDR - podCIDR: false - - # -- This feature set enables virtual BGP routers to be created via - # CiliumBGPPeeringPolicy CRDs. - bgpControlPlane: - # -- Enables the BGP control plane. - enabled: false - # -- SecretsNamespace is the namespace which BGP support will retrieve secrets from. - secretsNamespace: - # -- Create secrets namespace for BGP secrets. - create: false - # -- The name of the secret namespace to which Cilium agents are given read access - name: kube-system - - pmtuDiscovery: - # -- Enable path MTU discovery to send ICMP fragmentation-needed replies to - # the client. - enabled: false - - bpf: - autoMount: - # -- Enable automatic mount of BPF filesystem - # When `autoMount` is enabled, the BPF filesystem is mounted at - # `bpf.root` path on the underlying host and inside the cilium agent pod. - # If users disable `autoMount`, it's expected that users have mounted - # bpffs filesystem at the specified `bpf.root` volume, and then the - # volume will be mounted inside the cilium agent pod at the same path. 
- enabled: true - # -- Configure the mount point for the BPF filesystem - root: /sys/fs/bpf - - # -- Enables pre-allocation of eBPF map values. This increases - # memory usage but can reduce latency. - preallocateMaps: false - - # -- (int) Configure the maximum number of entries in auth map. - # @default -- `524288` - authMapMax: ~ - - # -- (int) Configure the maximum number of entries in the TCP connection tracking - # table. - # @default -- `524288` - ctTcpMax: ~ - - # -- (int) Configure the maximum number of entries for the non-TCP connection - # tracking table. - # @default -- `262144` - ctAnyMax: ~ - - # -- Configure the maximum number of service entries in the - # load balancer maps. - lbMapMax: 65536 - - # -- (int) Configure the maximum number of entries for the NAT table. - # @default -- `524288` - natMax: ~ - - # -- (int) Configure the maximum number of entries for the neighbor table. - # @default -- `524288` - neighMax: ~ - - # -- Configure the maximum number of entries in endpoint policy map (per endpoint). - policyMapMax: 16384 - - # -- (float64) Configure auto-sizing for all BPF maps based on available memory. - # ref: https://docs.cilium.io/en/stable/network/ebpf/maps/ - # @default -- `0.0025` - mapDynamicSizeRatio: ~ - - # -- Configure the level of aggregation for monitor notifications. - # Valid options are none, low, medium, maximum. - monitorAggregation: medium - - # -- Configure the typical time between monitor notifications for - # active connections. - monitorInterval: "5s" - - # -- Configure which TCP flags trigger notifications when seen for the - # first time in a connection. - monitorFlags: "all" - - # -- Allow cluster external access to ClusterIP services. 
- lbExternalClusterIP: false - - # -- (bool) Enable native IP masquerade support in eBPF - # @default -- `false` - masquerade: ~ - - # -- (bool) Configure whether direct routing mode should route traffic via - # host stack (true) or directly and more efficiently out of BPF (false) if - # the kernel supports it. The latter has the implication that it will also - # bypass netfilter in the host namespace. - # @default -- `false` - hostLegacyRouting: ~ - - # -- (bool) Configure the eBPF-based TPROXY to reduce reliance on iptables rules - # for implementing Layer 7 policy. - # @default -- `false` - tproxy: ~ - - # -- (list) Configure explicitly allowed VLAN id's for bpf logic bypass. - # [0] will allow all VLAN id's without any filtering. - # @default -- `[]` - vlanBypass: ~ - - # -- Enable BPF clock source probing for more efficient tick retrieval. - bpfClockProbe: false - - # -- Clean all eBPF datapath state from the initContainer of the cilium-agent - # DaemonSet. - # - # WARNING: Use with care! - cleanBpfState: false - - # -- Clean all local Cilium state from the initContainer of the cilium-agent - # DaemonSet. Implies cleanBpfState: true. - # - # WARNING: Use with care! - cleanState: false - - # -- Wait for KUBE-PROXY-CANARY iptables rule to appear in "wait-for-kube-proxy" - # init container before launching cilium-agent. - # More context can be found in the commit message of below PR - # https://github.com/cilium/cilium/pull/20123 - waitForKubeProxy: false - - cni: - # -- Install the CNI configuration and binary files into the filesystem. - install: true - - # -- Remove the CNI configuration and binary files on agent shutdown. Enable this - # if you're removing Cilium from the cluster. Disable this to prevent the CNI - # configuration file from being removed during agent upgrade, which can cause - # nodes to go unmanageable. - uninstall: false - - # -- Configure chaining on top of other CNI plugins. 
Possible values: - # - none - # - aws-cni - # - flannel - # - generic-veth - # - portmap - chainingMode: ~ - - # -- A CNI network name in to which the Cilium plugin should be added as a chained plugin. - # This will cause the agent to watch for a CNI network with this network name. When it is - # found, this will be used as the basis for Cilium's CNI configuration file. If this is - # set, it assumes a chaining mode of generic-veth. As a special case, a chaining mode - # of aws-cni implies a chainingTarget of aws-cni. - chainingTarget: ~ - - # -- Make Cilium take ownership over the `/etc/cni/net.d` directory on the - # node, renaming all non-Cilium CNI configurations to `*.cilium_bak`. - # This ensures no Pods can be scheduled using other CNI plugins during Cilium - # agent downtime. - exclusive: true - - # -- Configure the log file for CNI logging with retention policy of 7 days. - # Disable CNI file logging by setting this field to empty explicitly. - logFile: /var/run/cilium/cilium-cni.log - - # -- Skip writing of the CNI configuration. This can be used if - # writing of the CNI configuration is performed by external automation. - customConf: false - - # -- Configure the path to the CNI configuration directory on the host. - confPath: /etc/cni/net.d - - # -- Configure the path to the CNI binary directory on the host. - binPath: /opt/cni/bin - - # -- Specify the path to a CNI config to read from on agent start. - # This can be useful if you want to manage your CNI - # configuration outside of a Kubernetes environment. This parameter is - # mutually exclusive with the 'cni.configMap' parameter. The agent will - # write this to 05-cilium.conflist on startup. 
- # readCniConf: /host/etc/cni/net.d/05-sample.conflist.input - - # -- When defined, configMap will mount the provided value as ConfigMap and - # interpret the cniConf variable as CNI configuration file and write it - # when the agent starts up - # configMap: cni-configuration - - # -- Configure the key in the CNI ConfigMap to read the contents of - # the CNI configuration from. - configMapKey: cni-config - - # -- Configure the path to where to mount the ConfigMap inside the agent pod. - confFileMountPath: /tmp/cni-configuration - - # -- Configure the path to where the CNI configuration directory is mounted - # inside the agent pod. - hostConfDirMountPath: /host/etc/cni/net.d - - # -- Specifies the resources for the cni initContainer - resources: - requests: - cpu: 100m - memory: 10Mi - - # -- (string) Configure how frequently garbage collection should occur for the datapath - # connection tracking table. - # @default -- `"0s"` - conntrackGCInterval: "" - - # -- (string) Configure the maximum frequency for the garbage collection of the - # connection tracking table. Only affects the automatic computation for the frequency - # and has no effect when 'conntrackGCInterval' is set. This can be set to more frequently - # clean up unused identities created from ToFQDN policies. - conntrackGCMaxInterval: "" - - # -- Configure container runtime specific integration. - # Deprecated in favor of bpf.autoMount.enabled. To be removed in 1.15. - containerRuntime: - # -- Enables specific integrations for container runtimes. - # Supported values: - # - crio - # - none - integration: none - - # -- (string) Configure timeout in which Cilium will exit if CRDs are not available - # @default -- `"5m"` - crdWaitTimeout: "" - - # -- Tail call hooks for custom eBPF programs. - customCalls: - # -- Enable tail call hooks for custom eBPF programs. - enabled: false - - daemon: - # -- Configure where Cilium runtime state should be stored. 
- runPath: "/var/run/cilium" - - # -- Configure a custom list of possible configuration override sources - # The default is "config-map:cilium-config,cilium-node-config". For supported - # values, see the help text for the build-config subcommand. - # Note that this value should be a comma-separated string. - configSources: ~ - - # -- allowedConfigOverrides is a list of config-map keys that can be overridden. - # That is to say, if this value is set, config sources (excepting the first one) can - # only override keys in this list. - # - # This takes precedence over blockedConfigOverrides. - # - # By default, all keys may be overridden. To disable overrides, set this to "none" or - # change the configSources variable. - allowedConfigOverrides: ~ - - # -- blockedConfigOverrides is a list of config-map keys that may not be overridden. - # In other words, if any of these keys appear in a configuration source excepting the - # first one, they will be ignored - # - # This is ignored if allowedConfigOverrides is set. - # - # By default, all keys may be overridden. - blockedConfigOverrides: ~ - - # -- Specify which network interfaces can run the eBPF datapath. This means - # that a packet sent from a pod to a destination outside the cluster will be - # masqueraded (to an output device IPv4 address), if the output device runs the - # program. When not specified, probing will automatically detect devices that have - # a non-local route. This should be used only when autodetection is not suitable. - # devices: "" - - # -- Enables experimental support for the detection of new and removed datapath - # devices. When devices change the eBPF datapath is reloaded and services updated. - # If "devices" is set then only those devices, or devices matching a wildcard will - # be considered. - enableRuntimeDeviceDetection: false - - # -- Chains to ignore when installing feeder rules. 
- # disableIptablesFeederRules: "" - - # -- Limit iptables-based egress masquerading to interface selector. - # egressMasqueradeInterfaces: "" - - # -- Enable setting identity mark for local traffic. - # enableIdentityMark: true - - # -- Enable Kubernetes EndpointSlice feature in Cilium if the cluster supports it. - # enableK8sEndpointSlice: true - - # -- Enable CiliumEndpointSlice feature. - enableCiliumEndpointSlice: false - - envoyConfig: - # -- Enable CiliumEnvoyConfig CRD - # CiliumEnvoyConfig CRD can also be implicitly enabled by other options. - enabled: false - - # -- SecretsNamespace is the namespace in which envoy SDS will retrieve secrets from. - secretsNamespace: - # -- Create secrets namespace for CiliumEnvoyConfig CRDs. - create: true - - # -- The name of the secret namespace to which Cilium agents are given read access. - name: cilium-secrets - - ingressController: - # -- Enable cilium ingress controller - # This will automatically set enable-envoy-config as well. - enabled: false - - # -- Set cilium ingress controller to be the default ingress controller - # This will let cilium ingress controller route entries without ingress class set - default: false - - # -- Default ingress load balancer mode - # Supported values: shared, dedicated - # For granular control, use the following annotations on the ingress resource - # ingress.cilium.io/loadbalancer-mode: shared|dedicated, - loadbalancerMode: dedicated - - # -- Enforce https for host having matching TLS host in Ingress. - # Incoming traffic to http listener will return 308 http error code with respective location in header. - enforceHttps: true - - # -- Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled. 
- enableProxyProtocol: false - - # -- IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service - ingressLBAnnotationPrefixes: ['service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com'] - - # -- Default secret namespace for ingresses without .spec.tls[].secretName set. - defaultSecretNamespace: - - # -- Default secret name for ingresses without .spec.tls[].secretName set. - defaultSecretName: - - # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. - secretsNamespace: - # -- Create secrets namespace for Ingress. - create: true - - # -- Name of Ingress secret namespace. - name: cilium-secrets - - # -- Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. - # If disabled, TLS secrets must be maintained externally. - sync: true - - # -- Load-balancer service in shared mode. - # This is a single load-balancer service for all Ingress resources. 
- service: - # -- Service name - name: cilium-ingress - # -- Labels to be added for the shared LB service - labels: {} - # -- Annotations to be added for the shared LB service - annotations: {} - # -- Service type for the shared LB service - type: LoadBalancer - # -- Configure a specific nodePort for insecure HTTP traffic on the shared LB service - insecureNodePort: ~ - # -- Configure a specific nodePort for secure HTTPS traffic on the shared LB service - secureNodePort : ~ - # -- Configure a specific loadBalancerClass on the shared LB service (requires Kubernetes 1.24+) - loadBalancerClass: ~ - # -- Configure a specific loadBalancerIP on the shared LB service - loadBalancerIP : ~ - # -- Configure if node port allocation is required for LB service - # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation - allocateLoadBalancerNodePorts: ~ - - gatewayAPI: - # -- Enable support for Gateway API in cilium - # This will automatically set enable-envoy-config as well. - enabled: false - - # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. - secretsNamespace: - # -- Create secrets namespace for Gateway API. - create: true - - # -- Name of Gateway API secret namespace. - name: cilium-secrets - - # -- Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. - # If disabled, TLS secrets must be maintained externally. - sync: true - - # -- Enables the fallback compatibility solution for when the xt_socket kernel - # module is missing and it is needed for the datapath L7 redirection to work - # properly. See documentation for details on when this can be disabled: - # https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. - enableXTSocketFallback: true - - encryption: - # -- Enable transparent network encryption. - enabled: false - - # -- Encryption method. Can be either ipsec or wireguard. 
- type: ipsec - - # -- Enable encryption for pure node to node traffic. - # This option is only effective when encryption.type is set to "wireguard". - nodeEncryption: false - - # -- Configure the WireGuard Pod2Pod strict mode. - strictMode: - # -- Enable WireGuard Pod2Pod strict mode. - enabled: false - - # -- CIDR for the WireGuard Pod2Pod strict mode. - cidr: "" - - # -- Allow dynamic lookup of remote node identities. - # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. - allowRemoteNodeIdentities: false - - ipsec: - # -- Name of the key file inside the Kubernetes secret configured via secretName. - keyFile: "" - - # -- Path to mount the secret inside the Cilium pod. - mountPath: "" - - # -- Name of the Kubernetes secret containing the encryption keys. - secretName: "" - - # -- The interface to use for encrypted traffic. - interface: "" - - # -- Enable the key watcher. If disabled, a restart of the agent will be - # necessary on key rotations. - keyWatcher: true - - # -- Maximum duration of the IPsec key rotation. The previous key will be - # removed after that delay. - keyRotationDuration: "5m" - - wireguard: - # -- Enables the fallback to the user-space implementation. - userspaceFallback: false - # -- Controls Wireguard PersistentKeepalive option. Set 0s to disable. - persistentKeepalive: 0s - - # -- Deprecated in favor of encryption.ipsec.keyFile. To be removed in 1.15. - # Name of the key file inside the Kubernetes secret configured via secretName. - # This option is only effective when encryption.type is set to ipsec. - keyFile: keys - - # -- Deprecated in favor of encryption.ipsec.mountPath. To be removed in 1.15. - # Path to mount the secret inside the Cilium pod. - # This option is only effective when encryption.type is set to ipsec. - mountPath: /etc/ipsec - - # -- Deprecated in favor of encryption.ipsec.secretName. To be removed in 1.15. 
- # Name of the Kubernetes secret containing the encryption keys. - # This option is only effective when encryption.type is set to ipsec. - secretName: cilium-ipsec-keys - - # -- Deprecated in favor of encryption.ipsec.interface. To be removed in 1.15. - # The interface to use for encrypted traffic. - # This option is only effective when encryption.type is set to ipsec. - interface: "" - - endpointHealthChecking: - # -- Enable connectivity health checking between virtual endpoints. - enabled: true - - # -- Enable endpoint status. - # Status can be: policy, health, controllers, log and / or state. For 2 or more options use a space. - endpointStatus: - enabled: false - status: "" - - endpointRoutes: - # -- Enable use of per endpoint routes instead of routing via - # the cilium_host interface. - enabled: false - - k8sNetworkPolicy: - # -- Enable support for K8s NetworkPolicy - enabled: true - - eni: - # -- Enable Elastic Network Interface (ENI) integration. - enabled: false - # -- Update ENI Adapter limits from the EC2 API - updateEC2AdapterLimitViaAPI: true - # -- Release IPs not used from the ENI - awsReleaseExcessIPs: false - # -- Enable ENI prefix delegation - awsEnablePrefixDelegation: false - # -- EC2 API endpoint to use - ec2APIEndpoint: "" - # -- Tags to apply to the newly created ENIs - eniTags: {} - # -- Interval for garbage collection of unattached ENIs. Set to "0s" to disable. - # @default -- `"5m"` - gcInterval: "" - # -- Additional tags attached to ENIs created by Cilium. - # Dangling ENIs with this tag will be garbage collected - # @default -- `{"io.cilium/cilium-managed":"true,"io.cilium/cluster-name":""}` - gcTags: {} - # -- If using IAM role for Service Accounts will not try to - # inject identity values from cilium-aws kubernetes secret. - # Adds annotation to service account if managed by Helm. 
- # See https://github.com/aws/amazon-eks-pod-identity-webhook - iamRole: "" - # -- Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs - # Important note: This requires that each instance has an ENI with a matching subnet attached - # when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, - # use the CNI configuration file settings (cni.customConf) instead. - subnetIDsFilter: [] - # -- Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs - # Important note: This requires that each instance has an ENI with a matching subnet attached - # when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, - # use the CNI configuration file settings (cni.customConf) instead. - subnetTagsFilter: [] - # -- Filter via AWS EC2 Instance tags (k=v) which will dictate which AWS EC2 Instances - # are going to be used to create new ENIs - instanceTagsFilter: [] - - externalIPs: - # -- Enable ExternalIPs service support. - enabled: false - - # fragmentTracking enables IPv4 fragment tracking support in the datapath. - # fragmentTracking: true - - gke: - # -- Enable Google Kubernetes Engine integration - enabled: false - - # -- Enable connectivity health checking. - healthChecking: true - - # -- TCP port for the agent health API. This is not the port for cilium-health. - healthPort: 9879 - - # -- Configure the host firewall. - hostFirewall: - # -- Enables the enforcement of host policies in the eBPF datapath. - enabled: false - - hostPort: - # -- Enable hostPort service support. - enabled: false - - # -- Configure socket LB - socketLB: - # -- Enable socket LB - enabled: false - - # -- Disable socket lb for non-root ns. This is used to enable Istio routing rules. - # hostNamespaceOnly: false - - # -- Configure certificate generation for Hubble integration. 
- # If hubble.tls.auto.method=cronJob, these values are used - # for the Kubernetes CronJob which will be scheduled regularly to - # (re)generate any certificates not provided manually. - certgen: - image: - override: ~ - repository: "quay.io/cilium/certgen" - tag: "v0.1.9" - digest: "sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f" - useDigest: true - pullPolicy: "IfNotPresent" - # -- Seconds after which the completed job pod will be deleted - ttlSecondsAfterFinished: 1800 - # -- Labels to be added to hubble-certgen pods - podLabels: {} - # -- Annotations to be added to the hubble-certgen initial Job and CronJob - annotations: - job: {} - cronJob: {} - # -- Node tolerations for pod assignment on nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: [] - - # -- Additional certgen volumes. - extraVolumes: [] - - # -- Additional certgen volumeMounts. - extraVolumeMounts: [] - - # -- Affinity for certgen - affinity: {} - - hubble: - # -- Enable Hubble (true by default). - enabled: true - - # -- Annotations to be added to all top-level hubble objects (resources under templates/hubble) - annotations: {} - - # -- Buffer size of the channel Hubble uses to receive monitor events. If this - # value is not set, the queue size is set to the default monitor queue size. - # eventQueueSize: "" - - # -- Number of recent flows for Hubble to cache. Defaults to 4095. - # Possible values are: - # 1, 3, 7, 15, 31, 63, 127, 255, 511, 1023, - # 2047, 4095, 8191, 16383, 32767, 65535 - # eventBufferCapacity: "4095" - - # -- Hubble metrics configuration. - # See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics - # for more comprehensive documentation about Hubble metrics. - metrics: - # -- Configures the list of metrics to collect. If empty or null, metrics - # are disabled. 
- # Example: - # - # enabled: - # - dns:query;ignoreAAAA - # - drop - # - tcp - # - flow - # - icmp - # - http - # - # You can specify the list of metrics from the helm CLI: - # - # --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" - # - enabled: ~ - # -- Enables exporting hubble metrics in OpenMetrics format. - enableOpenMetrics: false - # -- Configure the port the hubble metric server listens on. - port: 9965 - # -- Annotations to be added to hubble-metrics service. - serviceAnnotations: {} - serviceMonitor: - # -- Create ServiceMonitor resources for Prometheus Operator. - # This requires the prometheus CRDs to be available. - # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) - enabled: false - # -- Labels to add to ServiceMonitor hubble - labels: {} - # -- Annotations to add to ServiceMonitor hubble - annotations: {} - # -- jobLabel to add for ServiceMonitor hubble - jobLabel: "" - # -- Interval for scrape metrics. - interval: "10s" - # -- Relabeling configs for the ServiceMonitor hubble - relabelings: - - sourceLabels: - - __meta_kubernetes_pod_node_name - targetLabel: node - replacement: ${1} - # -- Metrics relabeling configs for the ServiceMonitor hubble - metricRelabelings: ~ - # -- Grafana dashboards for hubble - # grafana can import dashboards based on the label and value - # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards - dashboards: - enabled: false - label: grafana_dashboard - namespace: ~ - labelValue: "1" - annotations: {} - - # -- Unix domain socket path to listen to when Hubble is enabled. - socketPath: /var/run/cilium/hubble.sock - - # -- Enables redacting sensitive information present in Layer 7 flows. - redact: - enabled: false - http: - # -- Enables redacting URL query (GET) parameters. 
- # Example: - # - # redact: - # enabled: true - # http: - # urlQuery: true - # - # You can specify the options from the helm CLI: - # - # --set hubble.redact.enabled="true" - # --set hubble.redact.http.urlQuery="true" - urlQuery: false - # -- Enables redacting user info, e.g., password when basic auth is used. - # Example: - # - # redact: - # enabled: true - # http: - # userInfo: true - # - # You can specify the options from the helm CLI: - # - # --set hubble.redact.enabled="true" - # --set hubble.redact.http.userInfo="true" - userInfo: true - headers: - # -- List of HTTP headers to allow: headers not matching will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. - # Example: - # redact: - # enabled: true - # http: - # headers: - # allow: - # - traceparent - # - tracestate - # - Cache-Control - # - # You can specify the options from the helm CLI: - # --set hubble.redact.enabled="true" - # --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control" - allow: [] - # -- List of HTTP headers to deny: matching headers will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. - # Example: - # redact: - # enabled: true - # http: - # headers: - # deny: - # - Authorization - # - Proxy-Authorization - # - # You can specify the options from the helm CLI: - # --set hubble.redact.enabled="true" - # --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization" - deny: [] - kafka: - # -- Enables redacting Kafka's API key. - # Example: - # - # redact: - # enabled: true - # kafka: - # apiKey: true - # - # You can specify the options from the helm CLI: - # - # --set hubble.redact.enabled="true" - # --set hubble.redact.kafka.apiKey="true" - apiKey: false - - # -- An additional address for Hubble to listen to. - # Set this field ":4244" if you are enabling Hubble Relay, as it assumes that - # Hubble is listening on port 4244. 
- listenAddress: ":4244" - # -- Whether Hubble should prefer to announce IPv6 or IPv4 addresses if both are available. - preferIpv6: false - # -- (bool) Skip Hubble events with unknown cgroup ids - # @default -- `true` - skipUnknownCGroupIDs: ~ - - peerService: - # -- Service Port for the Peer service. - # If not set, it is dynamically assigned to port 443 if TLS is enabled and to - # port 80 if not. - # servicePort: 80 - # -- Target Port for the Peer service, must match the hubble.listenAddress' - # port. - targetPort: 4244 - # -- The cluster domain to use to query the Hubble Peer service. It should - # be the local cluster. - clusterDomain: cluster.local - # -- TLS configuration for Hubble - tls: - # -- Enable mutual TLS for listenAddress. Setting this value to false is - # highly discouraged as the Hubble API provides access to potentially - # sensitive network flow metadata and is exposed on the host network. - enabled: true - # -- Configure automatic TLS certificates generation. - auto: - # -- Auto-generate certificates. - # When set to true, automatically generate a CA and certificates to - # enable mTLS between Hubble server and Hubble Relay instances. If set to - # false, the certs for Hubble server need to be provided by setting - # appropriate values below. - enabled: true - # -- Set the method to auto-generate certificates. Supported values: - # - helm: This method uses Helm to generate all certificates. - # - cronJob: This method uses a Kubernetes CronJob the generate any - # certificates not provided by the user at installation - # time. - # - certmanager: This method use cert-manager to generate & rotate certificates. - method: helm - # -- Generated certificates validity duration in days. - certValidityDuration: 1095 - # -- Schedule for certificates regeneration (regardless of their expiration date). - # Only used if method is "cronJob". If nil, then no recurring job will be created. 
- # Instead, only the one-shot job is deployed to generate the certificates at - # installation time. - # - # Defaults to midnight of the first day of every fourth month. For syntax, see - # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax - schedule: "0 0 1 */4 *" - - # [Example] - # certManagerIssuerRef: - # group: cert-manager.io - # kind: ClusterIssuer - # name: ca-issuer - # -- certmanager issuer used when hubble.tls.auto.method=certmanager. - certManagerIssuerRef: {} - - # -- base64 encoded PEM values for the Hubble server certificate and private key - server: - cert: "" - key: "" - # -- Extra DNS names added to certificate when it's auto generated - extraDnsNames: [] - # -- Extra IP addresses added to certificate when it's auto generated - extraIpAddresses: [] - - relay: - # -- Enable Hubble Relay (requires hubble.enabled=true) - enabled: false - - # -- Roll out Hubble Relay pods automatically when configmap is updated. - rollOutPods: false - - # -- Hubble-relay container image. - image: - override: ~ - repository: "quay.io/cilium/hubble-relay" - tag: "v1.15.2" - # hubble-relay-digest - digest: "" - useDigest: false - pullPolicy: "IfNotPresent" - - # -- Specifies the resources for the hubble-relay pods - resources: {} - - # -- Number of replicas run for the hubble-relay deployment. 
- replicas: 1 - - # -- Affinity for hubble-replay - affinity: - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - k8s-app: cilium - - # -- Pod topology spread constraints for hubble-relay - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - - # -- Node labels for pod assignment - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - nodeSelector: - kubernetes.io/os: linux - - # -- Node tolerations for pod assignment on nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: [] - - # -- Additional hubble-relay environment variables. - extraEnv: [] - - # -- Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay) - annotations: {} - - # -- Annotations to be added to hubble-relay pods - podAnnotations: {} - - # -- Labels to be added to hubble-relay pods - podLabels: {} - - # PodDisruptionBudget settings - podDisruptionBudget: - # -- enable PodDisruptionBudget - # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ - enabled: false - # -- Minimum number/percentage of pods that should remain scheduled. - # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` - minAvailable: null - # -- Maximum number/percentage of pods that may be made unavailable - maxUnavailable: 1 - - # -- The priority class to use for hubble-relay - priorityClassName: "" - - # -- Configure termination grace period for hubble relay Deployment. - terminationGracePeriodSeconds: 1 - - # -- hubble-relay update strategy - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - - # -- Additional hubble-relay volumes. - extraVolumes: [] - - # -- Additional hubble-relay volumeMounts. 
- extraVolumeMounts: [] - - # -- hubble-relay pod security context - podSecurityContext: - fsGroup: 65532 - - # -- hubble-relay container security context - securityContext: - # readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - capabilities: - drop: - - ALL - - # -- hubble-relay service configuration. - service: - # --- The type of service used for Hubble Relay access, either ClusterIP or NodePort. - type: ClusterIP - # --- The port to use when the service type is set to NodePort. - nodePort: 31234 - - # -- Host to listen to. Specify an empty string to bind to all the interfaces. - listenHost: "" - - # -- Port to listen to. - listenPort: "4245" - - # -- TLS configuration for Hubble Relay - tls: - # -- base64 encoded PEM values for the hubble-relay client certificate and private key - # This keypair is presented to Hubble server instances for mTLS - # authentication and is required when hubble.tls.enabled is true. - # These values need to be set manually if hubble.tls.auto.enabled is false. - client: - cert: "" - key: "" - # -- base64 encoded PEM values for the hubble-relay server certificate and private key - server: - # When set to true, enable TLS on for Hubble Relay server - # (ie: for clients connecting to the Hubble Relay API). - enabled: false - # When set to true enforces mutual TLS between Hubble Relay server and its clients. - # False allow non-mutual TLS connections. - # This option has no effect when TLS is disabled. - mtls: false - # These values need to be set manually if hubble.tls.auto.enabled is false. 
- cert: "" - key: "" - # -- extra DNS names added to certificate when its auto gen - extraDnsNames: [] - # -- extra IP addresses added to certificate when its auto gen - extraIpAddresses: [] - # DNS name used by the backend to connect to the relay - # This is a simple workaround as the relay certificates are currently hardcoded to - # *.hubble-relay.cilium.io - # See https://github.com/cilium/cilium/pull/28709#discussion_r1371792546 - # For GKE Dataplane V2 this should be set to relay.kube-system.svc.cluster.local - relayName: "ui.hubble-relay.cilium.io" - - # -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). - dialTimeout: ~ - - # -- Backoff duration to retry connecting to the local hubble instance in case of failure (e.g. "30s"). - retryTimeout: ~ - - # -- Max number of flows that can be buffered for sorting before being sent to the - # client (per request) (e.g. 100). - sortBufferLenMax: ~ - - # -- When the per-request flows sort buffer is not full, a flow is drained every - # time this timeout is reached (only affects requests in follow-mode) (e.g. "1s"). - sortBufferDrainTimeout: ~ - - # -- Port to use for the k8s service backed by hubble-relay pods. - # If not set, it is dynamically assigned to port 443 if TLS is enabled and to - # port 80 if not. - # servicePort: 80 - - # -- Enable prometheus metrics for hubble-relay on the configured port at - # /metrics - prometheus: - enabled: false - port: 9966 - serviceMonitor: - # -- Enable service monitors. - # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) - enabled: false - # -- Labels to add to ServiceMonitor hubble-relay - labels: {} - # -- Annotations to add to ServiceMonitor hubble-relay - annotations: {} - # -- Interval for scrape metrics. 
- interval: "10s" - # -- Specify the Kubernetes namespace where Prometheus expects to find - # service monitors configured. - # namespace: "" - # -- Relabeling configs for the ServiceMonitor hubble-relay - relabelings: ~ - # -- Metrics relabeling configs for the ServiceMonitor hubble-relay - metricRelabelings: ~ - - gops: - # -- Enable gops for hubble-relay - enabled: true - # -- Configure gops listen port for hubble-relay - port: 9893 - - pprof: - # -- Enable pprof for hubble-relay - enabled: false - # -- Configure pprof listen address for hubble-relay - address: localhost - # -- Configure pprof listen port for hubble-relay - port: 6062 - - ui: - # -- Whether to enable the Hubble UI. - enabled: false - - standalone: - # -- When true, it will allow installing the Hubble UI only, without checking dependencies. - # It is useful if a cluster already has cilium and Hubble relay installed and you just - # want Hubble UI to be deployed. - # When installed via helm, installing UI should be done via `helm upgrade` and when installed via the cilium cli, then `cilium hubble enable --ui` - enabled: false - - tls: - # -- When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required - # to provide a volume for mounting the client certificates. - certsVolume: {} - # projected: - # defaultMode: 0400 - # sources: - # - secret: - # name: hubble-ui-client-certs - # items: - # - key: tls.crt - # path: client.crt - # - key: tls.key - # path: client.key - # - key: ca.crt - # path: hubble-relay-ca.crt - - # -- Roll out Hubble-ui pods automatically when configmap is updated. - rollOutPods: false - - tls: - # -- base64 encoded PEM values used to connect to hubble-relay - # This keypair is presented to Hubble Relay instances for mTLS - # authentication and is required when hubble.relay.tls.server.enabled is true. - # These values need to be set manually if hubble.tls.auto.enabled is false. 
- client: - cert: "" - key: "" - - backend: - # -- Hubble-ui backend image. - image: - override: ~ - repository: "quay.io/cilium/hubble-ui-backend" - tag: "v0.13.0" - digest: "sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803" - useDigest: true - pullPolicy: "IfNotPresent" - - # -- Hubble-ui backend security context. - securityContext: {} - - # -- Additional hubble-ui backend environment variables. - extraEnv: [] - - # -- Additional hubble-ui backend volumes. - extraVolumes: [] - - # -- Additional hubble-ui backend volumeMounts. - extraVolumeMounts: [] - - livenessProbe: - # -- Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) - enabled: false - - readinessProbe: - # -- Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) - enabled: false - - # -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. - resources: {} - # limits: - # cpu: 1000m - # memory: 1024M - # requests: - # cpu: 100m - # memory: 64Mi - - frontend: - # -- Hubble-ui frontend image. - image: - override: ~ - repository: "quay.io/cilium/hubble-ui" - tag: "v0.13.0" - digest: "sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666" - useDigest: true - pullPolicy: "IfNotPresent" - - # -- Hubble-ui frontend security context. - securityContext: {} - - # -- Additional hubble-ui frontend environment variables. - extraEnv: [] - - # -- Additional hubble-ui frontend volumes. - extraVolumes: [] - - # -- Additional hubble-ui frontend volumeMounts. - extraVolumeMounts: [] - - # -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. - resources: {} - # limits: - # cpu: 1000m - # memory: 1024M - # requests: - # cpu: 100m - # memory: 64Mi - server: - # -- Controls server listener for ipv6 - ipv6: - enabled: true - - # -- The number of replicas of Hubble UI to deploy. 
- replicas: 1 - - # -- Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui) - annotations: {} - - # -- Annotations to be added to hubble-ui pods - podAnnotations: {} - - # -- Labels to be added to hubble-ui pods - podLabels: {} - - # PodDisruptionBudget settings - podDisruptionBudget: - # -- enable PodDisruptionBudget - # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ - enabled: false - # -- Minimum number/percentage of pods that should remain scheduled. - # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` - minAvailable: null - # -- Maximum number/percentage of pods that may be made unavailable - maxUnavailable: 1 - - # -- Affinity for hubble-ui - affinity: {} - - # -- Pod topology spread constraints for hubble-ui - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - - # -- Node labels for pod assignment - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - nodeSelector: - kubernetes.io/os: linux - - # -- Node tolerations for pod assignment on nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: [] - - # -- The priority class to use for hubble-ui - priorityClassName: "" - - # -- hubble-ui update strategy. - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - - # -- Security context to be added to Hubble UI pods - securityContext: - runAsUser: 1001 - runAsGroup: 1001 - fsGroup: 1001 - - # -- hubble-ui service configuration. - service: - # -- Annotations to be added for the Hubble UI service - annotations: {} - # --- The type of service used for Hubble UI access, either ClusterIP or NodePort. - type: ClusterIP - # --- The port to use when the service type is set to NodePort. - nodePort: 31235 - - # -- Defines base url prefix for all hubble-ui http requests. 
- # It needs to be changed in case if ingress for hubble-ui is configured under some sub-path. - # Trailing `/` is required for custom path, ex. `/service-map/` - baseUrl: "/" - - # -- hubble-ui ingress configuration. - ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - className: "" - hosts: - - chart-example.local - labels: {} - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - - # -- Hubble flows export. - export: - # --- Defines max file size of output file before it gets rotated. - fileMaxSizeMb: 10 - # --- Defines max number of backup/rotated files. - fileMaxBackups: 5 - # --- Static exporter configuration. - # Static exporter is bound to agent lifecycle. - static: - enabled: false - filePath: /var/run/cilium/hubble/events.log - fieldMask: [] - # - time - # - source - # - destination - # - verdict - allowList: [] - # - '{"verdict":["DROPPED","ERROR"]}' - denyList: [] - # - '{"source_pod":["kube-system/"]}' - # - '{"destination_pod":["kube-system/"]}' - # --- Dynamic exporters configuration. - # Dynamic exporters may be reconfigured without a need of agent restarts. - dynamic: - enabled: false - config: - # ---- Name of configmap with configuration that may be altered to reconfigure exporters within a running agents. - configMapName: cilium-flowlog-config - # ---- True if helm installer should create config map. - # Switch to false if you want to self maintain the file content. - createConfigMap: true - # ---- Exporters configuration in YAML format. 
- content: - - name: all - fieldMask: [] - includeFilters: [] - excludeFilters: [] - filePath: "/var/run/cilium/hubble/events.log" - #- name: "test002" - # filePath: "/var/log/network/flow-log/pa/test002.log" - # fieldMask: ["source.namespace", "source.pod_name", "destination.namespace", "destination.pod_name", "verdict"] - # includeFilters: - # - source_pod: ["default/"] - # event_type: - # - type: 1 - # - destination_pod: ["frontend/nginx-975996d4c-7hhgt"] - # excludeFilters: [] - # end: "2023-10-09T23:59:59-07:00" - - # -- Method to use for identity allocation (`crd` or `kvstore`). - identityAllocationMode: "crd" - - # -- (string) Time to wait before using new identity on endpoint identity change. - # @default -- `"5s"` - identityChangeGracePeriod: "" - - # -- Install Iptables rules to skip netfilter connection tracking on all pod - # traffic. This option is only effective when Cilium is running in direct - # routing and full KPR mode. Moreover, this option cannot be enabled when Cilium - # is running in a managed Kubernetes environment or in a chained CNI setup. - installNoConntrackIptablesRules: false - - ipam: - # -- Configure IP Address Management mode. - # ref: https://docs.cilium.io/en/stable/network/concepts/ipam/ - mode: "cluster-pool" - # -- Maximum rate at which the CiliumNode custom resource is updated. - ciliumNodeUpdateRate: "15s" - operator: - # -- IPv4 CIDR list range to delegate to individual nodes for IPAM. - clusterPoolIPv4PodCIDRList: {{ index .Cluster.spec.clusterNetwork.pods.cidrBlocks 0 }} - # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM. - clusterPoolIPv4MaskSize: 24 - # -- IPv6 CIDR list range to delegate to individual nodes for IPAM. - clusterPoolIPv6PodCIDRList: ["fd00::/104"] - # -- IPv6 CIDR mask size to delegate to individual nodes for IPAM. - clusterPoolIPv6MaskSize: 120 - # -- IP pools to auto-create in multi-pool IPAM mode. 
- autoCreateCiliumPodIPPools: {} - # default: - # ipv4: - # cidrs: - # - 10.10.0.0/8 - # maskSize: 24 - # other: - # ipv6: - # cidrs: - # - fd00:100::/80 - # maskSize: 96 - # -- The maximum burst size when rate limiting access to external APIs. - # Also known as the token bucket capacity. - # @default -- `20` - externalAPILimitBurstSize: ~ - # -- The maximum queries per second when rate limiting access to - # external APIs. Also known as the bucket refill rate, which is used to - # refill the bucket up to the burst size capacity. - # @default -- `4.0` - externalAPILimitQPS: ~ - - # -- The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API - apiRateLimit: ~ - - # -- Configure the eBPF-based ip-masq-agent - ipMasqAgent: - enabled: false - # the config of nonMasqueradeCIDRs - # config: - # nonMasqueradeCIDRs: [] - # masqLinkLocal: false - # masqLinkLocalIPv6: false - - # iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium. - # iptablesLockTimeout: "5s" - - ipv4: - # -- Enable IPv4 support. - enabled: true - - ipv6: - # -- Enable IPv6 support. - enabled: false - - # -- Configure Kubernetes specific configuration - k8s: {} - # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR - # range via the Kubernetes node resource - # requireIPv4PodCIDR: false - - # -- requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR - # range via the Kubernetes node resource - # requireIPv6PodCIDR: false - - # -- Keep the deprecated selector labels when deploying Cilium DaemonSet. - keepDeprecatedLabels: false - - # -- Keep the deprecated probes when deploying Cilium DaemonSet - keepDeprecatedProbes: false - - startupProbe: - # -- failure threshold of startup probe. 
- # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s) - failureThreshold: 105 - # -- interval between checks of the startup probe - periodSeconds: 2 - livenessProbe: - # -- failure threshold of liveness probe - failureThreshold: 10 - # -- interval between checks of the liveness probe - periodSeconds: 30 - readinessProbe: - # -- failure threshold of readiness probe - failureThreshold: 3 - # -- interval between checks of the readiness probe - periodSeconds: 30 - - # -- Configure the kube-proxy replacement in Cilium BPF datapath - # Valid options are "true", "false", "disabled" (deprecated), "partial" (deprecated), "strict" (deprecated). - # ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/ - #kubeProxyReplacement: "false" - - # -- healthz server bind address for the kube-proxy replacement. - # To enable set the value to '0.0.0.0:10256' for all ipv4 - # addresses and this '[::]:10256' for all ipv6 addresses. - # By default it is disabled. - kubeProxyReplacementHealthzBindAddr: "" - - l2NeighDiscovery: - # -- Enable L2 neighbor discovery in the agent - enabled: true - # -- Override the agent's default neighbor resolution refresh period. - refreshPeriod: "30s" - - # -- Enable Layer 7 network policy. - l7Proxy: true - - # -- Enable Local Redirect Policy. - localRedirectPolicy: false - - # To include or exclude matched resources from cilium identity evaluation - # labels: "" - - # logOptions allows you to define logging options. eg: - # logOptions: - # format: json - - # -- Enables periodic logging of system load - logSystemLoad: false - - # -- Configure maglev consistent hashing - maglev: {} - # -- tableSize is the size (parameter M) for the backend table of one - # service entry - # tableSize: - - # -- hashSeed is the cluster-wide base64 encoded seed for the hashing - # hashSeed: - - # -- Enables masquerading of IPv4 traffic leaving the node from endpoints. 
- enableIPv4Masquerade: true - - # -- Enables masquerading of IPv6 traffic leaving the node from endpoints. - enableIPv6Masquerade: true - - # -- Enables masquerading to the source of the route for traffic leaving the node from endpoints. - enableMasqueradeRouteSource: false - - # -- Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods - enableIPv4BIGTCP: false - - # -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods - enableIPv6BIGTCP: false - - egressGateway: - # -- Enables egress gateway to redirect and SNAT the traffic that leaves the - # cluster. - enabled: false - # -- Deprecated without a replacement necessary. - installRoutes: false - # -- Time between triggers of egress gateway state reconciliations - reconciliationTriggerInterval: 1s - # -- Maximum number of entries in egress gateway policy map - # maxPolicyEntries: 16384 - - vtep: - # -- Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow - # Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel. - enabled: false - - # -- A space separated list of VTEP device endpoint IPs, for example "1.1.1.1 1.1.2.1" - endpoint: "" - # -- A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24" - cidr: "" - # -- VTEP CIDRs Mask that applies to all VTEP CIDRs, for example "255.255.255.0" - mask: "" - # -- A space separated list of VTEP device MAC addresses (VTEP MAC), for example "x:x:x:x:x:x y:y:y:y:y:y:y" - mac: "" - - # -- (string) Allows to explicitly specify the IPv4 CIDR for native routing. - # When specified, Cilium assumes networking for this CIDR is preconfigured and - # hands traffic destined for that range to the Linux network stack without - # applying any SNAT. - # Generally speaking, specifying a native routing CIDR implies that Cilium can - # depend on the underlying networking stack to route packets to their - # destination. 
To offer a concrete example, if Cilium is configured to use - # direct routing and the Kubernetes CIDR is included in the native routing CIDR, - # the user must configure the routes to reach pods, either manually or by - # setting the auto-direct-node-routes flag. - ipv4NativeRoutingCIDR: "" - - # -- (string) Allows to explicitly specify the IPv6 CIDR for native routing. - # When specified, Cilium assumes networking for this CIDR is preconfigured and - # hands traffic destined for that range to the Linux network stack without - # applying any SNAT. - # Generally speaking, specifying a native routing CIDR implies that Cilium can - # depend on the underlying networking stack to route packets to their - # destination. To offer a concrete example, if Cilium is configured to use - # direct routing and the Kubernetes CIDR is included in the native routing CIDR, - # the user must configure the routes to reach pods, either manually or by - # setting the auto-direct-node-routes flag. - ipv6NativeRoutingCIDR: "" - - # -- cilium-monitor sidecar. - monitor: - # -- Enable the cilium-monitor sidecar. - enabled: false - - # -- Configure service load balancing - loadBalancer: - # -- standalone enables the standalone L4LB which does not connect to - # kube-apiserver. - # standalone: false - - # -- algorithm is the name of the load balancing algorithm for backend - # selection e.g. random or maglev - # algorithm: random - - # -- mode is the operation mode of load balancing for remote backends - # e.g. snat, dsr, hybrid - # mode: snat - - # -- acceleration is the option to accelerate service handling via XDP - # Applicable values can be: disabled (do not use XDP), native (XDP BPF - # program is run directly out of the networking driver's early receive - # path), or best-effort (use native mode XDP acceleration on devices - # that support it). 
- acceleration: disabled - - # -- dsrDispatch configures whether IP option or IPIP encapsulation is - # used to pass a service IP and port to remote backend - # dsrDispatch: opt - - # -- serviceTopology enables K8s Topology Aware Hints -based service - # endpoints filtering - # serviceTopology: false - - # -- L7 LoadBalancer - l7: - # -- Enable L7 service load balancing via envoy proxy. - # The request to a k8s service, which has specific annotation e.g. service.cilium.io/lb-l7, - # will be forwarded to the local backend proxy to be load balanced to the service endpoints. - # Please refer to docs for supported annotations for more configuration. - # - # Applicable values: - # - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well. - # - disabled: Disable L7 load balancing by way of service annotation. - backend: disabled - # -- List of ports from service to be automatically redirected to above backend. - # Any service exposing one of these ports will be automatically redirected. - # Fine-grained control can be achieved by using the service annotation. - ports: [] - # -- Default LB algorithm - # The default LB algorithm to be used for services, which can be overridden by the - # service annotation (e.g. service.cilium.io/lb-l7-algorithm) - # Applicable values: round_robin, least_request, random - algorithm: round_robin - - # -- Configure N-S k8s service loadbalancing - nodePort: - # -- Enable the Cilium NodePort service implementation. - enabled: false - - # -- Port range to use for NodePort services. - # range: "30000,32767" - - # -- Set to true to prevent applications binding to service ports. - bindProtection: true - - # -- Append NodePort range to ip_local_reserved_ports if clash with ephemeral - # ports is detected. - autoProtectPortRange: true - - # -- Enable healthcheck nodePort server for NodePort services - enableHealthCheck: true - - # -- Enable access of the healthcheck nodePort on the LoadBalancerIP. 
Needs - # EnableHealthCheck to be enabled - enableHealthCheckLoadBalancerIP: false - - # policyAuditMode: false - - # -- The agent can be put into one of the three policy enforcement modes: - # default, always and never. - # ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes - policyEnforcementMode: "default" - - # -- policyCIDRMatchMode is a list of entities that may be selected by CIDR selector. - # The possible value is "nodes". - policyCIDRMatchMode: - - pprof: - # -- Enable pprof for cilium-agent - enabled: false - # -- Configure pprof listen address for cilium-agent - address: localhost - # -- Configure pprof listen port for cilium-agent - port: 6060 - - # -- Configure prometheus metrics on the configured port at /metrics - prometheus: - enabled: false - port: 9962 - serviceMonitor: - # -- Enable service monitors. - # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) - enabled: false - # -- Labels to add to ServiceMonitor cilium-agent - labels: {} - # -- Annotations to add to ServiceMonitor cilium-agent - annotations: {} - # -- jobLabel to add for ServiceMonitor cilium-agent - jobLabel: "" - # -- Interval for scrape metrics. - interval: "10s" - # -- Specify the Kubernetes namespace where Prometheus expects to find - # service monitors configured. - # namespace: "" - # -- Relabeling configs for the ServiceMonitor cilium-agent - relabelings: - - sourceLabels: - - __meta_kubernetes_pod_node_name - targetLabel: node - replacement: ${1} - # -- Metrics relabeling configs for the ServiceMonitor cilium-agent - metricRelabelings: ~ - # -- Set to `true` and helm will not check for monitoring.coreos.com/v1 CRDs before deploying - trustCRDsExist: false - - # -- Metrics that should be enabled or disabled from the default metric list. - # The list is expected to be separated by a space. 
(+metric_foo to enable - # metric_foo , -metric_bar to disable metric_bar). - # ref: https://docs.cilium.io/en/stable/observability/metrics/ - metrics: ~ - - # --- Enable controller group metrics for monitoring specific Cilium - # subsystems. The list is a list of controller group names. The special - # values of "all" and "none" are supported. The set of controller - # group names is not guaranteed to be stable between Cilium versions. - controllerGroupMetrics: - - write-cni-file - - sync-host-ips - - sync-lb-maps-with-k8s-services - - # -- Grafana dashboards for cilium-agent - # grafana can import dashboards based on the label and value - # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards - dashboards: - enabled: false - label: grafana_dashboard - namespace: ~ - labelValue: "1" - annotations: {} - - # -- Configure Istio proxy options. - proxy: - - prometheus: - # -- Deprecated in favor of envoy.prometheus.enabled - enabled: true - # -- Deprecated in favor of envoy.prometheus.port - port: ~ - # -- Regular expression matching compatible Istio sidecar istio-proxy - # container image names - sidecarImageRegex: "cilium/istio_proxy" - - # Configure Cilium Envoy options. - envoy: - # -- Enable Envoy Proxy in standalone DaemonSet. - enabled: false - - log: - # -- The format string to use for laying out the log message metadata of Envoy. - format: "[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v" - # -- Path to a separate Envoy log file, if any. Defaults to /dev/stdout. - path: "" - - # -- Time in seconds after which a TCP connection attempt times out - connectTimeoutSeconds: 2 - # -- ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for Envoy - maxRequestsPerConnection: 0 - # -- Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable) - maxConnectionDurationSeconds: 0 - # -- Set Envoy upstream HTTP idle connection timeout seconds. - # Does not apply to connections with pending requests. 
Default 60s - idleTimeoutDurationSeconds: 60 - - # -- Envoy container image. - image: - override: ~ - repository: "quay.io/cilium/cilium-envoy" - tag: "v1.27.3-99c1c8f42c8de70fc8f6dd594f4a425cd38b6688" - pullPolicy: "IfNotPresent" - digest: "sha256:877ead12d08d4c04a9f67f86d3c6e542aeb7bf97e1e401aee74de456f496ac30" - useDigest: true - - # -- Additional containers added to the cilium Envoy DaemonSet. - extraContainers: [] - - # -- Additional envoy container arguments. - extraArgs: [] - - # -- Additional envoy container environment variables. - extraEnv: [] - - # -- Additional envoy hostPath mounts. - extraHostPathMounts: [] - # - name: host-mnt-data - # mountPath: /host/mnt/data - # hostPath: /mnt/data - # hostPathType: Directory - # readOnly: true - # mountPropagation: HostToContainer - - # -- Additional envoy volumes. - extraVolumes: [] - - # -- Additional envoy volumeMounts. - extraVolumeMounts: [] - - # -- Configure termination grace period for cilium-envoy DaemonSet. - terminationGracePeriodSeconds: 1 - - # -- TCP port for the health API. - healthPort: 9878 - - # -- cilium-envoy update strategy - # ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#updating-a-daemonset - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 2 - # -- Roll out cilium envoy pods automatically when configmap is updated. - rollOutPods: false - - # -- Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy) - annotations: {} - - # -- Security Context for cilium-envoy pods. 
- podSecurityContext: {} - - # -- Annotations to be added to envoy pods - podAnnotations: {} - - # -- Labels to be added to envoy pods - podLabels: {} - - # -- Envoy resource limits & requests - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: {} - # limits: - # cpu: 4000m - # memory: 4Gi - # requests: - # cpu: 100m - # memory: 512Mi - - startupProbe: - # -- failure threshold of startup probe. - # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s) - failureThreshold: 105 - # -- interval between checks of the startup probe - periodSeconds: 2 - livenessProbe: - # -- failure threshold of liveness probe - failureThreshold: 10 - # -- interval between checks of the liveness probe - periodSeconds: 30 - readinessProbe: - # -- failure threshold of readiness probe - failureThreshold: 3 - # -- interval between checks of the readiness probe - periodSeconds: 30 - - securityContext: - # -- User to run the pod with - # runAsUser: 0 - # -- Run the pod with elevated privileges - privileged: false - # -- SELinux options for the `cilium-envoy` container - seLinuxOptions: - level: 's0' - # Running with spc_t since we have removed the privileged mode. - # Users can change it to a different type as long as they have the - # type available on the system. - type: 'spc_t' - capabilities: - # -- Capabilities for the `cilium-envoy` container - envoy: - # Used since cilium proxy uses setting IPPROTO_IP/IP_TRANSPARENT - - NET_ADMIN - # We need it for now but might not need it for >= 5.11 specially - # for the 'SYS_RESOURCE'. - # In >= 5.8 there's already BPF and PERMON capabilities - - SYS_ADMIN - # Both PERFMON and BPF requires kernel 5.8, container runtime - # cri-o >= v1.22.0 or containerd >= v1.5.0. - # If available, SYS_ADMIN can be removed. - #- PERFMON - #- BPF - - # -- Affinity for cilium-envoy. 
- affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - k8s-app: cilium-envoy - - # -- Node selector for cilium-envoy. - nodeSelector: - kubernetes.io/os: linux - - # -- Node tolerations for envoy scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: - - operator: Exists - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - # -- The priority class to use for cilium-envoy. - priorityClassName: ~ - - # -- DNS policy for Cilium envoy pods. - # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy - dnsPolicy: ~ + k8sServiceHost: {{ .Cluster.spec.controlPlaneEndpoint.host }} + k8sServicePort: {{ .Cluster.spec.controlPlaneEndpoint.port }} - # -- Configure Cilium Envoy Prometheus options. - # Note that some of these apply to either cilium-agent or cilium-envoy. - prometheus: - # -- Enable prometheus metrics for cilium-envoy - enabled: true - serviceMonitor: - # -- Enable service monitors. - # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) - # Note that this setting applies to both cilium-envoy _and_ cilium-agent - # with Envoy enabled. - enabled: false - # -- Labels to add to ServiceMonitor cilium-envoy - labels: {} - # -- Annotations to add to ServiceMonitor cilium-envoy - annotations: {} - # -- Interval for scrape metrics. - interval: "10s" - # -- Specify the Kubernetes namespace where Prometheus expects to find - # service monitors configured. - # namespace: "" - # -- Relabeling configs for the ServiceMonitor cilium-envoy - # or for cilium-agent with Envoy configured. 
- relabelings: - - sourceLabels: - - __meta_kubernetes_pod_node_name - targetLabel: node - replacement: ${1} - # -- Metrics relabeling configs for the ServiceMonitor cilium-envoy - # or for cilium-agent with Envoy configured. - metricRelabelings: ~ - # -- Serve prometheus metrics for cilium-envoy on the configured port - port: "9964" + # -- Configure ClusterIP service handling in the host namespace (the node). + hostServices: + # -- Enable host reachable services. + enabled: true - # -- Enable use of the remote node identity. - # ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity - # Deprecated without replacement in 1.15. To be removed in 1.16. - remoteNodeIdentity: true + # -- Supported list of protocols to apply ClusterIP translation to. + protocols: tcp,udp - # -- Enable resource quotas for priority classes used in the cluster. - resourceQuotas: - enabled: false - cilium: - hard: - # 5k nodes * 2 DaemonSets (Cilium and cilium node init) - pods: "10k" + ipam: + # -- Configure IP Address Management mode. + # ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/ + mode: "cluster-pool" operator: - hard: - # 15 "clusterwide" Cilium Operator pods for HA - pods: "15" - - # Need to document default - ################## - #sessionAffinity: false - - # -- Do not run Cilium agent when running with clean mode. Useful to completely - # uninstall Cilium as it will stop Cilium from starting and create artifacts - # in the node. - sleepAfterInit: false - - # -- Enable check of service source ranges (currently, only for LoadBalancer). - svcSourceRangeCheck: true - - # -- Synchronize Kubernetes nodes to kvstore and perform CNP GC. - synchronizeK8sNodes: true - - # -- Configure TLS configuration in the agent. - tls: - # -- This configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies - # (namely the secrets referenced by terminatingTLS and originatingTLS). 
- # Possible values: - # - local - # - k8s - secretsBackend: local - - # -- Base64 encoded PEM values for the CA certificate and private key. - # This can be used as common CA to generate certificates used by hubble and clustermesh components. - # It is neither required nor used when cert-manager is used to generate the certificates. - ca: - # -- Optional CA cert. If it is provided, it will be used by cilium to - # generate all other certificates. Otherwise, an ephemeral CA is generated. - cert: "" - - # -- Optional CA private key. If it is provided, it will be used by cilium to - # generate all other certificates. Otherwise, an ephemeral CA is generated. - key: "" - - # -- Generated certificates validity duration in days. This will be used for auto generated CA. - certValidityDuration: 1095 - - # -- Configure the CA trust bundle used for the validation of the certificates - # leveraged by hubble and clustermesh. When enabled, it overrides the content of the - # 'ca.crt' field of the respective certificates, allowing for CA rotation with no down-time. - caBundle: - # -- Enable the use of the CA trust bundle. - enabled: false - - # -- Name of the ConfigMap containing the CA trust bundle. - name: cilium-root-ca.crt - - # -- Entry of the ConfigMap containing the CA trust bundle. - key: ca.crt - - # -- Use a Secret instead of a ConfigMap. - useSecret: false - - # If uncommented, creates the ConfigMap and fills it with the specified content. - # Otherwise, the ConfigMap is assumed to be already present in .Release.Namespace. - # - # content: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - - # -- Tunneling protocol to use in tunneling mode and for ad-hoc tunnels. - # Possible values: - # - "" - # - vxlan - # - geneve - # @default -- `"vxlan"` - tunnelProtocol: "" - - # -- Enable native-routing mode or tunneling mode. 
- # Possible values: - # - "" - # - native - # - tunnel - # @default -- `"tunnel"` - routingMode: "" - - # -- Configure VXLAN and Geneve tunnel port. - # @default -- Port 8472 for VXLAN, Port 6081 for Geneve - tunnelPort: 0 - - # -- Configure what the response should be to traffic for a service without backends. - # "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop". - # Possible values: - # - reject (default) - # - drop - serviceNoBackendResponse: reject - - # -- Configure the underlying network MTU to overwrite auto-detected MTU. - MTU: 0 - - # -- Disable the usage of CiliumEndpoint CRD. - disableEndpointCRD: false - - wellKnownIdentities: - # -- Enable the use of well-known identities. - enabled: false - - etcd: - # -- Enable etcd mode for the agent. - enabled: false - - # -- cilium-etcd-operator image. - image: - override: ~ - repository: "quay.io/cilium/cilium-etcd-operator" - tag: "v2.0.7" - digest: "sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc" - useDigest: true - pullPolicy: "IfNotPresent" - - # -- The priority class to use for cilium-etcd-operator - priorityClassName: "" - - # -- Additional cilium-etcd-operator container arguments. - extraArgs: [] - - # -- Additional cilium-etcd-operator volumes. - extraVolumes: [] - - # -- Additional cilium-etcd-operator volumeMounts. 
- extraVolumeMounts: [] - - # -- Node tolerations for cilium-etcd-operator scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: - - operator: Exists - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - # -- Pod topology spread constraints for cilium-etcd-operator - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - - # -- Node labels for cilium-etcd-operator pod assignment - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - nodeSelector: - kubernetes.io/os: linux - - # -- Annotations to be added to all top-level etcd-operator objects (resources under templates/etcd-operator) - annotations: {} - - # -- Security context to be added to cilium-etcd-operator pods - podSecurityContext: {} - - # -- Annotations to be added to cilium-etcd-operator pods - podAnnotations: {} - - # -- Labels to be added to cilium-etcd-operator pods - podLabels: {} - - # PodDisruptionBudget settings - podDisruptionBudget: - # -- enable PodDisruptionBudget - # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ - enabled: false - # -- Minimum number/percentage of pods that should remain scheduled. 
- # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` - minAvailable: null - # -- Maximum number/percentage of pods that may be made unavailable - maxUnavailable: 1 - - # -- cilium-etcd-operator resource limits & requests - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: {} - # limits: - # cpu: 4000m - # memory: 4Gi - # requests: - # cpu: 100m - # memory: 512Mi - - # -- Security context to be added to cilium-etcd-operator pods - securityContext: {} - # runAsUser: 0 - - # -- cilium-etcd-operator update strategy - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - - # -- If etcd is behind a k8s service set this option to true so that Cilium - # does the service translation automatically without requiring a DNS to be - # running. - k8sService: false - - # -- Cluster domain for cilium-etcd-operator. - clusterDomain: cluster.local - - # -- List of etcd endpoints (not needed when using managed=true). - endpoints: - - https://CHANGE-ME:2379 - - # -- Enable use of TLS/SSL for connectivity to etcd. (auto-enabled if - # managed=true) - ssl: false + # -- IPv4 CIDR list range to delegate to individual nodes for IPAM. + clusterPoolIPv4PodCIDRList: {{ index .Cluster.spec.clusterNetwork.pods.cidrBlocks 0 }} + # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM. + clusterPoolIPv4MaskSize: 24 - operator: - # -- Enable the cilium-operator component (required). + kubeProxyReplacement: "strict" + logSystemLoad: true + remoteNodeIdentity: true + tunnel: "vxlan" + hubble: + # -- Enable Hubble (true by default). enabled: true - - # -- Roll out cilium-operator pods automatically when configmap is updated. - rollOutPods: false - - # -- cilium-operator image. 
- image: - override: ~ - repository: "quay.io/cilium/operator" - tag: "v1.15.2" - # operator-generic-digest - genericDigest: "" - # operator-azure-digest - azureDigest: "" - # operator-aws-digest - awsDigest: "" - # operator-alibabacloud-digest - alibabacloudDigest: "" - useDigest: false - pullPolicy: "IfNotPresent" - suffix: "" - - # -- Number of replicas to run for the cilium-operator deployment - replicas: 2 - - # -- The priority class to use for cilium-operator - priorityClassName: "" - - # -- DNS policy for Cilium operator pods. - # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy - dnsPolicy: "" - - # -- cilium-operator update strategy - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 25% - maxUnavailable: 50% - - # -- Affinity for cilium-operator - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - io.cilium/app: operator - - # -- Pod topology spread constraints for cilium-operator - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - - # -- Node labels for cilium-operator pod assignment - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - nodeSelector: - kubernetes.io/os: linux - - # -- Node tolerations for cilium-operator scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: - - operator: Exists - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - # -- Additional cilium-operator container arguments. - extraArgs: [] - - # -- Additional cilium-operator environment variables. - extraEnv: [] - - # -- Additional cilium-operator hostPath mounts. 
- extraHostPathMounts: [] - # - name: host-mnt-data - # mountPath: /host/mnt/data - # hostPath: /mnt/data - # hostPathType: Directory - # readOnly: true - # mountPropagation: HostToContainer - - # -- Additional cilium-operator volumes. - extraVolumes: [] - - # -- Additional cilium-operator volumeMounts. - extraVolumeMounts: [] - - # -- Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator) - annotations: {} - - # -- Security context to be added to cilium-operator pods - podSecurityContext: {} - - # -- Annotations to be added to cilium-operator pods - podAnnotations: {} - - # -- Labels to be added to cilium-operator pods - podLabels: {} - - # PodDisruptionBudget settings - podDisruptionBudget: - # -- enable PodDisruptionBudget - # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ - enabled: false - # -- Minimum number/percentage of pods that should remain scheduled. - # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` - minAvailable: null - # -- Maximum number/percentage of pods that may be made unavailable - maxUnavailable: 1 - - # -- cilium-operator resource limits & requests - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: {} - # limits: - # cpu: 1000m - # memory: 1Gi - # requests: - # cpu: 100m - # memory: 128Mi - - # -- Security context to be added to cilium-operator pods - securityContext: {} - # runAsUser: 0 - - # -- Interval for endpoint garbage collection. - endpointGCInterval: "5m0s" - - # -- Interval for cilium node garbage collection. - nodeGCInterval: "5m0s" - - # -- Skip CNP node status clean up at operator startup. - skipCNPStatusStartupClean: false - - # -- Interval for identity garbage collection. - identityGCInterval: "15m0s" - - # -- Timeout for identity heartbeats. 
- identityHeartbeatTimeout: "30m0s" - - pprof: - # -- Enable pprof for cilium-operator - enabled: false - # -- Configure pprof listen address for cilium-operator - address: localhost - # -- Configure pprof listen port for cilium-operator - port: 6061 - - # -- Enable prometheus metrics for cilium-operator on the configured port at - # /metrics - prometheus: + relay: + enabled: true + ui: enabled: true - port: 9963 - serviceMonitor: - # -- Enable service monitors. - # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) - enabled: false - # -- Labels to add to ServiceMonitor cilium-operator - labels: {} - # -- Annotations to add to ServiceMonitor cilium-operator - annotations: {} - # -- jobLabel to add for ServiceMonitor cilium-operator - jobLabel: "" - # -- Interval for scrape metrics. - interval: "10s" - # -- Relabeling configs for the ServiceMonitor cilium-operator - relabelings: ~ - # -- Metrics relabeling configs for the ServiceMonitor cilium-operator - metricRelabelings: ~ - - # -- Grafana dashboards for cilium-operator - # grafana can import dashboards based on the label and value - # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards - dashboards: - enabled: false - label: grafana_dashboard - namespace: ~ - labelValue: "1" - annotations: {} - - # -- Skip CRDs creation for cilium-operator - skipCRDCreation: false - - # -- Remove Cilium node taint from Kubernetes nodes that have a healthy Cilium - # pod running. - removeNodeTaints: true - - # -- Taint nodes where Cilium is scheduled but not running. This prevents pods - # from being scheduled to nodes where Cilium is not the default CNI provider. 
- # @default -- same as removeNodeTaints - setNodeTaints: ~ - - # -- Set Node condition NetworkUnavailable to 'false' with the reason - # 'CiliumIsUp' for nodes that have a healthy Cilium pod. - setNodeNetworkStatus: true - - unmanagedPodWatcher: - # -- Restart any pod that are not managed by Cilium. - restart: true - # -- Interval, in seconds, to check if there are any pods that are not - # managed by Cilium. - intervalSeconds: 15 - - nodeinit: - # -- Enable the node initialization DaemonSet - enabled: false - - # -- node-init image. - image: - override: ~ - repository: "quay.io/cilium/startup-script" - tag: "62093c5c233ea914bfa26a10ba41f8780d9b737f" - pullPolicy: "IfNotPresent" - - # -- The priority class to use for the nodeinit pod. - priorityClassName: "" - - # -- node-init update strategy - updateStrategy: - type: RollingUpdate - - # -- Additional nodeinit environment variables. - extraEnv: [] - - # -- Additional nodeinit volumes. - extraVolumes: [] - - # -- Additional nodeinit volumeMounts. - extraVolumeMounts: [] - - # -- Affinity for cilium-nodeinit - affinity: {} - - # -- Node labels for nodeinit pod assignment - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - nodeSelector: - kubernetes.io/os: linux - - # -- Node tolerations for nodeinit scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: - - operator: Exists - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - # -- Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit) - annotations: {} - - # -- Annotations to be added to node-init pods. - podAnnotations: {} - - # -- Labels to be added to node-init pods. 
- podLabels: {} - - # -- nodeinit resource limits & requests - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: - requests: - cpu: 100m - memory: 100Mi - - # -- Security context to be added to nodeinit pods. - securityContext: - privileged: false - seLinuxOptions: - level: 's0' - # Running with spc_t since we have removed the privileged mode. - # Users can change it to a different type as long as they have the - # type available on the system. - type: 'spc_t' - capabilities: - add: - # Used in iptables. Consider removing once we are iptables-free - - SYS_MODULE - # Used for nsenter - - NET_ADMIN - - SYS_ADMIN - - SYS_CHROOT - - SYS_PTRACE - - # -- bootstrapFile is the location of the file where the bootstrap timestamp is - # written by the node-init DaemonSet - bootstrapFile: "/tmp/cilium-bootstrap.d/cilium-bootstrap-time" - - # -- startup offers way to customize startup nodeinit script (pre and post position) - startup: - preScript: "" - postScript: "" - # -- prestop offers way to customize prestop nodeinit script (pre and post position) - prestop: - preScript: "" - postScript: "" - - preflight: - # -- Enable Cilium pre-flight resources (required for upgrade) - enabled: false - - # -- Cilium pre-flight image. - image: - override: ~ - repository: "quay.io/cilium/cilium" - tag: "v1.15.2" - # cilium-digest - digest: "" - useDigest: false - pullPolicy: "IfNotPresent" - - # -- The priority class to use for the preflight pod. - priorityClassName: "" - - # -- preflight update strategy - updateStrategy: - type: RollingUpdate - - # -- Additional preflight environment variables. - extraEnv: [] - - # -- Additional preflight volumes. - extraVolumes: [] - - # -- Additional preflight volumeMounts. 
- extraVolumeMounts: [] - - # -- Affinity for cilium-preflight - affinity: - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - k8s-app: cilium - - # -- Node labels for preflight pod assignment - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - nodeSelector: - kubernetes.io/os: linux - - # -- Node tolerations for preflight scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: - - key: node.kubernetes.io/not-ready - effect: NoSchedule - - key: node-role.kubernetes.io/master - effect: NoSchedule - - key: node-role.kubernetes.io/control-plane - effect: NoSchedule - - key: node.cloudprovider.kubernetes.io/uninitialized - effect: NoSchedule - value: "true" - - key: CriticalAddonsOnly - operator: "Exists" - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - # -- Annotations to be added to all top-level preflight objects (resources under templates/cilium-preflight) - annotations: {} - - # -- Security context to be added to preflight pods. - podSecurityContext: {} - - # -- Annotations to be added to preflight pods - podAnnotations: {} - - # -- Labels to be added to the preflight pod. - podLabels: {} - - # PodDisruptionBudget settings - podDisruptionBudget: - # -- enable PodDisruptionBudget - # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ - enabled: false - # -- Minimum number/percentage of pods that should remain scheduled. 
- # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` - minAvailable: null - # -- Maximum number/percentage of pods that may be made unavailable - maxUnavailable: 1 - - # -- preflight resource limits & requests - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: {} - # limits: - # cpu: 4000m - # memory: 4Gi - # requests: - # cpu: 100m - # memory: 512Mi - - # -- Security context to be added to preflight pods - securityContext: {} - # runAsUser: 0 - - # -- Path to write the `--tofqdns-pre-cache` file to. - tofqdnsPreCache: "" - - # -- Configure termination grace period for preflight Deployment and DaemonSet. - terminationGracePeriodSeconds: 1 - - # -- By default we should always validate the installed CNPs before upgrading - # Cilium. This will make sure the user will have the policies deployed in the - # cluster with the right schema. - validateCNPs: true - - # -- Explicitly enable or disable priority class. - # .Capabilities.KubeVersion is unsettable in `helm template` calls, - # it depends on k8s libraries version that Helm was compiled against. - # This option allows to explicitly disable setting the priority class, which - # is useful for rendering charts for gke clusters in advance. - enableCriticalPriorityClass: true - - # disableEnvoyVersionCheck removes the check for Envoy, which can be useful - # on AArch64 as the images do not currently ship a version of Envoy. - #disableEnvoyVersionCheck: false clustermesh: # -- Deploy clustermesh-apiserver for clustermesh useAPIServer: false - # -- The maximum number of clusters to support in a ClusterMesh. This value - # cannot be changed on running clusters, and all clusters in a ClusterMesh - # must be configured with the same value. Values > 255 will decrease the - # maximum allocatable cluster-local identities. - # Supported values are 255 and 511. 
- maxConnectedClusters: 255 - - # -- Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config) - annotations: {} # -- Clustermesh explicit configuration. config: 
@@ -2932,587 +73,6 @@ spec: # ips: # - 172.18.255.201 # # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority. - # # These fields can (and should) be omitted in case the CA is shared across clusters. In that case, the - # # "remote" private key and certificate available in the local cluster are automatically used instead. # tls: # cert: "" # key: "" - # caCert: "" - - apiserver: - # -- Clustermesh API server image. - image: - override: ~ - repository: "quay.io/cilium/clustermesh-apiserver" - tag: "v1.15.2" - # clustermesh-apiserver-digest - digest: "" - useDigest: false - pullPolicy: "IfNotPresent" - - etcd: - # The etcd binary is included in the clustermesh API server image, so the same image from above is reused. - # Independent override isn't supported, because clustermesh-apiserver is tested against the etcd version it is - # built with. - - # -- Specifies the resources for etcd container in the apiserver - resources: {} - # requests: - # cpu: 200m - # memory: 256Mi - # limits: - # cpu: 1000m - # memory: 256Mi - - # -- Security context to be added to clustermesh-apiserver etcd containers - securityContext: {} - - # -- lifecycle setting for the etcd container - lifecycle: {} - - init: - # -- Specifies the resources for etcd init container in the apiserver - resources: {} - # requests: - # cpu: 100m - # memory: 100Mi - # limits: - # cpu: 100m - # memory: 100Mi - - # -- Additional arguments to `clustermesh-apiserver etcdinit`. - extraArgs: [] - - # -- Additional environment variables to `clustermesh-apiserver etcdinit`. - extraEnv: [] - - kvstoremesh: - # -- Enable KVStoreMesh. KVStoreMesh caches the information retrieved - # from the remote clusters in the local etcd instance. - enabled: false - - # -- Additional KVStoreMesh arguments. - extraArgs: [] - - # -- Additional KVStoreMesh environment variables. 
- extraEnv: [] - - # -- Resource requests and limits for the KVStoreMesh container - resources: {} - # requests: - # cpu: 100m - # memory: 64Mi - # limits: - # cpu: 1000m - # memory: 1024M - - # -- Additional KVStoreMesh volumeMounts. - extraVolumeMounts: [] - - # -- KVStoreMesh Security context - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - - # -- lifecycle setting for the KVStoreMesh container - lifecycle: {} - - service: - # -- The type of service used for apiserver access. - type: NodePort - # -- Optional port to use as the node port for apiserver access. - # - # WARNING: make sure to configure a different NodePort in each cluster if - # kube-proxy replacement is enabled, as Cilium is currently affected by a known - # bug (#24692) when NodePorts are handled by the KPR implementation. If a service - # with the same NodePort exists both in the local and the remote cluster, all - # traffic originating from inside the cluster and targeting the corresponding - # NodePort will be redirected to a local backend, regardless of whether the - # destination node belongs to the local or the remote cluster. - nodePort: 32379 - # -- Optional loadBalancer IP address to use with type LoadBalancer. - # loadBalancerIP: - - # -- Annotations for the clustermesh-apiserver - # For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal" - # For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 - annotations: {} - - # -- The externalTrafficPolicy of service used for apiserver access. - externalTrafficPolicy: - - # -- The internalTrafficPolicy of service used for apiserver access. - internalTrafficPolicy: - - # -- Number of replicas run for the clustermesh-apiserver deployment. 
- replicas: 1 - - # -- lifecycle setting for the apiserver container - lifecycle: {} - - # -- terminationGracePeriodSeconds for the clustermesh-apiserver deployment - terminationGracePeriodSeconds: 30 - - # -- Additional clustermesh-apiserver arguments. - extraArgs: [] - - # -- Additional clustermesh-apiserver environment variables. - extraEnv: [] - - # -- Additional clustermesh-apiserver volumes. - extraVolumes: [] - - # -- Additional clustermesh-apiserver volumeMounts. - extraVolumeMounts: [] - - # -- Security context to be added to clustermesh-apiserver containers - securityContext: {} - - # -- Security context to be added to clustermesh-apiserver pods - podSecurityContext: {} - - # -- Annotations to be added to clustermesh-apiserver pods - podAnnotations: {} - - # -- Labels to be added to clustermesh-apiserver pods - podLabels: {} - - # PodDisruptionBudget settings - podDisruptionBudget: - # -- enable PodDisruptionBudget - # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ - enabled: false - # -- Minimum number/percentage of pods that should remain scheduled. 
- # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` - minAvailable: null - # -- Maximum number/percentage of pods that may be made unavailable - maxUnavailable: 1 - - # -- Resource requests and limits for the clustermesh-apiserver container of the clustermesh-apiserver deployment, such as - # resources: - # limits: - # cpu: 1000m - # memory: 1024M - # requests: - # cpu: 100m - # memory: 64Mi - # -- Resource requests and limits for the clustermesh-apiserver - resources: {} - # requests: - # cpu: 100m - # memory: 64Mi - # limits: - # cpu: 1000m - # memory: 1024M - - # -- Affinity for clustermesh.apiserver - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - k8s-app: clustermesh-apiserver - - # -- Pod topology spread constraints for clustermesh-apiserver - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - - # -- Node labels for pod assignment - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - nodeSelector: - kubernetes.io/os: linux - - # -- Node tolerations for pod assignment on nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: [] - - # -- clustermesh-apiserver update strategy - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - - # -- The priority class to use for clustermesh-apiserver - priorityClassName: "" - - tls: - # -- Configure the clustermesh authentication mode. - # Supported values: - # - legacy: All clusters access remote clustermesh instances with the same - # username (i.e., remote). The "remote" certificate must be - # generated with CN=remote if provided manually. - # - migration: Intermediate mode required to upgrade from legacy to cluster - # (and vice versa) with no disruption. 
Specifically, it enables - # the creation of the per-cluster usernames, while still using - # the common one for authentication. The "remote" certificate must - # be generated with CN=remote if provided manually (same as legacy). - # - cluster: Each cluster accesses remote etcd instances with a username - # depending on the local cluster name (i.e., remote-). - # The "remote" certificate must be generated with CN=remote- - # if provided manually. Cluster mode is meaningful only when the same - # CA is shared across all clusters part of the mesh. - authMode: legacy - - # -- Configure automatic TLS certificates generation. - # A Kubernetes CronJob is used the generate any - # certificates not provided by the user at installation - # time. - auto: - # -- When set to true, automatically generate a CA and certificates to - # enable mTLS between clustermesh-apiserver and external workload instances. - # If set to false, the certs to be provided by setting appropriate values below. - enabled: true - # Sets the method to auto-generate certificates. Supported values: - # - helm: This method uses Helm to generate all certificates. - # - cronJob: This method uses a Kubernetes CronJob the generate any - # certificates not provided by the user at installation - # time. - # - certmanager: This method use cert-manager to generate & rotate certificates. - method: helm - # -- Generated certificates validity duration in days. - certValidityDuration: 1095 - # -- Schedule for certificates regeneration (regardless of their expiration date). - # Only used if method is "cronJob". If nil, then no recurring job will be created. - # Instead, only the one-shot job is deployed to generate the certificates at - # installation time. - # - # Due to the out-of-band distribution of client certs to external workloads the - # CA is (re)regenerated only if it is not provided as a helm value and the k8s - # secret is manually deleted. - # - # Defaults to none. 
Commented syntax gives midnight of the first day of every - # fourth month. For syntax, see - # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax - # schedule: "0 0 1 */4 *" - - # [Example] - # certManagerIssuerRef: - # group: cert-manager.io - # kind: ClusterIssuer - # name: ca-issuer - # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. - certManagerIssuerRef: {} - # -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. - # Used if 'auto' is not enabled. - server: - cert: "" - key: "" - # -- Extra DNS names added to certificate when it's auto generated - extraDnsNames: [] - # -- Extra IP addresses added to certificate when it's auto generated - extraIpAddresses: [] - # -- base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key. - # Used if 'auto' is not enabled. - admin: - cert: "" - key: "" - # -- base64 encoded PEM values for the clustermesh-apiserver client certificate and private key. - # Used if 'auto' is not enabled. - client: - cert: "" - key: "" - # -- base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key. - # Used if 'auto' is not enabled. - remote: - cert: "" - key: "" - - # clustermesh-apiserver Prometheus metrics configuration - metrics: - # -- Enables exporting apiserver metrics in OpenMetrics format. - enabled: true - # -- Configure the port the apiserver metric server listens on. - port: 9962 - - kvstoremesh: - # -- Enables exporting KVStoreMesh metrics in OpenMetrics format. - enabled: true - # -- Configure the port the KVStoreMesh metric server listens on. - port: 9964 - - etcd: - # -- Enables exporting etcd metrics in OpenMetrics format. - enabled: true - # -- Set level of detail for etcd metrics; specify 'extensive' to include server side gRPC histogram metrics. - mode: basic - # -- Configure the port the etcd metric server listens on. 
- port: 9963 - - serviceMonitor: - # -- Enable service monitor. - # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) - enabled: false - # -- Labels to add to ServiceMonitor clustermesh-apiserver - labels: {} - # -- Annotations to add to ServiceMonitor clustermesh-apiserver - annotations: {} - # -- Specify the Kubernetes namespace where Prometheus expects to find - # service monitors configured. - # namespace: "" - - # -- Interval for scrape metrics (apiserver metrics) - interval: "10s" - # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics) - relabelings: ~ - # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics) - metricRelabelings: ~ - - kvstoremesh: - # -- Interval for scrape metrics (KVStoreMesh metrics) - interval: "10s" - # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics) - relabelings: ~ - # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics) - metricRelabelings: ~ - - etcd: - # -- Interval for scrape metrics (etcd metrics) - interval: "10s" - # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics) - relabelings: ~ - # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics) - metricRelabelings: ~ - - # -- Configure external workloads support - externalWorkloads: - # -- Enable support for external workloads, such as VMs (false by default). - enabled: false - - # -- Configure cgroup related configuration - cgroup: - autoMount: - # -- Enable auto mount of cgroup2 filesystem. - # When `autoMount` is enabled, cgroup2 filesystem is mounted at - # `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod. 
- # If users disable `autoMount`, it's expected that users have mounted - # cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the - # volume will be mounted inside the cilium agent pod at the same path. - enabled: true - # -- Init Container Cgroup Automount resource limits & requests - resources: {} - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`) - hostRoot: /run/cilium/cgroupv2 - - # -- Configure whether to enable auto detect of terminating state for endpoints - # in order to support graceful termination. - enableK8sTerminatingEndpoint: true - - # -- Configure whether to unload DNS policy rules on graceful shutdown - # dnsPolicyUnloadOnShutdown: false - - # -- Configure the key of the taint indicating that Cilium is not ready on the node. - # When set to a value starting with `ignore-taint.cluster-autoscaler.kubernetes.io/`, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up. - agentNotReadyTaintKey: "node.cilium.io/agent-not-ready" - - dnsProxy: - # -- DNS response code for rejecting DNS requests, available options are '[nameError refused]'. - dnsRejectResponseCode: refused - # -- Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present. - enableDnsCompression: true - # -- Maximum number of IPs to maintain per FQDN name for each endpoint. - endpointMaxIpPerHostname: 50 - # -- Time during which idle but previously active connections with expired DNS lookups are still considered alive. - idleConnectionGracePeriod: 0s - # -- Maximum number of IPs to retain for expired DNS lookups with still-active connections. - maxDeferredConnectionDeletes: 10000 - # -- The minimum time, in seconds, to use DNS data for toFQDNs policies. 
If - # the upstream DNS server returns a DNS record with a shorter TTL, Cilium - # overwrites the TTL with this value. Setting this value to zero means that - # Cilium will honor the TTLs returned by the upstream DNS server. - minTtl: 0 - # -- DNS cache data at this path is preloaded on agent startup. - preCache: "" - # -- Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. - proxyPort: 0 - # -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. - proxyResponseMaxDelay: 100ms - # -- DNS proxy operation mode (true/false, or unset to use version dependent defaults) - # enableTransparentMode: true - - # -- SCTP Configuration Values - sctp: - # -- Enable SCTP support. NOTE: Currently, SCTP support does not support rewriting ports or multihoming. - enabled: false - - # Configuration for types of authentication for Cilium (beta) - authentication: - # -- Enable authentication processing and garbage collection. - # Note that if disabled, policy enforcement will still block requests that require authentication. - # But the resulting authentication requests for these requests will not be processed, therefore the requests not be allowed. - enabled: true - # -- Buffer size of the channel Cilium uses to receive authentication events from the signal map. - queueSize: 1024 - # -- Buffer size of the channel Cilium uses to receive certificate expiration events from auth handlers. - rotatedIdentitiesQueueSize: 1024 - # -- Interval for garbage collection of auth map entries. - gcInterval: "5m0s" - # Configuration for Cilium's service-to-service mutual authentication using TLS handshakes. - # Note that this is not full mTLS support without also enabling encryption of some form. - # Current encryption options are Wireguard or IPSec, configured in encryption block above. 
- mutual: - # -- Port on the agent where mutual authentication handshakes between agents will be performed - port: 4250 - # -- Timeout for connecting to the remote node TCP socket - connectTimeout: 5s - # Settings for SPIRE - spire: - # -- Enable SPIRE integration (beta) - enabled: false - # -- Annotations to be added to all top-level spire objects (resources under templates/spire) - annotations: {} - # Settings to control the SPIRE installation and configuration - install: - # -- Enable SPIRE installation. - # This will only take effect only if authentication.mutual.spire.enabled is true - enabled: true - # -- SPIRE namespace to install into - namespace: cilium-spire - # -- SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. - existingNamespace: false - # -- init container image of SPIRE agent and server - initImage: - override: ~ - repository: "docker.io/library/busybox" - tag: "1.36.1" - digest: "sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b" - useDigest: true - pullPolicy: "IfNotPresent" - # SPIRE agent configuration - agent: - # -- SPIRE agent image - image: - override: ~ - repository: "ghcr.io/spiffe/spire-agent" - tag: "1.8.5" - digest: "sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b" - useDigest: true - pullPolicy: "IfNotPresent" - # -- SPIRE agent service account - serviceAccount: - create: true - name: spire-agent - # -- SPIRE agent annotations - annotations: {} - # -- SPIRE agent labels - labels: {} - # -- SPIRE Workload Attestor kubelet verification. - skipKubeletVerification: true - # -- SPIRE agent tolerations configuration - # By default it follows the same tolerations as the agent itself - # to allow the Cilium agent on this node to connect to SPIRE. 
- # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: - - key: node.kubernetes.io/not-ready - effect: NoSchedule - - key: node-role.kubernetes.io/master - effect: NoSchedule - - key: node-role.kubernetes.io/control-plane - effect: NoSchedule - - key: node.cloudprovider.kubernetes.io/uninitialized - effect: NoSchedule - value: "true" - - key: CriticalAddonsOnly - operator: "Exists" - # -- SPIRE agent affinity configuration - affinity: {} - # -- SPIRE agent nodeSelector configuration - # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - nodeSelector: {} - # -- Security context to be added to spire agent pods. - # SecurityContext holds pod-level security attributes and common container settings. - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - podSecurityContext: {} - # -- Security context to be added to spire agent containers. - # SecurityContext holds pod-level security attributes and common container settings. 
- # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - securityContext: {} - server: - # -- SPIRE server image - image: - override: ~ - repository: "ghcr.io/spiffe/spire-server" - tag: "1.8.5" - digest: "sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428" - useDigest: true - pullPolicy: "IfNotPresent" - # -- SPIRE server service account - serviceAccount: - create: true - name: spire-server - # -- SPIRE server init containers - initContainers: [] - # -- SPIRE server annotations - annotations: {} - # -- SPIRE server labels - labels: {} - # SPIRE server service configuration - service: - # -- Service type for the SPIRE server service - type: ClusterIP - # -- Annotations to be added to the SPIRE server service - annotations: {} - # -- Labels to be added to the SPIRE server service - labels: {} - # -- SPIRE server affinity configuration - affinity: {} - # -- SPIRE server nodeSelector configuration - # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - nodeSelector: {} - # -- SPIRE server tolerations configuration - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: [] - # SPIRE server datastorage configuration - dataStorage: - # -- Enable SPIRE server data storage - enabled: true - # -- Size of the SPIRE server data storage - size: 1Gi - # -- Access mode of the SPIRE server data storage - accessMode: ReadWriteOnce - # -- StorageClass of the SPIRE server data storage - storageClass: null - # -- Security context to be added to spire server pods. - # SecurityContext holds pod-level security attributes and common container settings. - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - podSecurityContext: {} - # -- Security context to be added to spire server containers. 
- # SecurityContext holds pod-level security attributes and common container settings. - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - securityContext: {} - # SPIRE CA configuration - ca: - # -- SPIRE CA key type - # AWS requires the use of RSA. EC cryptography is not supported - keyType: "rsa-4096" - # -- SPIRE CA Subject - subject: - country: "US" - organization: "SPIRE" - commonName: "Cilium SPIRE CA" - # -- SPIRE server address used by Cilium Operator - # - # If k8s Service DNS along with port number is used (e.g. ..svc(.*): format), - # Cilium Operator will resolve its address by looking up the clusterIP from Service resource. - # - # Example values: 10.0.0.1:8081, spire-server.cilium-spire.svc:8081 - serverAddress: ~ - # -- SPIFFE trust domain to use for fetching certificates - trustDomain: spiffe.cilium - # -- SPIRE socket path where the SPIRE delegated api agent is listening - adminSocketPath: /run/spire/sockets/admin.sock - # -- SPIRE socket path where the SPIRE workload agent is listening. - # Applies to both the Cilium Agent and Operator - agentSocketPath: /run/spire/sockets/agent/agent.sock - # -- SPIRE connection timeout - connectionTimeout: 30s \ No newline at end of file From aec3fe82ce4c8ee59ff3a23bfd3e7e377f74cb34 Mon Sep 17 00:00:00 2001 From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sun, 24 Mar 2024 20:08:32 +1100 Subject: [PATCH 18/28] temp - test 1.13.0 with no mesh on cluster 01 --- .../caaph-cni/caaph-hcp-v1.15.2.yaml | 1838 ++++------------- .../cluster-01/kustomization.yaml | 1 - .../cluster-mgmt/cluster-01/platform.yaml | 17 + .../cluster-02/kustomization.yaml | 1 - .../cluster-mgmt/cluster-02/platform.yaml | 17 + 5 files changed, 419 insertions(+), 1455 deletions(-) 
diff --git a/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml b/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml
index a14037e..62bf0da 100644
--- a/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml
+++ b/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml
@@ -1,7 +1,7 @@
apiVersion: addons.cluster.x-k8s.io/v1alpha1 kind: HelmChartProxy metadata: - name: cilium + name: cilium-no-mesh spec: clusterSelector: matchLabels:
@@ -9,17 +9,18 @@ spec:
repoURL: https://helm.cilium.io/ chartName: cilium namespace: cilium - version: "1.15.2" + version: "1.13.0" valuesTemplate: | - # https://github.com/cilium/cilium/blob/v1.15.2/install/kubernetes/cilium/values.yaml + # hostServices: - exists in 1.12 and not in 1.13 ? - # File generated by install/kubernetes/Makefile; DO NOT EDIT. - # This file is based on install/kubernetes/cilium/*values.yaml.tmpl. + # Copied and adjusted from: https://github.com/cilium/cilium/blob/v1.13.0/install/kubernetes/cilium/values.yaml + # File generated by install/kubernetes/Makefile; DO NOT EDIT. + # This file is based on install/kubernetes/cilium/values.yaml.tmpl. # upgradeCompatibility helps users upgrading to ensure that the configMap for # Cilium will not change critical values to ensure continued operation - # This flag is not required for new installations. + # This is flag is not required for new installations. # For example: 1.7, 1.8, 1.9 # upgradeCompatibility: '1.8'
@@ -30,7 +31,6 @@ spec:
# This option is used to enable debug messages for operations related to such # sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is # for enabling debug messages emitted per request, message and connection. - # Multiple values can be set via a space-separated string (e.g. "datapath envoy"). # # Applicable values: # - flow 
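Review bot: The file keeps the name caaph-hcp-v1.15.2.yaml while the hunk at `@@ -9,17 +9,18 @@` now pins `version: "1.13.0"` and the first hunk renames the HelmChartProxy to `cilium-no-mesh`, so the path no longer describes what is deployed; renaming the file, or stating the mismatch in the header comment, avoids a reader assuming 1.15.2 is still rolled out. The added `# hostServices: - exists in 1.12 and not in 1.13 ?` line ships an open question into the rendered values; answer it or move it to the commit message. Because `metadata.name` changes, the previously applied `cilium` HelmChartProxy is a separate object that stays behind unless it is removed or pruned — the kustomization.yaml change in the diffstat may cover this, worth confirming. Pinning the `.0` release of an older minor also forgoes that branch's later patch releases; if 1.13 is required for the test, the latest 1.13.x patch is the safer pin.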
@@ -44,130 +44,92 @@ spec: # -- Enable creation of Resource-Based Access Control configuration. create: true - # -- Configure image pull secrets for pulling container images +# -- Configure image pull secrets for pulling container images imagePullSecrets: - # - name: "image-pull-secret" +# - name: "image-pull-secret" - # -- (string) Kubernetes config path - # @default -- `"~/.kube/config"` +# -- (string) Kubernetes config path +# @default -- `"~/.kube/config"` kubeConfigPath: "" - # -- (string) Kubernetes service host +# -- (string) Kubernetes service host k8sServiceHost: {{ .Cluster.spec.controlPlaneEndpoint.host }} - # -- (string) Kubernetes service port - k8sServicePort: {{ .Cluster.spec.controlPlaneEndpoint.port }} - # -- Configure the client side rate limit for the agent and operator - # - # If the amount of requests to the Kubernetes API server exceeds the configured - # rate limit, the agent and operator will start to throttle requests by delaying - # them until there is budget or the request times out. - k8sClientRateLimit: - # -- (int) The sustained request rate in requests per second. - # @default -- 5 for k8s up to 1.26. 10 for k8s version 1.27+ - qps: - # -- (int) The burst request rate in requests per second. - # The rate limiter will allow short bursts with a higher rate. - # @default -- 10 for k8s up to 1.26. 20 for k8s version 1.27+ - burst: +# -- (string) Kubernetes service port + k8sServicePort: {{ .Cluster.spec.controlPlaneEndpoint.port }} cluster: - # -- Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. - name: {{ .ControlPlane.metadata.name }} + # -- Name of the cluster. Only required for Cluster Mesh. + name: default # -- (int) Unique ID of the cluster. Must be unique across all connected # clusters and in the range of 1 to 255. Only required for Cluster Mesh, # may be 0 if Cluster Mesh is not used. - id: 1 + id: 0 - # -- Define serviceAccount names for components. 
- # @default -- Component's fully qualified name. +# -- Define serviceAccount names for components. +# @default -- Component's fully qualified name. serviceAccounts: cilium: create: true name: cilium - automount: true - annotations: {} - nodeinit: - create: true - # -- Enabled is temporary until https://github.com/cilium/cilium-cli/issues/1396 is implemented. - # Cilium CLI doesn't create the SAs for node-init, thus the workaround. Helm is not affected by - # this issue. Name and automount can be configured, if enabled is set to true. - # Otherwise, they are ignored. Enabled can be removed once the issue is fixed. - # Cilium-nodeinit DS must also be fixed. - enabled: false - name: cilium-nodeinit - automount: true - annotations: {} - envoy: - create: true - name: cilium-envoy - automount: true annotations: {} etcd: create: true name: cilium-etcd-operator - automount: true annotations: {} operator: create: true name: cilium-operator - automount: true annotations: {} preflight: create: true name: cilium-pre-flight - automount: true annotations: {} relay: create: true name: hubble-relay - automount: false annotations: {} ui: create: true name: hubble-ui - automount: true annotations: {} clustermeshApiserver: create: true name: clustermesh-apiserver - automount: true annotations: {} # -- Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob clustermeshcertgen: create: true name: clustermesh-apiserver-generate-certs - automount: true annotations: {} # -- Hubblecertgen is used if hubble.tls.auto.method=cronJob hubblecertgen: create: true name: hubble-generate-certs - automount: true annotations: {} - # -- Configure termination grace period for cilium-agent DaemonSet. +# -- Configure termination grace period for cilium-agent DaemonSet. terminationGracePeriodSeconds: 1 - # -- Install the cilium agent resources. +# -- Install the cilium agent resources. agent: true - # -- Agent container name. +# -- Agent container name. 
name: cilium - # -- Roll out cilium agent pods automatically when configmap is updated. +# -- Roll out cilium agent pods automatically when configmap is updated. rollOutCiliumPods: false - # -- Agent container image. +# -- Agent container image. image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.15.2" + tag: "v1.13.0" pullPolicy: "IfNotPresent" # cilium-digest digest: "" useDigest: false - # -- Affinity for cilium-agent. +# -- Affinity for cilium-agent. affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution:
@@ -176,12 +138,12 @@ spec:
matchLabels: k8s-app: cilium - # -- Node selector for cilium-agent. +# -- Node selector for cilium-agent. nodeSelector: kubernetes.io/os: linux - # -- Node tolerations for agent scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ +# -- Node tolerations for agent scheduling to nodes with taints +# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ tolerations: - operator: Exists # - key: "key" 
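Review bot: The top-level comment lines added in this hunk (`+# -- Configure image pull secrets for pulling container images`, `+# -- (string) Kubernetes config path`, `+# -- Define serviceAccount names for components.` and the rest) appear to start at column 0 while the removed originals and the surrounding keys keep the indentation of the `valuesTemplate: |` block that opens in an earlier hunk; if the whitespace in this rendering is faithful, the first such line terminates the literal block scalar and the indented `imagePullSecrets:` that follows it will not parse, so the HelmChartProxy is rejected before any values reach the chart. Re-indent every added `#` line to the same column as the removed line it replaces; the same pattern recurs in the hunks at `@@ -176,12 +138,12 @@`, `@@ -189,23 +151,23 @@`, `@@ -214,35 +176,29 @@`, `@@ -251,9 +207,6 @@`, `@@ -336,13 +289,13 @@`, `@@ -350,11 +303,11 @@` and `@@ -374,46 +327,21 @@`. Separately, `name: {{ .ControlPlane.metadata.name }}` becomes the literal `name: default` and `id: 1` becomes `id: 0`, which is consistent with Cluster Mesh being off but drops the per-cluster templating that a later re-enable will need; a comment such as `# mesh disabled for this test; restore the templated name/id before enabling clustermesh` would record that. The dropped `automount:` fields and the `k8sClientRateLimit` block are presumably absent from the 1.13 chart schema; saying so in the header comment spares the next reader a diff against upstream.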
@@ -189,23 +151,23 @@ spec: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - # -- The priority class to use for cilium-agent. +# -- The priority class to use for cilium-agent. priorityClassName: "" - # -- DNS policy for Cilium agent pods. - # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +# -- DNS policy for Cilium agent pods. +# Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy dnsPolicy: "" - # -- Additional containers added to the cilium DaemonSet. +# -- Additional containers added to the cilium DaemonSet. extraContainers: [] - # -- Additional agent container arguments. +# -- Additional agent container arguments. extraArgs: [] - # -- Additional agent container environment variables. +# -- Additional agent container environment variables. extraEnv: [] - # -- Additional agent hostPath mounts. +# -- Additional agent hostPath mounts. extraHostPathMounts: [] # - name: host-mnt-data # mountPath: /host/mnt/data 
@@ -214,35 +176,29 @@ spec:
# readOnly: true # mountPropagation: HostToContainer - # -- Additional agent volumes. +# -- Additional agent volumes. extraVolumes: [] - # -- Additional agent volumeMounts. +# -- Additional agent volumeMounts. extraVolumeMounts: [] - # -- extraConfig allows you to specify additional configuration parameters to be - # included in the cilium-config configmap. +# -- extraConfig allows you to specify additional configuration parameters to be +# included in the cilium-config configmap. extraConfig: {} - # my-config-a: "1234" - # my-config-b: |- - # test 1 - # test 2 - # test 3 - - # -- Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent) - annotations: {} +# my-config-a: "1234" +# my-config-b: |- +# test 1 +# test 2 +# test 3 - # -- Security Context for cilium-agent pods. - podSecurityContext: {} - - # -- Annotations to be added to agent pods +# -- Annotations to be added to agent pods podAnnotations: {} - # -- Labels to be added to agent pods +# -- Labels to be added to agent pods podLabels: {} - # -- Agent resource limits & requests - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +# -- Agent resource limits & requests +# ref: https://kubernetes.io/docs/user-guide/compute-resources/ resources: {} # limits: # cpu: 4000m
@@ -251,9 +207,6 @@ spec:
# cpu: 100m # memory: 512Mi - # -- resources & limits for the agent init containers - initResources: {} - securityContext: # -- User to run the pod with # runAsUser: 0
@@ -336,13 +289,13 @@ spec:
#- PERFMON #- BPF - # -- Cilium agent update strategy +# -- Cilium agent update strategy updateStrategy: type: RollingUpdate rollingUpdate: maxUnavailable: 2 - # Configuration Values for cilium-agent +# Configuration Values for cilium-agent aksbyocni: # -- Enable AKS BYOCNI integration. 
@@ -350,11 +303,11 @@ spec: # use Azure integration (`azure.enabled`) instead. enabled: false - # -- Enable installation of PodCIDR routes between worker - # nodes if worker nodes share a common L2 network segment. +# -- Enable installation of PodCIDR routes between worker +# nodes if worker nodes share a common L2 network segment. autoDirectNodeRoutes: false - # -- Annotate k8s node upon initialization with Cilium's metadata. +# -- Annotate k8s node upon initialization with Cilium's metadata. annotateK8sNode: false azure: 
@@ -374,46 +327,21 @@ spec: # -- Enable AlibabaCloud ENI integration enabled: false - # -- Enable bandwidth manager to optimize TCP and UDP workloads and allow - # for rate-limiting traffic from individual Pods with EDT (Earliest Departure - # Time) through the "kubernetes.io/egress-bandwidth" Pod annotation. +# -- Enable bandwidth manager to optimize TCP and UDP workloads and allow +# for rate-limiting traffic from individual Pods with EDT (Earliest Departure +# Time) through the "kubernetes.io/egress-bandwidth" Pod annotation. bandwidthManager: # -- Enable bandwidth manager infrastructure (also prerequirement for BBR) enabled: false # -- Activate BBR TCP congestion control for Pods bbr: false - # -- Configure standalone NAT46/NAT64 gateway +# -- Configure standalone NAT46/NAT64 gateway nat46x64Gateway: # -- Enable RFC8215-prefixed translation enabled: false - # -- EnableHighScaleIPcache enables the special ipcache mode for high scale - # clusters. The ipcache content will be reduced to the strict minimum and - # traffic will be encapsulated to carry security identities. - highScaleIPcache: - # -- Enable the high scale mode for the ipcache. - enabled: false - - # -- Configure L2 announcements - l2announcements: - # -- Enable L2 announcements - enabled: false - # -- If a lease is not renewed for X duration, the current leader is considered dead, a new leader is picked - # leaseDuration: 15s - # -- The interval at which the leader will renew the lease - # leaseRenewDeadline: 5s - # -- The timeout between retries if renewal fails - # leaseRetryPeriod: 2s - - # -- Configure L2 pod announcements - l2podAnnouncements: - # -- Enable L2 pod announcements - enabled: false - # -- Interface used for sending Gratuitous ARP pod announcements - interface: "eth0" - - # -- Configure BGP +# -- Configure BGP bgp: # -- Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside # cilium-agent and cilium-operator 
@@ -424,17 +352,11 @@ spec: # -- Enable announcement of node pod CIDR podCIDR: false - # -- This feature set enables virtual BGP routers to be created via - # CiliumBGPPeeringPolicy CRDs. +# -- This feature set enables virtual BGP routers to be created via +# CiliumBGPPeeringPolicy CRDs. bgpControlPlane: # -- Enables the BGP control plane. enabled: false - # -- SecretsNamespace is the namespace which BGP support will retrieve secrets from. - secretsNamespace: - # -- Create secrets namespace for BGP secrets. - create: false - # -- The name of the secret namespace to which Cilium agents are given read access - name: kube-system pmtuDiscovery: # -- Enable path MTU discovery to send ICMP fragmentation-needed replies to @@ -442,25 +364,16 @@ spec: enabled: false bpf: - autoMount: - # -- Enable automatic mount of BPF filesystem - # When `autoMount` is enabled, the BPF filesystem is mounted at - # `bpf.root` path on the underlying host and inside the cilium agent pod. - # If users disable `autoMount`, it's expected that users have mounted - # bpffs filesystem at the specified `bpf.root` volume, and then the - # volume will be mounted inside the cilium agent pod at the same path. - enabled: true # -- Configure the mount point for the BPF filesystem root: /sys/fs/bpf + # -- Enable BPF clock source probing for more efficient tick retrieval. + clockProbe: false + # -- Enables pre-allocation of eBPF map values. This increases # memory usage but can reduce latency. preallocateMaps: false - # -- (int) Configure the maximum number of entries in auth map. - # @default -- `524288` - authMapMax: ~ - # -- (int) Configure the maximum number of entries in the TCP connection tracking # table. # @default -- `524288` 
@@ -487,7 +400,7 @@ spec: policyMapMax: 16384 # -- (float64) Configure auto-sizing for all BPF maps based on available memory. - # ref: https://docs.cilium.io/en/stable/network/ebpf/maps/ + # ref: https://docs.cilium.io/en/stable/concepts/ebpf/maps/#ebpf-maps # @default -- `0.0025` mapDynamicSizeRatio: ~ 
@@ -527,51 +440,35 @@ spec: # @default -- `[]` vlanBypass: ~ - # -- Enable BPF clock source probing for more efficient tick retrieval. - bpfClockProbe: false - - # -- Clean all eBPF datapath state from the initContainer of the cilium-agent - # DaemonSet. - # - # WARNING: Use with care! +# -- Clean all eBPF datapath state from the initContainer of the cilium-agent +# DaemonSet. +# +# WARNING: Use with care! cleanBpfState: false - # -- Clean all local Cilium state from the initContainer of the cilium-agent - # DaemonSet. Implies cleanBpfState: true. - # - # WARNING: Use with care! +# -- Clean all local Cilium state from the initContainer of the cilium-agent +# DaemonSet. Implies cleanBpfState: true. +# +# WARNING: Use with care! cleanState: false - # -- Wait for KUBE-PROXY-CANARY iptables rule to appear in "wait-for-kube-proxy" - # init container before launching cilium-agent. - # More context can be found in the commit message of below PR - # https://github.com/cilium/cilium/pull/20123 +# -- Wait for KUBE-PROXY-CANARY iptables rule to appear in "wait-for-kube-proxy" +# init container before launching cilium-agent. +# More context can be found in the commit message of below PR +# https://github.com/cilium/cilium/pull/20123 waitForKubeProxy: false cni: # -- Install the CNI configuration and binary files into the filesystem. install: true - # -- Remove the CNI configuration and binary files on agent shutdown. Enable this - # if you're removing Cilium from the cluster. Disable this to prevent the CNI - # configuration file from being removed during agent upgrade, which can cause - # nodes to go unmanageable. - uninstall: false - # -- Configure chaining on top of other CNI plugins. Possible values: # - none # - aws-cni # - flannel # - generic-veth # - portmap - chainingMode: ~ - - # -- A CNI network name in to which the Cilium plugin should be added as a chained plugin. - # This will cause the agent to watch for a CNI network with this network name. 
When it is - # found, this will be used as the basis for Cilium's CNI configuration file. If this is - # set, it assumes a chaining mode of generic-veth. As a special case, a chaining mode - # of aws-cni implies a chainingTarget of aws-cni. - chainingTarget: ~ + chainingMode: none # -- Make Cilium take ownership over the `/etc/cni/net.d` directory on the # node, renaming all non-Cilium CNI configurations to `*.cilium_bak`. @@ -596,9 +493,8 @@ spec: # -- Specify the path to a CNI config to read from on agent start. # This can be useful if you want to manage your CNI # configuration outside of a Kubernetes environment. This parameter is - # mutually exclusive with the 'cni.configMap' parameter. The agent will - # write this to 05-cilium.conflist on startup. - # readCniConf: /host/etc/cni/net.d/05-sample.conflist.input + # mutually exclusive with the 'cni.configMap' parameter. + # readCniConf: /host/etc/cni/net.d/05-cilium.conf # -- When defined, configMap will mount the provided value as ConfigMap and # interpret the cniConf variable as CNI configuration file and write it 
@@ -616,37 +512,29 @@ spec: # inside the agent pod. hostConfDirMountPath: /host/etc/cni/net.d - # -- Specifies the resources for the cni initContainer - resources: - requests: - cpu: 100m - memory: 10Mi - - # -- (string) Configure how frequently garbage collection should occur for the datapath - # connection tracking table. - # @default -- `"0s"` +# -- (string) Configure how frequently garbage collection should occur for the datapath +# connection tracking table. +# @default -- `"0s"` conntrackGCInterval: "" - # -- (string) Configure the maximum frequency for the garbage collection of the - # connection tracking table. Only affects the automatic computation for the frequency - # and has no effect when 'conntrackGCInterval' is set. This can be set to more frequently - # clean up unused identities created from ToFQDN policies. - conntrackGCMaxInterval: "" - - # -- Configure container runtime specific integration. - # Deprecated in favor of bpf.autoMount.enabled. To be removed in 1.15. +# -- Configure container runtime specific integration. containerRuntime: # -- Enables specific integrations for container runtimes. # Supported values: + # - containerd # - crio + # - docker # - none + # - auto (automatically detect the container runtime) integration: none + # -- Configure the path to the container runtime control socket. + # socketPath: /path/to/runtime.sock - # -- (string) Configure timeout in which Cilium will exit if CRDs are not available - # @default -- `"5m"` +# -- (string) Configure timeout in which Cilium will exit if CRDs are not available +# @default -- `"5m"` crdWaitTimeout: "" - # -- Tail call hooks for custom eBPF programs. +# -- Tail call hooks for custom eBPF programs. customCalls: # -- Enable tail call hooks for custom eBPF programs. enabled: false 
@@ -680,56 +568,45 @@ spec: # By default, all keys may be overridden. blockedConfigOverrides: ~ - # -- Specify which network interfaces can run the eBPF datapath. This means - # that a packet sent from a pod to a destination outside the cluster will be - # masqueraded (to an output device IPv4 address), if the output device runs the - # program. When not specified, probing will automatically detect devices that have - # a non-local route. This should be used only when autodetection is not suitable. - # devices: "" - - # -- Enables experimental support for the detection of new and removed datapath - # devices. When devices change the eBPF datapath is reloaded and services updated. - # If "devices" is set then only those devices, or devices matching a wildcard will - # be considered. - enableRuntimeDeviceDetection: false +# -- Specify which network interfaces can run the eBPF datapath. This means +# that a packet sent from a pod to a destination outside the cluster will be +# masqueraded (to an output device IPv4 address), if the output device runs the +# program. When not specified, probing will automatically detect devices. +# devices: "" - # -- Chains to ignore when installing feeder rules. - # disableIptablesFeederRules: "" +# -- Enables experimental support for the detection of new and removed datapath +# devices. When devices change the eBPF datapath is reloaded and services updated. +# If "devices" is set then only those devices, or devices matching a wildcard will +# be considered. + enableRuntimeDeviceDetection: false - # -- Limit iptables-based egress masquerading to interface selector. - # egressMasqueradeInterfaces: "" +# -- Chains to ignore when installing feeder rules. +# disableIptablesFeederRules: "" - # -- Enable setting identity mark for local traffic. - # enableIdentityMark: true +# -- Limit egress masquerading to interface selector. 
+# egressMasqueradeInterfaces: "" - # -- Enable Kubernetes EndpointSlice feature in Cilium if the cluster supports it. - # enableK8sEndpointSlice: true +# -- Whether to enable CNP status updates. + enableCnpStatusUpdates: false - # -- Enable CiliumEndpointSlice feature. - enableCiliumEndpointSlice: false +# -- Configures the use of the KVStore to optimize Kubernetes event handling by +# mirroring it into the KVstore for reduced overhead in large clusters. + enableK8sEventHandover: false - envoyConfig: - # -- Enable CiliumEnvoyConfig CRD - # CiliumEnvoyConfig CRD can also be implicitly enabled by other options. - enabled: false +# -- Enable setting identity mark for local traffic. +# enableIdentityMark: true - # -- SecretsNamespace is the namespace in which envoy SDS will retrieve secrets from. - secretsNamespace: - # -- Create secrets namespace for CiliumEnvoyConfig CRDs. - create: true +# -- Enable Kubernetes EndpointSlice feature in Cilium if the cluster supports it. +# enableK8sEndpointSlice: true - # -- The name of the secret namespace to which Cilium agents are given read access. - name: cilium-secrets +# -- Enable CiliumEndpointSlice feature. + enableCiliumEndpointSlice: false ingressController: # -- Enable cilium ingress controller # This will automatically set enable-envoy-config as well. enabled: false - # -- Set cilium ingress controller to be the default ingress controller - # This will let cilium ingress controller route entries without ingress class set - default: false - # -- Default ingress load balancer mode # Supported values: shared, dedicated # For granular control, use the following annotations on the ingress resource 
@@ -740,18 +617,10 @@ spec: # Incoming traffic to http listener will return 308 http error code with respective location in header. enforceHttps: true - # -- Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled. - enableProxyProtocol: false - - # -- IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service + # -- IngressLBAnnotations are the annotation prefixes, which are used to filter annotations to propagate + # from Ingress to the Load Balancer service ingressLBAnnotationPrefixes: ['service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com'] - # -- Default secret namespace for ingresses without .spec.tls[].secretName set. - defaultSecretNamespace: - - # -- Default secret name for ingresses without .spec.tls[].secretName set. - defaultSecretName: - # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. secretsNamespace: # -- Create secrets namespace for Ingress. @@ -779,13 +648,6 @@ spec: insecureNodePort: ~ # -- Configure a specific nodePort for secure HTTPS traffic on the shared LB service secureNodePort : ~ - # -- Configure a specific loadBalancerClass on the shared LB service (requires Kubernetes 1.24+) - loadBalancerClass: ~ - # -- Configure a specific loadBalancerIP on the shared LB service - loadBalancerIP : ~ - # -- Configure if node port allocation is required for LB service - # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation - allocateLoadBalancerNodePorts: ~ gatewayAPI: # -- Enable support for Gateway API in cilium 
@@ -804,10 +666,10 @@ spec: # If disabled, TLS secrets must be maintained externally. sync: true - # -- Enables the fallback compatibility solution for when the xt_socket kernel - # module is missing and it is needed for the datapath L7 redirection to work - # properly. See documentation for details on when this can be disabled: - # https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. +# -- Enables the fallback compatibility solution for when the xt_socket kernel +# module is missing and it is needed for the datapath L7 redirection to work +# properly. See documentation for details on when this can be disabled: +# https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. enableXTSocketFallback: true encryption: @@ -818,21 +680,9 @@ spec: type: ipsec # -- Enable encryption for pure node to node traffic. - # This option is only effective when encryption.type is set to "wireguard". + # This option is only effective when encryption.type is set to ipsec. nodeEncryption: false - # -- Configure the WireGuard Pod2Pod strict mode. - strictMode: - # -- Enable WireGuard Pod2Pod strict mode. - enabled: false - - # -- CIDR for the WireGuard Pod2Pod strict mode. - cidr: "" - - # -- Allow dynamic lookup of remote node identities. - # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. - allowRemoteNodeIdentities: false - ipsec: # -- Name of the key file inside the Kubernetes secret configured via secretName. keyFile: "" 
@@ -846,36 +696,26 @@ spec: # -- The interface to use for encrypted traffic. interface: "" - # -- Enable the key watcher. If disabled, a restart of the agent will be - # necessary on key rotations. - keyWatcher: true - - # -- Maximum duration of the IPsec key rotation. The previous key will be - # removed after that delay. - keyRotationDuration: "5m" - wireguard: # -- Enables the fallback to the user-space implementation. userspaceFallback: false - # -- Controls Wireguard PersistentKeepalive option. Set 0s to disable. - persistentKeepalive: 0s - # -- Deprecated in favor of encryption.ipsec.keyFile. To be removed in 1.15. + # -- Deprecated in favor of encryption.ipsec.keyFile. # Name of the key file inside the Kubernetes secret configured via secretName. # This option is only effective when encryption.type is set to ipsec. keyFile: keys - # -- Deprecated in favor of encryption.ipsec.mountPath. To be removed in 1.15. + # -- Deprecated in favor of encryption.ipsec.mountPath. # Path to mount the secret inside the Cilium pod. # This option is only effective when encryption.type is set to ipsec. mountPath: /etc/ipsec - # -- Deprecated in favor of encryption.ipsec.secretName. To be removed in 1.15. + # -- Deprecated in favor of encryption.ipsec.secretName. # Name of the Kubernetes secret containing the encryption keys. # This option is only effective when encryption.type is set to ipsec. secretName: cilium-ipsec-keys - # -- Deprecated in favor of encryption.ipsec.interface. To be removed in 1.15. + # -- Deprecated in favor of encryption.ipsec.interface. # The interface to use for encrypted traffic. # This option is only effective when encryption.type is set to ipsec. interface: "" 
@@ -884,8 +724,8 @@ spec: # -- Enable connectivity health checking between virtual endpoints. enabled: true - # -- Enable endpoint status. - # Status can be: policy, health, controllers, log and / or state. For 2 or more options use a space. +# -- Enable endpoint status. +# Status can be: policy, health, controllers, log and / or state. For 2 or more options use a space. endpointStatus: enabled: false status: "" @@ -895,15 +735,11 @@ spec: # the cilium_host interface. enabled: false - k8sNetworkPolicy: - # -- Enable support for K8s NetworkPolicy - enabled: true - eni: # -- Enable Elastic Network Interface (ENI) integration. enabled: false # -- Update ENI Adapter limits from the EC2 API - updateEC2AdapterLimitViaAPI: true + updateEC2AdapterLimitViaAPI: false # -- Release IPs not used from the ENI awsReleaseExcessIPs: false # -- Enable ENI prefix delegation @@ -942,20 +778,20 @@ spec: # -- Enable ExternalIPs service support. enabled: false - # fragmentTracking enables IPv4 fragment tracking support in the datapath. - # fragmentTracking: true +# fragmentTracking enables IPv4 fragment tracking support in the datapath. +# fragmentTracking: true gke: # -- Enable Google Kubernetes Engine integration enabled: false - # -- Enable connectivity health checking. +# -- Enable connectivity health checking. healthChecking: true - # -- TCP port for the agent health API. This is not the port for cilium-health. +# -- TCP port for the agent health API. This is not the port for cilium-health. healthPort: 9879 - # -- Configure the host firewall. +# -- Configure the host firewall. hostFirewall: # -- Enables the enforcement of host policies in the eBPF datapath. enabled: false @@ -964,7 +800,7 @@ spec: # -- Enable hostPort service support. enabled: false - # -- Configure socket LB +# -- Configure socket LB socketLB: # -- Enable socket LB enabled: false 
@@ -972,46 +808,28 @@ spec: # -- Disable socket lb for non-root ns. This is used to enable Istio routing rules. # hostNamespaceOnly: false - # -- Configure certificate generation for Hubble integration. - # If hubble.tls.auto.method=cronJob, these values are used - # for the Kubernetes CronJob which will be scheduled regularly to - # (re)generate any certificates not provided manually. +# -- Configure certificate generation for Hubble integration. +# If hubble.tls.auto.method=cronJob, these values are used +# for the Kubernetes CronJob which will be scheduled regularly to +# (re)generate any certificates not provided manually. certgen: image: override: ~ repository: "quay.io/cilium/certgen" - tag: "v0.1.9" - digest: "sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f" - useDigest: true + tag: "v0.1.8@sha256:4a456552a5f192992a6edcec2febb1c54870d665173a33dc7d876129b199ddbd" pullPolicy: "IfNotPresent" # -- Seconds after which the completed job pod will be deleted ttlSecondsAfterFinished: 1800 # -- Labels to be added to hubble-certgen pods podLabels: {} - # -- Annotations to be added to the hubble-certgen initial Job and CronJob - annotations: - job: {} - cronJob: {} # -- Node tolerations for pod assignment on nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ tolerations: [] - # -- Additional certgen volumes. - extraVolumes: [] - - # -- Additional certgen volumeMounts. - extraVolumeMounts: [] - - # -- Affinity for certgen - affinity: {} - hubble: # -- Enable Hubble (true by default). enabled: true - # -- Annotations to be added to all top-level hubble objects (resources under templates/hubble) - annotations: {} - # -- Buffer size of the channel Hubble uses to receive monitor events. If this # value is not set, the queue size is set to the default monitor queue size. # eventQueueSize: "" 
@@ -1023,7 +841,7 @@ spec: # eventBufferCapacity: "4095" # -- Hubble metrics configuration. - # See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics + # See https://docs.cilium.io/en/stable/operations/metrics/#hubble-metrics # for more comprehensive documentation about Hubble metrics. metrics: # -- Configures the list of metrics to collect. If empty or null, metrics @@ -1040,7 +858,7 @@ spec: # # You can specify the list of metrics from the helm CLI: # - # --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" + # --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" # enabled: ~ # -- Enables exporting hubble metrics in OpenMetrics format. @@ -1052,14 +870,12 @@ spec: serviceMonitor: # -- Create ServiceMonitor resources for Prometheus Operator. # This requires the prometheus CRDs to be available. - # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + # ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) enabled: false # -- Labels to add to ServiceMonitor hubble labels: {} # -- Annotations to add to ServiceMonitor hubble annotations: {} - # -- jobLabel to add for ServiceMonitor hubble - jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Relabeling configs for the ServiceMonitor hubble @@ -1070,9 +886,6 @@ spec: replacement: ${1} # -- Metrics relabeling configs for the ServiceMonitor hubble metricRelabelings: ~ - # -- Grafana dashboards for hubble - # grafana can import dashboards based on the label and value - # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards dashboards: enabled: false label: grafana_dashboard 
@@ -1083,81 +896,6 @@ spec: # -- Unix domain socket path to listen to when Hubble is enabled. socketPath: /var/run/cilium/hubble.sock - # -- Enables redacting sensitive information present in Layer 7 flows. - redact: - enabled: false - http: - # -- Enables redacting URL query (GET) parameters. - # Example: - # - # redact: - # enabled: true - # http: - # urlQuery: true - # - # You can specify the options from the helm CLI: - # - # --set hubble.redact.enabled="true" - # --set hubble.redact.http.urlQuery="true" - urlQuery: false - # -- Enables redacting user info, e.g., password when basic auth is used. - # Example: - # - # redact: - # enabled: true - # http: - # userInfo: true - # - # You can specify the options from the helm CLI: - # - # --set hubble.redact.enabled="true" - # --set hubble.redact.http.userInfo="true" - userInfo: true - headers: - # -- List of HTTP headers to allow: headers not matching will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. - # Example: - # redact: - # enabled: true - # http: - # headers: - # allow: - # - traceparent - # - tracestate - # - Cache-Control - # - # You can specify the options from the helm CLI: - # --set hubble.redact.enabled="true" - # --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control" - allow: [] - # -- List of HTTP headers to deny: matching headers will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. - # Example: - # redact: - # enabled: true - # http: - # headers: - # deny: - # - Authorization - # - Proxy-Authorization - # - # You can specify the options from the helm CLI: - # --set hubble.redact.enabled="true" - # --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization" - deny: [] - kafka: - # -- Enables redacting Kafka's API key. 
- # Example: - # - # redact: - # enabled: true - # kafka: - # apiKey: true - # - # You can specify the options from the helm CLI: - # - # --set hubble.redact.enabled="true" - # --set hubble.redact.kafka.apiKey="true" - apiKey: false - # -- An additional address for Hubble to listen to. # Set this field ":4244" if you are enabling Hubble Relay, as it assumes that # Hubble is listening on port 4244. @@ -1169,6 +907,10 @@ spec: skipUnknownCGroupIDs: ~ peerService: + # -- Enable a K8s Service for the Peer service, so that it can be accessed + # by a non-local client. This configuration option is deprecated, the peer + # service will be non-optional starting Cilium v1.14. + enabled: true # -- Service Port for the Peer service. # If not set, it is dynamically assigned to port 443 if TLS is enabled and to # port 80 if not. @@ -1208,7 +950,7 @@ spec: # installation time. # # Defaults to midnight of the first day of every fourth month. For syntax, see - # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax + # https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule schedule: "0 0 1 */4 *" # [Example] @@ -1217,8 +959,19 @@ spec: # kind: ClusterIssuer # name: ca-issuer # -- certmanager issuer used when hubble.tls.auto.method=certmanager. + # If not specified, a CA issuer will be created. certManagerIssuerRef: {} + # -- Deprecated in favor of tls.ca. To be removed in 1.13. + # base64 encoded PEM values for the Hubble CA certificate and private key. + ca: + # -- Deprecated in favor of tls.ca.cert. To be removed in 1.13. + cert: "" + # -- Deprecated in favor of tls.ca.key. To be removed in 1.13. + # The CA private key (optional). If it is provided, then it will be + # used by hubble.tls.auto.method=cronJob to generate all other certificates. + # Otherwise, a ephemeral CA is generated if hubble.tls.auto.enabled=true. + key: "" # -- base64 encoded PEM values for the Hubble server certificate and private key server: cert: "" 
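Review bot: Dropping the whole `hubble.redact` block (hunk @@ -1083) removes the L7 redaction settings, including `http.userInfo: true`, which on the old side kept basic-auth credentials out of Hubble flow output; the new side leaves no replacement knob. If the target chart version simply has no `hubble.redact`, that is expected, but it means L7-visible HTTP flows may carry credentials and URL query parameters into Hubble exports, the relay and the UI, which is worth stating next to the `hubble:` block, e.g. `# NOTE: hubble.redact is unavailable in this chart version; avoid L7 visibility on paths that carry credentials.` The hunk at @@ -1169 also adds `peerService.enabled: true` whose own comment calls it deprecated, so a short "intentional, matches chart <VERSION>" remark would spare the next reader the same question.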
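Review bot: The added `hubble.tls.ca.key` field (hunk @@ -1217) invites a base64-encoded CA private key into this values file, and its own comment says the field is removed in 1.13 while the images on the new side are pinned to v1.13.0 (hunk @@ -1239), so it is unclear whether the chart still reads it. Since this file lives in git, the field should stay empty and key material should come from a Secret or from `hubble.tls.auto`; a comment such as `# keep empty: CA key material belongs in a Secret, not in this file` makes that expectation explicit.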
@@ -1239,8 +992,8 @@ spec: image: override: ~ repository: "quay.io/cilium/hubble-relay" - tag: "v1.15.2" - # hubble-relay-digest + tag: "v1.13.0" + # hubble-relay-digest digest: "" useDigest: false pullPolicy: "IfNotPresent" @@ -1267,20 +1020,18 @@ spec: # whenUnsatisfiable: DoNotSchedule # -- Node labels for pod assignment - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + # ref: https://kubernetes.io/docs/user-guide/node-selection/ nodeSelector: kubernetes.io/os: linux # -- Node tolerations for pod assignment on nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # tolerations: [] # -- Additional hubble-relay environment variables. extraEnv: [] - # -- Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay) - annotations: {} - # -- Annotations to be added to hubble-relay pods podAnnotations: {} @@ -1310,25 +1061,8 @@ spec: rollingUpdate: maxUnavailable: 1 - # -- Additional hubble-relay volumes. - extraVolumes: [] - - # -- Additional hubble-relay volumeMounts. - extraVolumeMounts: [] - - # -- hubble-relay pod security context - podSecurityContext: - fsGroup: 65532 - - # -- hubble-relay container security context - securityContext: - # readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - capabilities: - drop: - - ALL + # -- hubble-relay security context + securityContext: {} # -- hubble-relay service configuration. service: 
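Review bot: The hunk at @@ -1310 replaces the hardened hubble-relay `securityContext` (`runAsNonRoot: true`, non-root uid/gid 65532, `capabilities.drop: [ALL]`) and the `podSecurityContext.fsGroup` with `securityContext: {}`, which leaves the relay container at whatever the image and runtime defaults are. Those settings are independent of the image tag being moved to `v1.13.0`, so they can be carried over as long as the chart template still renders the `securityContext` key (hedged: I cannot see the template from here); `podSecurityContext` may be unused by the older chart and could be left out. Separately, the relay image keeps `digest: ""` / `useDigest: false`, so unlike the certgen and hubble-ui images on the new side it is pinned by tag only; that was already the case before this change but stands out now that the others embed `@sha256:` in their tags.
```yaml
  # -- hubble-relay container security context
  securityContext:
    runAsNonRoot: true
    runAsUser: 65532
    runAsGroup: 65532
    capabilities:
      drop:
        - ALL
  # … unchanged: service configuration …
```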
@@ -1357,10 +1091,6 @@ spec: # When set to true, enable TLS on for Hubble Relay server # (ie: for clients connecting to the Hubble Relay API). enabled: false - # When set to true enforces mutual TLS between Hubble Relay server and its clients. - # False allow non-mutual TLS connections. - # This option has no effect when TLS is disabled. - mtls: false # These values need to be set manually if hubble.tls.auto.enabled is false. cert: "" key: "" @@ -1368,12 +1098,6 @@ spec: extraDnsNames: [] # -- extra IP addresses added to certificate when its auto gen extraIpAddresses: [] - # DNS name used by the backend to connect to the relay - # This is a simple workaround as the relay certificates are currently hardcoded to - # *.hubble-relay.cilium.io - # See https://github.com/cilium/cilium/pull/28709#discussion_r1371792546 - # For GKE Dataplane V2 this should be set to relay.kube-system.svc.cluster.local - relayName: "ui.hubble-relay.cilium.io" # -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). dialTimeout: ~ @@ -1401,7 +1125,7 @@ spec: port: 9966 serviceMonitor: # -- Enable service monitors. - # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) enabled: false # -- Labels to add to ServiceMonitor hubble-relay labels: {} @@ -1417,12 +1141,6 @@ spec: # -- Metrics relabeling configs for the ServiceMonitor hubble-relay metricRelabelings: ~ - gops: - # -- Enable gops for hubble-relay - enabled: true - # -- Configure gops listen port for hubble-relay - port: 9893 - pprof: # -- Enable pprof for hubble-relay enabled: false 
@@ -1476,31 +1194,12 @@ spec: image: override: ~ repository: "quay.io/cilium/hubble-ui-backend" - tag: "v0.13.0" - digest: "sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803" - useDigest: true + tag: "v0.10.0@sha256:cc5e2730b3be6f117b22176e25875f2308834ced7c3aa34fb598aa87a2c0a6a4" pullPolicy: "IfNotPresent" - # -- Hubble-ui backend security context. - securityContext: {} - # -- Additional hubble-ui backend environment variables. extraEnv: [] - # -- Additional hubble-ui backend volumes. - extraVolumes: [] - - # -- Additional hubble-ui backend volumeMounts. - extraVolumeMounts: [] - - livenessProbe: - # -- Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) - enabled: false - - readinessProbe: - # -- Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) - enabled: false - # -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. resources: {} # limits: @@ -1515,23 +1214,12 @@ spec: image: override: ~ repository: "quay.io/cilium/hubble-ui" - tag: "v0.13.0" - digest: "sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666" - useDigest: true + tag: "v0.10.0@sha256:118ad2fcfd07fabcae4dde35ec88d33564c9ca7abe520aa45b1eb13ba36c6e0a" pullPolicy: "IfNotPresent" - # -- Hubble-ui frontend security context. - securityContext: {} - # -- Additional hubble-ui frontend environment variables. extraEnv: [] - # -- Additional hubble-ui frontend volumes. - extraVolumes: [] - - # -- Additional hubble-ui frontend volumeMounts. - extraVolumeMounts: [] - # -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. resources: {} # limits: @@ -1548,9 +1236,6 @@ spec: # -- The number of replicas of Hubble UI to deploy. replicas: 1 - # -- Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui) - annotations: {} - # -- Annotations to be added to hubble-ui pods podAnnotations: {} 
@@ -1578,12 +1263,13 @@ spec: # whenUnsatisfiable: DoNotSchedule # -- Node labels for pod assignment - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + # ref: https://kubernetes.io/docs/user-guide/node-selection/ nodeSelector: kubernetes.io/os: linux # -- Node tolerations for pod assignment on nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # tolerations: [] # -- The priority class to use for hubble-ui @@ -1597,24 +1283,20 @@ spec: # -- Security context to be added to Hubble UI pods securityContext: + # -- Deprecated in favor of hubble.ui.securityContext. + # Whether to set the security context on the Hubble UI pods. + enabled: true runAsUser: 1001 runAsGroup: 1001 fsGroup: 1001 # -- hubble-ui service configuration. service: - # -- Annotations to be added for the Hubble UI service - annotations: {} # --- The type of service used for Hubble UI access, either ClusterIP or NodePort. type: ClusterIP # --- The port to use when the service type is set to NodePort. nodePort: 31235 - # -- Defines base url prefix for all hubble-ui http requests. - # It needs to be changed in case if ingress for hubble-ui is configured under some sub-path. - # Trailing `/` is required for custom path, ex. `/service-map/` - baseUrl: "/" - # -- hubble-ui ingress configuration. ingress: enabled: false 
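Review bot: The `ref:` comments on the new side point at stale Kubernetes documentation paths (`/docs/user-guide/node-selection/` for nodeSelector and `/docs/concepts/configuration/assign-pod-node/` for tolerations), while the removed `scheduling-eviction/...` links were the current ones. The same substitution recurs in the cilium-etcd-operator and cilium-operator hunks (`user-guide/node-selection/`, `user-guide/compute-resources/`, `configuration/assign-pod-node/`) and the prometheus-operator CRD link is switched from the `main` branch to `master` in the hubble-relay, cilium-agent and cilium-operator serviceMonitor hunks. If this block was copied verbatim from the upstream 1.13 chart the text is faithful to that chart, but for a maintained values file keeping the current URLs would be preferable. The bare `#` line inserted before `tolerations: []` is an empty comment that can be dropped.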
@@ -1624,101 +1306,49 @@ spec: className: "" hosts: - chart-example.local - labels: {} tls: [] # - secretName: chart-example-tls # hosts: # - chart-example.local - # -- Hubble flows export. - export: - # --- Defines max file size of output file before it gets rotated. - fileMaxSizeMb: 10 - # --- Defines max number of backup/rotated files. - fileMaxBackups: 5 - # --- Static exporter configuration. - # Static exporter is bound to agent lifecycle. - static: - enabled: false - filePath: /var/run/cilium/hubble/events.log - fieldMask: [] - # - time - # - source - # - destination - # - verdict - allowList: [] - # - '{"verdict":["DROPPED","ERROR"]}' - denyList: [] - # - '{"source_pod":["kube-system/"]}' - # - '{"destination_pod":["kube-system/"]}' - # --- Dynamic exporters configuration. - # Dynamic exporters may be reconfigured without a need of agent restarts. - dynamic: - enabled: false - config: - # ---- Name of configmap with configuration that may be altered to reconfigure exporters within a running agents. - configMapName: cilium-flowlog-config - # ---- True if helm installer should create config map. - # Switch to false if you want to self maintain the file content. - createConfigMap: true - # ---- Exporters configuration in YAML format. - content: - - name: all - fieldMask: [] - includeFilters: [] - excludeFilters: [] - filePath: "/var/run/cilium/hubble/events.log" - #- name: "test002" - # filePath: "/var/log/network/flow-log/pa/test002.log" - # fieldMask: ["source.namespace", "source.pod_name", "destination.namespace", "destination.pod_name", "verdict"] - # includeFilters: - # - source_pod: ["default/"] - # event_type: - # - type: 1 - # - destination_pod: ["frontend/nginx-975996d4c-7hhgt"] - # excludeFilters: [] - # end: "2023-10-09T23:59:59-07:00" - - # -- Method to use for identity allocation (`crd` or `kvstore`). + +# -- Method to use for identity allocation (`crd` or `kvstore`). 
identityAllocationMode: "crd" - # -- (string) Time to wait before using new identity on endpoint identity change. - # @default -- `"5s"` +# -- (string) Time to wait before using new identity on endpoint identity change. +# @default -- `"5s"` identityChangeGracePeriod: "" - # -- Install Iptables rules to skip netfilter connection tracking on all pod - # traffic. This option is only effective when Cilium is running in direct - # routing and full KPR mode. Moreover, this option cannot be enabled when Cilium - # is running in a managed Kubernetes environment or in a chained CNI setup. +# -- Configure whether to install iptables rules to allow for TPROXY +# (L7 proxy injection), iptables-based masquerading and compatibility +# with kube-proxy. + installIptablesRules: true + +# -- Install Iptables rules to skip netfilter connection tracking on all pod +# traffic. This option is only effective when Cilium is running in direct +# routing and full KPR mode. Moreover, this option cannot be enabled when Cilium +# is running in a managed Kubernetes environment or in a chained CNI setup. installNoConntrackIptablesRules: false ipam: # -- Configure IP Address Management mode. - # ref: https://docs.cilium.io/en/stable/network/concepts/ipam/ + # ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/ mode: "cluster-pool" - # -- Maximum rate at which the CiliumNode custom resource is updated. - ciliumNodeUpdateRate: "15s" operator: + # -- Deprecated in favor of ipam.operator.clusterPoolIPv4PodCIDRList. + # IPv4 CIDR range to delegate to individual nodes for IPAM. + clusterPoolIPv4PodCIDR: "10.0.0.0/8" # -- IPv4 CIDR list range to delegate to individual nodes for IPAM. clusterPoolIPv4PodCIDRList: {{ index .Cluster.spec.clusterNetwork.pods.cidrBlocks 0 }} # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM. clusterPoolIPv4MaskSize: 24 - # -- IPv6 CIDR list range to delegate to individual nodes for IPAM. 
- clusterPoolIPv6PodCIDRList: ["fd00::/104"] + # -- Deprecated in favor of ipam.operator.clusterPoolIPv6PodCIDRList. + # IPv6 CIDR range to delegate to individual nodes for IPAM. + clusterPoolIPv6PodCIDR: "fd00::/104" + # -- IPv6 CIDR list range to delegate to individual nodes for IPAM. + clusterPoolIPv6PodCIDRList: [] # -- IPv6 CIDR mask size to delegate to individual nodes for IPAM. clusterPoolIPv6MaskSize: 120 - # -- IP pools to auto-create in multi-pool IPAM mode. - autoCreateCiliumPodIPPools: {} - # default: - # ipv4: - # cidrs: - # - 10.10.0.0/8 - # maskSize: 24 - # other: - # ipv6: - # cidrs: - # - fd00:100::/80 - # maskSize: 96 # -- The maximum burst size when rate limiting access to external APIs. # Also known as the token bucket capacity. # @default -- `20` @@ -1729,20 +1359,16 @@ spec: # @default -- `4.0` externalAPILimitQPS: ~ - # -- The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API - apiRateLimit: ~ - - # -- Configure the eBPF-based ip-masq-agent +# -- Configure the eBPF-based ip-masq-agent ipMasqAgent: enabled: false - # the config of nonMasqueradeCIDRs - # config: +# the config of nonMasqueradeCIDRs +# config: # nonMasqueradeCIDRs: [] # masqLinkLocal: false - # masqLinkLocalIPv6: false - # iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium. - # iptablesLockTimeout: "5s" +# iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium. +# iptablesLockTimeout: "5s" ipv4: # -- Enable IPv4 support. @@ -1752,7 +1378,7 @@ spec: # -- Enable IPv6 support. enabled: false - # -- Configure Kubernetes specific configuration +# -- Configure Kubernetes specific configuration k8s: {} # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR # range via the Kubernetes node resource 
@@ -1762,10 +1388,10 @@ spec: # range via the Kubernetes node resource # requireIPv6PodCIDR: false - # -- Keep the deprecated selector labels when deploying Cilium DaemonSet. +# -- Keep the deprecated selector labels when deploying Cilium DaemonSet. keepDeprecatedLabels: false - # -- Keep the deprecated probes when deploying Cilium DaemonSet +# -- Keep the deprecated probes when deploying Cilium DaemonSet keepDeprecatedProbes: false startupProbe: @@ -1785,15 +1411,15 @@ spec: # -- interval between checks of the readiness probe periodSeconds: 30 - # -- Configure the kube-proxy replacement in Cilium BPF datapath - # Valid options are "true", "false", "disabled" (deprecated), "partial" (deprecated), "strict" (deprecated). - # ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/ - #kubeProxyReplacement: "false" +# -- Configure the kube-proxy replacement in Cilium BPF datapath +# Valid options are "disabled", "partial", "strict". +# ref: https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free/ + kubeProxyReplacement: "strict" - # -- healthz server bind address for the kube-proxy replacement. - # To enable set the value to '0.0.0.0:10256' for all ipv4 - # addresses and this '[::]:10256' for all ipv6 addresses. - # By default it is disabled. +# -- healthz server bind address for the kube-proxy replacement. +# To enable set the value to '0.0.0.0:10256' for all ipv4 +# addresses and this '[::]:10256' for all ipv6 addresses. +# By default it is disabled. kubeProxyReplacementHealthzBindAddr: "" l2NeighDiscovery: 
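Review bot: `kubeProxyReplacement: "strict"` is now set unconditionally, but strict mode assumes kube-proxy is not running in the cluster and that the agent can reach the API server without the kube-proxy-programmed `kubernetes` ClusterIP, which in the Cilium chart means setting `k8sServiceHost` and `k8sServicePort`; neither appears in this hunk, so they may be set elsewhere in the file or missing. If the CAPI kubeadm configuration still installs kube-proxy, both datapaths will handle NodePort/ClusterIP traffic and the agent may refuse to start in strict mode. Consider a comment next to the key recording the prerequisites, e.g. `# strict KPR: kube-proxy must be skipped (kubeadm skipPhases addon/kube-proxy) and k8sServiceHost/k8sServicePort set`. The updated `ref:` also points at the older `gettingstarted/kubeproxy-free/` path instead of the removed `network/kubernetes/kubeproxy-free/`.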
@@ -1802,23 +1428,24 @@ spec: # -- Override the agent's default neighbor resolution refresh period. refreshPeriod: "30s" - # -- Enable Layer 7 network policy. +# -- Enable Layer 7 network policy. l7Proxy: true - # -- Enable Local Redirect Policy. +# -- Enable Local Redirect Policy. localRedirectPolicy: false - # To include or exclude matched resources from cilium identity evaluation - # labels: "" +# To include or exclude matched resources from cilium identity evaluation +# labels: "" - # logOptions allows you to define logging options. eg: - # logOptions: - # format: json +# logOptions allows you to define logging options. eg: +# logOptions: +# format: json - # -- Enables periodic logging of system load +# -- Enables periodic logging of system load logSystemLoad: false - # -- Configure maglev consistent hashing + +# -- Configure maglev consistent hashing maglev: {} # -- tableSize is the size (parameter M) for the backend table of one # service entry 
@@ -1827,76 +1454,67 @@ spec: # -- hashSeed is the cluster-wide base64 encoded seed for the hashing # hashSeed: - # -- Enables masquerading of IPv4 traffic leaving the node from endpoints. +# -- Enables masquerading of IPv4 traffic leaving the node from endpoints. enableIPv4Masquerade: true - # -- Enables masquerading of IPv6 traffic leaving the node from endpoints. - enableIPv6Masquerade: true - - # -- Enables masquerading to the source of the route for traffic leaving the node from endpoints. - enableMasqueradeRouteSource: false - - # -- Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods - enableIPv4BIGTCP: false - - # -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods +# -- Enables IPv6 BIG TCP support which increases maximum GSO/GRO limits for nodes and pods enableIPv6BIGTCP: false +# -- Enables masquerading of IPv6 traffic leaving the node from endpoints. + enableIPv6Masquerade: true + +# -- Enables egress gateway to redirect and SNAT the traffic that leaves the +# cluster. egressGateway: - # -- Enables egress gateway to redirect and SNAT the traffic that leaves the - # cluster. enabled: false - # -- Deprecated without a replacement necessary. + # -- Install egress gateway IP rules and routes in order to properly steer + # egress gateway traffic to the correct ENI interface installRoutes: false - # -- Time between triggers of egress gateway state reconciliations - reconciliationTriggerInterval: 1s - # -- Maximum number of entries in egress gateway policy map - # maxPolicyEntries: 16384 vtep: - # -- Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow - # Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel. +# -- Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow +# Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel. 
enabled: false - # -- A space separated list of VTEP device endpoint IPs, for example "1.1.1.1 1.1.2.1" +# -- A space separated list of VTEP device endpoint IPs, for example "1.1.1.1 1.1.2.1" endpoint: "" - # -- A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24" +# -- A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24" cidr: "" - # -- VTEP CIDRs Mask that applies to all VTEP CIDRs, for example "255.255.255.0" +# -- VTEP CIDRs Mask that applies to all VTEP CIDRs, for example "255.255.255.0" mask: "" - # -- A space separated list of VTEP device MAC addresses (VTEP MAC), for example "x:x:x:x:x:x y:y:y:y:y:y:y" +# -- A space separated list of VTEP device MAC addresses (VTEP MAC), for example "x:x:x:x:x:x y:y:y:y:y:y:y" mac: "" - # -- (string) Allows to explicitly specify the IPv4 CIDR for native routing. - # When specified, Cilium assumes networking for this CIDR is preconfigured and - # hands traffic destined for that range to the Linux network stack without - # applying any SNAT. - # Generally speaking, specifying a native routing CIDR implies that Cilium can - # depend on the underlying networking stack to route packets to their - # destination. To offer a concrete example, if Cilium is configured to use - # direct routing and the Kubernetes CIDR is included in the native routing CIDR, - # the user must configure the routes to reach pods, either manually or by - # setting the auto-direct-node-routes flag. +# -- (string) Allows to explicitly specify the IPv4 CIDR for native routing. +# When specified, Cilium assumes networking for this CIDR is preconfigured and +# hands traffic destined for that range to the Linux network stack without +# applying any SNAT. +# Generally speaking, specifying a native routing CIDR implies that Cilium can +# depend on the underlying networking stack to route packets to their +# destination. 
To offer a concrete example, if Cilium is configured to use +# direct routing and the Kubernetes CIDR is included in the native routing CIDR, +# the user must configure the routes to reach pods, either manually or by +# setting the auto-direct-node-routes flag. ipv4NativeRoutingCIDR: "" - # -- (string) Allows to explicitly specify the IPv6 CIDR for native routing. - # When specified, Cilium assumes networking for this CIDR is preconfigured and - # hands traffic destined for that range to the Linux network stack without - # applying any SNAT. - # Generally speaking, specifying a native routing CIDR implies that Cilium can - # depend on the underlying networking stack to route packets to their - # destination. To offer a concrete example, if Cilium is configured to use - # direct routing and the Kubernetes CIDR is included in the native routing CIDR, - # the user must configure the routes to reach pods, either manually or by - # setting the auto-direct-node-routes flag. +# -- (string) Allows to explicitly specify the IPv6 CIDR for native routing. +# When specified, Cilium assumes networking for this CIDR is preconfigured and +# hands traffic destined for that range to the Linux network stack without +# applying any SNAT. +# Generally speaking, specifying a native routing CIDR implies that Cilium can +# depend on the underlying networking stack to route packets to their +# destination. To offer a concrete example, if Cilium is configured to use +# direct routing and the Kubernetes CIDR is included in the native routing CIDR, +# the user must configure the routes to reach pods, either manually or by +# setting the auto-direct-node-routes flag. ipv6NativeRoutingCIDR: "" - # -- cilium-monitor sidecar. +# -- cilium-monitor sidecar. monitor: # -- Enable the cilium-monitor sidecar. enabled: false - # -- Configure service load balancing +# -- Configure service load balancing loadBalancer: # -- standalone enables the standalone L4LB which does not connect to # kube-apiserver. 
@@ -1911,11 +1529,8 @@ spec: # mode: snat # -- acceleration is the option to accelerate service handling via XDP - # Applicable values can be: disabled (do not use XDP), native (XDP BPF - # program is run directly out of the networking driver's early receive - # path), or best-effort (use native mode XDP acceleration on devices - # that support it). - acceleration: disabled + # e.g. native, disabled + # acceleration: disabled # -- dsrDispatch configures whether IP option or IPIP encapsulation is # used to pass a service IP and port to remote backend @@ -1934,7 +1549,7 @@ spec: # # Applicable values: # - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well. - # - disabled: Disable L7 load balancing by way of service annotation. + # - disabled: Disable L7 load balancing. backend: disabled # -- List of ports from service to be automatically redirected to above backend. # Any service exposing one of these ports will be automatically redirected. @@ -1946,7 +1561,7 @@ spec: # Applicable values: round_robin, least_request, random algorithm: round_robin - # -- Configure N-S k8s service loadbalancing +# -- Configure N-S k8s service loadbalancing nodePort: # -- Enable the Cilium NodePort service implementation. enabled: false 
@@ -1964,21 +1579,13 @@ spec: # -- Enable healthcheck nodePort server for NodePort services enableHealthCheck: true - # -- Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs - # EnableHealthCheck to be enabled - enableHealthCheckLoadBalancerIP: false - - # policyAuditMode: false +# policyAuditMode: false - # -- The agent can be put into one of the three policy enforcement modes: - # default, always and never. - # ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes +# -- The agent can be put into one of the three policy enforcement modes: +# default, always and never. +# ref: https://docs.cilium.io/en/stable/policy/intro/#policy-enforcement-modes policyEnforcementMode: "default" - # -- policyCIDRMatchMode is a list of entities that may be selected by CIDR selector. - # The possible value is "nodes". - policyCIDRMatchMode: - pprof: # -- Enable pprof for cilium-agent enabled: false 
@@ -1987,20 +1594,18 @@ spec: # -- Configure pprof listen port for cilium-agent port: 6060 - # -- Configure prometheus metrics on the configured port at /metrics +# -- Configure prometheus metrics on the configured port at /metrics prometheus: enabled: false port: 9962 serviceMonitor: # -- Enable service monitors. - # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) enabled: false # -- Labels to add to ServiceMonitor cilium-agent labels: {} # -- Annotations to add to ServiceMonitor cilium-agent annotations: {} - # -- jobLabel to add for ServiceMonitor cilium-agent - jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Specify the Kubernetes namespace where Prometheus expects to find 
@@ -2014,249 +1619,26 @@ spec: replacement: ${1} # -- Metrics relabeling configs for the ServiceMonitor cilium-agent metricRelabelings: ~ - # -- Set to `true` and helm will not check for monitoring.coreos.com/v1 CRDs before deploying - trustCRDsExist: false - - # -- Metrics that should be enabled or disabled from the default metric list. - # The list is expected to be separated by a space. (+metric_foo to enable - # metric_foo , -metric_bar to disable metric_bar). - # ref: https://docs.cilium.io/en/stable/observability/metrics/ + # -- Metrics that should be enabled or disabled from the default metric + # list. (+metric_foo to enable metric_foo , -metric_bar to disable + # metric_bar). + # ref: https://docs.cilium.io/en/stable/operations/metrics/#exported-metrics metrics: ~ - # --- Enable controller group metrics for monitoring specific Cilium - # subsystems. The list is a list of controller group names. The special - # values of "all" and "none" are supported. The set of controller - # group names is not guaranteed to be stable between Cilium versions. - controllerGroupMetrics: - - write-cni-file - - sync-host-ips - - sync-lb-maps-with-k8s-services - - # -- Grafana dashboards for cilium-agent - # grafana can import dashboards based on the label and value - # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards - dashboards: - enabled: false - label: grafana_dashboard - namespace: ~ - labelValue: "1" - annotations: {} - - # -- Configure Istio proxy options. +# -- Configure Istio proxy options. proxy: - prometheus: - # -- Deprecated in favor of envoy.prometheus.enabled enabled: true - # -- Deprecated in favor of envoy.prometheus.port - port: ~ + port: "9964" # -- Regular expression matching compatible Istio sidecar istio-proxy # container image names sidecarImageRegex: "cilium/istio_proxy" - # Configure Cilium Envoy options. - envoy: - # -- Enable Envoy Proxy in standalone DaemonSet. 
- enabled: false - - log: - # -- The format string to use for laying out the log message metadata of Envoy. - format: "[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v" - # -- Path to a separate Envoy log file, if any. Defaults to /dev/stdout. - path: "" - - # -- Time in seconds after which a TCP connection attempt times out - connectTimeoutSeconds: 2 - # -- ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for Envoy - maxRequestsPerConnection: 0 - # -- Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable) - maxConnectionDurationSeconds: 0 - # -- Set Envoy upstream HTTP idle connection timeout seconds. - # Does not apply to connections with pending requests. Default 60s - idleTimeoutDurationSeconds: 60 - - # -- Envoy container image. - image: - override: ~ - repository: "quay.io/cilium/cilium-envoy" - tag: "v1.27.3-99c1c8f42c8de70fc8f6dd594f4a425cd38b6688" - pullPolicy: "IfNotPresent" - digest: "sha256:877ead12d08d4c04a9f67f86d3c6e542aeb7bf97e1e401aee74de456f496ac30" - useDigest: true - - # -- Additional containers added to the cilium Envoy DaemonSet. - extraContainers: [] - - # -- Additional envoy container arguments. - extraArgs: [] - - # -- Additional envoy container environment variables. - extraEnv: [] - - # -- Additional envoy hostPath mounts. - extraHostPathMounts: [] - # - name: host-mnt-data - # mountPath: /host/mnt/data - # hostPath: /mnt/data - # hostPathType: Directory - # readOnly: true - # mountPropagation: HostToContainer - - # -- Additional envoy volumes. - extraVolumes: [] - - # -- Additional envoy volumeMounts. - extraVolumeMounts: [] - - # -- Configure termination grace period for cilium-envoy DaemonSet. - terminationGracePeriodSeconds: 1 - - # -- TCP port for the health API. 
- healthPort: 9878 - - # -- cilium-envoy update strategy - # ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#updating-a-daemonset - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 2 - # -- Roll out cilium envoy pods automatically when configmap is updated. - rollOutPods: false - - # -- Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy) - annotations: {} - - # -- Security Context for cilium-envoy pods. - podSecurityContext: {} - - # -- Annotations to be added to envoy pods - podAnnotations: {} - - # -- Labels to be added to envoy pods - podLabels: {} - - # -- Envoy resource limits & requests - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: {} - # limits: - # cpu: 4000m - # memory: 4Gi - # requests: - # cpu: 100m - # memory: 512Mi - - startupProbe: - # -- failure threshold of startup probe. - # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s) - failureThreshold: 105 - # -- interval between checks of the startup probe - periodSeconds: 2 - livenessProbe: - # -- failure threshold of liveness probe - failureThreshold: 10 - # -- interval between checks of the liveness probe - periodSeconds: 30 - readinessProbe: - # -- failure threshold of readiness probe - failureThreshold: 3 - # -- interval between checks of the readiness probe - periodSeconds: 30 - - securityContext: - # -- User to run the pod with - # runAsUser: 0 - # -- Run the pod with elevated privileges - privileged: false - # -- SELinux options for the `cilium-envoy` container - seLinuxOptions: - level: 's0' - # Running with spc_t since we have removed the privileged mode. - # Users can change it to a different type as long as they have the - # type available on the system. 
- type: 'spc_t' - capabilities: - # -- Capabilities for the `cilium-envoy` container - envoy: - # Used since cilium proxy uses setting IPPROTO_IP/IP_TRANSPARENT - - NET_ADMIN - # We need it for now but might not need it for >= 5.11 specially - # for the 'SYS_RESOURCE'. - # In >= 5.8 there's already BPF and PERMON capabilities - - SYS_ADMIN - # Both PERFMON and BPF requires kernel 5.8, container runtime - # cri-o >= v1.22.0 or containerd >= v1.5.0. - # If available, SYS_ADMIN can be removed. - #- PERFMON - #- BPF - - # -- Affinity for cilium-envoy. - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - k8s-app: cilium-envoy - - # -- Node selector for cilium-envoy. - nodeSelector: - kubernetes.io/os: linux - - # -- Node tolerations for envoy scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: - - operator: Exists - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - # -- The priority class to use for cilium-envoy. - priorityClassName: ~ - - # -- DNS policy for Cilium envoy pods. - # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy - dnsPolicy: ~ - - # -- Configure Cilium Envoy Prometheus options. - # Note that some of these apply to either cilium-agent or cilium-envoy. - prometheus: - # -- Enable prometheus metrics for cilium-envoy - enabled: true - serviceMonitor: - # -- Enable service monitors. - # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) - # Note that this setting applies to both cilium-envoy _and_ cilium-agent - # with Envoy enabled. 
- enabled: false - # -- Labels to add to ServiceMonitor cilium-envoy - labels: {} - # -- Annotations to add to ServiceMonitor cilium-envoy - annotations: {} - # -- Interval for scrape metrics. - interval: "10s" - # -- Specify the Kubernetes namespace where Prometheus expects to find - # service monitors configured. - # namespace: "" - # -- Relabeling configs for the ServiceMonitor cilium-envoy - # or for cilium-agent with Envoy configured. - relabelings: - - sourceLabels: - - __meta_kubernetes_pod_node_name - targetLabel: node - replacement: ${1} - # -- Metrics relabeling configs for the ServiceMonitor cilium-envoy - # or for cilium-agent with Envoy configured. - metricRelabelings: ~ - # -- Serve prometheus metrics for cilium-envoy on the configured port - port: "9964" - - # -- Enable use of the remote node identity. - # ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity - # Deprecated without replacement in 1.15. To be removed in 1.16. +# -- Enable use of the remote node identity. +# ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity remoteNodeIdentity: true - # -- Enable resource quotas for priority classes used in the cluster. +# -- Enable resource quotas for priority classes used in the cluster. resourceQuotas: enabled: false cilium: 
@@ -2268,22 +1650,27 @@ spec: # 15 "clusterwide" Cilium Operator pods for HA pods: "15" - # Need to document default - ################## - #sessionAffinity: false +# Need to document default +################## +#sessionAffinity: false - # -- Do not run Cilium agent when running with clean mode. Useful to completely - # uninstall Cilium as it will stop Cilium from starting and create artifacts - # in the node. +# -- Do not run Cilium agent when running with clean mode. Useful to completely +# uninstall Cilium as it will stop Cilium from starting and create artifacts +# in the node. sleepAfterInit: false - # -- Enable check of service source ranges (currently, only for LoadBalancer). +# -- Configure BPF socket operations configuration + sockops: + # enabled enables installation of socket options acceleration. + enabled: false + +# -- Enable check of service source ranges (currently, only for LoadBalancer). svcSourceRangeCheck: true - # -- Synchronize Kubernetes nodes to kvstore and perform CNP GC. +# -- Synchronize Kubernetes nodes to kvstore and perform CNP GC. synchronizeK8sNodes: true - # -- Configure TLS configuration in the agent. +# -- Configure TLS configuration in the agent. tls: # -- This configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies # (namely the secrets referenced by terminatingTLS and originatingTLS). @@ -2293,8 +1680,7 @@ spec: secretsBackend: local # -- Base64 encoded PEM values for the CA certificate and private key. - # This can be used as common CA to generate certificates used by hubble and clustermesh components. - # It is neither required nor used when cert-manager is used to generate the certificates. + # This can be used as common CA to generate certificates used by hubble and clustermesh components ca: # -- Optional CA cert. If it is provided, it will be used by cilium to # generate all other certificates. Otherwise, an ephemeral CA is generated. 
@@ -2307,65 +1693,22 @@ spec: # -- Generated certificates validity duration in days. This will be used for auto generated CA. certValidityDuration: 1095 - # -- Configure the CA trust bundle used for the validation of the certificates - # leveraged by hubble and clustermesh. When enabled, it overrides the content of the - # 'ca.crt' field of the respective certificates, allowing for CA rotation with no down-time. - caBundle: - # -- Enable the use of the CA trust bundle. - enabled: false - - # -- Name of the ConfigMap containing the CA trust bundle. - name: cilium-root-ca.crt - - # -- Entry of the ConfigMap containing the CA trust bundle. - key: ca.crt - - # -- Use a Secret instead of a ConfigMap. - useSecret: false +# -- Configure the encapsulation configuration for communication between nodes. +# Possible values: +# - disabled +# - vxlan (default) +# - geneve + tunnel: "vxlan" - # If uncommented, creates the ConfigMap and fills it with the specified content. - # Otherwise, the ConfigMap is assumed to be already present in .Release.Namespace. - # - # content: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - - # -- Tunneling protocol to use in tunneling mode and for ad-hoc tunnels. - # Possible values: - # - "" - # - vxlan - # - geneve - # @default -- `"vxlan"` - tunnelProtocol: "" - - # -- Enable native-routing mode or tunneling mode. - # Possible values: - # - "" - # - native - # - tunnel - # @default -- `"tunnel"` - routingMode: "" - - # -- Configure VXLAN and Geneve tunnel port. - # @default -- Port 8472 for VXLAN, Port 6081 for Geneve +# -- Configure VXLAN and Geneve tunnel port. +# @default -- Port 8472 for VXLAN, Port 6081 for Geneve tunnelPort: 0 - # -- Configure what the response should be to traffic for a service without backends. - # "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop". 
- # Possible values: - # - reject (default) - # - drop - serviceNoBackendResponse: reject - - # -- Configure the underlying network MTU to overwrite auto-detected MTU. +# -- Configure the underlying network MTU to overwrite auto-detected MTU. MTU: 0 - # -- Disable the usage of CiliumEndpoint CRD. - disableEndpointCRD: false +# -- Disable the usage of CiliumEndpoint CRD. + disableEndpointCRD: "false" wellKnownIdentities: # -- Enable the use of well-known identities. @@ -2379,9 +1722,7 @@ spec: image: override: ~ repository: "quay.io/cilium/cilium-etcd-operator" - tag: "v2.0.7" - digest: "sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc" - useDigest: true + tag: "v2.0.7@sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc" pullPolicy: "IfNotPresent" # -- The priority class to use for cilium-etcd-operator @@ -2390,14 +1731,8 @@ spec: # -- Additional cilium-etcd-operator container arguments. extraArgs: [] - # -- Additional cilium-etcd-operator volumes. - extraVolumes: [] - - # -- Additional cilium-etcd-operator volumeMounts. - extraVolumeMounts: [] - # -- Node tolerations for cilium-etcd-operator scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ tolerations: - operator: Exists # - key: "key" 
@@ -2412,16 +1747,10 @@ spec: # whenUnsatisfiable: DoNotSchedule # -- Node labels for cilium-etcd-operator pod assignment - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + # ref: https://kubernetes.io/docs/user-guide/node-selection/ nodeSelector: kubernetes.io/os: linux - # -- Annotations to be added to all top-level etcd-operator objects (resources under templates/etcd-operator) - annotations: {} - - # -- Security context to be added to cilium-etcd-operator pods - podSecurityContext: {} - # -- Annotations to be added to cilium-etcd-operator pods podAnnotations: {} @@ -2440,7 +1769,7 @@ spec: maxUnavailable: 1 # -- cilium-etcd-operator resource limits & requests - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + # ref: https://kubernetes.io/docs/user-guide/compute-resources/ resources: {} # limits: # cpu: 4000m @@ -2487,7 +1816,7 @@ spec: image: override: ~ repository: "quay.io/cilium/operator" - tag: "v1.15.2" + tag: "v1.13.0" # operator-generic-digest genericDigest: "" # operator-azure-digest @@ -2514,8 +1843,8 @@ spec: updateStrategy: type: RollingUpdate rollingUpdate: - maxSurge: 25% - maxUnavailable: 50% + maxSurge: 1 + maxUnavailable: 1 # -- Affinity for cilium-operator affinity: @@ -2533,12 +1862,13 @@ spec: # whenUnsatisfiable: DoNotSchedule # -- Node labels for cilium-operator pod assignment - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + # nodeSelector: kubernetes.io/os: linux # -- Node tolerations for cilium-operator scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ tolerations: - operator: Exists # - key: "key" 
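Review bot: In the `@@ -2487` hunk the operator image moves from `tag: "v1.15.2"` to `tag: "v1.13.0"`, and the same step back is applied to preflight (`@@ -2782`) and clustermesh-apiserver (`@@ -2885`); the agent image tag is not in this chunk, so it is worth checking that every Cilium component ends up on the same version, since agent and operator are generally expected to run matching releases. Moving back two minor releases also gives up the fixes shipped between 1.13.0 and 1.15.2; if this is a deliberate pin rather than a downgrade, a short comment above the tag stating the reason would save the next reader from reverting it. `genericDigest` stays empty, so unlike the etcd-operator image this tag is not digest-pinned.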
@@ -2567,12 +1897,6 @@ spec: # -- Additional cilium-operator volumeMounts. extraVolumeMounts: [] - # -- Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator) - annotations: {} - - # -- Security context to be added to cilium-operator pods - podSecurityContext: {} - # -- Annotations to be added to cilium-operator pods podAnnotations: {} @@ -2591,7 +1915,7 @@ spec: maxUnavailable: 1 # -- cilium-operator resource limits & requests - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + # ref: https://kubernetes.io/docs/user-guide/compute-resources/ resources: {} # limits: # cpu: 1000m @@ -2630,18 +1954,16 @@ spec: # -- Enable prometheus metrics for cilium-operator on the configured port at # /metrics prometheus: - enabled: true + enabled: false port: 9963 serviceMonitor: # -- Enable service monitors. - # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) enabled: false # -- Labels to add to ServiceMonitor cilium-operator labels: {} # -- Annotations to add to ServiceMonitor cilium-operator annotations: {} - # -- jobLabel to add for ServiceMonitor cilium-operator - jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Relabeling configs for the ServiceMonitor cilium-operator 
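Review bot: `prometheus.enabled` for cilium-operator flips from `true` to `false` in the `@@ -2630` hunk, which stops the operator from exposing metrics on port 9963; any existing scrape of that port or alert built on it goes dark without an error. If turning the endpoint off is intended, a one-line comment on the key (`# operator metrics disabled: nothing scrapes them in this cluster`) would record that; otherwise keeping `enabled: true` is harmless when nothing scrapes it.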
@@ -2649,16 +1971,6 @@ spec: # -- Metrics relabeling configs for the ServiceMonitor cilium-operator metricRelabelings: ~ - # -- Grafana dashboards for cilium-operator - # grafana can import dashboards based on the label and value - # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards - dashboards: - enabled: false - label: grafana_dashboard - namespace: ~ - labelValue: "1" - annotations: {} - # -- Skip CRDs creation for cilium-operator skipCRDCreation: false @@ -2666,11 +1978,6 @@ spec: # pod running. removeNodeTaints: true - # -- Taint nodes where Cilium is scheduled but not running. This prevents pods - # from being scheduled to nodes where Cilium is not the default CNI provider. - # @default -- same as removeNodeTaints - setNodeTaints: ~ - # -- Set Node condition NetworkUnavailable to 'false' with the reason # 'CiliumIsUp' for nodes that have a healthy Cilium pod. setNodeNetworkStatus: true @@ -2690,7 +1997,7 @@ spec: image: override: ~ repository: "quay.io/cilium/startup-script" - tag: "62093c5c233ea914bfa26a10ba41f8780d9b737f" + tag: "d69851597ea019af980891a4628fb36b7880ec26" pullPolicy: "IfNotPresent" # -- The priority class to use for the nodeinit pod. 
@@ -2703,22 +2010,17 @@ spec: # -- Additional nodeinit environment variables. extraEnv: [] - # -- Additional nodeinit volumes. - extraVolumes: [] - - # -- Additional nodeinit volumeMounts. - extraVolumeMounts: [] - # -- Affinity for cilium-nodeinit affinity: {} # -- Node labels for nodeinit pod assignment - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + # nodeSelector: kubernetes.io/os: linux # -- Node tolerations for nodeinit scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ tolerations: - operator: Exists # - key: "key" @@ -2726,9 +2028,6 @@ spec: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - # -- Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit) - annotations: {} - # -- Annotations to be added to node-init pods. podAnnotations: {} @@ -2736,7 +2035,7 @@ spec: podLabels: {} # -- nodeinit resource limits & requests - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + # ref: https://kubernetes.io/docs/user-guide/compute-resources/ resources: requests: cpu: 100m @@ -2765,15 +2064,6 @@ spec: # written by the node-init DaemonSet bootstrapFile: "/tmp/cilium-bootstrap.d/cilium-bootstrap-time" - # -- startup offers way to customize startup nodeinit script (pre and post position) - startup: - preScript: "" - postScript: "" - # -- prestop offers way to customize prestop nodeinit script (pre and post position) - prestop: - preScript: "" - postScript: "" - preflight: # -- Enable Cilium pre-flight resources (required for upgrade) enabled: false @@ -2782,7 +2072,7 @@ spec: image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.15.2" + tag: "v1.13.0" # cilium-digest digest: "" useDigest: false 
@@ -2798,12 +2088,6 @@ spec: # -- Additional preflight environment variables. extraEnv: [] - # -- Additional preflight volumes. - extraVolumes: [] - - # -- Additional preflight volumeMounts. - extraVolumeMounts: [] - # -- Affinity for cilium-preflight affinity: podAffinity: @@ -2814,12 +2098,13 @@ spec: k8s-app: cilium # -- Node labels for preflight pod assignment - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + # nodeSelector: kubernetes.io/os: linux # -- Node tolerations for preflight scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ tolerations: - key: node.kubernetes.io/not-ready effect: NoSchedule @@ -2837,12 +2122,6 @@ spec: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - # -- Annotations to be added to all top-level preflight objects (resources under templates/cilium-preflight) - annotations: {} - - # -- Security context to be added to preflight pods. - podSecurityContext: {} - # -- Annotations to be added to preflight pods podAnnotations: {} @@ -2861,7 +2140,7 @@ spec: maxUnavailable: 1 # -- preflight resource limits & requests - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + # ref: https://kubernetes.io/docs/user-guide/compute-resources/ resources: {} # limits: # cpu: 4000m 
@@ -2885,92 +2164,66 @@ spec: # cluster with the right schema. validateCNPs: true - # -- Explicitly enable or disable priority class. - # .Capabilities.KubeVersion is unsettable in `helm template` calls, - # it depends on k8s libraries version that Helm was compiled against. - # This option allows to explicitly disable setting the priority class, which - # is useful for rendering charts for gke clusters in advance. +# -- Explicitly enable or disable priority class. +# .Capabilities.KubeVersion is unsettable in `helm template` calls, +# it depends on k8s libraries version that Helm was compiled against. +# This option allows to explicitly disable setting the priority class, which +# is useful for rendering charts for gke clusters in advance. enableCriticalPriorityClass: true - # disableEnvoyVersionCheck removes the check for Envoy, which can be useful - # on AArch64 as the images do not currently ship a version of Envoy. - #disableEnvoyVersionCheck: false +# disableEnvoyVersionCheck removes the check for Envoy, which can be useful +# on AArch64 as the images do not currently ship a version of Envoy. +#disableEnvoyVersionCheck: false clustermesh: # -- Deploy clustermesh-apiserver for clustermesh - useAPIServer: enabled - # -- The maximum number of clusters to support in a ClusterMesh. This value - # cannot be changed on running clusters, and all clusters in a ClusterMesh - # must be configured with the same value. Values > 255 will decrease the - # maximum allocatable cluster-local identities. - # Supported values are 255 and 511. - maxConnectedClusters: 255 - - # -- Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config) - annotations: {} + useAPIServer: false # -- Clustermesh explicit configuration. config: # -- Enable the Clustermesh explicit configuration. 
- enabled: true + enabled: false # -- Default dns domain for the Clustermesh API servers # This is used in the case cluster addresses are not provided # and IPs are used. domain: mesh.cilium.io # -- List of clusters to be peered in the mesh. - clusters: - # -- Name of the cluster - - name: cluster-01 - # -- Address of the cluster, use this if you created DNS records for - # the cluster Clustermesh API server. - address: cluster-01.mesh.cilium.io - # -- Port of the cluster Clustermesh API server. - port: 2379 - # -- IPs of the cluster Clustermesh API server, use multiple ones when - # you have multiple IPs to access the Clustermesh API server. - ips: - - 172.18.255.201 - # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority. - # These fields can (and should) be omitted in case the CA is shared across clusters. In that case, the - # "remote" private key and certificate available in the local cluster are automatically used instead. - # tls: - # cert: "" - # key: "" - # caCert: "" - - name: cluster-02 - # -- Address of the cluster, use this if you created DNS records for - # the cluster Clustermesh API server. - address: cluster-02.mesh.cilium.io - # -- Port of the cluster Clustermesh API server. - port: 2379 - # -- IPs of the cluster Clustermesh API server, use multiple ones when - # you have multiple IPs to access the Clustermesh API server. - ips: - - 172.18.255.202 - # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority. - # These fields can (and should) be omitted in case the CA is shared across clusters. In that case, the - # "remote" private key and certificate available in the local cluster are automatically used instead. + clusters: [] + # clusters: + # # -- Name of the cluster + # - name: cluster1 + # # -- Address of the cluster, use this if you created DNS records for + # # the cluster Clustermesh API server. 
+ # address: cluster1.mesh.cilium.io + # # -- Port of the cluster Clustermesh API server. + # port: 2379 + # # -- IPs of the cluster Clustermesh API server, use multiple ones when + # # you have multiple IPs to access the Clustermesh API server. + # ips: + # - 172.18.255.201 + # # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority. # tls: # cert: "" # key: "" - # caCert: "" - apiserver: # -- Clustermesh API server image. image: override: ~ repository: "quay.io/cilium/clustermesh-apiserver" - tag: "v1.15.2" + tag: "v1.13.0" # clustermesh-apiserver-digest digest: "" useDigest: false pullPolicy: "IfNotPresent" etcd: - # The etcd binary is included in the clustermesh API server image, so the same image from above is reused. - # Independent override isn't supported, because clustermesh-apiserver is tested against the etcd version it is - # built with. + # -- Clustermesh API server etcd image. + image: + override: ~ + repository: "quay.io/coreos/etcd" + tag: "v3.5.4@sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3" + pullPolicy: "IfNotPresent" # -- Specifies the resources for etcd container in the apiserver resources: {} @@ -2981,12 +2234,6 @@ spec: # cpu: 1000m # memory: 256Mi - # -- Security context to be added to clustermesh-apiserver etcd containers - securityContext: {} - - # -- lifecycle setting for the etcd container - lifecycle: {} - init: # -- Specifies the resources for etcd init container in the apiserver resources: {} 
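Review bot: The etcd container now gets its own image (`quay.io/coreos/etcd`, `v3.5.4@sha256:…`) where the old side's comment explains that the chart reuses the clustermesh-apiserver image because the apiserver is tested against the etcd version it is built with; with an independent image, keeping etcd compatible with clustermesh-apiserver `v1.13.0` becomes a manual responsibility, so a comment above `repository:` noting which apiserver release this etcd tag was validated for would help. The concrete `clusters:` peering list (cluster-01/cluster-02 with their addresses and IPs) is replaced by `clusters: []` together with `useAPIServer: false`; that is consistent while clustermesh is off, but if it is re-enabled later the entries have to be reconstructed, so keeping them commented out rather than deleted may be preferable. The `@@ -2981` hunk only drops empty `securityContext: {}`/`lifecycle: {}` defaults, so no hardening is lost there.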
@@ -2997,57 +2244,10 @@ spec: # cpu: 100m # memory: 100Mi - # -- Additional arguments to `clustermesh-apiserver etcdinit`. - extraArgs: [] - - # -- Additional environment variables to `clustermesh-apiserver etcdinit`. - extraEnv: [] - - kvstoremesh: - # -- Enable KVStoreMesh. KVStoreMesh caches the information retrieved - # from the remote clusters in the local etcd instance. - enabled: false - - # -- Additional KVStoreMesh arguments. - extraArgs: [] - - # -- Additional KVStoreMesh environment variables. - extraEnv: [] - - # -- Resource requests and limits for the KVStoreMesh container - resources: {} - # requests: - # cpu: 100m - # memory: 64Mi - # limits: - # cpu: 1000m - # memory: 1024M - - # -- Additional KVStoreMesh volumeMounts. - extraVolumeMounts: [] - - # -- KVStoreMesh Security context - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - - # -- lifecycle setting for the KVStoreMesh container - lifecycle: {} - service: # -- The type of service used for apiserver access. type: NodePort # -- Optional port to use as the node port for apiserver access. - # - # WARNING: make sure to configure a different NodePort in each cluster if - # kube-proxy replacement is enabled, as Cilium is currently affected by a known - # bug (#24692) when NodePorts are handled by the KPR implementation. If a service - # with the same NodePort exists both in the local and the remote cluster, all - # traffic originating from inside the cluster and targeting the corresponding - # NodePort will be redirected to a local backend, regardless of whether the - # destination node belongs to the local or the remote cluster. nodePort: 32379 # -- Optional loadBalancer IP address to use with type LoadBalancer. # loadBalancerIP: 
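Review bot: `nodePort: 32379` is unchanged on the new side while the old side's warning about using a distinct NodePort per cluster when kube-proxy replacement is enabled is deleted; whether kube-proxy replacement is on is not visible here, but if it is and both clusters keep 32379, the situation the warning described (traffic to the shared NodePort served by a local backend regardless of the intended cluster) still applies. With `useAPIServer: false` the service may not be created at all, in which case this is moot, but keeping the warning text next to the value costs nothing. The removed `kvstoremesh.securityContext` (`allowPrivilegeEscalation: false`, drop `ALL`) goes with the rest of the kvstoremesh block, so it is not a hardening regression on a container that still exists.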
@@ -3057,39 +2257,12 @@ spec: # For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 annotations: {} - # -- The externalTrafficPolicy of service used for apiserver access. - externalTrafficPolicy: - - # -- The internalTrafficPolicy of service used for apiserver access. - internalTrafficPolicy: - # -- Number of replicas run for the clustermesh-apiserver deployment. replicas: 1 - # -- lifecycle setting for the apiserver container - lifecycle: {} - - # -- terminationGracePeriodSeconds for the clustermesh-apiserver deployment - terminationGracePeriodSeconds: 30 - - # -- Additional clustermesh-apiserver arguments. - extraArgs: [] - # -- Additional clustermesh-apiserver environment variables. extraEnv: [] - # -- Additional clustermesh-apiserver volumes. - extraVolumes: [] - - # -- Additional clustermesh-apiserver volumeMounts. - extraVolumeMounts: [] - - # -- Security context to be added to clustermesh-apiserver containers - securityContext: {} - - # -- Security context to be added to clustermesh-apiserver pods - podSecurityContext: {} - # -- Annotations to be added to clustermesh-apiserver pods podAnnotations: {} @@ -3140,12 +2313,12 @@ spec: # whenUnsatisfiable: DoNotSchedule # -- Node labels for pod assignment - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + # ref: https://kubernetes.io/docs/user-guide/node-selection/ nodeSelector: kubernetes.io/os: linux # -- Node tolerations for pod assignment on nodes with taints - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ tolerations: [] # -- clustermesh-apiserver update strategy 
@@ -3158,23 +2331,6 @@ spec: priorityClassName: "" tls: - # -- Configure the clustermesh authentication mode. - # Supported values: - # - legacy: All clusters access remote clustermesh instances with the same - # username (i.e., remote). The "remote" certificate must be - # generated with CN=remote if provided manually. - # - migration: Intermediate mode required to upgrade from legacy to cluster - # (and vice versa) with no disruption. Specifically, it enables - # the creation of the per-cluster usernames, while still using - # the common one for authentication. The "remote" certificate must - # be generated with CN=remote if provided manually (same as legacy). - # - cluster: Each cluster accesses remote etcd instances with a username - # depending on the local cluster name (i.e., remote-). - # The "remote" certificate must be generated with CN=remote- - # if provided manually. Cluster mode is meaningful only when the same - # CA is shared across all clusters part of the mesh. - authMode: legacy - # -- Configure automatic TLS certificates generation. # A Kubernetes CronJob is used the generate any # certificates not provided by the user at installation @@ -3204,7 +2360,7 @@ spec: # # Defaults to none. Commented syntax gives midnight of the first day of every # fourth month. For syntax, see - # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax + # https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule # schedule: "0 0 1 */4 *" # [Example] 
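Review bot: `authMode: legacy` is removed from `clustermesh.apiserver.tls`, so the effective mode becomes whatever the chart defaults to; the old side's comment documents that `legacy` makes every cluster authenticate with the shared `remote` identity while `cluster` gives each cluster its own username. If the chart in use supports the key, set it explicitly so the choice stays visible, and if it does not, a comment such as `# authMode is not supported by this chart version` prevents the next reader from re-adding it.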
@@ -3213,7 +2369,16 @@ spec: # kind: ClusterIssuer # name: ca-issuer # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. + # If not specified, a CA issuer will be created. certManagerIssuerRef: {} + # -- base64 encoded PEM values for the ExternalWorkload CA certificate and private key. + ca: + # -- Optional CA cert. If it is provided, it will be used by the 'cronJob' method to + # generate all other certificates. Otherwise, an ephemeral CA is generated. + cert: "" + # -- Optional CA private key. If it is provided, it will be used by the 'cronJob' method to + # generate all other certificates. Otherwise, an ephemeral CA is generated. + key: "" # -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. # Used if 'auto' is not enabled. server: 
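Review bot: The new `ca.cert`/`ca.key` keys under `clustermesh.apiserver.tls` hold base64 PEM material in a values file tracked in this git repository, so filling in `key` would commit the clustermesh CA private key in plaintext; leave it empty and let the `cronJob` method generate an ephemeral CA (as the added comment describes), or supply the CA through an encrypted Secret rather than this file. A comment on the key would make that explicit: `# -- Leave empty in git; a CA private key must not be committed here.` The comment `base64 encoded PEM values for the ExternalWorkload CA certificate and private key` also mislabels the block, which sits in the clustermesh-apiserver TLS section; `clustermesh-apiserver CA` would match its siblings.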
@@ -3239,68 +2404,12 @@ spec: cert: "" key: "" - # clustermesh-apiserver Prometheus metrics configuration - metrics: - # -- Enables exporting apiserver metrics in OpenMetrics format. - enabled: true - # -- Configure the port the apiserver metric server listens on. - port: 9962 - - kvstoremesh: - # -- Enables exporting KVStoreMesh metrics in OpenMetrics format. - enabled: true - # -- Configure the port the KVStoreMesh metric server listens on. - port: 9964 - - etcd: - # -- Enables exporting etcd metrics in OpenMetrics format. - enabled: true - # -- Set level of detail for etcd metrics; specify 'extensive' to include server side gRPC histogram metrics. - mode: basic - # -- Configure the port the etcd metric server listens on. - port: 9963 - - serviceMonitor: - # -- Enable service monitor. - # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) - enabled: false - # -- Labels to add to ServiceMonitor clustermesh-apiserver - labels: {} - # -- Annotations to add to ServiceMonitor clustermesh-apiserver - annotations: {} - # -- Specify the Kubernetes namespace where Prometheus expects to find - # service monitors configured. 
- # namespace: "" - - # -- Interval for scrape metrics (apiserver metrics) - interval: "10s" - # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics) - relabelings: ~ - # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics) - metricRelabelings: ~ - - kvstoremesh: - # -- Interval for scrape metrics (KVStoreMesh metrics) - interval: "10s" - # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics) - relabelings: ~ - # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics) - metricRelabelings: ~ - - etcd: - # -- Interval for scrape metrics (etcd metrics) - interval: "10s" - # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics) - relabelings: ~ - # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics) - metricRelabelings: ~ - - # -- Configure external workloads support +# -- Configure external workloads support externalWorkloads: # -- Enable support for external workloads, such as VMs (false by default). enabled: false - # -- Configure cgroup related configuration +# -- Configure cgroup related configuration cgroup: autoMount: # -- Enable auto mount of cgroup2 filesystem. 
@@ -3321,15 +2430,15 @@ spec: # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`) hostRoot: /run/cilium/cgroupv2 - # -- Configure whether to enable auto detect of terminating state for endpoints - # in order to support graceful termination. +# -- Configure whether to enable auto detect of terminating state for endpoints +# in order to support graceful termination. enableK8sTerminatingEndpoint: true - # -- Configure whether to unload DNS policy rules on graceful shutdown - # dnsPolicyUnloadOnShutdown: false +# -- Configure whether to unload DNS policy rules on graceful shutdown +# dnsPolicyUnloadOnShutdown: false - # -- Configure the key of the taint indicating that Cilium is not ready on the node. - # When set to a value starting with `ignore-taint.cluster-autoscaler.kubernetes.io/`, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up. +# -- Configure the key of the taint indicating that Cilium is not ready on the node. +# When set to a value starting with `ignore-taint.cluster-autoscaler.kubernetes.io/`, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up. agentNotReadyTaintKey: "node.cilium.io/agent-not-ready" dnsProxy: 
@@ -3343,193 +2452,16 @@ spec: idleConnectionGracePeriod: 0s # -- Maximum number of IPs to retain for expired DNS lookups with still-active connections. maxDeferredConnectionDeletes: 10000 - # -- The minimum time, in seconds, to use DNS data for toFQDNs policies. If - # the upstream DNS server returns a DNS record with a shorter TTL, Cilium - # overwrites the TTL with this value. Setting this value to zero means that - # Cilium will honor the TTLs returned by the upstream DNS server. - minTtl: 0 + # -- The minimum time, in seconds, to use DNS data for toFQDNs policies. + minTtl: 3600 # -- DNS cache data at this path is preloaded on agent startup. preCache: "" # -- Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. proxyPort: 0 # -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. proxyResponseMaxDelay: 100ms - # -- DNS proxy operation mode (true/false, or unset to use version dependent defaults) - # enableTransparentMode: true - # -- SCTP Configuration Values +# -- SCTP Configuration Values sctp: # -- Enable SCTP support. NOTE: Currently, SCTP support does not support rewriting ports or multihoming. enabled: false - - # Configuration for types of authentication for Cilium (beta) - authentication: - # -- Enable authentication processing and garbage collection. - # Note that if disabled, policy enforcement will still block requests that require authentication. - # But the resulting authentication requests for these requests will not be processed, therefore the requests not be allowed. - enabled: true - # -- Buffer size of the channel Cilium uses to receive authentication events from the signal map. - queueSize: 1024 - # -- Buffer size of the channel Cilium uses to receive certificate expiration events from auth handlers. 
- rotatedIdentitiesQueueSize: 1024 - # -- Interval for garbage collection of auth map entries. - gcInterval: "5m0s" - # Configuration for Cilium's service-to-service mutual authentication using TLS handshakes. - # Note that this is not full mTLS support without also enabling encryption of some form. - # Current encryption options are Wireguard or IPSec, configured in encryption block above. - mutual: - # -- Port on the agent where mutual authentication handshakes between agents will be performed - port: 4250 - # -- Timeout for connecting to the remote node TCP socket - connectTimeout: 5s - # Settings for SPIRE - spire: - # -- Enable SPIRE integration (beta) - enabled: false - # -- Annotations to be added to all top-level spire objects (resources under templates/spire) - annotations: {} - # Settings to control the SPIRE installation and configuration - install: - # -- Enable SPIRE installation. - # This will only take effect only if authentication.mutual.spire.enabled is true - enabled: true - # -- SPIRE namespace to install into - namespace: cilium-spire - # -- SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. - existingNamespace: false - # -- init container image of SPIRE agent and server - initImage: - override: ~ - repository: "docker.io/library/busybox" - tag: "1.36.1" - digest: "sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b" - useDigest: true - pullPolicy: "IfNotPresent" - # SPIRE agent configuration - agent: - # -- SPIRE agent image - image: - override: ~ - repository: "ghcr.io/spiffe/spire-agent" - tag: "1.8.5" - digest: "sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b" - useDigest: true - pullPolicy: "IfNotPresent" - # -- SPIRE agent service account - serviceAccount: - create: true - name: spire-agent - # -- SPIRE agent annotations - annotations: {} - # -- SPIRE agent labels - labels: {} - # -- SPIRE Workload Attestor kubelet verification. 
- skipKubeletVerification: true - # -- SPIRE agent tolerations configuration - # By default it follows the same tolerations as the agent itself - # to allow the Cilium agent on this node to connect to SPIRE. - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: - - key: node.kubernetes.io/not-ready - effect: NoSchedule - - key: node-role.kubernetes.io/master - effect: NoSchedule - - key: node-role.kubernetes.io/control-plane - effect: NoSchedule - - key: node.cloudprovider.kubernetes.io/uninitialized - effect: NoSchedule - value: "true" - - key: CriticalAddonsOnly - operator: "Exists" - # -- SPIRE agent affinity configuration - affinity: {} - # -- SPIRE agent nodeSelector configuration - # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - nodeSelector: {} - # -- Security context to be added to spire agent pods. - # SecurityContext holds pod-level security attributes and common container settings. - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - podSecurityContext: {} - # -- Security context to be added to spire agent containers. - # SecurityContext holds pod-level security attributes and common container settings. 
- # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - securityContext: {} - server: - # -- SPIRE server image - image: - override: ~ - repository: "ghcr.io/spiffe/spire-server" - tag: "1.8.5" - digest: "sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428" - useDigest: true - pullPolicy: "IfNotPresent" - # -- SPIRE server service account - serviceAccount: - create: true - name: spire-server - # -- SPIRE server init containers - initContainers: [] - # -- SPIRE server annotations - annotations: {} - # -- SPIRE server labels - labels: {} - # SPIRE server service configuration - service: - # -- Service type for the SPIRE server service - type: ClusterIP - # -- Annotations to be added to the SPIRE server service - annotations: {} - # -- Labels to be added to the SPIRE server service - labels: {} - # -- SPIRE server affinity configuration - affinity: {} - # -- SPIRE server nodeSelector configuration - # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - nodeSelector: {} - # -- SPIRE server tolerations configuration - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: [] - # SPIRE server datastorage configuration - dataStorage: - # -- Enable SPIRE server data storage - enabled: true - # -- Size of the SPIRE server data storage - size: 1Gi - # -- Access mode of the SPIRE server data storage - accessMode: ReadWriteOnce - # -- StorageClass of the SPIRE server data storage - storageClass: null - # -- Security context to be added to spire server pods. - # SecurityContext holds pod-level security attributes and common container settings. - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - podSecurityContext: {} - # -- Security context to be added to spire server containers. 
- # SecurityContext holds pod-level security attributes and common container settings. - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - securityContext: {} - # SPIRE CA configuration - ca: - # -- SPIRE CA key type - # AWS requires the use of RSA. EC cryptography is not supported - keyType: "rsa-4096" - # -- SPIRE CA Subject - subject: - country: "US" - organization: "SPIRE" - commonName: "Cilium SPIRE CA" - # -- SPIRE server address used by Cilium Operator - # - # If k8s Service DNS along with port number is used (e.g. ..svc(.*): format), - # Cilium Operator will resolve its address by looking up the clusterIP from Service resource. - # - # Example values: 10.0.0.1:8081, spire-server.cilium-spire.svc:8081 - serverAddress: ~ - # -- SPIFFE trust domain to use for fetching certificates - trustDomain: spiffe.cilium - # -- SPIRE socket path where the SPIRE delegated api agent is listening - adminSocketPath: /run/spire/sockets/admin.sock - # -- SPIRE socket path where the SPIRE workload agent is listening. - # Applies to both the Cilium Agent and Operator - agentSocketPath: /run/spire/sockets/agent/agent.sock - # -- SPIRE connection timeout - connectionTimeout: 30s diff --git a/clusters/cluster-mgmt/cluster-01/kustomization.yaml b/clusters/cluster-mgmt/cluster-01/kustomization.yaml index 3ccc67d..3437598 100644 --- a/clusters/cluster-mgmt/cluster-01/kustomization.yaml +++ b/clusters/cluster-mgmt/cluster-01/kustomization.yaml @@ -4,4 +4,3 @@ resources: - namespace.yaml - platform.yaml - capi-cluster.yaml - - caaph-cni diff --git a/clusters/cluster-mgmt/cluster-01/platform.yaml b/clusters/cluster-mgmt/cluster-01/platform.yaml index 84ed2dd..8a8ec2a 100644 --- a/clusters/cluster-mgmt/cluster-01/platform.yaml +++ b/clusters/cluster-mgmt/cluster-01/platform.yaml 
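Review bot: `minTtl` changes from `0` to `3600` in the `dnsProxy` block, and the removed comment states the effect: an upstream DNS TTL shorter than this value is overwritten, so toFQDNs policies keep allowing a resolved IP for at least an hour after the record has moved. With `0` Cilium honours upstream TTLs, which is the tighter choice for egress policy; if `3600` is deliberate (for example to reduce policy churn), the reason belongs in the comment, e.g. `# -- Minimum TTL for toFQDNs data; 3600 overrides shorter upstream TTLs, widening the window in which a stale IP stays allowed.` The same hunk deletes the `authentication` block (mutual auth and SPIRE settings), so service-to-service authentication is no longer configured from these values; that is expected only if the target chart predates that block.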
@@ -15,3 +15,20 @@ spec:
 kubeConfig:
 secretRef:
 name: cluster-01-kubeconfig
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: caaph-cni
+ namespace: flux-system
+spec:
+ interval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ path: ./clusters/cluster-mgmt/cluster-01/caaph-cni
+ targetNamespace: cluster-01
+ prune: true
+ dependsOn:
+ - name: caaph
+ namespace: flux-system
diff --git a/clusters/cluster-mgmt/cluster-02/kustomization.yaml b/clusters/cluster-mgmt/cluster-02/kustomization.yaml
index 3ccc67d..3437598 100644
--- a/clusters/cluster-mgmt/cluster-02/kustomization.yaml
+++ b/clusters/cluster-mgmt/cluster-02/kustomization.yaml
@@ -4,4 +4,3 @@ resources:
 - namespace.yaml
 - platform.yaml
 - capi-cluster.yaml
- - caaph-cni
diff --git a/clusters/cluster-mgmt/cluster-02/platform.yaml b/clusters/cluster-mgmt/cluster-02/platform.yaml
index 7489aa3..1fbdb35 100644
--- a/clusters/cluster-mgmt/cluster-02/platform.yaml
+++ b/clusters/cluster-mgmt/cluster-02/platform.yaml
@@ -15,3 +15,20 @@ spec:
 kubeConfig:
 secretRef:
 name: cluster-02-kubeconfig
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: caaph-cni
+ namespace: flux-system
+spec:
+ interval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ path: ./clusters/cluster-mgmt/cluster-02/caaph-cni
+ targetNamespace: cluster-02
+ prune: true
+ dependsOn:
+ - name: caaph
+ namespace: flux-system
From 1772d3fc6759a0cc62e788c94f10b5fc70f8fe1d Mon Sep 17 00:00:00 2001
From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com>
Date: Sun, 24 Mar 2024 20:18:20 +1100
Subject: [PATCH 19/28] remove cluster-02 for now
---
 clusters/cluster-mgmt/kustomization.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/clusters/cluster-mgmt/kustomization.yaml b/clusters/cluster-mgmt/kustomization.yaml
index 0247d60..02893cd 100644
--- a/clusters/cluster-mgmt/kustomization.yaml
+++ b/clusters/cluster-mgmt/kustomization.yaml
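Review bot: The new `caaph-cni` Kustomization sets no `spec.serviceAccountName`, so kustomize-controller applies — and, because of `prune: true`, also deletes — everything under `./clusters/cluster-mgmt/cluster-01/caaph-cni` with its own controller-level permissions rather than an identity scoped to the `cluster-01` namespace. For a per-cluster directory that field is the one knob that bounds what a bad or tampered manifest on that path can touch; something like `serviceAccountName: cluster-01-reconciler` backed by a Role limited to `cluster-01` would do it. Note also that, unlike the Kustomization whose `kubeConfig: secretRef:` lines appear as context just above, this one carries no `kubeConfig`, so it lands on the management cluster — presumably intended, since a HelmChartProxy is a CAPI management-side object, but a one-line comment saying so would save the next reader the question. The same two points apply verbatim to the cluster-02 hunk below.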
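Review bot: This Kustomization is `name: caaph-cni` in `namespace: flux-system`, exactly the name and namespace the cluster-01 hunk in this same commit uses, and both platform.yaml files are pulled into one build through clusters/cluster-mgmt/kustomization.yaml. I would expect kustomize to reject the duplicate resource id, or, if the two ever reach the API server separately, the objects to overwrite each other, so one cluster ends up with its CNI HelmChartProxy pointing at the other cluster's `path` and `targetNamespace`. Naming them per cluster fixes it: `name: cluster-02-caaph-cni` here and `name: cluster-01-caaph-cni` on the cluster-01 side, with the `dependsOn` reference to `caaph` left unchanged. The follow-up commit that drops cluster-02 from the parent kustomization would hide this rather than fix it.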
@@ -3,4 +3,3 @@ kind: Kustomization resources: - platform.yaml - cluster-01 - - cluster-02 From c8585a7d5ebdbc26fd27cc175d5e69c598a1d1f8 Mon Sep 17 00:00:00 2001 From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sun, 24 Mar 2024 20:36:42 +1100 Subject: [PATCH 20/28] fix identation --- .../caaph-cni/caaph-hcp-v1.15.2.yaml | 440 +++++++++--------- 1 file changed, 220 insertions(+), 220 deletions(-) diff --git a/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml b/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml index 62bf0da..2effd0d 100644 --- a/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml +++ b/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml @@ -44,17 +44,17 @@ spec: # -- Enable creation of Resource-Based Access Control configuration. create: true -# -- Configure image pull secrets for pulling container images + # -- Configure image pull secrets for pulling container images imagePullSecrets: -# - name: "image-pull-secret" + # - name: "image-pull-secret" -# -- (string) Kubernetes config path -# @default -- `"~/.kube/config"` + # -- (string) Kubernetes config path + # @default -- `"~/.kube/config"` kubeConfigPath: "" -# -- (string) Kubernetes service host + # -- (string) Kubernetes service host k8sServiceHost: {{ .Cluster.spec.controlPlaneEndpoint.host }} -# -- (string) Kubernetes service port + # -- (string) Kubernetes service port k8sServicePort: {{ .Cluster.spec.controlPlaneEndpoint.port }} cluster: @@ -65,8 +65,8 @@ spec: # may be 0 if Cluster Mesh is not used. id: 0 -# -- Define serviceAccount names for components. -# @default -- Component's fully qualified name. + # -- Define serviceAccount names for components. + # @default -- Component's fully qualified name. serviceAccounts: cilium: create: true 
@@ -107,19 +107,19 @@ spec: name: hubble-generate-certs annotations: {} -# -- Configure termination grace period for cilium-agent DaemonSet. + # -- Configure termination grace period for cilium-agent DaemonSet. terminationGracePeriodSeconds: 1 -# -- Install the cilium agent resources. + # -- Install the cilium agent resources. agent: true -# -- Agent container name. + # -- Agent container name. name: cilium -# -- Roll out cilium agent pods automatically when configmap is updated. + # -- Roll out cilium agent pods automatically when configmap is updated. rollOutCiliumPods: false -# -- Agent container image. + # -- Agent container image image: override: ~ repository: "quay.io/cilium/cilium" @@ -129,7 +129,7 @@ spec: digest: "" useDigest: false -# -- Affinity for cilium-agent. + # -- Affinity for cilium-agent. affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -138,12 +138,12 @@ spec: matchLabels: k8s-app: cilium -# -- Node selector for cilium-agent. + # -- Node selector for cilium-agent. nodeSelector: kubernetes.io/os: linux -# -- Node tolerations for agent scheduling to nodes with taints -# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # -- Node tolerations for agent scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ tolerations: - operator: Exists # - key: "key" 
@@ -151,23 +151,23 @@ spec: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" -# -- The priority class to use for cilium-agent. + # -- The priority class to use for cilium-agent. priorityClassName: "" -# -- DNS policy for Cilium agent pods. -# Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + # -- DNS policy for Cilium agent pods. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy dnsPolicy: "" -# -- Additional containers added to the cilium DaemonSet. + # -- Additional containers added to the cilium DaemonSet. extraContainers: [] -# -- Additional agent container arguments. + # -- Additional agent container arguments. extraArgs: [] -# -- Additional agent container environment variables. + # -- Additional agent container environment variables. extraEnv: [] -# -- Additional agent hostPath mounts. + # -- Additional agent hostPath mounts. extraHostPathMounts: [] # - name: host-mnt-data # mountPath: /host/mnt/data 
@@ -176,29 +176,29 @@ spec: # readOnly: true # mountPropagation: HostToContainer -# -- Additional agent volumes. + # -- Additional agent volumes. extraVolumes: [] -# -- Additional agent volumeMounts. + # -- Additional agent volumeMounts. extraVolumeMounts: [] -# -- extraConfig allows you to specify additional configuration parameters to be -# included in the cilium-config configmap. + # -- extraConfig allows you to specify additional configuration parameters to be + # included in the cilium-config configmap. extraConfig: {} -# my-config-a: "1234" -# my-config-b: |- -# test 1 -# test 2 -# test 3 + # my-config-a: "1234" + # my-config-b: |- + # test 1 + # test 2 + # test 3 -# -- Annotations to be added to agent pods + # -- Annotations to be added to agent pods podAnnotations: {} -# -- Labels to be added to agent pods + # -- Labels to be added to agent pods podLabels: {} -# -- Agent resource limits & requests -# ref: https://kubernetes.io/docs/user-guide/compute-resources/ + # -- Agent resource limits & requests + # ref: https://kubernetes.io/docs/user-guide/compute-resources/ resources: {} # limits: # cpu: 4000m @@ -289,13 +289,13 @@ spec: #- PERFMON #- BPF -# -- Cilium agent update strategy + # -- Cilium agent update strategy updateStrategy: type: RollingUpdate rollingUpdate: maxUnavailable: 2 -# Configuration Values for cilium-agent + # Configuration Values for cilium-agent aksbyocni: # -- Enable AKS BYOCNI integration. @@ -303,11 +303,11 @@ spec: # use Azure integration (`azure.enabled`) instead. enabled: false -# -- Enable installation of PodCIDR routes between worker -# nodes if worker nodes share a common L2 network segment. + # -- Enable installation of PodCIDR routes between worker + # nodes if worker nodes share a common L2 network segment. autoDirectNodeRoutes: false -# -- Annotate k8s node upon initialization with Cilium's metadata. + # -- Annotate k8s node upon initialization with Cilium's metadata. annotateK8sNode: false azure: 
@@ -327,21 +327,21 @@ spec: # -- Enable AlibabaCloud ENI integration enabled: false -# -- Enable bandwidth manager to optimize TCP and UDP workloads and allow -# for rate-limiting traffic from individual Pods with EDT (Earliest Departure -# Time) through the "kubernetes.io/egress-bandwidth" Pod annotation. + # -- Enable bandwidth manager to optimize TCP and UDP workloads and allow + # for rate-limiting traffic from individual Pods with EDT (Earliest Departure + # Time) through the "kubernetes.io/egress-bandwidth" Pod annotation. bandwidthManager: # -- Enable bandwidth manager infrastructure (also prerequirement for BBR) enabled: false # -- Activate BBR TCP congestion control for Pods bbr: false -# -- Configure standalone NAT46/NAT64 gateway + # -- Configure standalone NAT46/NAT64 gateway nat46x64Gateway: # -- Enable RFC8215-prefixed translation enabled: false -# -- Configure BGP + # -- Configure BGP bgp: # -- Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside # cilium-agent and cilium-operator @@ -352,8 +352,8 @@ spec: # -- Enable announcement of node pod CIDR podCIDR: false -# -- This feature set enables virtual BGP routers to be created via -# CiliumBGPPeeringPolicy CRDs. + # -- This feature set enables virtual BGP routers to be created via + # CiliumBGPPeeringPolicy CRDs. bgpControlPlane: # -- Enables the BGP control plane. enabled: false 
@@ -440,22 +440,22 @@ spec: # @default -- `[]` vlanBypass: ~ -# -- Clean all eBPF datapath state from the initContainer of the cilium-agent -# DaemonSet. -# -# WARNING: Use with care! + # -- Clean all eBPF datapath state from the initContainer of the cilium-agent + # DaemonSet. + # + # WARNING: Use with care! cleanBpfState: false -# -- Clean all local Cilium state from the initContainer of the cilium-agent -# DaemonSet. Implies cleanBpfState: true. -# -# WARNING: Use with care! + # -- Clean all local Cilium state from the initContainer of the cilium-agent + # DaemonSet. Implies cleanBpfState: true. + # + # WARNING: Use with care! cleanState: false -# -- Wait for KUBE-PROXY-CANARY iptables rule to appear in "wait-for-kube-proxy" -# init container before launching cilium-agent. -# More context can be found in the commit message of below PR -# https://github.com/cilium/cilium/pull/20123 + # -- Wait for KUBE-PROXY-CANARY iptables rule to appear in "wait-for-kube-proxy" + # init container before launching cilium-agent. + # More context can be found in the commit message of below PR + # https://github.com/cilium/cilium/pull/20123 waitForKubeProxy: false cni: @@ -512,12 +512,12 @@ spec: # inside the agent pod. hostConfDirMountPath: /host/etc/cni/net.d -# -- (string) Configure how frequently garbage collection should occur for the datapath -# connection tracking table. -# @default -- `"0s"` + # -- (string) Configure how frequently garbage collection should occur for the datapath + # connection tracking table. + # @default -- `"0s"` conntrackGCInterval: "" -# -- Configure container runtime specific integration. + # -- Configure container runtime specific integration. containerRuntime: # -- Enables specific integrations for container runtimes. # Supported values: 
@@ -530,11 +530,11 @@ spec: # -- Configure the path to the container runtime control socket. # socketPath: /path/to/runtime.sock -# -- (string) Configure timeout in which Cilium will exit if CRDs are not available -# @default -- `"5m"` + # -- (string) Configure timeout in which Cilium will exit if CRDs are not available + # @default -- `"5m"` crdWaitTimeout: "" -# -- Tail call hooks for custom eBPF programs. + # -- Tail call hooks for custom eBPF programs. customCalls: # -- Enable tail call hooks for custom eBPF programs. enabled: false 
@@ -568,38 +568,38 @@ spec: # By default, all keys may be overridden. blockedConfigOverrides: ~ -# -- Specify which network interfaces can run the eBPF datapath. This means -# that a packet sent from a pod to a destination outside the cluster will be -# masqueraded (to an output device IPv4 address), if the output device runs the -# program. When not specified, probing will automatically detect devices. -# devices: "" + # -- Specify which network interfaces can run the eBPF datapath. This means + # that a packet sent from a pod to a destination outside the cluster will be + # masqueraded (to an output device IPv4 address), if the output device runs the + # program. When not specified, probing will automatically detect devices. + # devices: "" -# -- Enables experimental support for the detection of new and removed datapath -# devices. When devices change the eBPF datapath is reloaded and services updated. -# If "devices" is set then only those devices, or devices matching a wildcard will -# be considered. + # -- Enables experimental support for the detection of new and removed datapath + # devices. When devices change the eBPF datapath is reloaded and services updated. + # If "devices" is set then only those devices, or devices matching a wildcard will + # be considered. enableRuntimeDeviceDetection: false -# -- Chains to ignore when installing feeder rules. -# disableIptablesFeederRules: "" + # -- Chains to ignore when installing feeder rules. + # disableIptablesFeederRules: "" -# -- Limit egress masquerading to interface selector. -# egressMasqueradeInterfaces: "" + # -- Limit egress masquerading to interface selector. + # egressMasqueradeInterfaces: "" -# -- Whether to enable CNP status updates. + # -- Whether to enable CNP status updates. enableCnpStatusUpdates: false -# -- Configures the use of the KVStore to optimize Kubernetes event handling by -# mirroring it into the KVstore for reduced overhead in large clusters. 
+ # -- Configures the use of the KVStore to optimize Kubernetes event handling by + # mirroring it into the KVstore for reduced overhead in large clusters. enableK8sEventHandover: false -# -- Enable setting identity mark for local traffic. -# enableIdentityMark: true + # -- Enable setting identity mark for local traffic. + # enableIdentityMark: true -# -- Enable Kubernetes EndpointSlice feature in Cilium if the cluster supports it. -# enableK8sEndpointSlice: true + # -- Enable Kubernetes EndpointSlice feature in Cilium if the cluster supports it. + # enableK8sEndpointSlice: true -# -- Enable CiliumEndpointSlice feature. + # -- Enable CiliumEndpointSlice feature. enableCiliumEndpointSlice: false ingressController: @@ -666,10 +666,10 @@ spec: # If disabled, TLS secrets must be maintained externally. sync: true -# -- Enables the fallback compatibility solution for when the xt_socket kernel -# module is missing and it is needed for the datapath L7 redirection to work -# properly. See documentation for details on when this can be disabled: -# https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. + # -- Enables the fallback compatibility solution for when the xt_socket kernel + # module is missing and it is needed for the datapath L7 redirection to work + # properly. See documentation for details on when this can be disabled: + # https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. enableXTSocketFallback: true encryption: @@ -724,8 +724,8 @@ spec: # -- Enable connectivity health checking between virtual endpoints. enabled: true -# -- Enable endpoint status. -# Status can be: policy, health, controllers, log and / or state. For 2 or more options use a space. + # -- Enable endpoint status. + # Status can be: policy, health, controllers, log and / or state. For 2 or more options use a space. endpointStatus: enabled: false status: "" 
@@ -778,20 +778,20 @@ spec: # -- Enable ExternalIPs service support. enabled: false -# fragmentTracking enables IPv4 fragment tracking support in the datapath. -# fragmentTracking: true + # fragmentTracking enables IPv4 fragment tracking support in the datapath. + # fragmentTracking: true gke: # -- Enable Google Kubernetes Engine integration enabled: false -# -- Enable connectivity health checking. + # -- Enable connectivity health checking. healthChecking: true -# -- TCP port for the agent health API. This is not the port for cilium-health. + # -- TCP port for the agent health API. This is not the port for cilium-health. healthPort: 9879 -# -- Configure the host firewall. + # -- Configure the host firewall. hostFirewall: # -- Enables the enforcement of host policies in the eBPF datapath. enabled: false @@ -800,7 +800,7 @@ spec: # -- Enable hostPort service support. enabled: false -# -- Configure socket LB + # -- Configure socket LB socketLB: # -- Enable socket LB enabled: false @@ -808,10 +808,10 @@ spec: # -- Disable socket lb for non-root ns. This is used to enable Istio routing rules. # hostNamespaceOnly: false -# -- Configure certificate generation for Hubble integration. -# If hubble.tls.auto.method=cronJob, these values are used -# for the Kubernetes CronJob which will be scheduled regularly to -# (re)generate any certificates not provided manually. + # -- Configure certificate generation for Hubble integration. + # If hubble.tls.auto.method=cronJob, these values are used + # for the Kubernetes CronJob which will be scheduled regularly to + # (re)generate any certificates not provided manually. certgen: image: override: ~ @@ -993,7 +993,7 @@ spec: override: ~ repository: "quay.io/cilium/hubble-relay" tag: "v1.13.0" - # hubble-relay-digest + # hubble-relay-digest digest: "" useDigest: false pullPolicy: "IfNotPresent" 
@@ -1312,22 +1312,22 @@ spec: # - chart-example.local -# -- Method to use for identity allocation (`crd` or `kvstore`). + # -- Method to use for identity allocation (`crd` or `kvstore`). identityAllocationMode: "crd" -# -- (string) Time to wait before using new identity on endpoint identity change. -# @default -- `"5s"` + # -- (string) Time to wait before using new identity on endpoint identity change. + # @default -- `"5s"` identityChangeGracePeriod: "" -# -- Configure whether to install iptables rules to allow for TPROXY -# (L7 proxy injection), iptables-based masquerading and compatibility -# with kube-proxy. + # -- Configure whether to install iptables rules to allow for TPROXY + # (L7 proxy injection), iptables-based masquerading and compatibility + # with kube-proxy. installIptablesRules: true -# -- Install Iptables rules to skip netfilter connection tracking on all pod -# traffic. This option is only effective when Cilium is running in direct -# routing and full KPR mode. Moreover, this option cannot be enabled when Cilium -# is running in a managed Kubernetes environment or in a chained CNI setup. + # -- Install Iptables rules to skip netfilter connection tracking on all pod + # traffic. This option is only effective when Cilium is running in direct + # routing and full KPR mode. Moreover, this option cannot be enabled when Cilium + # is running in a managed Kubernetes environment or in a chained CNI setup. installNoConntrackIptablesRules: false ipam: @@ -1345,7 +1345,7 @@ spec: # -- Deprecated in favor of ipam.operator.clusterPoolIPv6PodCIDRList. # IPv6 CIDR range to delegate to individual nodes for IPAM. clusterPoolIPv6PodCIDR: "fd00::/104" - # -- IPv6 CIDR list range to delegate to individual nodes for IPAM. + # -- IPv6 CIDR list range to delegate to individual nodes for IPAM. clusterPoolIPv6PodCIDRList: [] # -- IPv6 CIDR mask size to delegate to individual nodes for IPAM. clusterPoolIPv6MaskSize: 120 
@@ -1359,16 +1359,16 @@ spec: # @default -- `4.0` externalAPILimitQPS: ~ -# -- Configure the eBPF-based ip-masq-agent + # -- Configure the eBPF-based ip-masq-agent ipMasqAgent: enabled: false -# the config of nonMasqueradeCIDRs -# config: + # the config of nonMasqueradeCIDRs + # config: # nonMasqueradeCIDRs: [] # masqLinkLocal: false -# iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium. -# iptablesLockTimeout: "5s" + # iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium. + # iptablesLockTimeout: "5s" ipv4: # -- Enable IPv4 support. @@ -1378,7 +1378,7 @@ spec: # -- Enable IPv6 support. enabled: false -# -- Configure Kubernetes specific configuration + # -- Configure Kubernetes specific configuration k8s: {} # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR # range via the Kubernetes node resource @@ -1388,10 +1388,10 @@ spec: # range via the Kubernetes node resource # requireIPv6PodCIDR: false -# -- Keep the deprecated selector labels when deploying Cilium DaemonSet. + # -- Keep the deprecated selector labels when deploying Cilium DaemonSet. keepDeprecatedLabels: false -# -- Keep the deprecated probes when deploying Cilium DaemonSet + # -- Keep the deprecated probes when deploying Cilium DaemonSet keepDeprecatedProbes: false startupProbe: 
@@ -1411,15 +1411,15 @@ spec: # -- interval between checks of the readiness probe periodSeconds: 30 -# -- Configure the kube-proxy replacement in Cilium BPF datapath -# Valid options are "disabled", "partial", "strict". -# ref: https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free/ + # -- Configure the kube-proxy replacement in Cilium BPF datapath + # Valid options are "disabled", "partial", "strict". + # ref: https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free/ kubeProxyReplacement: "strict" -# -- healthz server bind address for the kube-proxy replacement. -# To enable set the value to '0.0.0.0:10256' for all ipv4 -# addresses and this '[::]:10256' for all ipv6 addresses. -# By default it is disabled. + # -- healthz server bind address for the kube-proxy replacement. + # To enable set the value to '0.0.0.0:10256' for all ipv4 + # addresses and this '[::]:10256' for all ipv6 addresses. + # By default it is disabled. kubeProxyReplacementHealthzBindAddr: "" l2NeighDiscovery: @@ -1428,24 +1428,24 @@ spec: # -- Override the agent's default neighbor resolution refresh period. refreshPeriod: "30s" -# -- Enable Layer 7 network policy. + # -- Enable Layer 7 network policy. l7Proxy: true -# -- Enable Local Redirect Policy. + # -- Enable Local Redirect Policy. localRedirectPolicy: false -# To include or exclude matched resources from cilium identity evaluation -# labels: "" + # To include or exclude matched resources from cilium identity evaluation + # labels: "" -# logOptions allows you to define logging options. eg: -# logOptions: -# format: json + # logOptions allows you to define logging options. eg: + # logOptions: + # format: json -# -- Enables periodic logging of system load + # -- Enables periodic logging of system load logSystemLoad: false -# -- Configure maglev consistent hashing + # -- Configure maglev consistent hashing maglev: {} # -- tableSize is the size (parameter M) for the backend table of one # service entry 
@@ -1454,17 +1454,17 @@ spec: # -- hashSeed is the cluster-wide base64 encoded seed for the hashing # hashSeed: -# -- Enables masquerading of IPv4 traffic leaving the node from endpoints. + # -- Enables masquerading of IPv4 traffic leaving the node from endpoints. enableIPv4Masquerade: true -# -- Enables IPv6 BIG TCP support which increases maximum GSO/GRO limits for nodes and pods + # -- Enables IPv6 BIG TCP support which increases maximum GSO/GRO limits for nodes and pods enableIPv6BIGTCP: false -# -- Enables masquerading of IPv6 traffic leaving the node from endpoints. + # -- Enables masquerading of IPv6 traffic leaving the node from endpoints. enableIPv6Masquerade: true -# -- Enables egress gateway to redirect and SNAT the traffic that leaves the -# cluster. + # -- Enables egress gateway to redirect and SNAT the traffic that leaves the + # cluster. egressGateway: enabled: false # -- Install egress gateway IP rules and routes in order to properly steer 
@@ -1472,49 +1472,49 @@ spec: installRoutes: false vtep: -# -- Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow -# Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel. + # -- Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow + # Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel. enabled: false -# -- A space separated list of VTEP device endpoint IPs, for example "1.1.1.1 1.1.2.1" + # -- A space separated list of VTEP device endpoint IPs, for example "1.1.1.1 1.1.2.1" endpoint: "" -# -- A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24" + # -- A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24" cidr: "" -# -- VTEP CIDRs Mask that applies to all VTEP CIDRs, for example "255.255.255.0" + # -- VTEP CIDRs Mask that applies to all VTEP CIDRs, for example "255.255.255.0" mask: "" -# -- A space separated list of VTEP device MAC addresses (VTEP MAC), for example "x:x:x:x:x:x y:y:y:y:y:y:y" + # -- A space separated list of VTEP device MAC addresses (VTEP MAC), for example "x:x:x:x:x:x y:y:y:y:y:y:y" mac: "" -# -- (string) Allows to explicitly specify the IPv4 CIDR for native routing. -# When specified, Cilium assumes networking for this CIDR is preconfigured and -# hands traffic destined for that range to the Linux network stack without -# applying any SNAT. -# Generally speaking, specifying a native routing CIDR implies that Cilium can -# depend on the underlying networking stack to route packets to their -# destination. To offer a concrete example, if Cilium is configured to use -# direct routing and the Kubernetes CIDR is included in the native routing CIDR, -# the user must configure the routes to reach pods, either manually or by -# setting the auto-direct-node-routes flag. + # -- (string) Allows to explicitly specify the IPv4 CIDR for native routing. 
+ # When specified, Cilium assumes networking for this CIDR is preconfigured and + # hands traffic destined for that range to the Linux network stack without + # applying any SNAT. + # Generally speaking, specifying a native routing CIDR implies that Cilium can + # depend on the underlying networking stack to route packets to their + # destination. To offer a concrete example, if Cilium is configured to use + # direct routing and the Kubernetes CIDR is included in the native routing CIDR, + # the user must configure the routes to reach pods, either manually or by + # setting the auto-direct-node-routes flag. ipv4NativeRoutingCIDR: "" -# -- (string) Allows to explicitly specify the IPv6 CIDR for native routing. -# When specified, Cilium assumes networking for this CIDR is preconfigured and -# hands traffic destined for that range to the Linux network stack without -# applying any SNAT. -# Generally speaking, specifying a native routing CIDR implies that Cilium can -# depend on the underlying networking stack to route packets to their -# destination. To offer a concrete example, if Cilium is configured to use -# direct routing and the Kubernetes CIDR is included in the native routing CIDR, -# the user must configure the routes to reach pods, either manually or by -# setting the auto-direct-node-routes flag. + # -- (string) Allows to explicitly specify the IPv6 CIDR for native routing. + # When specified, Cilium assumes networking for this CIDR is preconfigured and + # hands traffic destined for that range to the Linux network stack without + # applying any SNAT. + # Generally speaking, specifying a native routing CIDR implies that Cilium can + # depend on the underlying networking stack to route packets to their + # destination. 
To offer a concrete example, if Cilium is configured to use + # direct routing and the Kubernetes CIDR is included in the native routing CIDR, + # the user must configure the routes to reach pods, either manually or by + # setting the auto-direct-node-routes flag. ipv6NativeRoutingCIDR: "" -# -- cilium-monitor sidecar. + # -- cilium-monitor sidecar. monitor: # -- Enable the cilium-monitor sidecar. enabled: false -# -- Configure service load balancing + # -- Configure service load balancing loadBalancer: # -- standalone enables the standalone L4LB which does not connect to # kube-apiserver. @@ -1561,7 +1561,7 @@ spec: # Applicable values: round_robin, least_request, random algorithm: round_robin -# -- Configure N-S k8s service loadbalancing + # -- Configure N-S k8s service loadbalancing nodePort: # -- Enable the Cilium NodePort service implementation. enabled: false @@ -1579,11 +1579,11 @@ spec: # -- Enable healthcheck nodePort server for NodePort services enableHealthCheck: true -# policyAuditMode: false + # policyAuditMode: false -# -- The agent can be put into one of the three policy enforcement modes: -# default, always and never. -# ref: https://docs.cilium.io/en/stable/policy/intro/#policy-enforcement-modes + # -- The agent can be put into one of the three policy enforcement modes: + # default, always and never. + # ref: https://docs.cilium.io/en/stable/policy/intro/#policy-enforcement-modes policyEnforcementMode: "default" pprof: @@ -1594,7 +1594,7 @@ spec: # -- Configure pprof listen port for cilium-agent port: 6060 -# -- Configure prometheus metrics on the configured port at /metrics + # -- Configure prometheus metrics on the configured port at /metrics prometheus: enabled: false port: 9962 @@ -1625,7 +1625,7 @@ spec: # ref: https://docs.cilium.io/en/stable/operations/metrics/#exported-metrics metrics: ~ -# -- Configure Istio proxy options. + # -- Configure Istio proxy options. proxy: prometheus: enabled: true 
@@ -1634,11 +1634,11 @@ spec: # container image names sidecarImageRegex: "cilium/istio_proxy" -# -- Enable use of the remote node identity. -# ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity + # -- Enable use of the remote node identity. + # ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity remoteNodeIdentity: true -# -- Enable resource quotas for priority classes used in the cluster. + # -- Enable resource quotas for priority classes used in the cluster. resourceQuotas: enabled: false cilium: @@ -1650,27 +1650,27 @@ spec: # 15 "clusterwide" Cilium Operator pods for HA pods: "15" -# Need to document default -################## -#sessionAffinity: false + # Need to document default + ################## + #sessionAffinity: false -# -- Do not run Cilium agent when running with clean mode. Useful to completely -# uninstall Cilium as it will stop Cilium from starting and create artifacts -# in the node. + # -- Do not run Cilium agent when running with clean mode. Useful to completely + # uninstall Cilium as it will stop Cilium from starting and create artifacts + # in the node. sleepAfterInit: false -# -- Configure BPF socket operations configuration + # -- Configure BPF socket operations configuration sockops: # enabled enables installation of socket options acceleration. enabled: false -# -- Enable check of service source ranges (currently, only for LoadBalancer). + # -- Enable check of service source ranges (currently, only for LoadBalancer). svcSourceRangeCheck: true -# -- Synchronize Kubernetes nodes to kvstore and perform CNP GC. + # -- Synchronize Kubernetes nodes to kvstore and perform CNP GC. synchronizeK8sNodes: true -# -- Configure TLS configuration in the agent. + # -- Configure TLS configuration in the agent. tls: # -- This configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies # (namely the secrets referenced by terminatingTLS and originatingTLS). 
@@ -1693,21 +1693,21 @@ spec: # -- Generated certificates validity duration in days. This will be used for auto generated CA. certValidityDuration: 1095 -# -- Configure the encapsulation configuration for communication between nodes. -# Possible values: -# - disabled -# - vxlan (default) -# - geneve + # -- Configure the encapsulation configuration for communication between nodes. + # Possible values: + # - disabled + # - vxlan (default) + # - geneve tunnel: "vxlan" -# -- Configure VXLAN and Geneve tunnel port. -# @default -- Port 8472 for VXLAN, Port 6081 for Geneve + # -- Configure VXLAN and Geneve tunnel port. + # @default -- Port 8472 for VXLAN, Port 6081 for Geneve tunnelPort: 0 -# -- Configure the underlying network MTU to overwrite auto-detected MTU. + # -- Configure the underlying network MTU to overwrite auto-detected MTU. MTU: 0 -# -- Disable the usage of CiliumEndpoint CRD. + # -- Disable the usage of CiliumEndpoint CRD. disableEndpointCRD: "false" wellKnownIdentities: 
@@ -2164,16 +2164,16 @@ spec: # cluster with the right schema. validateCNPs: true -# -- Explicitly enable or disable priority class. -# .Capabilities.KubeVersion is unsettable in `helm template` calls, -# it depends on k8s libraries version that Helm was compiled against. -# This option allows to explicitly disable setting the priority class, which -# is useful for rendering charts for gke clusters in advance. + # -- Explicitly enable or disable priority class. + # .Capabilities.KubeVersion is unsettable in `helm template` calls, + # it depends on k8s libraries version that Helm was compiled against. + # This option allows to explicitly disable setting the priority class, which + # is useful for rendering charts for gke clusters in advance. enableCriticalPriorityClass: true -# disableEnvoyVersionCheck removes the check for Envoy, which can be useful -# on AArch64 as the images do not currently ship a version of Envoy. -#disableEnvoyVersionCheck: false + # disableEnvoyVersionCheck removes the check for Envoy, which can be useful + # on AArch64 as the images do not currently ship a version of Envoy. + #disableEnvoyVersionCheck: false clustermesh: # -- Deploy clustermesh-apiserver for clustermesh @@ -2404,12 +2404,12 @@ spec: cert: "" key: "" -# -- Configure external workloads support + # -- Configure external workloads support externalWorkloads: # -- Enable support for external workloads, such as VMs (false by default). enabled: false -# -- Configure cgroup related configuration + # -- Configure cgroup related configuration cgroup: autoMount: # -- Enable auto mount of cgroup2 filesystem. 
@@ -2430,15 +2430,15 @@ spec: # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`) hostRoot: /run/cilium/cgroupv2 -# -- Configure whether to enable auto detect of terminating state for endpoints -# in order to support graceful termination. + # -- Configure whether to enable auto detect of terminating state for endpoints + # in order to support graceful termination. enableK8sTerminatingEndpoint: true -# -- Configure whether to unload DNS policy rules on graceful shutdown -# dnsPolicyUnloadOnShutdown: false + # -- Configure whether to unload DNS policy rules on graceful shutdown + # dnsPolicyUnloadOnShutdown: false -# -- Configure the key of the taint indicating that Cilium is not ready on the node. -# When set to a value starting with `ignore-taint.cluster-autoscaler.kubernetes.io/`, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up. + # -- Configure the key of the taint indicating that Cilium is not ready on the node. + # When set to a value starting with `ignore-taint.cluster-autoscaler.kubernetes.io/`, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up. agentNotReadyTaintKey: "node.cilium.io/agent-not-ready" dnsProxy: @@ -2461,7 +2461,7 @@ spec: # -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. proxyResponseMaxDelay: 100ms -# -- SCTP Configuration Values + # -- SCTP Configuration Values sctp: # -- Enable SCTP support. NOTE: Currently, SCTP support does not support rewriting ports or multihoming. enabled: false From eacb30712e07b8c9f209a158c70f4fc0bf3e22d2 Mon Sep 17 00:00:00 2001 
From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sun, 24 Mar 2024 20:56:24 +1100 Subject: [PATCH 21/28] fix labels on cluster-01 --- clusters/cluster-mgmt/cluster-01/capi-cluster.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/cluster-mgmt/cluster-01/capi-cluster.yaml b/clusters/cluster-mgmt/cluster-01/capi-cluster.yaml index e901a96..e77e7ec 100644 --- a/clusters/cluster-mgmt/cluster-01/capi-cluster.yaml +++ b/clusters/cluster-mgmt/cluster-01/capi-cluster.yaml @@ -7,7 +7,7 @@ metadata: labels: cluster.x-k8s.io/cluster-name: "cluster-01" cilium-mesh: "main" - cilium-mesh-index: 1 + cilium-mesh-index: "1" spec: clusterNetwork: pods: From 1e761bb9f3d621fe84f2cfaf0f4fa58c2c8353ec Mon Sep 17 00:00:00 2001 From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Tue, 26 Mar 2024 18:33:28 +1100 Subject: [PATCH 22/28] move cluster-01,02 to cilium version 1.15.2 --- .../caaph-cni/caaph-hcp-v1.15.2.yaml | 1438 ++++++++++++++--- .../caaph-cni/caaph-hcp-v1.15.2.yaml | 9 +- 2 files changed, 1257 insertions(+), 190 deletions(-) diff --git a/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml b/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml index 2effd0d..f39e710 100644 --- a/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml +++ b/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml @@ -1,7 +1,7 @@ apiVersion: addons.cluster.x-k8s.io/v1alpha1 kind: HelmChartProxy metadata: - name: cilium-no-mesh + name: cilium-cluster-mesh # for now mesh is not enabled, but it is WIP spec: clusterSelector: matchLabels: 
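Review bot: Renaming the HelmChartProxy `metadata.name` from cilium-no-mesh to cilium-cluster-mesh in the `@@ -1,7 +1,7 @@` hunk is a replace rather than an update: the controller will see a brand-new HelmChartProxy, and once the old object is pruned its HelmReleaseProxy goes with it, which presumably uninstalls the release it owned. Because this proxy installs the CNI, that can leave the workload cluster without Cilium until the new release is up; it is worth checking that `releaseName` stays stable so the new proxy adopts the existing release, or recording the expected disruption in the trailing comment. That comment already says mesh is still WIP, so the new name describes an intended state rather than what this file configures today.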
@@ -9,18 +9,17 @@ spec: repoURL: https://helm.cilium.io/ chartName: cilium namespace: cilium - version: "1.13.0" + version: "1.15.2" valuesTemplate: | - # hostServices: - exists in 1.12 and not in 1.13 ? - - # Copied and adjusted from: https://github.com/cilium/cilium/blob/v1.13.0/install/kubernetes/cilium/values.yaml + # Copied and adjusted from: https://github.com/cilium/cilium/blob/v1.15.2/install/kubernetes/cilium/values.yaml # File generated by install/kubernetes/Makefile; DO NOT EDIT. - # This file is based on install/kubernetes/cilium/values.yaml.tmpl. + # This file is based on install/kubernetes/cilium/*values.yaml.tmpl. + # upgradeCompatibility helps users upgrading to ensure that the configMap for # Cilium will not change critical values to ensure continued operation - # This is flag is not required for new installations. + # This flag is not required for new installations. # For example: 1.7, 1.8, 1.9 # upgradeCompatibility: '1.8' @@ -31,6 +30,7 @@ spec: # This option is used to enable debug messages for operations related to such # sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is # for enabling debug messages emitted per request, message and connection. + # Multiple values can be set via a space-separated string (e.g. "datapath envoy"). # # Applicable values: # - flow 
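Review bot: The chart `version` jumps from 1.13.0 to 1.15.2 in the `@@ -9,18 +9,17 @@` hunk while `# upgradeCompatibility: '1.8'` stays commented out, so an in-place upgrade of an existing release picks up every 1.14 and 1.15 default change at once. The hunk's own comment explains that this key keeps critical ConfigMap values stable across an upgrade; for a cluster that already runs 1.13 set `upgradeCompatibility: '1.13'` here, and leave it unset only for a fresh install as the comment says. Cilium's documented upgrade path is one minor version at a time, so if cluster-01 is being upgraded rather than recreated the jump should be staged through 1.14 instead of applied directly.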
@@ -53,17 +53,30 @@ spec: kubeConfigPath: "" # -- (string) Kubernetes service host k8sServiceHost: {{ .Cluster.spec.controlPlaneEndpoint.host }} - # -- (string) Kubernetes service port k8sServicePort: {{ .Cluster.spec.controlPlaneEndpoint.port }} + # -- Configure the client side rate limit for the agent and operator + # + # If the amount of requests to the Kubernetes API server exceeds the configured + # rate limit, the agent and operator will start to throttle requests by delaying + # them until there is budget or the request times out. + k8sClientRateLimit: + # -- (int) The sustained request rate in requests per second. + # @default -- 5 for k8s up to 1.26. 10 for k8s version 1.27+ + qps: + # -- (int) The burst request rate in requests per second. + # The rate limiter will allow short bursts with a higher rate. + # @default -- 10 for k8s up to 1.26. 20 for k8s version 1.27+ + burst: + cluster: - # -- Name of the cluster. Only required for Cluster Mesh. - name: default + # -- Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. + name: {{ .ControlPlane.metadata.name }} # -- (int) Unique ID of the cluster. Must be unique across all connected # clusters and in the range of 1 to 255. Only required for Cluster Mesh, # may be 0 if Cluster Mesh is not used. - id: 0 + id: 1 # -- Define serviceAccount names for components. # @default -- Component's fully qualified name. 
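Review bot: `id: 1` in the `@@ -53,17 +53,30 @@` hunk is a hard-coded Cluster Mesh id next to a `name` that is templated from `{{ .ControlPlane.metadata.name }}`, so this valuesTemplate cannot be shared verbatim by cluster-02 (the diffstat lists a second copy of the file), and two clusters carrying id 1 would collide as soon as mesh is enabled. The cluster-01 Cluster object already gets a `cilium-mesh-index: "1"` label in the previous commit; deriving the id from it, e.g. `id: {{ index .Cluster.metadata.labels "cilium-mesh-index" }}`, keeps both files identical and makes the 1–255 uniqueness a property of the label rather than of each copy. It is also worth confirming that `.ControlPlane.metadata.name` yields the name you want advertised to mesh peers rather than the control-plane resource name.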
@@ -71,40 +84,65 @@ spec: cilium: create: true name: cilium + automount: true + annotations: {} + nodeinit: + create: true + # -- Enabled is temporary until https://github.com/cilium/cilium-cli/issues/1396 is implemented. + # Cilium CLI doesn't create the SAs for node-init, thus the workaround. Helm is not affected by + # this issue. Name and automount can be configured, if enabled is set to true. + # Otherwise, they are ignored. Enabled can be removed once the issue is fixed. + # Cilium-nodeinit DS must also be fixed. + enabled: false + name: cilium-nodeinit + automount: true + annotations: {} + envoy: + create: true + name: cilium-envoy + automount: true annotations: {} etcd: create: true name: cilium-etcd-operator + automount: true annotations: {} operator: create: true name: cilium-operator + automount: true annotations: {} preflight: create: true name: cilium-pre-flight + automount: true annotations: {} relay: create: true name: hubble-relay + automount: false annotations: {} ui: create: true name: hubble-ui + automount: true annotations: {} clustermeshApiserver: create: true name: clustermesh-apiserver + automount: true annotations: {} # -- Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob clustermeshcertgen: create: true name: clustermesh-apiserver-generate-certs + automount: true annotations: {} # -- Hubblecertgen is used if hubble.tls.auto.method=cronJob hubblecertgen: create: true name: hubble-generate-certs + automount: true annotations: {} # -- Configure termination grace period for cilium-agent DaemonSet. @@ -119,11 +157,11 @@ spec: # -- Roll out cilium agent pods automatically when configmap is updated. rollOutCiliumPods: false - # -- Agent container image + # -- Agent container image. image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.13.0" + tag: "v1.15.2" pullPolicy: "IfNotPresent" # cilium-digest digest: "" 
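Review bot: The agent image in the `@@ -119,11 +157,11 @@` hunk moves to `tag: "v1.15.2"` but keeps `digest: ""`, so the agent is pulled by a mutable tag, whereas the certgen and hubble-ui images elsewhere in this commit get a digest and `useDigest: true`. The CNI is the highest-privilege workload on every node, so the same pinning belongs here: set `digest: "sha256:<digest of quay.io/cilium/cilium:v1.15.2 — placeholder>"` and `useDigest: true`, taking the value from the registry or the upstream 1.15.2 values file rather than typing it in. The `automount: true` additions in the first hunk mirror upstream defaults and need no change.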
@@ -143,7 +181,7 @@ spec: kubernetes.io/os: linux # -- Node tolerations for agent scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: - operator: Exists # - key: "key" @@ -191,6 +229,12 @@ spec: # test 2 # test 3 + # -- Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent) + annotations: {} + + # -- Security Context for cilium-agent pods. + podSecurityContext: {} + # -- Annotations to be added to agent pods podAnnotations: {} @@ -198,7 +242,7 @@ spec: podLabels: {} # -- Agent resource limits & requests - # ref: https://kubernetes.io/docs/user-guide/compute-resources/ + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} # limits: # cpu: 4000m @@ -207,6 +251,9 @@ spec: # cpu: 100m # memory: 512Mi + # -- resources & limits for the agent init containers + initResources: {} + securityContext: # -- User to run the pod with # runAsUser: 0 
@@ -341,6 +388,31 @@ spec: # -- Enable RFC8215-prefixed translation enabled: false + # -- EnableHighScaleIPcache enables the special ipcache mode for high scale + # clusters. The ipcache content will be reduced to the strict minimum and + # traffic will be encapsulated to carry security identities. + highScaleIPcache: + # -- Enable the high scale mode for the ipcache. + enabled: false + + # -- Configure L2 announcements + l2announcements: + # -- Enable L2 announcements + enabled: false + # -- If a lease is not renewed for X duration, the current leader is considered dead, a new leader is picked + # leaseDuration: 15s + # -- The interval at which the leader will renew the lease + # leaseRenewDeadline: 5s + # -- The timeout between retries if renewal fails + # leaseRetryPeriod: 2s + + # -- Configure L2 pod announcements + l2podAnnouncements: + # -- Enable L2 pod announcements + enabled: false + # -- Interface used for sending Gratuitous ARP pod announcements + interface: "eth0" + # -- Configure BGP bgp: # -- Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside @@ -357,6 +429,12 @@ spec: bgpControlPlane: # -- Enables the BGP control plane. enabled: false + # -- SecretsNamespace is the namespace which BGP support will retrieve secrets from. + secretsNamespace: + # -- Create secrets namespace for BGP secrets. + create: false + # -- The name of the secret namespace to which Cilium agents are given read access + name: kube-system pmtuDiscovery: # -- Enable path MTU discovery to send ICMP fragmentation-needed replies to 
@@ -364,16 +442,25 @@ spec: enabled: false bpf: + autoMount: + # -- Enable automatic mount of BPF filesystem + # When `autoMount` is enabled, the BPF filesystem is mounted at + # `bpf.root` path on the underlying host and inside the cilium agent pod. + # If users disable `autoMount`, it's expected that users have mounted + # bpffs filesystem at the specified `bpf.root` volume, and then the + # volume will be mounted inside the cilium agent pod at the same path. + enabled: true # -- Configure the mount point for the BPF filesystem root: /sys/fs/bpf - # -- Enable BPF clock source probing for more efficient tick retrieval. - clockProbe: false - # -- Enables pre-allocation of eBPF map values. This increases # memory usage but can reduce latency. preallocateMaps: false + # -- (int) Configure the maximum number of entries in auth map. + # @default -- `524288` + authMapMax: ~ + # -- (int) Configure the maximum number of entries in the TCP connection tracking # table. # @default -- `524288` @@ -400,7 +487,7 @@ spec: policyMapMax: 16384 # -- (float64) Configure auto-sizing for all BPF maps based on available memory. - # ref: https://docs.cilium.io/en/stable/concepts/ebpf/maps/#ebpf-maps + # ref: https://docs.cilium.io/en/stable/network/ebpf/maps/ # @default -- `0.0025` mapDynamicSizeRatio: ~ @@ -440,6 +527,9 @@ spec: # @default -- `[]` vlanBypass: ~ + # -- Enable BPF clock source probing for more efficient tick retrieval. + bpfClockProbe: false + # -- Clean all eBPF datapath state from the initContainer of the cilium-agent # DaemonSet. # 
@@ -462,13 +552,26 @@ spec: # -- Install the CNI configuration and binary files into the filesystem. install: true + # -- Remove the CNI configuration and binary files on agent shutdown. Enable this + # if you're removing Cilium from the cluster. Disable this to prevent the CNI + # configuration file from being removed during agent upgrade, which can cause + # nodes to go unmanageable. + uninstall: false + # -- Configure chaining on top of other CNI plugins. Possible values: # - none # - aws-cni # - flannel # - generic-veth # - portmap - chainingMode: none + chainingMode: ~ + + # -- A CNI network name in to which the Cilium plugin should be added as a chained plugin. + # This will cause the agent to watch for a CNI network with this network name. When it is + # found, this will be used as the basis for Cilium's CNI configuration file. If this is + # set, it assumes a chaining mode of generic-veth. As a special case, a chaining mode + # of aws-cni implies a chainingTarget of aws-cni. + chainingTarget: ~ # -- Make Cilium take ownership over the `/etc/cni/net.d` directory on the # node, renaming all non-Cilium CNI configurations to `*.cilium_bak`. @@ -493,8 +596,9 @@ spec: # -- Specify the path to a CNI config to read from on agent start. # This can be useful if you want to manage your CNI # configuration outside of a Kubernetes environment. This parameter is - # mutually exclusive with the 'cni.configMap' parameter. - # readCniConf: /host/etc/cni/net.d/05-cilium.conf + # mutually exclusive with the 'cni.configMap' parameter. The agent will + # write this to 05-cilium.conflist on startup. + # readCniConf: /host/etc/cni/net.d/05-sample.conflist.input # -- When defined, configMap will mount the provided value as ConfigMap and # interpret the cniConf variable as CNI configuration file and write it 
@@ -512,23 +616,31 @@ spec: # inside the agent pod. hostConfDirMountPath: /host/etc/cni/net.d + # -- Specifies the resources for the cni initContainer + resources: + requests: + cpu: 100m + memory: 10Mi + # -- (string) Configure how frequently garbage collection should occur for the datapath # connection tracking table. # @default -- `"0s"` conntrackGCInterval: "" + # -- (string) Configure the maximum frequency for the garbage collection of the + # connection tracking table. Only affects the automatic computation for the frequency + # and has no effect when 'conntrackGCInterval' is set. This can be set to more frequently + # clean up unused identities created from ToFQDN policies. + conntrackGCMaxInterval: "" + # -- Configure container runtime specific integration. + # Deprecated in favor of bpf.autoMount.enabled. To be removed in 1.15. containerRuntime: # -- Enables specific integrations for container runtimes. # Supported values: - # - containerd # - crio - # - docker # - none - # - auto (automatically detect the container runtime) integration: none - # -- Configure the path to the container runtime control socket. - # socketPath: /path/to/runtime.sock # -- (string) Configure timeout in which Cilium will exit if CRDs are not available # @default -- `"5m"` @@ -571,7 +683,8 @@ spec: # -- Specify which network interfaces can run the eBPF datapath. This means # that a packet sent from a pod to a destination outside the cluster will be # masqueraded (to an output device IPv4 address), if the output device runs the - # program. When not specified, probing will automatically detect devices. + # program. When not specified, probing will automatically detect devices that have + # a non-local route. This should be used only when autodetection is not suitable. # devices: "" # -- Enables experimental support for the detection of new and removed datapath 
@@ -583,16 +696,9 @@ spec: # -- Chains to ignore when installing feeder rules. # disableIptablesFeederRules: "" - # -- Limit egress masquerading to interface selector. + # -- Limit iptables-based egress masquerading to interface selector. # egressMasqueradeInterfaces: "" - # -- Whether to enable CNP status updates. - enableCnpStatusUpdates: false - - # -- Configures the use of the KVStore to optimize Kubernetes event handling by - # mirroring it into the KVstore for reduced overhead in large clusters. - enableK8sEventHandover: false - # -- Enable setting identity mark for local traffic. # enableIdentityMark: true @@ -602,11 +708,28 @@ spec: # -- Enable CiliumEndpointSlice feature. enableCiliumEndpointSlice: false + envoyConfig: + # -- Enable CiliumEnvoyConfig CRD + # CiliumEnvoyConfig CRD can also be implicitly enabled by other options. + enabled: false + + # -- SecretsNamespace is the namespace in which envoy SDS will retrieve secrets from. + secretsNamespace: + # -- Create secrets namespace for CiliumEnvoyConfig CRDs. + create: true + + # -- The name of the secret namespace to which Cilium agents are given read access. + name: cilium-secrets + ingressController: # -- Enable cilium ingress controller # This will automatically set enable-envoy-config as well. enabled: false + # -- Set cilium ingress controller to be the default ingress controller + # This will let cilium ingress controller route entries without ingress class set + default: false + # -- Default ingress load balancer mode # Supported values: shared, dedicated # For granular control, use the following annotations on the ingress resource 
@@ -617,10 +740,18 @@ spec: # Incoming traffic to http listener will return 308 http error code with respective location in header. enforceHttps: true - # -- IngressLBAnnotations are the annotation prefixes, which are used to filter annotations to propagate - # from Ingress to the Load Balancer service + # -- Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled. + enableProxyProtocol: false + + # -- IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service ingressLBAnnotationPrefixes: ['service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com'] + # -- Default secret namespace for ingresses without .spec.tls[].secretName set. + defaultSecretNamespace: + + # -- Default secret name for ingresses without .spec.tls[].secretName set. + defaultSecretName: + # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. secretsNamespace: # -- Create secrets namespace for Ingress. @@ -648,6 +779,13 @@ spec: insecureNodePort: ~ # -- Configure a specific nodePort for secure HTTPS traffic on the shared LB service secureNodePort : ~ + # -- Configure a specific loadBalancerClass on the shared LB service (requires Kubernetes 1.24+) + loadBalancerClass: ~ + # -- Configure a specific loadBalancerIP on the shared LB service + loadBalancerIP : ~ + # -- Configure if node port allocation is required for LB service + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + allocateLoadBalancerNodePorts: ~ gatewayAPI: # -- Enable support for Gateway API in cilium 
@@ -680,9 +818,21 @@ spec: type: ipsec # -- Enable encryption for pure node to node traffic. - # This option is only effective when encryption.type is set to ipsec. + # This option is only effective when encryption.type is set to "wireguard". nodeEncryption: false + # -- Configure the WireGuard Pod2Pod strict mode. + strictMode: + # -- Enable WireGuard Pod2Pod strict mode. + enabled: false + + # -- CIDR for the WireGuard Pod2Pod strict mode. + cidr: "" + + # -- Allow dynamic lookup of remote node identities. + # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. + allowRemoteNodeIdentities: false + ipsec: # -- Name of the key file inside the Kubernetes secret configured via secretName. keyFile: "" 
@@ -696,26 +846,36 @@ spec: # -- The interface to use for encrypted traffic. interface: "" + # -- Enable the key watcher. If disabled, a restart of the agent will be + # necessary on key rotations. + keyWatcher: true + + # -- Maximum duration of the IPsec key rotation. The previous key will be + # removed after that delay. + keyRotationDuration: "5m" + wireguard: # -- Enables the fallback to the user-space implementation. userspaceFallback: false + # -- Controls Wireguard PersistentKeepalive option. Set 0s to disable. + persistentKeepalive: 0s - # -- Deprecated in favor of encryption.ipsec.keyFile. + # -- Deprecated in favor of encryption.ipsec.keyFile. To be removed in 1.15. # Name of the key file inside the Kubernetes secret configured via secretName. # This option is only effective when encryption.type is set to ipsec. keyFile: keys - # -- Deprecated in favor of encryption.ipsec.mountPath. + # -- Deprecated in favor of encryption.ipsec.mountPath. To be removed in 1.15. # Path to mount the secret inside the Cilium pod. # This option is only effective when encryption.type is set to ipsec. mountPath: /etc/ipsec - # -- Deprecated in favor of encryption.ipsec.secretName. + # -- Deprecated in favor of encryption.ipsec.secretName. To be removed in 1.15. # Name of the Kubernetes secret containing the encryption keys. # This option is only effective when encryption.type is set to ipsec. secretName: cilium-ipsec-keys - # -- Deprecated in favor of encryption.ipsec.interface. + # -- Deprecated in favor of encryption.ipsec.interface. To be removed in 1.15. # The interface to use for encrypted traffic. # This option is only effective when encryption.type is set to ipsec. interface: "" 
@@ -735,11 +895,15 @@ spec: # the cilium_host interface. enabled: false + k8sNetworkPolicy: + # -- Enable support for K8s NetworkPolicy + enabled: true + eni: # -- Enable Elastic Network Interface (ENI) integration. enabled: false # -- Update ENI Adapter limits from the EC2 API - updateEC2AdapterLimitViaAPI: false + updateEC2AdapterLimitViaAPI: true # -- Release IPs not used from the ENI awsReleaseExcessIPs: false # -- Enable ENI prefix delegation @@ -816,20 +980,38 @@ spec: image: override: ~ repository: "quay.io/cilium/certgen" - tag: "v0.1.8@sha256:4a456552a5f192992a6edcec2febb1c54870d665173a33dc7d876129b199ddbd" + tag: "v0.1.9" + digest: "sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f" + useDigest: true pullPolicy: "IfNotPresent" # -- Seconds after which the completed job pod will be deleted ttlSecondsAfterFinished: 1800 # -- Labels to be added to hubble-certgen pods podLabels: {} + # -- Annotations to be added to the hubble-certgen initial Job and CronJob + annotations: + job: {} + cronJob: {} # -- Node tolerations for pod assignment on nodes with taints - # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: [] + # -- Additional certgen volumes. + extraVolumes: [] + + # -- Additional certgen volumeMounts. + extraVolumeMounts: [] + + # -- Affinity for certgen + affinity: {} + hubble: # -- Enable Hubble (true by default). enabled: true + # -- Annotations to be added to all top-level hubble objects (resources under templates/hubble) + annotations: {} + # -- Buffer size of the channel Hubble uses to receive monitor events. If this # value is not set, the queue size is set to the default monitor queue size. # eventQueueSize: "" 
@@ -841,7 +1023,7 @@ spec: # eventBufferCapacity: "4095" # -- Hubble metrics configuration. - # See https://docs.cilium.io/en/stable/operations/metrics/#hubble-metrics + # See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics # for more comprehensive documentation about Hubble metrics. metrics: # -- Configures the list of metrics to collect. If empty or null, metrics @@ -858,7 +1040,7 @@ spec: # # You can specify the list of metrics from the helm CLI: # - # --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" + # --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" # enabled: ~ # -- Enables exporting hubble metrics in OpenMetrics format. @@ -870,12 +1052,14 @@ spec: serviceMonitor: # -- Create ServiceMonitor resources for Prometheus Operator. # This requires the prometheus CRDs to be available. - # ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) enabled: false # -- Labels to add to ServiceMonitor hubble labels: {} # -- Annotations to add to ServiceMonitor hubble annotations: {} + # -- jobLabel to add for ServiceMonitor hubble + jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Relabeling configs for the ServiceMonitor hubble @@ -886,6 +1070,9 @@ spec: replacement: ${1} # -- Metrics relabeling configs for the ServiceMonitor hubble metricRelabelings: ~ + # -- Grafana dashboards for hubble + # grafana can import dashboards based on the label and value + # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards dashboards: enabled: false label: grafana_dashboard 
@@ -896,6 +1083,81 @@ spec: # -- Unix domain socket path to listen to when Hubble is enabled. socketPath: /var/run/cilium/hubble.sock + # -- Enables redacting sensitive information present in Layer 7 flows. + redact: + enabled: false + http: + # -- Enables redacting URL query (GET) parameters. + # Example: + # + # redact: + # enabled: true + # http: + # urlQuery: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.urlQuery="true" + urlQuery: false + # -- Enables redacting user info, e.g., password when basic auth is used. + # Example: + # + # redact: + # enabled: true + # http: + # userInfo: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.userInfo="true" + userInfo: true + headers: + # -- List of HTTP headers to allow: headers not matching will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. + # Example: + # redact: + # enabled: true + # http: + # headers: + # allow: + # - traceparent + # - tracestate + # - Cache-Control + # + # You can specify the options from the helm CLI: + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control" + allow: [] + # -- List of HTTP headers to deny: matching headers will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. + # Example: + # redact: + # enabled: true + # http: + # headers: + # deny: + # - Authorization + # - Proxy-Authorization + # + # You can specify the options from the helm CLI: + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization" + deny: [] + kafka: + # -- Enables redacting Kafka's API key. 
+ # Example: + # + # redact: + # enabled: true + # kafka: + # apiKey: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.kafka.apiKey="true" + apiKey: false + # -- An additional address for Hubble to listen to. # Set this field ":4244" if you are enabling Hubble Relay, as it assumes that # Hubble is listening on port 4244. @@ -907,10 +1169,6 @@ spec: skipUnknownCGroupIDs: ~ peerService: - # -- Enable a K8s Service for the Peer service, so that it can be accessed - # by a non-local client. This configuration option is deprecated, the peer - # service will be non-optional starting Cilium v1.14. - enabled: true # -- Service Port for the Peer service. # If not set, it is dynamically assigned to port 443 if TLS is enabled and to # port 80 if not. @@ -950,7 +1208,7 @@ spec: # installation time. # # Defaults to midnight of the first day of every fourth month. For syntax, see - # https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule + # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax schedule: "0 0 1 */4 *" # [Example] @@ -959,19 +1217,8 @@ spec: # kind: ClusterIssuer # name: ca-issuer # -- certmanager issuer used when hubble.tls.auto.method=certmanager. - # If not specified, a CA issuer will be created. certManagerIssuerRef: {} - # -- Deprecated in favor of tls.ca. To be removed in 1.13. - # base64 encoded PEM values for the Hubble CA certificate and private key. - ca: - # -- Deprecated in favor of tls.ca.cert. To be removed in 1.13. - cert: "" - # -- Deprecated in favor of tls.ca.key. To be removed in 1.13. - # The CA private key (optional). If it is provided, then it will be - # used by hubble.tls.auto.method=cronJob to generate all other certificates. - # Otherwise, a ephemeral CA is generated if hubble.tls.auto.enabled=true. - key: "" # -- base64 encoded PEM values for the Hubble server certificate and private key server: cert: "" 
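Review bot: The new `redact` block in the hunk opened by `@@ -896,6 +1083,81 @@` keeps `enabled: false` with empty `headers.allow` and `headers.deny` lists, so once any L7 HTTP visibility policy is applied, Hubble flows (and any export or UI backed by them) will carry full URL query strings and request headers, including credentials such as `Authorization`. The hunk's own examples show the minimal safe setting; for a cluster that may enable L7 visibility later it is worth turning on now, e.g. `redact: {enabled: true, http: {urlQuery: true, headers: {deny: [Authorization, Proxy-Authorization]}}}`, since nothing else in the file depends on the redacted fields. The `userInfo: true` value appears to take effect only once `enabled` is true, so as written it changes nothing.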
@@ -992,7 +1239,7 @@ spec: image: override: ~ repository: "quay.io/cilium/hubble-relay" - tag: "v1.13.0" + tag: "v1.15.2" # hubble-relay-digest digest: "" useDigest: false @@ -1020,18 +1267,20 @@ spec: # whenUnsatisfiable: DoNotSchedule # -- Node labels for pod assignment - # ref: https://kubernetes.io/docs/user-guide/node-selection/ + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector nodeSelector: kubernetes.io/os: linux # -- Node tolerations for pod assignment on nodes with taints - # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - # + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: [] # -- Additional hubble-relay environment variables. extraEnv: [] + # -- Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay) + annotations: {} + # -- Annotations to be added to hubble-relay pods podAnnotations: {} @@ -1061,8 +1310,25 @@ spec: rollingUpdate: maxUnavailable: 1 - # -- hubble-relay security context - securityContext: {} + # -- Additional hubble-relay volumes. + extraVolumes: [] + + # -- Additional hubble-relay volumeMounts. + extraVolumeMounts: [] + + # -- hubble-relay pod security context + podSecurityContext: + fsGroup: 65532 + + # -- hubble-relay container security context + securityContext: + # readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + capabilities: + drop: + - ALL # -- hubble-relay service configuration. service: 
@@ -1091,6 +1357,10 @@ spec: # When set to true, enable TLS on for Hubble Relay server # (ie: for clients connecting to the Hubble Relay API). enabled: false + # When set to true enforces mutual TLS between Hubble Relay server and its clients. + # False allow non-mutual TLS connections. + # This option has no effect when TLS is disabled. + mtls: false # These values need to be set manually if hubble.tls.auto.enabled is false. cert: "" key: "" @@ -1098,6 +1368,12 @@ spec: extraDnsNames: [] # -- extra IP addresses added to certificate when its auto gen extraIpAddresses: [] + # DNS name used by the backend to connect to the relay + # This is a simple workaround as the relay certificates are currently hardcoded to + # *.hubble-relay.cilium.io + # See https://github.com/cilium/cilium/pull/28709#discussion_r1371792546 + # For GKE Dataplane V2 this should be set to relay.kube-system.svc.cluster.local + relayName: "ui.hubble-relay.cilium.io" # -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). dialTimeout: ~ @@ -1125,7 +1401,7 @@ spec: port: 9966 serviceMonitor: # -- Enable service monitors. - # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) enabled: false # -- Labels to add to ServiceMonitor hubble-relay labels: {} @@ -1141,6 +1417,12 @@ spec: # -- Metrics relabeling configs for the ServiceMonitor hubble-relay metricRelabelings: ~ + gops: + # -- Enable gops for hubble-relay + enabled: true + # -- Configure gops listen port for hubble-relay + port: 9893 + pprof: # -- Enable pprof for hubble-relay enabled: false 
@@ -1194,12 +1476,31 @@ spec: image: override: ~ repository: "quay.io/cilium/hubble-ui-backend" - tag: "v0.10.0@sha256:cc5e2730b3be6f117b22176e25875f2308834ced7c3aa34fb598aa87a2c0a6a4" + tag: "v0.13.0" + digest: "sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803" + useDigest: true pullPolicy: "IfNotPresent" + # -- Hubble-ui backend security context. + securityContext: {} + # -- Additional hubble-ui backend environment variables. extraEnv: [] + # -- Additional hubble-ui backend volumes. + extraVolumes: [] + + # -- Additional hubble-ui backend volumeMounts. + extraVolumeMounts: [] + + livenessProbe: + # -- Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) + enabled: false + + readinessProbe: + # -- Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) + enabled: false + # -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. resources: {} # limits: @@ -1214,12 +1515,23 @@ spec: image: override: ~ repository: "quay.io/cilium/hubble-ui" - tag: "v0.10.0@sha256:118ad2fcfd07fabcae4dde35ec88d33564c9ca7abe520aa45b1eb13ba36c6e0a" + tag: "v0.13.0" + digest: "sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666" + useDigest: true pullPolicy: "IfNotPresent" + # -- Hubble-ui frontend security context. + securityContext: {} + # -- Additional hubble-ui frontend environment variables. extraEnv: [] + # -- Additional hubble-ui frontend volumes. + extraVolumes: [] + + # -- Additional hubble-ui frontend volumeMounts. + extraVolumeMounts: [] + # -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. resources: {} # limits: @@ -1236,6 +1548,9 @@ spec: # -- The number of replicas of Hubble UI to deploy. replicas: 1 + # -- Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui) + annotations: {} + # -- Annotations to be added to hubble-ui pods podAnnotations: {} 
@@ -1263,13 +1578,12 @@ spec: # whenUnsatisfiable: DoNotSchedule # -- Node labels for pod assignment - # ref: https://kubernetes.io/docs/user-guide/node-selection/ + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector nodeSelector: kubernetes.io/os: linux # -- Node tolerations for pod assignment on nodes with taints - # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - # + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: [] # -- The priority class to use for hubble-ui @@ -1283,20 +1597,24 @@ spec: # -- Security context to be added to Hubble UI pods securityContext: - # -- Deprecated in favor of hubble.ui.securityContext. - # Whether to set the security context on the Hubble UI pods. - enabled: true runAsUser: 1001 runAsGroup: 1001 fsGroup: 1001 # -- hubble-ui service configuration. service: + # -- Annotations to be added for the Hubble UI service + annotations: {} # --- The type of service used for Hubble UI access, either ClusterIP or NodePort. type: ClusterIP # --- The port to use when the service type is set to NodePort. nodePort: 31235 + # -- Defines base url prefix for all hubble-ui http requests. + # It needs to be changed in case if ingress for hubble-ui is configured under some sub-path. + # Trailing `/` is required for custom path, ex. `/service-map/` + baseUrl: "/" + # -- hubble-ui ingress configuration. ingress: enabled: false 
@@ -1306,11 +1624,60 @@ spec: className: "" hosts: - chart-example.local + labels: {} tls: [] # - secretName: chart-example-tls # hosts: # - chart-example.local + # -- Hubble flows export. + export: + # --- Defines max file size of output file before it gets rotated. + fileMaxSizeMb: 10 + # --- Defines max number of backup/rotated files. + fileMaxBackups: 5 + # --- Static exporter configuration. + # Static exporter is bound to agent lifecycle. + static: + enabled: false + filePath: /var/run/cilium/hubble/events.log + fieldMask: [] + # - time + # - source + # - destination + # - verdict + allowList: [] + # - '{"verdict":["DROPPED","ERROR"]}' + denyList: [] + # - '{"source_pod":["kube-system/"]}' + # - '{"destination_pod":["kube-system/"]}' + # --- Dynamic exporters configuration. + # Dynamic exporters may be reconfigured without a need of agent restarts. + dynamic: + enabled: false + config: + # ---- Name of configmap with configuration that may be altered to reconfigure exporters within a running agents. + configMapName: cilium-flowlog-config + # ---- True if helm installer should create config map. + # Switch to false if you want to self maintain the file content. + createConfigMap: true + # ---- Exporters configuration in YAML format. + content: + - name: all + fieldMask: [] + includeFilters: [] + excludeFilters: [] + filePath: "/var/run/cilium/hubble/events.log" + #- name: "test002" + # filePath: "/var/log/network/flow-log/pa/test002.log" + # fieldMask: ["source.namespace", "source.pod_name", "destination.namespace", "destination.pod_name", "verdict"] + # includeFilters: + # - source_pod: ["default/"] + # event_type: + # - type: 1 + # - destination_pod: ["frontend/nginx-975996d4c-7hhgt"] + # excludeFilters: [] + # end: "2023-10-09T23:59:59-07:00" # -- Method to use for identity allocation (`crd` or `kvstore`). identityAllocationMode: "crd" 
@@ -1319,11 +1686,6 @@ spec: # @default -- `"5s"` identityChangeGracePeriod: "" - # -- Configure whether to install iptables rules to allow for TPROXY - # (L7 proxy injection), iptables-based masquerading and compatibility - # with kube-proxy. - installIptablesRules: true - # -- Install Iptables rules to skip netfilter connection tracking on all pod # traffic. This option is only effective when Cilium is running in direct # routing and full KPR mode. Moreover, this option cannot be enabled when Cilium 
@@ -1332,23 +1694,31 @@ spec: ipam: # -- Configure IP Address Management mode. - # ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/ + # ref: https://docs.cilium.io/en/stable/network/concepts/ipam/ mode: "cluster-pool" + # -- Maximum rate at which the CiliumNode custom resource is updated. + ciliumNodeUpdateRate: "15s" operator: - # -- Deprecated in favor of ipam.operator.clusterPoolIPv4PodCIDRList. - # IPv4 CIDR range to delegate to individual nodes for IPAM. - clusterPoolIPv4PodCIDR: "10.0.0.0/8" # -- IPv4 CIDR list range to delegate to individual nodes for IPAM. clusterPoolIPv4PodCIDRList: {{ index .Cluster.spec.clusterNetwork.pods.cidrBlocks 0 }} # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM. clusterPoolIPv4MaskSize: 24 - # -- Deprecated in favor of ipam.operator.clusterPoolIPv6PodCIDRList. - # IPv6 CIDR range to delegate to individual nodes for IPAM. - clusterPoolIPv6PodCIDR: "fd00::/104" # -- IPv6 CIDR list range to delegate to individual nodes for IPAM. - clusterPoolIPv6PodCIDRList: [] + clusterPoolIPv6PodCIDRList: ["fd00::/104"] # -- IPv6 CIDR mask size to delegate to individual nodes for IPAM. clusterPoolIPv6MaskSize: 120 + # -- IP pools to auto-create in multi-pool IPAM mode. + autoCreateCiliumPodIPPools: {} + # default: + # ipv4: + # cidrs: + # - 10.10.0.0/8 + # maskSize: 24 + # other: + # ipv6: + # cidrs: + # - fd00:100::/80 + # maskSize: 96 # -- The maximum burst size when rate limiting access to external APIs. # Also known as the token bucket capacity. # @default -- `20` @@ -1359,6 +1729,9 @@ spec: # @default -- `4.0` externalAPILimitQPS: ~ + # -- The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API + apiRateLimit: ~ + # -- Configure the eBPF-based ip-masq-agent ipMasqAgent: enabled: false 
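Review bot: `clusterPoolIPv6PodCIDRList: ["fd00::/104"]` hard-codes a pod pool while the IPv4 pool on the line above is templated from `.Cluster.spec.clusterNetwork.pods.cidrBlocks`, so the two pools are no longer sourced consistently in what is a per-cluster template. Whether IPv6 is enabled for these clusters is not visible in this hunk; if it is, derive the value from the cluster spec the same way (the second `cidrBlocks` entry, if that is how the clusters declare it), and if it is not, a comment such as `# IPv6 pool is unused while ipv6.enabled is false` would stop the next reader from treating it as live configuration.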
@@ -1366,6 +1739,7 @@ spec: # config: # nonMasqueradeCIDRs: [] # masqLinkLocal: false + # masqLinkLocalIPv6: false # iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium. # iptablesLockTimeout: "5s" @@ -1412,9 +1786,9 @@ spec: periodSeconds: 30 # -- Configure the kube-proxy replacement in Cilium BPF datapath - # Valid options are "disabled", "partial", "strict". - # ref: https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free/ - kubeProxyReplacement: "strict" + # Valid options are "true", "false", "disabled" (deprecated), "partial" (deprecated), "strict" (deprecated). + # ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/ + #kubeProxyReplacement: "false" # -- healthz server bind address for the kube-proxy replacement. # To enable set the value to '0.0.0.0:10256' for all ipv4 @@ -1444,7 +1818,6 @@ spec: # -- Enables periodic logging of system load logSystemLoad: false - # -- Configure maglev consistent hashing maglev: {} # -- tableSize is the size (parameter M) for the backend table of one 
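Review bot: Commenting out `kubeProxyReplacement` (`#kubeProxyReplacement: "false"`) replaces the previous explicit `"strict"` with whatever the 1.15 chart defaults to, which is a behaviour change for any cluster that runs without kube-proxy and relied on Cilium for service handling. The comment on the new side lists `"true"` as the non-deprecated successor of `"strict"`, so if these clusters are installed without kube-proxy the line should read `kubeProxyReplacement: true`; if kube-proxy is present, writing `kubeProxyReplacement: false` explicitly records that decision. Either way the value should be stated rather than inherited, since the old and new defaults evidently differ from what was configured here.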
@@ -1457,19 +1830,28 @@ spec: # -- Enables masquerading of IPv4 traffic leaving the node from endpoints. enableIPv4Masquerade: true - # -- Enables IPv6 BIG TCP support which increases maximum GSO/GRO limits for nodes and pods - enableIPv6BIGTCP: false - # -- Enables masquerading of IPv6 traffic leaving the node from endpoints. enableIPv6Masquerade: true - # -- Enables egress gateway to redirect and SNAT the traffic that leaves the - # cluster. + # -- Enables masquerading to the source of the route for traffic leaving the node from endpoints. + enableMasqueradeRouteSource: false + + # -- Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods + enableIPv4BIGTCP: false + + # -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods + enableIPv6BIGTCP: false + egressGateway: + # -- Enables egress gateway to redirect and SNAT the traffic that leaves the + # cluster. enabled: false - # -- Install egress gateway IP rules and routes in order to properly steer - # egress gateway traffic to the correct ENI interface + # -- Deprecated without a replacement necessary. installRoutes: false + # -- Time between triggers of egress gateway state reconciliations + reconciliationTriggerInterval: 1s + # -- Maximum number of entries in egress gateway policy map + # maxPolicyEntries: 16384 vtep: # -- Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow @@ -1529,8 +1911,11 @@ spec: # mode: snat # -- acceleration is the option to accelerate service handling via XDP - # e.g. native, disabled - # acceleration: disabled + # Applicable values can be: disabled (do not use XDP), native (XDP BPF + # program is run directly out of the networking driver's early receive + # path), or best-effort (use native mode XDP acceleration on devices + # that support it). + acceleration: disabled # -- dsrDispatch configures whether IP option or IPIP encapsulation is # used to pass a service IP and port to remote backend 
@@ -1549,7 +1934,7 @@ spec: # # Applicable values: # - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well. - # - disabled: Disable L7 load balancing. + # - disabled: Disable L7 load balancing by way of service annotation. backend: disabled # -- List of ports from service to be automatically redirected to above backend. # Any service exposing one of these ports will be automatically redirected. @@ -1579,13 +1964,21 @@ spec: # -- Enable healthcheck nodePort server for NodePort services enableHealthCheck: true + # -- Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs + # EnableHealthCheck to be enabled + enableHealthCheckLoadBalancerIP: false + # policyAuditMode: false # -- The agent can be put into one of the three policy enforcement modes: # default, always and never. - # ref: https://docs.cilium.io/en/stable/policy/intro/#policy-enforcement-modes + # ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes policyEnforcementMode: "default" + # -- policyCIDRMatchMode is a list of entities that may be selected by CIDR selector. + # The possible value is "nodes". + policyCIDRMatchMode: + pprof: # -- Enable pprof for cilium-agent enabled: false 
@@ -1600,12 +1993,14 @@ spec: port: 9962 serviceMonitor: # -- Enable service monitors. - # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) enabled: false # -- Labels to add to ServiceMonitor cilium-agent labels: {} # -- Annotations to add to ServiceMonitor cilium-agent annotations: {} + # -- jobLabel to add for ServiceMonitor cilium-agent + jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Specify the Kubernetes namespace where Prometheus expects to find 
@@ -1619,23 +2014,246 @@ spec: replacement: ${1} # -- Metrics relabeling configs for the ServiceMonitor cilium-agent metricRelabelings: ~ - # -- Metrics that should be enabled or disabled from the default metric - # list. (+metric_foo to enable metric_foo , -metric_bar to disable - # metric_bar). - # ref: https://docs.cilium.io/en/stable/operations/metrics/#exported-metrics + # -- Set to `true` and helm will not check for monitoring.coreos.com/v1 CRDs before deploying + trustCRDsExist: false + + # -- Metrics that should be enabled or disabled from the default metric list. + # The list is expected to be separated by a space. (+metric_foo to enable + # metric_foo , -metric_bar to disable metric_bar). + # ref: https://docs.cilium.io/en/stable/observability/metrics/ metrics: ~ + # --- Enable controller group metrics for monitoring specific Cilium + # subsystems. The list is a list of controller group names. The special + # values of "all" and "none" are supported. The set of controller + # group names is not guaranteed to be stable between Cilium versions. + controllerGroupMetrics: + - write-cni-file + - sync-host-ips + - sync-lb-maps-with-k8s-services + + # -- Grafana dashboards for cilium-agent + # grafana can import dashboards based on the label and value + # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards + dashboards: + enabled: false + label: grafana_dashboard + namespace: ~ + labelValue: "1" + annotations: {} + # -- Configure Istio proxy options. proxy: + prometheus: + # -- Deprecated in favor of envoy.prometheus.enabled enabled: true - port: "9964" + # -- Deprecated in favor of envoy.prometheus.port + port: ~ # -- Regular expression matching compatible Istio sidecar istio-proxy # container image names sidecarImageRegex: "cilium/istio_proxy" + # Configure Cilium Envoy options. + envoy: + # -- Enable Envoy Proxy in standalone DaemonSet. 
+ enabled: false + + log: + # -- The format string to use for laying out the log message metadata of Envoy. + format: "[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v" + # -- Path to a separate Envoy log file, if any. Defaults to /dev/stdout. + path: "" + + # -- Time in seconds after which a TCP connection attempt times out + connectTimeoutSeconds: 2 + # -- ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for Envoy + maxRequestsPerConnection: 0 + # -- Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable) + maxConnectionDurationSeconds: 0 + # -- Set Envoy upstream HTTP idle connection timeout seconds. + # Does not apply to connections with pending requests. Default 60s + idleTimeoutDurationSeconds: 60 + + # -- Envoy container image. + image: + override: ~ + repository: "quay.io/cilium/cilium-envoy" + tag: "v1.27.3-99c1c8f42c8de70fc8f6dd594f4a425cd38b6688" + pullPolicy: "IfNotPresent" + digest: "sha256:877ead12d08d4c04a9f67f86d3c6e542aeb7bf97e1e401aee74de456f496ac30" + useDigest: true + + # -- Additional containers added to the cilium Envoy DaemonSet. + extraContainers: [] + + # -- Additional envoy container arguments. + extraArgs: [] + + # -- Additional envoy container environment variables. + extraEnv: [] + + # -- Additional envoy hostPath mounts. + extraHostPathMounts: [] + # - name: host-mnt-data + # mountPath: /host/mnt/data + # hostPath: /mnt/data + # hostPathType: Directory + # readOnly: true + # mountPropagation: HostToContainer + + # -- Additional envoy volumes. + extraVolumes: [] + + # -- Additional envoy volumeMounts. + extraVolumeMounts: [] + + # -- Configure termination grace period for cilium-envoy DaemonSet. + terminationGracePeriodSeconds: 1 + + # -- TCP port for the health API. 
+ healthPort: 9878 + + # -- cilium-envoy update strategy + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#updating-a-daemonset + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 2 + # -- Roll out cilium envoy pods automatically when configmap is updated. + rollOutPods: false + + # -- Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy) + annotations: {} + + # -- Security Context for cilium-envoy pods. + podSecurityContext: {} + + # -- Annotations to be added to envoy pods + podAnnotations: {} + + # -- Labels to be added to envoy pods + podLabels: {} + + # -- Envoy resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + startupProbe: + # -- failure threshold of startup probe. + # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s) + failureThreshold: 105 + # -- interval between checks of the startup probe + periodSeconds: 2 + livenessProbe: + # -- failure threshold of liveness probe + failureThreshold: 10 + # -- interval between checks of the liveness probe + periodSeconds: 30 + readinessProbe: + # -- failure threshold of readiness probe + failureThreshold: 3 + # -- interval between checks of the readiness probe + periodSeconds: 30 + + securityContext: + # -- User to run the pod with + # runAsUser: 0 + # -- Run the pod with elevated privileges + privileged: false + # -- SELinux options for the `cilium-envoy` container + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. 
+ type: 'spc_t' + capabilities: + # -- Capabilities for the `cilium-envoy` container + envoy: + # Used since cilium proxy uses setting IPPROTO_IP/IP_TRANSPARENT + - NET_ADMIN + # We need it for now but might not need it for >= 5.11 specially + # for the 'SYS_RESOURCE'. + # In >= 5.8 there's already BPF and PERMON capabilities + - SYS_ADMIN + # Both PERFMON and BPF requires kernel 5.8, container runtime + # cri-o >= v1.22.0 or containerd >= v1.5.0. + # If available, SYS_ADMIN can be removed. + #- PERFMON + #- BPF + + # -- Affinity for cilium-envoy. + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium-envoy + + # -- Node selector for cilium-envoy. + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for envoy scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: + - operator: Exists + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- The priority class to use for cilium-envoy. + priorityClassName: ~ + + # -- DNS policy for Cilium envoy pods. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ~ + + # -- Configure Cilium Envoy Prometheus options. + # Note that some of these apply to either cilium-agent or cilium-envoy. + prometheus: + # -- Enable prometheus metrics for cilium-envoy + enabled: true + serviceMonitor: + # -- Enable service monitors. + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + # Note that this setting applies to both cilium-envoy _and_ cilium-agent + # with Envoy enabled. 
+ enabled: false + # -- Labels to add to ServiceMonitor cilium-envoy + labels: {} + # -- Annotations to add to ServiceMonitor cilium-envoy + annotations: {} + # -- Interval for scrape metrics. + interval: "10s" + # -- Specify the Kubernetes namespace where Prometheus expects to find + # service monitors configured. + # namespace: "" + # -- Relabeling configs for the ServiceMonitor cilium-envoy + # or for cilium-agent with Envoy configured. + relabelings: + - sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: node + replacement: ${1} + # -- Metrics relabeling configs for the ServiceMonitor cilium-envoy + # or for cilium-agent with Envoy configured. + metricRelabelings: ~ + # -- Serve prometheus metrics for cilium-envoy on the configured port + port: "9964" + # -- Enable use of the remote node identity. # ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity + # Deprecated without replacement in 1.15. To be removed in 1.16. remoteNodeIdentity: true # -- Enable resource quotas for priority classes used in the cluster. @@ -1659,11 +2277,6 @@ spec: # in the node. sleepAfterInit: false - # -- Configure BPF socket operations configuration - sockops: - # enabled enables installation of socket options acceleration. - enabled: false - # -- Enable check of service source ranges (currently, only for LoadBalancer). svcSourceRangeCheck: true @@ -1680,7 +2293,8 @@ spec: secretsBackend: local # -- Base64 encoded PEM values for the CA certificate and private key. - # This can be used as common CA to generate certificates used by hubble and clustermesh components + # This can be used as common CA to generate certificates used by hubble and clustermesh components. + # It is neither required nor used when cert-manager is used to generate the certificates. ca: # -- Optional CA cert. If it is provided, it will be used by cilium to # generate all other certificates. Otherwise, an ephemeral CA is generated. 
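Review bot: The new `envoy.securityContext.capabilities.envoy` list grants `SYS_ADMIN` in addition to `NET_ADMIN`, and the accompanying comment itself states that on kernels >= 5.8 with cri-o >= 1.22 or containerd >= 1.5 the `PERFMON` and `BPF` capabilities are sufficient and `SYS_ADMIN` can be removed. Because `envoy.enabled` is `false` in this hunk the block is inert today, but whoever enables the standalone Envoy DaemonSet later inherits the broader capability set without a prompt to reconsider it. If the node kernels and runtimes in this repository meet that bar, swapping `- SYS_ADMIN` for `- PERFMON` and `- BPF` keeps the proxy at the least privilege the chart supports; if not, a one-line comment recording why `SYS_ADMIN` is retained would be worth adding. The enclosing `envoy:` mapping begins on an earlier line of this hunk.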
@@ -1693,22 +2307,65 @@ spec: # -- Generated certificates validity duration in days. This will be used for auto generated CA. certValidityDuration: 1095 - # -- Configure the encapsulation configuration for communication between nodes. + # -- Configure the CA trust bundle used for the validation of the certificates + # leveraged by hubble and clustermesh. When enabled, it overrides the content of the + # 'ca.crt' field of the respective certificates, allowing for CA rotation with no down-time. + caBundle: + # -- Enable the use of the CA trust bundle. + enabled: false + + # -- Name of the ConfigMap containing the CA trust bundle. + name: cilium-root-ca.crt + + # -- Entry of the ConfigMap containing the CA trust bundle. + key: ca.crt + + # -- Use a Secret instead of a ConfigMap. + useSecret: false + + # If uncommented, creates the ConfigMap and fills it with the specified content. + # Otherwise, the ConfigMap is assumed to be already present in .Release.Namespace. + # + # content: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + # -- Tunneling protocol to use in tunneling mode and for ad-hoc tunnels. # Possible values: - # - disabled - # - vxlan (default) + # - "" + # - vxlan # - geneve - tunnel: "vxlan" + # @default -- `"vxlan"` + tunnelProtocol: "" + + # -- Enable native-routing mode or tunneling mode. + # Possible values: + # - "" + # - native + # - tunnel + # @default -- `"tunnel"` + routingMode: "" # -- Configure VXLAN and Geneve tunnel port. # @default -- Port 8472 for VXLAN, Port 6081 for Geneve tunnelPort: 0 + # -- Configure what the response should be to traffic for a service without backends. + # "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop". + # Possible values: + # - reject (default) + # - drop + serviceNoBackendResponse: reject + # -- Configure the underlying network MTU to overwrite auto-detected MTU. 
MTU: 0 # -- Disable the usage of CiliumEndpoint CRD. - disableEndpointCRD: "false" + disableEndpointCRD: false wellKnownIdentities: # -- Enable the use of well-known identities. @@ -1722,7 +2379,9 @@ spec: image: override: ~ repository: "quay.io/cilium/cilium-etcd-operator" - tag: "v2.0.7@sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc" + tag: "v2.0.7" + digest: "sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc" + useDigest: true pullPolicy: "IfNotPresent" # -- The priority class to use for cilium-etcd-operator @@ -1731,8 +2390,14 @@ spec: # -- Additional cilium-etcd-operator container arguments. extraArgs: [] + # -- Additional cilium-etcd-operator volumes. + extraVolumes: [] + + # -- Additional cilium-etcd-operator volumeMounts. + extraVolumeMounts: [] + # -- Node tolerations for cilium-etcd-operator scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: - operator: Exists # - key: "key" @@ -1747,10 +2412,16 @@ spec: # whenUnsatisfiable: DoNotSchedule # -- Node labels for cilium-etcd-operator pod assignment - # ref: https://kubernetes.io/docs/user-guide/node-selection/ + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector nodeSelector: kubernetes.io/os: linux + # -- Annotations to be added to all top-level etcd-operator objects (resources under templates/etcd-operator) + annotations: {} + + # -- Security context to be added to cilium-etcd-operator pods + podSecurityContext: {} + # -- Annotations to be added to cilium-etcd-operator pods podAnnotations: {} 
@@ -1769,7 +2440,7 @@ spec: maxUnavailable: 1 # -- cilium-etcd-operator resource limits & requests - # ref: https://kubernetes.io/docs/user-guide/compute-resources/ + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} # limits: # cpu: 4000m @@ -1816,7 +2487,7 @@ spec: image: override: ~ repository: "quay.io/cilium/operator" - tag: "v1.13.0" + tag: "v1.15.2" # operator-generic-digest genericDigest: "" # operator-azure-digest @@ -1843,8 +2514,8 @@ spec: updateStrategy: type: RollingUpdate rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 + maxSurge: 25% + maxUnavailable: 50% # -- Affinity for cilium-operator affinity: @@ -1862,13 +2533,12 @@ spec: # whenUnsatisfiable: DoNotSchedule # -- Node labels for cilium-operator pod assignment - # ref: https://kubernetes.io/docs/user-guide/node-selection/ - # + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector nodeSelector: kubernetes.io/os: linux # -- Node tolerations for cilium-operator scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: - operator: Exists # - key: "key" @@ -1897,6 +2567,12 @@ spec: # -- Additional cilium-operator volumeMounts. extraVolumeMounts: [] + # -- Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator) + annotations: {} + + # -- Security context to be added to cilium-operator pods + podSecurityContext: {} + # -- Annotations to be added to cilium-operator pods podAnnotations: {} @@ -1915,7 +2591,7 @@ spec: maxUnavailable: 1 # -- cilium-operator resource limits & requests - # ref: https://kubernetes.io/docs/user-guide/compute-resources/ + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} # limits: # cpu: 1000m 
@@ -1954,16 +2630,18 @@ spec: # -- Enable prometheus metrics for cilium-operator on the configured port at # /metrics prometheus: - enabled: false + enabled: true port: 9963 serviceMonitor: # -- Enable service monitors. - # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) enabled: false # -- Labels to add to ServiceMonitor cilium-operator labels: {} # -- Annotations to add to ServiceMonitor cilium-operator annotations: {} + # -- jobLabel to add for ServiceMonitor cilium-operator + jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Relabeling configs for the ServiceMonitor cilium-operator @@ -1971,6 +2649,16 @@ spec: # -- Metrics relabeling configs for the ServiceMonitor cilium-operator metricRelabelings: ~ + # -- Grafana dashboards for cilium-operator + # grafana can import dashboards based on the label and value + # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards + dashboards: + enabled: false + label: grafana_dashboard + namespace: ~ + labelValue: "1" + annotations: {} + # -- Skip CRDs creation for cilium-operator skipCRDCreation: false @@ -1978,6 +2666,11 @@ spec: # pod running. removeNodeTaints: true + # -- Taint nodes where Cilium is scheduled but not running. This prevents pods + # from being scheduled to nodes where Cilium is not the default CNI provider. + # @default -- same as removeNodeTaints + setNodeTaints: ~ + # -- Set Node condition NetworkUnavailable to 'false' with the reason # 'CiliumIsUp' for nodes that have a healthy Cilium pod. setNodeNetworkStatus: true 
@@ -1997,7 +2690,7 @@ spec: image: override: ~ repository: "quay.io/cilium/startup-script" - tag: "d69851597ea019af980891a4628fb36b7880ec26" + tag: "62093c5c233ea914bfa26a10ba41f8780d9b737f" pullPolicy: "IfNotPresent" # -- The priority class to use for the nodeinit pod. @@ -2010,17 +2703,22 @@ spec: # -- Additional nodeinit environment variables. extraEnv: [] + # -- Additional nodeinit volumes. + extraVolumes: [] + + # -- Additional nodeinit volumeMounts. + extraVolumeMounts: [] + # -- Affinity for cilium-nodeinit affinity: {} # -- Node labels for nodeinit pod assignment - # ref: https://kubernetes.io/docs/user-guide/node-selection/ - # + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector nodeSelector: kubernetes.io/os: linux # -- Node tolerations for nodeinit scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: - operator: Exists # - key: "key" @@ -2028,6 +2726,9 @@ spec: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + # -- Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit) + annotations: {} + # -- Annotations to be added to node-init pods. podAnnotations: {} @@ -2035,7 +2736,7 @@ spec: podLabels: {} # -- nodeinit resource limits & requests - # ref: https://kubernetes.io/docs/user-guide/compute-resources/ + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: requests: cpu: 100m 
@@ -2064,6 +2765,15 @@ spec: # written by the node-init DaemonSet bootstrapFile: "/tmp/cilium-bootstrap.d/cilium-bootstrap-time" + # -- startup offers way to customize startup nodeinit script (pre and post position) + startup: + preScript: "" + postScript: "" + # -- prestop offers way to customize prestop nodeinit script (pre and post position) + prestop: + preScript: "" + postScript: "" + preflight: # -- Enable Cilium pre-flight resources (required for upgrade) enabled: false @@ -2072,7 +2782,7 @@ spec: image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.13.0" + tag: "v1.15.2" # cilium-digest digest: "" useDigest: false @@ -2088,6 +2798,12 @@ spec: # -- Additional preflight environment variables. extraEnv: [] + # -- Additional preflight volumes. + extraVolumes: [] + + # -- Additional preflight volumeMounts. + extraVolumeMounts: [] + # -- Affinity for cilium-preflight affinity: podAffinity: @@ -2098,13 +2814,12 @@ spec: k8s-app: cilium # -- Node labels for preflight pod assignment - # ref: https://kubernetes.io/docs/user-guide/node-selection/ - # + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector nodeSelector: kubernetes.io/os: linux # -- Node tolerations for preflight scheduling to nodes with taints - # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: - key: node.kubernetes.io/not-ready effect: NoSchedule @@ -2122,6 +2837,12 @@ spec: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + # -- Annotations to be added to all top-level preflight objects (resources under templates/cilium-preflight) + annotations: {} + + # -- Security context to be added to preflight pods. + podSecurityContext: {} + # -- Annotations to be added to preflight pods podAnnotations: {} 
@@ -2140,7 +2861,7 @@ spec: maxUnavailable: 1 # -- preflight resource limits & requests - # ref: https://kubernetes.io/docs/user-guide/compute-resources/ + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} # limits: # cpu: 4000m 
@@ -2177,53 +2898,79 @@ spec: clustermesh: # -- Deploy clustermesh-apiserver for clustermesh - useAPIServer: false + useAPIServer: true + # -- The maximum number of clusters to support in a ClusterMesh. This value + # cannot be changed on running clusters, and all clusters in a ClusterMesh + # must be configured with the same value. Values > 255 will decrease the + # maximum allocatable cluster-local identities. + # Supported values are 255 and 511. + maxConnectedClusters: 255 + + # -- Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config) + annotations: {} # -- Clustermesh explicit configuration. config: # -- Enable the Clustermesh explicit configuration. - enabled: false + enabled: true # -- Default dns domain for the Clustermesh API servers # This is used in the case cluster addresses are not provided # and IPs are used. domain: mesh.cilium.io # -- List of clusters to be peered in the mesh. - clusters: [] - # clusters: - # # -- Name of the cluster - # - name: cluster1 - # # -- Address of the cluster, use this if you created DNS records for - # # the cluster Clustermesh API server. - # address: cluster1.mesh.cilium.io - # # -- Port of the cluster Clustermesh API server. - # port: 2379 - # # -- IPs of the cluster Clustermesh API server, use multiple ones when - # # you have multiple IPs to access the Clustermesh API server. - # ips: - # - 172.18.255.201 - # # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority. + clusters: + # -- Name of the cluster + - name: cluster-01 + # -- Address of the cluster, use this if you created DNS records for + # the cluster Clustermesh API server. + address: cluster-01.mesh.cilium.io + # -- Port of the cluster Clustermesh API server. + port: 2379 + # -- IPs of the cluster Clustermesh API server, use multiple ones when + # you have multiple IPs to access the Clustermesh API server. 
+ ips: + - 172.18.255.201 + # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority. + # These fields can (and should) be omitted in case the CA is shared across clusters. In that case, the + # "remote" private key and certificate available in the local cluster are automatically used instead. + # tls: + # cert: "" + # key: "" + # caCert: "" + - name: cluster-02 + # -- Address of the cluster, use this if you created DNS records for + # the cluster Clustermesh API server. + address: cluster-02.mesh.cilium.io + # -- Port of the cluster Clustermesh API server. + port: 2379 + # -- IPs of the cluster Clustermesh API server, use multiple ones when + # you have multiple IPs to access the Clustermesh API server. + ips: + - 172.18.255.201 + # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority. + # These fields can (and should) be omitted in case the CA is shared across clusters. In that case, the + # "remote" private key and certificate available in the local cluster are automatically used instead. # tls: # cert: "" # key: "" + # caCert: "" + apiserver: # -- Clustermesh API server image. image: override: ~ repository: "quay.io/cilium/clustermesh-apiserver" - tag: "v1.13.0" + tag: "v1.15.2" # clustermesh-apiserver-digest digest: "" useDigest: false pullPolicy: "IfNotPresent" etcd: - # -- Clustermesh API server etcd image. - image: - override: ~ - repository: "quay.io/coreos/etcd" - tag: "v3.5.4@sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3" - pullPolicy: "IfNotPresent" + # The etcd binary is included in the clustermesh API server image, so the same image from above is reused. + # Independent override isn't supported, because clustermesh-apiserver is tested against the etcd version it is + # built with. # -- Specifies the resources for etcd container in the apiserver resources: {} 
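Review bot: Both peer entries under `clustermesh.config.clusters` carry the same endpoint, `ips: - 172.18.255.201`, for cluster-01 and for cluster-02, so whichever cluster this values file belongs to (its path is outside this chunk) will open both clustermesh sessions to a single apiserver and never reach the other cluster's state. Each entry should carry that cluster's own clustermesh-apiserver address, and a cluster normally does not need to list itself; the companion cluster-02 change later in this series moves cluster-02 from `.202` to `.201` as well, which looks like the same slip rather than an intended shared address. Because `tls` is omitted for both entries the local `remote` client cert is reused, which the in-file comment says is only valid when the CA is shared across clusters — worth a comment above `clusters:` recording that assumption.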
@@ -2234,6 +2981,12 @@ spec: # cpu: 1000m # memory: 256Mi + # -- Security context to be added to clustermesh-apiserver etcd containers + securityContext: {} + + # -- lifecycle setting for the etcd container + lifecycle: {} + init: # -- Specifies the resources for etcd init container in the apiserver resources: {} 
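Review bot: The etcd container receives an empty `securityContext: {}` here while the kvstoremesh container added in the same apiserver deployment ships with `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`; etcd holds the mesh's identity and service state, so it deserves at least the same floor. Unless etcd needs a capability on these nodes, set `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}`, and consider the same for the apiserver container, which also gets `securityContext: {}` further down in this series. The clustermesh block continues outside the hunk.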
@@ -2244,10 +2997,57 @@ spec: # cpu: 100m # memory: 100Mi + # -- Additional arguments to `clustermesh-apiserver etcdinit`. + extraArgs: [] + + # -- Additional environment variables to `clustermesh-apiserver etcdinit`. + extraEnv: [] + + kvstoremesh: + # -- Enable KVStoreMesh. KVStoreMesh caches the information retrieved + # from the remote clusters in the local etcd instance. + enabled: false + + # -- Additional KVStoreMesh arguments. + extraArgs: [] + + # -- Additional KVStoreMesh environment variables. + extraEnv: [] + + # -- Resource requests and limits for the KVStoreMesh container + resources: {} + # requests: + # cpu: 100m + # memory: 64Mi + # limits: + # cpu: 1000m + # memory: 1024M + + # -- Additional KVStoreMesh volumeMounts. + extraVolumeMounts: [] + + # -- KVStoreMesh Security context + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + + # -- lifecycle setting for the KVStoreMesh container + lifecycle: {} + service: # -- The type of service used for apiserver access. type: NodePort # -- Optional port to use as the node port for apiserver access. + # + # WARNING: make sure to configure a different NodePort in each cluster if + # kube-proxy replacement is enabled, as Cilium is currently affected by a known + # bug (#24692) when NodePorts are handled by the KPR implementation. If a service + # with the same NodePort exists both in the local and the remote cluster, all + # traffic originating from inside the cluster and targeting the corresponding + # NodePort will be redirected to a local backend, regardless of whether the + # destination node belongs to the local or the remote cluster. nodePort: 32379 # -- Optional loadBalancer IP address to use with type LoadBalancer. # loadBalancerIP: 
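Review bot: `nodePort: 32379` is kept at the chart default directly under the warning that each cluster needs a distinct NodePort when kube-proxy replacement is enabled, and this series meshes two clusters whose values files look otherwise identical. Whether KPR is on is not visible in this chunk; if it is, give the second cluster a different value (for example `nodePort: 32380`) or, per the comment, traffic meant for the remote apiserver is redirected to the local backend and the mesh silently talks to itself. A NodePort also exposes the clustermesh TLS endpoint on every node, so the choice of port should be recorded next to the IP used in `config.clusters`.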
@@ -2257,12 +3057,39 @@ spec: # For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 annotations: {} + # -- The externalTrafficPolicy of service used for apiserver access. + externalTrafficPolicy: + + # -- The internalTrafficPolicy of service used for apiserver access. + internalTrafficPolicy: + # -- Number of replicas run for the clustermesh-apiserver deployment. replicas: 1 + # -- lifecycle setting for the apiserver container + lifecycle: {} + + # -- terminationGracePeriodSeconds for the clustermesh-apiserver deployment + terminationGracePeriodSeconds: 30 + + # -- Additional clustermesh-apiserver arguments. + extraArgs: [] + # -- Additional clustermesh-apiserver environment variables. extraEnv: [] + # -- Additional clustermesh-apiserver volumes. + extraVolumes: [] + + # -- Additional clustermesh-apiserver volumeMounts. + extraVolumeMounts: [] + + # -- Security context to be added to clustermesh-apiserver containers + securityContext: {} + + # -- Security context to be added to clustermesh-apiserver pods + podSecurityContext: {} + # -- Annotations to be added to clustermesh-apiserver pods podAnnotations: {} @@ -2313,12 +3140,12 @@ spec: # whenUnsatisfiable: DoNotSchedule # -- Node labels for pod assignment - # ref: https://kubernetes.io/docs/user-guide/node-selection/ + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector nodeSelector: kubernetes.io/os: linux # -- Node tolerations for pod assignment on nodes with taints - # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: [] # -- clustermesh-apiserver update strategy 
@@ -2331,6 +3158,23 @@ spec: priorityClassName: "" tls: + # -- Configure the clustermesh authentication mode. + # Supported values: + # - legacy: All clusters access remote clustermesh instances with the same + # username (i.e., remote). The "remote" certificate must be + # generated with CN=remote if provided manually. + # - migration: Intermediate mode required to upgrade from legacy to cluster + # (and vice versa) with no disruption. Specifically, it enables + # the creation of the per-cluster usernames, while still using + # the common one for authentication. The "remote" certificate must + # be generated with CN=remote if provided manually (same as legacy). + # - cluster: Each cluster accesses remote etcd instances with a username + # depending on the local cluster name (i.e., remote-). + # The "remote" certificate must be generated with CN=remote- + # if provided manually. Cluster mode is meaningful only when the same + # CA is shared across all clusters part of the mesh. + authMode: legacy + # -- Configure automatic TLS certificates generation. # A Kubernetes CronJob is used the generate any # certificates not provided by the user at installation @@ -2360,7 +3204,7 @@ spec: # # Defaults to none. Commented syntax gives midnight of the first day of every # fourth month. For syntax, see - # https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule + # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax # schedule: "0 0 1 */4 *" # [Example] 
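Review bot: `authMode: legacy` makes every cluster authenticate to every remote clustermesh-apiserver with the single shared `remote` identity, so a credential leaked from one cluster is valid against all peers. The peer entries earlier in this file omit per-cluster `tls`, i.e. the mesh relies on one shared CA, which is exactly the case the comment says `cluster` mode is meant for; on a fresh mesh set `authMode: cluster` so each cluster connects as `remote-<name>` (an already-running mesh goes through `migration` first). The `tls` block continues outside the hunk.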
@@ -2369,16 +3213,7 @@ spec: # kind: ClusterIssuer # name: ca-issuer # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. - # If not specified, a CA issuer will be created. certManagerIssuerRef: {} - # -- base64 encoded PEM values for the ExternalWorkload CA certificate and private key. - ca: - # -- Optional CA cert. If it is provided, it will be used by the 'cronJob' method to - # generate all other certificates. Otherwise, an ephemeral CA is generated. - cert: "" - # -- Optional CA private key. If it is provided, it will be used by the 'cronJob' method to - # generate all other certificates. Otherwise, an ephemeral CA is generated. - key: "" # -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. # Used if 'auto' is not enabled. server: 
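Review bot: Dropping `tls.auto.ca.cert`/`ca.key` leaves this section with no statement of where the clustermesh CA comes from, yet the peer entries above omit per-cluster `tls` and therefore depend on the same CA being present in both clusters. If the new chart expects the CA elsewhere (the rest of the `tls` block is outside this hunk), make sure identical CA material is provisioned in cluster-01 and cluster-02 before `auto` generates the server and remote certs — with an ephemeral per-cluster CA the two apiservers simply reject each other's clients. A one-line comment above `certManagerIssuerRef` naming the shared CA source would save the next reader the search.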
@@ -2404,6 +3239,62 @@ spec: cert: "" key: "" + # clustermesh-apiserver Prometheus metrics configuration + metrics: + # -- Enables exporting apiserver metrics in OpenMetrics format. + enabled: true + # -- Configure the port the apiserver metric server listens on. + port: 9962 + + kvstoremesh: + # -- Enables exporting KVStoreMesh metrics in OpenMetrics format. + enabled: true + # -- Configure the port the KVStoreMesh metric server listens on. + port: 9964 + + etcd: + # -- Enables exporting etcd metrics in OpenMetrics format. + enabled: true + # -- Set level of detail for etcd metrics; specify 'extensive' to include server side gRPC histogram metrics. + mode: basic + # -- Configure the port the etcd metric server listens on. + port: 9963 + + serviceMonitor: + # -- Enable service monitor. + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + enabled: false + # -- Labels to add to ServiceMonitor clustermesh-apiserver + labels: {} + # -- Annotations to add to ServiceMonitor clustermesh-apiserver + annotations: {} + # -- Specify the Kubernetes namespace where Prometheus expects to find + # service monitors configured. 
+ # namespace: "" + + # -- Interval for scrape metrics (apiserver metrics) + interval: "10s" + # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics) + relabelings: ~ + # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics) + metricRelabelings: ~ + + kvstoremesh: + # -- Interval for scrape metrics (KVStoreMesh metrics) + interval: "10s" + # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics) + relabelings: ~ + # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics) + metricRelabelings: ~ + + etcd: + # -- Interval for scrape metrics (etcd metrics) + interval: "10s" + # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics) + relabelings: ~ + # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics) + metricRelabelings: ~ + # -- Configure external workloads support externalWorkloads: # -- Enable support for external workloads, such as VMs (false by default). 
@@ -2452,16 +3343,193 @@ spec: idleConnectionGracePeriod: 0s # -- Maximum number of IPs to retain for expired DNS lookups with still-active connections. maxDeferredConnectionDeletes: 10000 - # -- The minimum time, in seconds, to use DNS data for toFQDNs policies. - minTtl: 3600 + # -- The minimum time, in seconds, to use DNS data for toFQDNs policies. If + # the upstream DNS server returns a DNS record with a shorter TTL, Cilium + # overwrites the TTL with this value. Setting this value to zero means that + # Cilium will honor the TTLs returned by the upstream DNS server. + minTtl: 0 # -- DNS cache data at this path is preloaded on agent startup. preCache: "" # -- Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. proxyPort: 0 # -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. proxyResponseMaxDelay: 100ms + # -- DNS proxy operation mode (true/false, or unset to use version dependent defaults) + # enableTransparentMode: true # -- SCTP Configuration Values sctp: # -- Enable SCTP support. NOTE: Currently, SCTP support does not support rewriting ports or multihoming. enabled: false + + # Configuration for types of authentication for Cilium (beta) + authentication: + # -- Enable authentication processing and garbage collection. + # Note that if disabled, policy enforcement will still block requests that require authentication. + # But the resulting authentication requests for these requests will not be processed, therefore the requests not be allowed. + enabled: true + # -- Buffer size of the channel Cilium uses to receive authentication events from the signal map. + queueSize: 1024 + # -- Buffer size of the channel Cilium uses to receive certificate expiration events from auth handlers. + rotatedIdentitiesQueueSize: 1024 + # -- Interval for garbage collection of auth map entries. 
+ gcInterval: "5m0s" + # Configuration for Cilium's service-to-service mutual authentication using TLS handshakes. + # Note that this is not full mTLS support without also enabling encryption of some form. + # Current encryption options are Wireguard or IPSec, configured in encryption block above. + mutual: + # -- Port on the agent where mutual authentication handshakes between agents will be performed + port: 4250 + # -- Timeout for connecting to the remote node TCP socket + connectTimeout: 5s + # Settings for SPIRE + spire: + # -- Enable SPIRE integration (beta) + enabled: false + # -- Annotations to be added to all top-level spire objects (resources under templates/spire) + annotations: {} + # Settings to control the SPIRE installation and configuration + install: + # -- Enable SPIRE installation. + # This will only take effect only if authentication.mutual.spire.enabled is true + enabled: true + # -- SPIRE namespace to install into + namespace: cilium-spire + # -- SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. + existingNamespace: false + # -- init container image of SPIRE agent and server + initImage: + override: ~ + repository: "docker.io/library/busybox" + tag: "1.36.1" + digest: "sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b" + useDigest: true + pullPolicy: "IfNotPresent" + # SPIRE agent configuration + agent: + # -- SPIRE agent image + image: + override: ~ + repository: "ghcr.io/spiffe/spire-agent" + tag: "1.8.5" + digest: "sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b" + useDigest: true + pullPolicy: "IfNotPresent" + # -- SPIRE agent service account + serviceAccount: + create: true + name: spire-agent + # -- SPIRE agent annotations + annotations: {} + # -- SPIRE agent labels + labels: {} + # -- SPIRE Workload Attestor kubelet verification. 
+ skipKubeletVerification: true + # -- SPIRE agent tolerations configuration + # By default it follows the same tolerations as the agent itself + # to allow the Cilium agent on this node to connect to SPIRE. + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: + - key: node.kubernetes.io/not-ready + effect: NoSchedule + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + - key: node.cloudprovider.kubernetes.io/uninitialized + effect: NoSchedule + value: "true" + - key: CriticalAddonsOnly + operator: "Exists" + # -- SPIRE agent affinity configuration + affinity: {} + # -- SPIRE agent nodeSelector configuration + # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: {} + # -- Security context to be added to spire agent pods. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # -- Security context to be added to spire agent containers. + # SecurityContext holds pod-level security attributes and common container settings. 
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: {} + server: + # -- SPIRE server image + image: + override: ~ + repository: "ghcr.io/spiffe/spire-server" + tag: "1.8.5" + digest: "sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428" + useDigest: true + pullPolicy: "IfNotPresent" + # -- SPIRE server service account + serviceAccount: + create: true + name: spire-server + # -- SPIRE server init containers + initContainers: [] + # -- SPIRE server annotations + annotations: {} + # -- SPIRE server labels + labels: {} + # SPIRE server service configuration + service: + # -- Service type for the SPIRE server service + type: ClusterIP + # -- Annotations to be added to the SPIRE server service + annotations: {} + # -- Labels to be added to the SPIRE server service + labels: {} + # -- SPIRE server affinity configuration + affinity: {} + # -- SPIRE server nodeSelector configuration + # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: {} + # -- SPIRE server tolerations configuration + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + tolerations: [] + # SPIRE server datastorage configuration + dataStorage: + # -- Enable SPIRE server data storage + enabled: true + # -- Size of the SPIRE server data storage + size: 1Gi + # -- Access mode of the SPIRE server data storage + accessMode: ReadWriteOnce + # -- StorageClass of the SPIRE server data storage + storageClass: null + # -- Security context to be added to spire server pods. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # -- Security context to be added to spire server containers. 
+ # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: {} + # SPIRE CA configuration + ca: + # -- SPIRE CA key type + # AWS requires the use of RSA. EC cryptography is not supported + keyType: "rsa-4096" + # -- SPIRE CA Subject + subject: + country: "US" + organization: "SPIRE" + commonName: "Cilium SPIRE CA" + # -- SPIRE server address used by Cilium Operator + # + # If k8s Service DNS along with port number is used (e.g. ..svc(.*): format), + # Cilium Operator will resolve its address by looking up the clusterIP from Service resource. + # + # Example values: 10.0.0.1:8081, spire-server.cilium-spire.svc:8081 + serverAddress: ~ + # -- SPIFFE trust domain to use for fetching certificates + trustDomain: spiffe.cilium + # -- SPIRE socket path where the SPIRE delegated api agent is listening + adminSocketPath: /run/spire/sockets/admin.sock + # -- SPIRE socket path where the SPIRE workload agent is listening. + # Applies to both the Cilium Agent and Operator + agentSocketPath: /run/spire/sockets/agent/agent.sock + # -- SPIRE connection timeout + connectionTimeout: 30s diff --git a/clusters/cluster-mgmt/cluster-02/caaph-cni/caaph-hcp-v1.15.2.yaml b/clusters/cluster-mgmt/cluster-02/caaph-cni/caaph-hcp-v1.15.2.yaml index ce844d3..9f929a0 100644 --- a/clusters/cluster-mgmt/cluster-02/caaph-cni/caaph-hcp-v1.15.2.yaml +++ b/clusters/cluster-mgmt/cluster-02/caaph-cni/caaph-hcp-v1.15.2.yaml @@ -1,7 +1,7 @@ apiVersion: addons.cluster.x-k8s.io/v1alpha1 kind: HelmChartProxy metadata: - name: cilium + name: cilium-cluster-mesh spec: clusterSelector: matchLabels: 
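Review bot: `skipKubeletVerification: true` under `authentication.mutual.spire.install.agent` tells the SPIRE agent's workload attestor to query the kubelet without verifying its serving certificate, so workload-to-SVID attestation trusts whatever answers on the kubelet port; once SPIRE is switched on (it is, later in this series) that weakens the identities Cilium's mutual authentication is built on. If the kubelet serving certs on these nodes chain to the cluster CA, set `skipKubeletVerification: false`; if they are self-signed, keep the flag but say so, e.g. `# kubelet serving cert is not verified on this provider — TODO confirm before relying on SPIFFE IDs for policy`. Note also that `authentication.enabled: true` with `mutual.port: 4250` only performs handshakes — as the in-file comment states, it is not mTLS unless the `encryption` block (outside this hunk) is enabled as well.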
@@ -11,7 +11,7 @@ spec: namespace: cilium version: "1.15.2" valuesTemplate: | - # https://github.com/cilium/cilium/blob/v1.15.2/install/kubernetes/cilium/values.yaml + # Copied and adjusted from: https://github.com/cilium/cilium/blob/v1.15.2/install/kubernetes/cilium/values.yaml # File generated by install/kubernetes/Makefile; DO NOT EDIT. # This file is based on install/kubernetes/cilium/*values.yaml.tmpl. @@ -2898,7 +2898,7 @@ spec: clustermesh: # -- Deploy clustermesh-apiserver for clustermesh - useAPIServer: enabled + useAPIServer: true # -- The maximum number of clusters to support in a ClusterMesh. This value # cannot be changed on running clusters, and all clusters in a ClusterMesh # must be configured with the same value. Values > 255 will decrease the @@ -2946,7 +2946,7 @@ spec: # -- IPs of the cluster Clustermesh API server, use multiple ones when # you have multiple IPs to access the Clustermesh API server. ips: - - 172.18.255.202 + - 172.18.255.201 # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority. # These fields can (and should) be omitted in case the CA is shared across clusters. In that case, the # "remote" private key and certificate available in the local cluster are automatically used instead. @@ -2955,7 +2955,6 @@ spec: # key: "" # caCert: "" - apiserver: # -- Clustermesh API server image. image: From 821192b02abb0842e381aa0128d345078e15968f Mon Sep 17 00:00:00 2001 From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Tue, 26 Mar 2024 19:07:37 +1100 Subject: [PATCH 23/28] restore cluster-02 --- clusters/cluster-mgmt/kustomization.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/clusters/cluster-mgmt/kustomization.yaml b/clusters/cluster-mgmt/kustomization.yaml index 02893cd..0247d60 100644 --- a/clusters/cluster-mgmt/kustomization.yaml +++ b/clusters/cluster-mgmt/kustomization.yaml 
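Review bot: The `@@ -2946` hunk changes cluster-02's own clustermesh peer entry from `172.18.255.202` to `172.18.255.201`, the address the cluster-01 entry uses, so in cluster-02's values both peers now point at one apiserver. If `.201` is cluster-01's clustermesh-apiserver, the cluster-02 entry should keep its own address (or be removed from cluster-02's list, since a cluster does not need to peer with itself); if `.202` was simply unreachable, that is the thing to fix rather than the address. Both entries share `port: 2379`, so nothing else distinguishes them once the IPs match.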
@@ -3,3 +3,4 @@ kind: Kustomization resources: - platform.yaml - cluster-01 + - cluster-02 From 5c20037af239536473ccda5b55b2cecee3f3a172 Mon Sep 17 00:00:00 2001 From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Tue, 26 Mar 2024 19:09:47 +1100 Subject: [PATCH 24/28] enable SPIRE --- .../cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml | 2 +- .../cluster-mgmt/cluster-02/caaph-cni/caaph-hcp-v1.15.2.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml b/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml index f39e710..3280190 100644 --- a/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml +++ b/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml @@ -3385,7 +3385,7 @@ spec: # Settings for SPIRE spire: # -- Enable SPIRE integration (beta) - enabled: false + enabled: true # -- Annotations to be added to all top-level spire objects (resources under templates/spire) annotations: {} # Settings to control the SPIRE installation and configuration diff --git a/clusters/cluster-mgmt/cluster-02/caaph-cni/caaph-hcp-v1.15.2.yaml b/clusters/cluster-mgmt/cluster-02/caaph-cni/caaph-hcp-v1.15.2.yaml index 9f929a0..e0d31ee 100644 --- a/clusters/cluster-mgmt/cluster-02/caaph-cni/caaph-hcp-v1.15.2.yaml +++ b/clusters/cluster-mgmt/cluster-02/caaph-cni/caaph-hcp-v1.15.2.yaml @@ -3384,7 +3384,7 @@ spec: # Settings for SPIRE spire: # -- Enable SPIRE integration (beta) - enabled: false + enabled: true # -- Annotations to be added to all top-level spire objects (resources under templates/spire) annotations: {} # Settings to control the SPIRE installation and configuration From 99e8205f503625593ccc34a3dcf94e210733f475 Mon Sep 17 00:00:00 2001 
From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Tue, 9 Jul 2024 19:49:27 +1000 Subject: [PATCH 25/28] try caaph resource in its own namespace --- .../cluster-02/caaph-cni/caaph-hcp-v1.15.2.yaml | 1 + go/pkg/capi/capi.go | 6 +++++- go/pkg/deployer/deploy.go | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/clusters/cluster-mgmt/cluster-02/caaph-cni/caaph-hcp-v1.15.2.yaml b/clusters/cluster-mgmt/cluster-02/caaph-cni/caaph-hcp-v1.15.2.yaml index e0d31ee..3b0a544 100644 --- a/clusters/cluster-mgmt/cluster-02/caaph-cni/caaph-hcp-v1.15.2.yaml +++ b/clusters/cluster-mgmt/cluster-02/caaph-cni/caaph-hcp-v1.15.2.yaml @@ -2,6 +2,7 @@ apiVersion: addons.cluster.x-k8s.io/v1alpha1 kind: HelmChartProxy metadata: name: cilium-cluster-mesh + namespace: cluster-02 spec: clusterSelector: matchLabels: diff --git a/go/pkg/capi/capi.go b/go/pkg/capi/capi.go index c9882c8..2c8157f 100644 --- a/go/pkg/capi/capi.go +++ b/go/pkg/capi/capi.go @@ -153,7 +153,7 @@ func (c *ClusterAPI) WaitForWorkloadClusterFullyRunning(name string) error { // might still be in the process of becoming ready. Therefore, additional checks should be performed // after this function returns to ensure that all critical components of the cluster are functional. func (c *ClusterAPI) waitForCAPIClusterStateProvisioned(clusterName, namespace string) error { - timeout := 15 * time.Minute + timeout := 10 * time.Minute ctx, cancel := context.WithTimeout(context.Background(), timeout) defer cancel() @@ -173,6 +173,7 @@ func (c *ClusterAPI) waitForCAPIClusterStateProvisioned(clusterName, namespace s return nil } + c.log.Info("GGG waitForCAPIClusterStateProvisioned, sleep 30s...", "clusterName", clusterName) time.Sleep(30 * time.Second) } } 
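Review bot: The `GGG` prefix on the `c.log.Info` call added before `time.Sleep` in waitForCAPIClusterStateProvisioned reads as a temporary debugging marker that was committed; if the message is meant to stay, drop the tag and lower its verbosity so it is not emitted at Info on every 30s poll: `c.log.V(1).Info("cluster not yet provisioned, retrying in 30s", "clusterName", clusterName)`. The same commit shortens the provisioning timeout from 15 to 10 minutes without mentioning it in the message; a shorter budget turns slow-but-healthy provisioning into a hard error, so the reason belongs in a comment next to `timeout := 10 * time.Minute`. The function body continues outside the hunks.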
@@ -183,6 +184,7 @@ func (c *ClusterAPI) WaitForAllClustersProvisioning() error { if err != nil { return fmt.Errorf("failed to list all namespaces: %w", err) } + c.log.Info("GGG WaitForAllClustersProvisioning", "cluster context name", c.clusterAuth.ContextName) var wg sync.WaitGroup errors := make(chan error, len(namespaces)) @@ -190,6 +192,7 @@ func (c *ClusterAPI) WaitForAllClustersProvisioning() error { for _, ns := range namespaces { wg.Add(1) go func(namespace string) { + c.log.Info("GGG WaitForAllClustersProvisioning In Go routine", "namespace", namespace, "cluster context name", c.clusterAuth.ContextName) defer wg.Done() // TODO - need to rework the cluster/namespace relashionship later. // One namespace should allow more than 1 cluster @@ -206,6 +209,7 @@ func (c *ClusterAPI) WaitForAllClustersProvisioning() error { // Check for errors for err := range errors { if err != nil { + c.log.Info("GGG WaitForAllClustersProvisioning", "err", err) return err // Return on the first error encountered } } diff --git a/go/pkg/deployer/deploy.go b/go/pkg/deployer/deploy.go index d65179b..4adb7d0 100644 --- a/go/pkg/deployer/deploy.go +++ b/go/pkg/deployer/deploy.go @@ -127,6 +127,7 @@ func Deploy(log logr.Logger, cfg *config.Config) error { return fmt.Errorf("error creating FluxCD secret: %v", err) } + log.Info("Flux Secret provisioned, start checking the clusters") if err := mgmtCAPI.WaitForAllClustersProvisioning(); err != nil { fmt.Printf("Error waiting for clusters to be provisioned: %s\n", err) } From efd7f646b5b7ea061abaa633d3de877f032cd198 Mon Sep 17 00:00:00 2001 From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Tue, 9 Jul 2024 20:12:11 +1000 Subject: [PATCH 26/28] fix flux kustomization names to avoid clash --- .../cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml | 3 ++- clusters/cluster-mgmt/cluster-01/platform.yaml | 2 +- clusters/cluster-mgmt/cluster-02/platform.yaml | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) 
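Review bot: The added `c.log.Info("GGG WaitForAllClustersProvisioning", "err", err)` in the error-collection loop logs an error at Info level and then returns it, so the caller reports it a second time; since the value is returned, the line should go (logr's `c.log.Error(err, "...")` is the right call only if this layer is the one handling it). The other `GGG` lines in this file and the new "Flux Secret provisioned" message in deploy.go look like the same temporary instrumentation. In deploy.go the error from `WaitForAllClustersProvisioning` is still only printed with `fmt.Printf` (pre-existing), so the phase the new log line announces cannot fail the deploy; returning it would make the check meaningful. Both functions start and end outside the hunks.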
diff --git a/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml b/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml index 3280190..62b5660 100644 --- a/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml +++ b/clusters/cluster-mgmt/cluster-01/caaph-cni/caaph-hcp-v1.15.2.yaml @@ -1,7 +1,8 @@ apiVersion: addons.cluster.x-k8s.io/v1alpha1 kind: HelmChartProxy metadata: - name: cilium-cluster-mesh # for now mesh is not enabled, but it is WIP + name: cilium-cluster-mesh + namespace: cluster-01 spec: clusterSelector: matchLabels: diff --git a/clusters/cluster-mgmt/cluster-01/platform.yaml b/clusters/cluster-mgmt/cluster-01/platform.yaml index 8a8ec2a..3ebe08d 100644 --- a/clusters/cluster-mgmt/cluster-01/platform.yaml +++ b/clusters/cluster-mgmt/cluster-01/platform.yaml @@ -19,7 +19,7 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: caaph-cni + name: caaph-cni-01 namespace: flux-system spec: interval: 1m diff --git a/clusters/cluster-mgmt/cluster-02/platform.yaml b/clusters/cluster-mgmt/cluster-02/platform.yaml index 1fbdb35..2cfae72 100644 --- a/clusters/cluster-mgmt/cluster-02/platform.yaml +++ b/clusters/cluster-mgmt/cluster-02/platform.yaml @@ -19,7 +19,7 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: caaph-cni + name: caaph-cni-02 namespace: flux-system spec: interval: 1m From a7f47641ef8d3b6ea4f5167c2bea491dfa066a4e Mon Sep 17 00:00:00 2001 From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sat, 28 Sep 2024 16:55:46 +1000 Subject: [PATCH 27/28] update to latest k8s version --- go/config.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/go/config.yaml b/go/config.yaml index df6f9eb..d294992 100644 --- a/go/config.yaml +++ b/go/config.yaml 
@@ -1,7 +1,7 @@ clusters: - name: "cluster-mgmt" provider: "aws" - kubernetesVersion: "1.28.5" + kubernetesVersion: "1.31.1" podCIDR: "192.168.0.0/20" managementCluster: "" flux: @@ -16,7 +16,7 @@ clusters: - name: "cluster-01" provider: "aws" - kubernetesVersion: "1.28.5" + kubernetesVersion: "1.31.1" podCIDR: "192.168.16.0/20" managementCluster: "cluster-mgmt" flux: @@ -31,7 +31,7 @@ clusters: - name: "cluster-02" provider: "aws" - kubernetesVersion: "1.28.5" + kubernetesVersion: "1.31.1" podCIDR: "192.168.48.0/20" managementCluster: "cluster-mgmt" flux: @@ -53,11 +53,11 @@ github: # Can be overwritten with K8S_MULTI_KUBECONFIG env variable kubeconfigPath: "$HOME/.kube/config" - # podCIDR ranges # 192.168.0.0/20 - cluster-mgmt # 192.168.16.0/20 - cluster-01 # 192.168.32.0/20 - cluster-02 # 192.168.48.0/20 # 192.168.64.0/20 -# 192.168.80.0/20 \ No newline at end of file +# 192.168.80.0/20 + From d3aa48c6de95d5b80da16eef01864cdfa6b1447e Mon Sep 17 00:00:00 2001 From: Olga Mirensky <5200844+olga-mir@users.noreply.github.com> Date: Sat, 28 Sep 2024 17:04:59 +1000 Subject: [PATCH 28/28] update go dependencies --- go/go.mod | 159 ++++++----- go/go.sum | 817 +++++++++++++++--------------------------------------- 2 files changed, 316 insertions(+), 660 deletions(-) diff --git a/go/go.mod b/go/go.mod index de29c9d..9768d3e 100644 --- a/go/go.mod +++ b/go/go.mod 
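Review bot: The podCIDR legend rewritten at the bottom of the file disagrees with the values above it: it assigns `192.168.32.0/20` to cluster-02 and leaves `192.168.48.0/20` unlabelled, while cluster-02's entry in the third hunk sets `podCIDR: "192.168.48.0/20"`. Either the comment or the value is stale, and since the pod CIDR is what both CAPI and the CNI are fed, the legend is what the next person will copy when adding a cluster; correct it in this commit, e.g. `# 192.168.32.0/20` and `# 192.168.48.0/20 - cluster-02`. The jump from `1.28.5` to `1.31.1` spans three minor releases, which is fine for clusters created fresh but is not a supported in-place kubeadm/CAPI upgrade path for existing clusters; a sentence in the commit message saying which case is intended would avoid that surprise.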
@@ -1,120 +1,139 @@ module github.com/olga-mir/k8s-multi-cluster/go -go 1.21.5 +go 1.22.0 + +toolchain go1.23.1 replace github.com/olga-mir/k8s-multi-cluster/go => ../ require ( - github.com/fluxcd/kustomize-controller/api v1.2.1 - github.com/fluxcd/pkg/apis/meta v1.2.0 - github.com/fluxcd/source-controller/api v1.2.3 - github.com/go-logr/logr v1.3.0 - github.com/spf13/cobra v1.8.0 - github.com/spf13/viper v1.17.0 - k8s.io/api v0.29.0 - k8s.io/apiextensions-apiserver v0.28.4 - k8s.io/apimachinery v0.29.0 - k8s.io/client-go v0.29.0 - sigs.k8s.io/cluster-api v1.6.0 - sigs.k8s.io/controller-runtime v0.16.3 + github.com/fluxcd/kustomize-controller/api v1.4.0 + github.com/fluxcd/pkg/apis/meta v1.6.1 + github.com/fluxcd/source-controller/api v1.4.1 + github.com/go-logr/logr v1.4.2 + github.com/spf13/cobra v1.8.1 + github.com/spf13/viper v1.19.0 + k8s.io/api v0.31.1 + k8s.io/apiextensions-apiserver v0.31.1 + k8s.io/apimachinery v0.31.1 + k8s.io/client-go v0.31.1 + sigs.k8s.io/cluster-api v1.8.3 + sigs.k8s.io/controller-runtime v0.19.0 ) require ( + dario.cat/mergo v1.0.1 // indirect github.com/MakeNowJust/heredoc v1.0.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect - github.com/Masterminds/semver/v3 v3.2.0 // indirect - github.com/Masterminds/sprig/v3 v3.2.3 // indirect - github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect - github.com/adrg/xdg v0.4.0 // indirect - github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect - github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect + github.com/Masterminds/semver/v3 v3.3.0 // indirect + github.com/Masterminds/sprig/v3 v3.3.0 // indirect + github.com/ProtonMail/go-crypto v1.0.0 // indirect + github.com/adrg/xdg v0.5.0 // indirect + github.com/antlr4-go/antlr/v4 v4.13.1 // indirect + github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/beorn7/perks v1.0.1 // indirect 
github.com/blang/semver/v4 v4.0.0 // indirect - github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/cloudflare/circl v1.3.7 // indirect + github.com/cenkalti/backoff/v4 v4.3.0 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/cloudflare/circl v1.4.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect - github.com/distribution/reference v0.5.0 // indirect + github.com/distribution/reference v0.6.0 // indirect github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46 // indirect - github.com/emicklei/go-restful/v3 v3.11.0 // indirect - github.com/evanphx/json-patch v5.6.0+incompatible // indirect - github.com/evanphx/json-patch/v5 v5.7.0 // indirect - github.com/fluxcd/pkg/apis/acl v0.1.0 // indirect - github.com/fluxcd/pkg/apis/kustomize v1.2.0 // indirect - github.com/fsnotify/fsnotify v1.6.0 // indirect - github.com/go-logr/zapr v1.2.4 // indirect - github.com/go-openapi/jsonpointer v0.19.6 // indirect - github.com/go-openapi/jsonreference v0.20.2 // indirect - github.com/go-openapi/swag v0.22.3 // indirect - github.com/gobuffalo/flect v1.0.2 // indirect + github.com/emicklei/go-restful/v3 v3.12.1 // indirect + github.com/evanphx/json-patch v5.9.0+incompatible // indirect + github.com/evanphx/json-patch/v5 v5.9.0 // indirect + github.com/felixge/httpsnoop v1.0.4 // indirect + github.com/fluxcd/pkg/apis/acl v0.3.0 // indirect + github.com/fluxcd/pkg/apis/kustomize v1.6.1 // indirect + github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect + github.com/go-logr/stdr v1.2.2 // indirect + github.com/go-logr/zapr v1.3.0 // indirect + github.com/go-openapi/jsonpointer v0.21.0 // indirect + github.com/go-openapi/jsonreference v0.21.0 // indirect + github.com/go-openapi/swag v0.23.0 // indirect + github.com/gobuffalo/flect v1.0.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // 
indirect - github.com/golang/protobuf v1.5.3 // indirect - github.com/google/cel-go v0.16.1 // indirect + github.com/golang/protobuf v1.5.4 // indirect + github.com/google/cel-go v0.21.0 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/go-github/v53 v53.2.0 // indirect github.com/google/go-querystring v1.1.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/uuid v1.3.1 // indirect + github.com/google/uuid v1.6.0 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect github.com/hashicorp/hcl v1.0.0 // indirect - github.com/huandu/xstrings v1.3.3 // indirect - github.com/imdario/mergo v0.3.13 // indirect + github.com/huandu/xstrings v1.5.0 // indirect + github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect + github.com/klauspost/compress v1.17.10 // indirect github.com/magiconair/properties v1.8.7 // indirect github.com/mailru/easyjson v0.7.7 // indirect - github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect - github.com/onsi/gomega v1.30.0 // indirect + github.com/onsi/gomega v1.34.2 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/pelletier/go-toml/v2 v2.1.0 // indirect + github.com/pelletier/go-toml/v2 v2.2.3 // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/prometheus/client_golang v1.17.0 // indirect - github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 // indirect 
- github.com/prometheus/common v0.44.0 // indirect - github.com/prometheus/procfs v0.11.1 // indirect - github.com/sagikazarmark/locafero v0.3.0 // indirect + github.com/prometheus/client_golang v1.20.4 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.59.1 // indirect + github.com/prometheus/procfs v0.15.1 // indirect + github.com/sagikazarmark/locafero v0.6.0 // indirect github.com/sagikazarmark/slog-shim v0.1.0 // indirect - github.com/shopspring/decimal v1.3.1 // indirect + github.com/shopspring/decimal v1.4.0 // indirect github.com/sourcegraph/conc v0.3.0 // indirect - github.com/spf13/afero v1.10.0 // indirect - github.com/spf13/cast v1.5.1 // indirect + github.com/spf13/afero v1.11.0 // indirect + github.com/spf13/cast v1.7.0 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/stoewer/go-strcase v1.2.0 // indirect + github.com/stoewer/go-strcase v1.3.0 // indirect github.com/subosito/gotenv v1.6.0 // indirect github.com/valyala/fastjson v1.6.4 // indirect + github.com/x448/float16 v0.8.4 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 // indirect + go.opentelemetry.io/otel v1.30.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.30.0 // indirect + go.opentelemetry.io/otel/metric v1.30.0 // indirect + go.opentelemetry.io/otel/sdk v1.30.0 // indirect + go.opentelemetry.io/otel/trace v1.30.0 // indirect + go.opentelemetry.io/proto/otlp v1.3.1 // indirect go.uber.org/multierr v1.11.0 // indirect - go.uber.org/zap v1.25.0 // indirect - golang.org/x/crypto v0.17.0 // indirect - golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect - golang.org/x/net v0.19.0 // indirect - golang.org/x/oauth2 v0.14.0 // indirect - golang.org/x/sync v0.4.0 // indirect - golang.org/x/sys v0.15.0 // indirect - golang.org/x/term v0.15.0 // indirect - golang.org/x/text 
v0.14.0 // indirect - golang.org/x/time v0.3.0 // indirect + go.uber.org/zap v1.27.0 // indirect + golang.org/x/crypto v0.27.0 // indirect + golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect + golang.org/x/net v0.29.0 // indirect + golang.org/x/oauth2 v0.23.0 // indirect + golang.org/x/sync v0.8.0 // indirect + golang.org/x/sys v0.25.0 // indirect + golang.org/x/term v0.24.0 // indirect + golang.org/x/text v0.18.0 // indirect + golang.org/x/time v0.6.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20230913181813-007df8e322eb // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13 // indirect - google.golang.org/protobuf v1.33.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 // indirect + google.golang.org/grpc v1.67.0 // indirect + google.golang.org/protobuf v1.34.2 // indirect + gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiserver v0.28.4 // indirect - k8s.io/cluster-bootstrap v0.28.4 // indirect - k8s.io/component-base v0.28.4 // indirect - k8s.io/klog/v2 v2.110.1 // indirect - k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect - k8s.io/utils v0.0.0-20231127182322-b307cd553661 // indirect + k8s.io/apiserver v0.31.1 // indirect + k8s.io/cluster-bootstrap v0.31.1 // indirect + k8s.io/component-base v0.31.1 // indirect + k8s.io/klog/v2 v2.130.1 // indirect + k8s.io/kube-openapi v0.0.0-20240903163716-9e1beecbcb38 // indirect + k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect sigs.k8s.io/json 
v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.4.0 // indirect diff --git a/go/go.sum b/go/go.sum index 4a6021f..1bf917e 100644 --- a/go/go.sum +++ b/go/go.sum 
@@ -1,186 +1,104 @@ -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= -cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= -cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= -cloud.google.com/go v0.44.3/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= -cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= -cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= -cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= -cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= -cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= -cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= -cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= -cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= -cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= -cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= -cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= -cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= -cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY= -cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= -cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= -cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= -cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= 
-cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= -cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= -cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= -cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= -cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= -cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= -cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= -cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= -cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= -cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= -cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= -cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= -cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo= -dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= +dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= github.com/Masterminds/goutils v1.1.1 
h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= -github.com/Masterminds/semver/v3 v3.2.0 h1:3MEsd0SM6jqZojhjLWWeBY+Kcjy9i6MQAeY7YgDP83g= -github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= -github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA= -github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM= -github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 h1:wPbRQzjjwFc0ih8puEVAOFGELsn1zoIIYdxvML7mDxA= -github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g= -github.com/adrg/xdg v0.4.0 h1:RzRqFcjH4nE5C6oTAxhBtoE2IRyjBSa62SCbyPidvls= -github.com/adrg/xdg v0.4.0/go.mod h1:N6ag73EX4wyxeaoeHctc1mas01KZgsj5tYiAIwqJE/E= -github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18= -github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= -github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA= -github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= -github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= -github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A= -github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= +github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0= +github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= +github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs= +github.com/Masterminds/sprig/v3 
v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0= +github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0kC2U78= +github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= +github.com/adrg/xdg v0.5.0 h1:dDaZvhMXatArP1NPHhnfaQUqWBLBsmx1h1HXQdMoFCY= +github.com/adrg/xdg v0.5.0/go.mod h1:dDdY4M4DF9Rjy4kHPeNL+ilVF+p2lK8IdM9/rTSGcI4= +github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= +github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= -github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= -github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= -github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= -github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= -github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/cloudflare/circl 
v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I= -github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU= -github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA= -github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/coredns/caddy v1.1.0 h1:ezvsPrT/tA/7pYDBZxu0cT0VmWk75AfIaf6GSYCNMf0= -github.com/coredns/caddy v1.1.0/go.mod h1:A6ntJQlAWuQfFlsd9hvigKbo2WS0VUs2l1e2F+BawD4= -github.com/coredns/corefile-migration v1.0.21 h1:W/DCETrHDiFo0Wj03EyMkaQ9fwsmSgqTCQDHpceaSsE= -github.com/coredns/corefile-migration v1.0.21/go.mod h1:XnhgULOEouimnzgn0t4WPuFDN2/PJQcTxdWKC5eXNGE= -github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= +github.com/cloudflare/circl v1.4.0 h1:BV7h5MgrktNzytKmWjpOtdYrf0lkkbF8YMlBGPhJQrY= +github.com/cloudflare/circl v1.4.0/go.mod h1:PDRU+oXvdD7KCtgKxW95M5Z8BpSCJXQORiZFnBQS5QU= +github.com/coredns/caddy v1.1.1 h1:2eYKZT7i6yxIfGP3qLJoJ7HAsDJqYB+X68g4NYjSrE0= +github.com/coredns/caddy v1.1.1/go.mod 
h1:A6ntJQlAWuQfFlsd9hvigKbo2WS0VUs2l1e2F+BawD4= +github.com/coredns/corefile-migration v1.0.23 h1:Fp4FETmk8sT/IRgnKX2xstC2dL7+QdcU+BL5AYIN3Jw= +github.com/coredns/corefile-migration v1.0.23/go.mod h1:8HyMhuyzx9RLZp8cRc9Uf3ECpEAafHOFxQWUPqktMQI= +github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4= +github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= +github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU= +github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= +github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0= -github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= +github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= +github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46 h1:7QPwrLT79GlD5sizHf27aoY2RTvw62mO6x7mxkScNk0= github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46/go.mod h1:esf2rsHFNlZlxsqsZDojNBcnNs5REqIvRrWRHqX0vEU= -github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= -github.com/emicklei/go-restful/v3 v3.11.0/go.mod 
h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= -github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= -github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch/v5 v5.7.0 h1:nJqP7uwL84RJInrohHfW0Fx3awjbm8qZeFv0nW9SYGc= -github.com/evanphx/json-patch/v5 v5.7.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= -github.com/fluxcd/kustomize-controller/api v1.2.1 h1:+WgQOU7jpqz9bA4djPWmaeYAp9cG7c/TdcIYku3Jrzk= -github.com/fluxcd/kustomize-controller/api v1.2.1/go.mod h1:0Kgc4uYnr5jCm4H8JwArkR0v4WTmXeX/9KgoDbxluVc= -github.com/fluxcd/pkg/apis/acl v0.1.0 h1:EoAl377hDQYL3WqanWCdifauXqXbMyFuK82NnX6pH4Q= -github.com/fluxcd/pkg/apis/acl v0.1.0/go.mod h1:zfEZzz169Oap034EsDhmCAGgnWlcWmIObZjYMusoXS8= -github.com/fluxcd/pkg/apis/kustomize v1.2.0 h1:vkVs+OumxaWso0jNCqdgFFfMHdh+qtZhykTkjl7OgmA= -github.com/fluxcd/pkg/apis/kustomize v1.2.0/go.mod h1:VF7tR/WuVFeum+HaMTHwp+eCtsHiiQlY6ihgqtAnW/M= -github.com/fluxcd/pkg/apis/meta v1.2.0 h1:O766PzGAdMdQKybSflGL8oV0+GgCNIkdsxfalRyzeO8= -github.com/fluxcd/pkg/apis/meta v1.2.0/go.mod h1:fU/Az9AoVyIxC0oI4ihG0NVMNnvrcCzdEym3wxjIQsc= -github.com/fluxcd/source-controller/api v1.2.3 h1:71mXv3Qg9HEhcpqOq1ObmoE+P/HuZNaAvxfI7dqZMo8= 
-github.com/fluxcd/source-controller/api v1.2.3/go.mod h1:5gaIVVH7hgb8p3HKFp8P6hGmZEC8fKSt4EcrG3g5vZI= -github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY= -github.com/frankban/quicktest v1.14.4/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= -github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= -github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= -github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= -github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= -github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= -github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= -github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= -github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= -github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= -github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= -github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod 
h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= -github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA= -github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs= +github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU= +github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= +github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= +github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/fluxcd/kustomize-controller/api v1.4.0 h1:QReBAuNAlrAez4aLkbYjVlWDCIZABFsKPgRa9W05VCQ= +github.com/fluxcd/kustomize-controller/api v1.4.0/go.mod h1:z1SD5EJS+vbGmF6B17x8aJfT5nnzGVEQ+3WGquOmhwA= +github.com/fluxcd/pkg/apis/acl v0.3.0 h1:UOrKkBTOJK+OlZX7n8rWt2rdBmDCoTK+f5TY2LcZi8A= +github.com/fluxcd/pkg/apis/acl v0.3.0/go.mod h1:WVF9XjSMVBZuU+HTTiSebGAWMgM7IYexFLyVWbK9bNY= +github.com/fluxcd/pkg/apis/kustomize v1.6.1 h1:22FJc69Mq4i8aCxnKPlddHhSMyI4UPkQkqiAdWFcqe0= +github.com/fluxcd/pkg/apis/kustomize v1.6.1/go.mod h1:5dvQ4IZwz0hMGmuj8tTWGtarsuxW0rWsxJOwC6i+0V8= +github.com/fluxcd/pkg/apis/meta v1.6.1 h1:maLhcRJ3P/70ArLCY/LF/YovkxXbX+6sTWZwZQBeNq0= +github.com/fluxcd/pkg/apis/meta v1.6.1/go.mod h1:YndB/gxgGZmKfqpAfFxyCDNFJFP0ikpeJzs66jwq280= +github.com/fluxcd/source-controller/api v1.4.1 h1:zV01D7xzHOXWbYXr36lXHWWYS7POARsjLt61Nbh3kVY= +github.com/fluxcd/source-controller/api v1.4.1/go.mod h1:gSjg57T+IG66SsBR0aquv+DFrm4YyBNpKIJVDnu3Ya8= +github.com/frankban/quicktest v1.14.6 
h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= +github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= +github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= +github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= +github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= +github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= +github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= +github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= +github.com/gobuffalo/flect v1.0.3 h1:xeWBM2nui+qnVvNM4S3foBhCAL2XgPU+a7FdpelbTq4= +github.com/gobuffalo/flect v1.0.3/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs= 
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= -github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.5/go.mod 
h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= -github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/cel-go v0.16.1 h1:3hZfSNiAU3KOiNtxuFXVp5WFy4hf/Ly3Sa4/7F8SXNo= -github.com/google/cel-go v0.16.1/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/cel-go v0.21.0 h1:cl6uW/gxN+Hy50tNYvI691+sXxioCnstFzLp2WO4GCI= +github.com/google/cel-go v0.21.0/go.mod h1:rHUlWCcBKgyEk+eV03RPdZUekPp6YcJwV0FxuUksYxc= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod 
h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 
@@ -191,71 +109,44 @@ github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod 
h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= -github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= -github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= -github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= -github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 h1:5iH8iuqE5apketRbSFBy+X1V0o+l+8NF1avt4HWl7cA= +github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/huandu/xstrings v1.3.3 
h1:/Gcsuc1x8JVbJ9/rlye4xZnVAbEkGauT8lbebqcQws4= -github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= -github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= -github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= -github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= +github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= +github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= +github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= +github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= -github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/kr/fs v0.1.0/go.mod 
h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/klauspost/compress v1.17.10 h1:oXAz+Vh0PMUvJczoi+flxpnBEPxoER1IaAnU/NMPtT0= +github.com/klauspost/compress v1.17.10/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= -github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= -github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= 
github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -265,479 +156,225 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.13.1 h1:LNGfMbR2OVGBfXjvRZIZ2YCTQdGKtPLvuI1rMCCj3OU= -github.com/onsi/ginkgo/v2 v2.13.1/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM= -github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= -github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/onsi/ginkgo/v2 v2.20.1 h1:YlVIbqct+ZmnEph770q9Q7NVAz4wwIiVNahee6JyUzo= +github.com/onsi/ginkgo/v2 v2.20.1/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI= +github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8= +github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/pelletier/go-toml/v2 v2.1.0 h1:FnwAJ4oYMvbT/34k9zzHuZNrhlz48GB3/s6at6/MHO4= -github.com/pelletier/go-toml/v2 v2.1.0/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc= -github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M= +github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg= 
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q= -github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY= -github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 h1:v7DLqVdK4VrYkVD5diGdl4sxJurKJEMnODWRJlxV9oM= -github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= -github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY= -github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= -github.com/prometheus/procfs v0.11.1 h1:xRC8Iq1yyca5ypa9n1EZnWZkt7dwcoRPQwX/5gwaUuI= -github.com/prometheus/procfs v0.11.1/go.mod h1:eesXgaPo1q7lBpVMoMy0ZOFTth9hBn4W/y0/p/ScXhY= -github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= -github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= +github.com/prometheus/client_golang v1.20.4 h1:Tgh3Yr67PaOv/uTqloMsCEdeuFTatm5zIq5+qNN23vI= +github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.59.1 
h1:LXb1quJHWm1P6wq/U824uxYi4Sg0oGvNeUm1z5dJoX0= +github.com/prometheus/common v0.59.1/go.mod h1:GpWM7dewqmVYcd7SmRaiWVe9SSqjf0UrwnYnpEZNuT0= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/sagikazarmark/locafero v0.3.0 h1:zT7VEGWC2DTflmccN/5T1etyKvxSxpHsjb9cJvm4SvQ= -github.com/sagikazarmark/locafero v0.3.0/go.mod h1:w+v7UsPNFwzF1cHuOajOOzoq4U7v/ig1mpRjqV+Bu1U= +github.com/sagikazarmark/locafero v0.6.0 h1:ON7AQg37yzcRPU69mt7gwhFEBwxI6P9T4Qu3N51bwOk= +github.com/sagikazarmark/locafero v0.6.0/go.mod h1:77OmuIc6VTraTXKXIs/uvUxKGUXjE1GbemJYHqdNjX0= github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE= github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ= -github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= -github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8= -github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= +github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= +github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo= github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0= -github.com/spf13/afero v1.10.0 h1:EaGW2JJh15aKOejeuJ+wpFSHnbd7GE6Wvp3TsNhb6LY= -github.com/spf13/afero v1.10.0/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ= -github.com/spf13/cast v1.3.1/go.mod 
h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.5.1 h1:R+kOtfhWQE6TVQzY+4D7wJLBgkdVasCEFxSUBYBYIlA= -github.com/spf13/cast v1.5.1/go.mod h1:b9PdjNptOpzXr7Rq1q9gJML/2cdGQAo69NKzQ10KN48= -github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= -github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= +github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= +github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= +github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= +github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/viper v1.17.0 h1:I5txKw7MJasPL/BrfkbA0Jyo/oELqVmux4pR/UxOMfI= -github.com/spf13/viper v1.17.0/go.mod h1:BmMMMLQXSbcHK6KAOiFLz0l5JHrU89OdIRHvsk0+yVI= -github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU= -github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= +github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI= +github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg= +github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= +github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= 
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ= github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY= -github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.3.5/go.mod 
h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= -go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= -go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= -go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= -go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= -go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= -go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= +go.etcd.io/etcd/api/v3 v3.5.15 h1:3KpLJir1ZEBrYuV2v+Twaa/e2MdDCEZ/70H+lzEiwsk= +go.etcd.io/etcd/api/v3 v3.5.15/go.mod h1:N9EhGzXq58WuMllgH9ZvnEr7SI9pS0k0+DHZezGp7jM= +go.etcd.io/etcd/client/pkg/v3 v3.5.15 h1:fo0HpWz/KlHGMCC+YejpiCmyWDEuIpnTDzpJLB5fWlA= +go.etcd.io/etcd/client/pkg/v3 v3.5.15/go.mod h1:mXDI4NAOwEiszrHCb0aqfAYNCrZP4e9hRca3d1YK8EU= +go.etcd.io/etcd/client/v3 v3.5.15 h1:23M0eY4Fd/inNv1ZfU3AxrbbOdW79r9V9Rl62Nm6ip4= +go.etcd.io/etcd/client/v3 v3.5.15/go.mod h1:CLSJxrYjvLtHsrPKsy7LmZEE+DK2ktfd2bN4RhBMwlU= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 h1:ZIg3ZT/aQ7AfKqdwp7ECpOK6vHqquXXuyTjIO8ZdmPs= 
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0/go.mod h1:DQAwmETtZV00skUwgD6+0U89g80NKsJE3DCKeLLPQMI= +go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= +go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0 h1:lsInsfvhVIfOI6qHVyysXMNDnjO9Npvl7tlDPJFBVd4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0/go.mod h1:KQsVNh4OjgjTG0G6EiNi1jVpnaeeKsKMRwbLN+f1+8M= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.30.0 h1:m0yTiGDLUvVYaTFbAvCkVYIYcvwKt3G7OLoN77NUs/8= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.30.0/go.mod h1:wBQbT4UekBfegL2nx0Xk1vBcnzyBPsIVm9hRG4fYcr4= +go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= +go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= +go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE= +go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg= +go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= +go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= +go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= +go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= -go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c= -go.uber.org/zap v1.25.0/go.mod 
h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= -golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= -golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= -golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= -golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp 
v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= -golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g= -golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k= -golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= -golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= -golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= -golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod 
h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= -golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= -golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= -golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= -golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= +golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= +golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= +golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= +golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk= +golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net 
v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod 
h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= -golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0= -golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= +golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= +golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= +golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= -golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= -golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys 
v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= -golang.org/x/sys v0.15.0/go.mod 
h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= -golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= -golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= +golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= +golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= 
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= -golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= +golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U= +golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= -golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools 
v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= -golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= -golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools 
v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= -golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc= -golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.25.0 h1:oFU9pkj/iJgs+0DT+VMHrx+oBKs/LJMV+Uvg78sl+fE= +golang.org/x/tools v0.25.0/go.mod h1:/vtpO8WL1N9cQC3FN5zPqb//fRXskFHbLKk4OW1Q7rg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= -google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= -google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.9.0/go.mod 
h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= -google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= -google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= -google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= -google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= -google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= -google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= -google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= -google.golang.org/appengine 
v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= -google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= -google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto 
v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= -google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= -google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 
-google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto/googleapis/api v0.0.0-20230913181813-007df8e322eb h1:lK0oleSc7IQsUxO3U5TjL9DWlsxpEBemh+zpB7IqhWI= -google.golang.org/genproto/googleapis/api v0.0.0-20230913181813-007df8e322eb/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13 h1:N3bU/SQDCDyD6R528GJ/PwW9KjYcJA3dgyH+MovAkIM= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:KSqppvjFjtoCI+KGd4PELB0qLNxdJHRGqRI09mB6pQA= -google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= -google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= -google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= -google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= -google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.1/go.mod 
h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= -google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= -google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= -google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= -google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= -google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 h1:pAjq8XSSzXoP9ya73v/w+9QEAAJNluLrpmMq5qFJQNY= +google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:O6rP0uBq4k0mdi/b4ZEMAZjkhYWhS815kCvaMha4VN8= 
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:N9BgCIAUvn/M+p4NJccWPWb3BWh88+zyL0ll9HgbEeM=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw=
+google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
+gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A=
-k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA=
-k8s.io/apiextensions-apiserver v0.28.4 h1:AZpKY/7wQ8n+ZYDtNHbAJBb+N4AXXJvyZx6ww6yAJvU=
-k8s.io/apiextensions-apiserver v0.28.4/go.mod h1:pgQIZ1U8eJSMQcENew/0ShUTlePcSGFq6dxSxf2mwPM=
-k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o=
-k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis=
-k8s.io/apiserver v0.28.4 h1:BJXlaQbAU/RXYX2lRz+E1oPe3G3TKlozMMCZWu5GMgg=
-k8s.io/apiserver v0.28.4/go.mod h1:Idq71oXugKZoVGUUL2wgBCTHbUR+FYTWa4rq9j4n23w=
-k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8=
-k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38=
-k8s.io/cluster-bootstrap v0.28.4 h1:4MKNy1Qd9QY7pl47rSMGIORF+tm3CUaqC1M8U9bjn4Q=
-k8s.io/cluster-bootstrap v0.28.4/go.mod h1:/c4ro/R4yf4EtJgFgFtvnHkbDOHwubeKJXh5R1c89Bc=
-k8s.io/component-base v0.28.4 h1:c/iQLWPdUgI90O+T9TeECg8o7N3YJTiuz2sKxILYcYo=
-k8s.io/component-base v0.28.4/go.mod h1:m9hR0uvqXDybiGL2nf/3Lf0MerAfQXzkfWhUY58JUbU=
-k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
-k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
-k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
-k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
-k8s.io/utils v0.0.0-20231127182322-b307cd553661 h1:FepOBzJ0GXm8t0su67ln2wAZjbQ6RxQGZDnzuLcrUTI=
-k8s.io/utils v0.0.0-20231127182322-b307cd553661/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
-rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
-rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/cluster-api v1.6.0 h1:2bhVSnUbtWI8taCjd9lGiHExsRUpKf7Z1fXqi/IwYx4=
-sigs.k8s.io/cluster-api v1.6.0/go.mod h1:LB7u/WxiWj4/bbpHNOa1oQ8nq0MQ5iYlD0pGfRSBGLI=
-sigs.k8s.io/controller-runtime v0.16.3 h1:2TuvuokmfXvDUamSx1SuAOO3eTyye+47mJCigwG62c4=
-sigs.k8s.io/controller-runtime v0.16.3/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0=
+k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU=
+k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI=
+k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40=
+k8s.io/apiextensions-apiserver v0.31.1/go.mod h1:tWMPR3sgW+jsl2xm9v7lAyRF1rYEK71i9G5dRtkknoQ=
+k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U=
+k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
+k8s.io/apiserver v0.31.1 h1:Sars5ejQDCRBY5f7R3QFHdqN3s61nhkpaX8/k1iEw1c=
+k8s.io/apiserver v0.31.1/go.mod h1:lzDhpeToamVZJmmFlaLwdYZwd7zB+WYRYIboqA1kGxM=
+k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0=
+k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg=
+k8s.io/cluster-bootstrap v0.31.1 h1:lS5aJi2r6WEKnjO5UhbYsz8e3xmEfoF4Hiob/gnB/Nk=
+k8s.io/cluster-bootstrap v0.31.1/go.mod h1:dxroRr4eQ0ekxis/kzGa1qODprQXAxQZrgDLfTk8Pug=
+k8s.io/component-base v0.31.1 h1:UpOepcrX3rQ3ab5NB6g5iP0tvsgJWzxTyAo20sgYSy8=
+k8s.io/component-base v0.31.1/go.mod h1:WGeaw7t/kTsqpVTaCoVEtillbqAhF2/JgvO0LDOMa0w=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kube-openapi v0.0.0-20240903163716-9e1beecbcb38 h1:1dWzkmJrrprYvjGwh9kEUxmcUV/CtNU8QM7h1FLWQOo=
+k8s.io/kube-openapi v0.0.0-20240903163716-9e1beecbcb38/go.mod h1:coRQXBK9NxO98XUv3ZD6AK3xzHCxV6+b7lrquKwaKzA=
+k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 h1:MDF6h2H/h4tbzmtIKTuctcwZmY0tY9mD9fNT47QO6HI=
+k8s.io/utils v0.0.0-20240921022957-49e7df575cb6/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
+sigs.k8s.io/cluster-api v1.8.3 h1:N6i25rF5QMadwVg2UPfuO6CzmNXjqnF2r1MAO+kcsro=
+sigs.k8s.io/cluster-api v1.8.3/go.mod h1:pXv5LqLxuIbhGIXykyNKiJh+KrLweSBajVHHitPLyoY=
+sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q=
+sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
