diff --git a/class/defaults.yml b/class/defaults.yml index 9ad2c6805..7df43e201 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -132,7 +132,7 @@ parameters: charts: cilium: source: https://helm.cilium.io - version: "1.16.4" + version: "1.17.4" cilium-enterprise: source: "" # Configure the Chart repository URL in your global defaults version: "1.16.4" diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index 7d7504428..30d18377c 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -93,6 +93,8 @@ spec: httpHeaders: - name: brief value: 'true' + - name: require-k8s-connectivity + value: 'false' path: /healthz port: 9879 scheme: HTTP @@ -178,6 +180,9 @@ spec: name: bpf-maps - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh @@ -206,7 +211,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError 
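Review bot: Every container image in this DaemonSet hunk now reads `image: quay.io/cilium/cilium:v1.17.4@%!s()`, and `%!s()` is a Go printf error marker rather than a sha256 digest, so the rendered manifest is not a deployable one and the by-digest pinning the 1.16.4 render had is silently lost. This looks like the chart's `useDigest` path being taken while no digest value is set for 1.17.4 in the component's values, but that is inferred from the output, not visible in the diff. The fix belongs in the component, not the golden file: supply the real sha256 digests for the 1.17.4 `cilium`, `operator-generic` and `hubble-relay` images (or explicitly set the chart's `useDigest` to false and accept tag-only pinning) and re-render; the same broken reference recurs in the operator and hubble-relay Deployments and in the `defaults/` and `egress-gateway/` golden copies later in the diff. A guard in the golden-test step such as `grep -rn '%!' tests/golden && exit 1` would stop a broken render from being committed as the expected output again.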
@@ -225,7 +230,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -255,7 +260,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -281,7 +286,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -312,7 +317,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -338,7 +343,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -371,6 +376,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml index 1047c0ad3..7b1d6b3b4 100644 
--- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml @@ -31,3 +31,20 @@ rules: - get - list - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml index 3e05b21ca..ad2fb2906 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml @@ -29,3 +29,19 @@ subjects: - kind: ServiceAccount name: cilium namespace: cilium +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium + namespace: cilium diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml index c22a31588..b8a21770a 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml 
+++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml @@ -21,6 +21,6 @@ spec: - cilium selector: matchLabels: - k8s-app: cilium + app.kubernetes.io/name: cilium-agent targetLabels: - k8s-app diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index d0975bb29..4833577da 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml @@ -4,14 +4,17 @@ data: arping-refresh-period: 30s auto-direct-node-routes: 'false' bgp-secrets-namespace: kube-system + bpf-distributed-lru: 'false' bpf-events-drop-enabled: 'true' bpf-events-policy-verdict-enabled: 'true' bpf-events-trace-enabled: 'true' bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: 'false' bpf-lb-external-clusterip: 'false' bpf-lb-map-max: '65536' + bpf-lb-mode-annotation: 'false' bpf-lb-sock: 'false' - bpf-lb-sock-terminate-pod-connections: 'false' + bpf-lb-source-range-all-types: 'false' bpf-map-dynamic-size-ratio: '0.0025' bpf-policy-map-max: '16384' bpf-root: /sys/fs/bpf 
@@ -30,21 +33,26 @@ data: datapath-mode: veth debug: 'false' debug-verbose: '' + default-lb-service-ipam: lbipam direct-routing-skip-unreachable: 'false' dnsproxy-enable-transparent-mode: 'true' dnsproxy-socket-linger-timeout: '10' egress-gateway-reconciliation-trigger-interval: 1s enable-auto-protect-node-port-range: 'true' enable-bgp-control-plane: 'true' + enable-bgp-control-plane-status-report: 'true' enable-bpf-clock-probe: 'false' enable-bpf-masquerade: 'true' enable-endpoint-health-checking: 'true' + enable-endpoint-lockdown-on-policy-overflow: 'false' enable-endpoint-routes: 'true' + enable-experimental-lb: 'false' enable-health-check-loadbalancer-ip: 'false' enable-health-check-nodeport: 'true' enable-health-checking: 'true' enable-hubble: 'true' enable-hubble-open-metrics: 'false' + enable-internal-traffic-policy: 'true' enable-ipv4: 'true' enable-ipv4-big-tcp: 'false' enable-ipv4-masquerade: 'true' @@ -55,20 +63,27 @@ data: enable-k8s-terminating-endpoint: 'true' enable-l2-neigh-discovery: 'true' enable-l7-proxy: 'true' + enable-lb-ipam: 'true' enable-local-redirect-policy: 'false' enable-masquerade-to-route-source: 'false' enable-node-selector-labels: 'false' + enable-non-default-deny-policies: 'true' enable-policy: default + enable-policy-secrets-sync: 'true' enable-runtime-device-detection: 'true' enable-sctp: 'false' + enable-source-ip-verification: 'true' enable-svc-source-range-check: 'true' enable-tcx: 'true' enable-vtep: 'false' enable-well-known-identities: 'false' enable-xt-socket-fallback: 'true' + envoy-access-log-buffer-size: '4096' envoy-base-id: '0' envoy-keep-cap-netbindservice: 'false' external-envoy-proxy: 'false' + health-check-icmp-failure-threshold: '3' + http-retry-count: '3' hubble-disable-tls: 'true' hubble-export-file-max-backups: '5' hubble-export-file-max-size-mb: '10' 
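Review bot: `enable-endpoint-lockdown-on-policy-overflow: 'false'` (new in this hunk) selects the fail-open behaviour: going by the flag's name and its 1.17 description, an endpoint whose BPF policy map fills up keeps forwarding with whatever partial policy made it in instead of being locked down until the overflow clears. `bpf-policy-map-max` stays at `16384` while a later hunk of the same ConfigMap raises `tofqdns-endpoint-max-ip-per-hostname` from `50` to `1000`, so workloads with broad FQDN rules have more ways to reach that ceiling than before. If the clusters this component targets rely on network policy as a security boundary, setting `enable-endpoint-lockdown-on-policy-overflow: 'true'` in the component defaults is the safer choice; if the upstream fail-open default is accepted, a comment next to `version: "1.17.4"` in `class/defaults.yml` should say so, since the value arrives here only as a side effect of the chart bump.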
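Review bot: `enable-non-default-deny-policies: 'true'` in this hunk lets a CiliumNetworkPolicy opt out of default-deny (`enableDefaultDeny: false`), so the long-standing invariant that any policy selecting an endpoint puts it into default-deny no longer holds on these clusters; where namespace users may author CNPs this is a new way to widen access rather than narrow it. `enable-policy-secrets-sync: 'true'` in the same hunk turns on copying of policy-referenced Secrets into the secrets namespace, which is what drives the new Secret RBAC further down the diff. Both are 1.17 chart defaults that land here silently with the version bump; either turn them off in the component values, or record in `class/defaults.yml` that they were reviewed and why they are acceptable, so the choice is visible to whoever audits the rendered ConfigMap.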
@@ -85,6 +100,7 @@ data: install-no-conntrack-iptables-rules: 'false' ipam: cluster-pool ipam-cilium-node-update-rate: 15s + iptables-random-fully: 'false' k8s-client-burst: '30' k8s-client-qps: '15' k8s-require-ipv4-pod-cidr: 'false' @@ -106,12 +122,15 @@ data: nodes-gc-interval: 5m0s operator-api-serve-addr: 127.0.0.1:9234 policy-cidr-match-mode: '' + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: 'true' preallocate-bpf-maps: 'false' procfs: /host/proc prometheus-serve-addr: :9962 proxy-connect-timeout: '2' proxy-idle-timeout-seconds: '60' proxy-initial-fetch-timeout: '30' + proxy-max-concurrent-retries: '128' proxy-max-connection-duration-seconds: '0' proxy-max-requests-per-connection: '0' proxy-prometheus-port: '9964' @@ -125,11 +144,12 @@ data: synchronize-k8s-nodes: 'true' tofqdns-dns-reject-response-code: refused tofqdns-enable-dns-compression: 'true' - tofqdns-endpoint-max-ip-per-hostname: '50' + tofqdns-endpoint-max-ip-per-hostname: '1000' tofqdns-idle-connection-grace-period: 0s tofqdns-max-deferred-connection-deletes: '10000' tofqdns-proxy-response-max-delay: 100ms tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 unmanaged-pod-watcher-interval: '15' vtep-cidr: '' vtep-endpoint: '' diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml index cc748de66..9009493c9 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml @@ -55,6 +55,7 @@ rules: - '' resources: - namespaces + - secrets verbs: - get - list 
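Review bot: `cilium-operator` gains read access to every Secret in every namespace through the `- secrets` line added to the core-API rule of its ClusterRole (`get`/`list` visible here, presumably `watch` in the cut-off context), which is the broadest new permission in this diff. `policy-secrets-only-from-secrets-namespace: 'true'` in the ConfigMap hunk above limits what the agent consumes, not what the operator can read, so it does not narrow this grant. The permission exists only to let the operator copy Secrets referenced by policies into `cilium-secrets`; if L7 TLS interception / policy-referenced Secrets are not a feature this component supports, disable the sync in the chart values (the 1.17 chart gates it under its `tls` secret-sync settings — verify the exact key) so this rule is not rendered at all. Otherwise the cluster-wide Secret read should be called out in the component documentation so cluster operators can account for it in their RBAC reviews.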
@@ -137,6 +138,13 @@ rules: - watch - delete - patch + - apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: @@ -183,6 +191,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index ae3f1ce51..18e9213c6 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml @@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5 + image: quay.io/cilium/operator-generic:v1.17.4@%!s() imagePullPolicy: IfNotPresent livenessProbe: httpGet: diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml new file mode 100644 index 000000000..79fc907d3 --- /dev/null +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - delete + - update + - patch 
diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml new file mode 100644 index 000000000..cbde47327 --- /dev/null +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium-operator + namespace: cilium diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml new file mode 100644 index 000000000..30f28d314 --- /dev/null +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-secrets diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml index 33125e408..4beca2cfc 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml 
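Review bot: The new `cilium-secrets` Namespace is rendered bare, while the RoleBindings in this diff give every node's `cilium` agent read access and `cilium-operator` write access to the Secrets it will hold; nothing in the diff schedules a workload there, so the namespace is purely a store for synced Secrets. Cheap hardening that fits that role is to label it `pod-security.kubernetes.io/enforce: restricted` and add a `ResourceQuota` with `count/pods: '0'`, so a stray Pod cannot be created in the namespace to mount the synced Secrets, plus whatever tenancy labels the organisation's namespace policies expect. That has to be applied through the component (values or a patch), not edited into this golden file, and the same Namespace manifest is rendered again under `defaults/` later in the diff.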
@@ -1,9 +1,9 @@ apiVersion: v1 data: - config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\ - \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\ - \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ - \ndisable-server-tls: true\n" + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local.:80\"\ + \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\ + \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ndisable-server-tls:\ + \ true\n" kind: ConfigMap metadata: name: hubble-relay-config diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 32db1394b..0b1d634e6 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -37,7 +37,7 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2 + image: quay.io/cilium/hubble-relay:v1.17.4@%!s() imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 12 diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index 7d7504428..30d18377c 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml 
@@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -93,6 +93,8 @@ spec: httpHeaders: - name: brief value: 'true' + - name: require-k8s-connectivity + value: 'false' path: /healthz port: 9879 scheme: HTTP @@ -178,6 +180,9 @@ spec: name: bpf-maps - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh @@ -206,7 +211,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -225,7 +230,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -255,7 +260,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -281,7 +286,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: 
@@ -312,7 +317,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -338,7 +343,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -371,6 +376,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml index 6469cd598..eb921e499 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml @@ -14,3 +14,20 @@ rules: - get - list - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml index 1d47a92c5..8ec160c93 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml 
+++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml @@ -13,3 +13,19 @@ subjects: - kind: ServiceAccount name: cilium namespace: cilium +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium + namespace: cilium diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml index c22a31588..b8a21770a 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml @@ -21,6 +21,6 @@ spec: - cilium selector: matchLabels: - k8s-app: cilium + app.kubernetes.io/name: cilium-agent targetLabels: - k8s-app diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index 76be991b7..8e2632a70 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml 
@@ -3,14 +3,17 @@ data: agent-not-ready-taint-key: node.cilium.io/agent-not-ready arping-refresh-period: 30s auto-direct-node-routes: 'false' + bpf-distributed-lru: 'false' bpf-events-drop-enabled: 'true' bpf-events-policy-verdict-enabled: 'true' bpf-events-trace-enabled: 'true' bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: 'false' bpf-lb-external-clusterip: 'false' bpf-lb-map-max: '65536' + bpf-lb-mode-annotation: 'false' bpf-lb-sock: 'false' - bpf-lb-sock-terminate-pod-connections: 'false' + bpf-lb-source-range-all-types: 'false' bpf-map-dynamic-size-ratio: '0.0025' bpf-policy-map-max: '16384' bpf-root: /sys/fs/bpf @@ -29,6 +32,7 @@ data: datapath-mode: veth debug: 'false' debug-verbose: '' + default-lb-service-ipam: lbipam direct-routing-skip-unreachable: 'false' dnsproxy-enable-transparent-mode: 'true' dnsproxy-socket-linger-timeout: '10' @@ -37,12 +41,15 @@ data: enable-bpf-clock-probe: 'false' enable-bpf-masquerade: 'true' enable-endpoint-health-checking: 'true' + enable-endpoint-lockdown-on-policy-overflow: 'false' enable-endpoint-routes: 'true' + enable-experimental-lb: 'false' enable-health-check-loadbalancer-ip: 'false' enable-health-check-nodeport: 'true' enable-health-checking: 'true' enable-hubble: 'true' enable-hubble-open-metrics: 'false' + enable-internal-traffic-policy: 'true' enable-ipv4: 'true' enable-ipv4-big-tcp: 'false' enable-ipv4-masquerade: 'true' 
@@ -53,20 +60,27 @@ data: enable-k8s-terminating-endpoint: 'true' enable-l2-neigh-discovery: 'true' enable-l7-proxy: 'true' + enable-lb-ipam: 'true' enable-local-redirect-policy: 'false' enable-masquerade-to-route-source: 'false' enable-node-selector-labels: 'false' + enable-non-default-deny-policies: 'true' enable-policy: default + enable-policy-secrets-sync: 'true' enable-runtime-device-detection: 'true' enable-sctp: 'false' + enable-source-ip-verification: 'true' enable-svc-source-range-check: 'true' enable-tcx: 'true' enable-vtep: 'false' enable-well-known-identities: 'false' enable-xt-socket-fallback: 'true' + envoy-access-log-buffer-size: '4096' envoy-base-id: '0' envoy-keep-cap-netbindservice: 'false' external-envoy-proxy: 'false' + health-check-icmp-failure-threshold: '3' + http-retry-count: '3' hubble-disable-tls: 'true' hubble-export-file-max-backups: '5' hubble-export-file-max-size-mb: '10' @@ -83,6 +97,7 @@ data: install-no-conntrack-iptables-rules: 'false' ipam: cluster-pool ipam-cilium-node-update-rate: 15s + iptables-random-fully: 'false' k8s-client-burst: '30' k8s-client-qps: '15' k8s-require-ipv4-pod-cidr: 'false' @@ -104,12 +119,15 @@ data: nodes-gc-interval: 5m0s operator-api-serve-addr: 127.0.0.1:9234 policy-cidr-match-mode: '' + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: 'true' preallocate-bpf-maps: 'false' procfs: /host/proc prometheus-serve-addr: :9962 proxy-connect-timeout: '2' proxy-idle-timeout-seconds: '60' proxy-initial-fetch-timeout: '30' + proxy-max-concurrent-retries: '128' proxy-max-connection-duration-seconds: '0' proxy-max-requests-per-connection: '0' proxy-prometheus-port: '9964' 
@@ -123,11 +141,12 @@ data: synchronize-k8s-nodes: 'true' tofqdns-dns-reject-response-code: refused tofqdns-enable-dns-compression: 'true' - tofqdns-endpoint-max-ip-per-hostname: '50' + tofqdns-endpoint-max-ip-per-hostname: '1000' tofqdns-idle-connection-grace-period: 0s tofqdns-max-deferred-connection-deletes: '10000' tofqdns-proxy-response-max-delay: 100ms tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 unmanaged-pod-watcher-interval: '15' vtep-cidr: '' vtep-endpoint: '' diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml index cc748de66..9009493c9 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml @@ -55,6 +55,7 @@ rules: - '' resources: - namespaces + - secrets verbs: - get - list @@ -137,6 +138,13 @@ rules: - watch - delete - patch + - apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: @@ -183,6 +191,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index ae3f1ce51..18e9213c6 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml 
@@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5 + image: quay.io/cilium/operator-generic:v1.17.4@%!s() imagePullPolicy: IfNotPresent livenessProbe: httpGet: diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml new file mode 100644 index 000000000..79fc907d3 --- /dev/null +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - delete + - update + - patch diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml new file mode 100644 index 000000000..cbde47327 --- /dev/null +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium-operator + namespace: cilium 
diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml new file mode 100644 index 000000000..30f28d314 --- /dev/null +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-secrets diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml index 33125e408..4beca2cfc 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml @@ -1,9 +1,9 @@ apiVersion: v1 data: - config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\ - \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\ - \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ - \ndisable-server-tls: true\n" + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local.:80\"\ + \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\ + \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ndisable-server-tls:\ + \ true\n" kind: ConfigMap metadata: name: hubble-relay-config diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 32db1394b..0b1d634e6 100644 
--- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -37,7 +37,7 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2 + image: quay.io/cilium/hubble-relay:v1.17.4@%!s() imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 12 diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index 7d7504428..30d18377c 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -93,6 +93,8 @@ spec: httpHeaders: - name: brief value: 'true' + - name: require-k8s-connectivity + value: 'false' path: /healthz port: 9879 scheme: HTTP @@ -178,6 +180,9 @@ spec: name: bpf-maps - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh 
@@ -206,7 +211,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -225,7 +230,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -255,7 +260,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -281,7 +286,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -312,7 +317,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -338,7 +343,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: install-cni-binaries resources: 
@@ -371,6 +376,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml index 6469cd598..eb921e499 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml @@ -14,3 +14,20 @@ rules: - get - list - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml index 1d47a92c5..8ec160c93 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml @@ -13,3 +13,19 @@ subjects: - kind: ServiceAccount name: cilium namespace: cilium +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium + namespace: cilium 
diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml index c22a31588..b8a21770a 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml @@ -21,6 +21,6 @@ spec: - cilium selector: matchLabels: - k8s-app: cilium + app.kubernetes.io/name: cilium-agent targetLabels: - k8s-app diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index 3640a975c..e050a8e10 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml @@ -3,14 +3,17 @@ data: agent-not-ready-taint-key: node.cilium.io/agent-not-ready arping-refresh-period: 30s auto-direct-node-routes: 'false' + bpf-distributed-lru: 'false' bpf-events-drop-enabled: 'true' bpf-events-policy-verdict-enabled: 'true' bpf-events-trace-enabled: 'true' bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: 'false' bpf-lb-external-clusterip: 'false' bpf-lb-map-max: '65536' + bpf-lb-mode-annotation: 'false' bpf-lb-sock: 'false' - bpf-lb-sock-terminate-pod-connections: 'false' + bpf-lb-source-range-all-types: 'false' bpf-map-dynamic-size-ratio: '0.0025' bpf-policy-map-max: '16384' bpf-root: /sys/fs/bpf @@ -29,6 +32,7 @@ data: datapath-mode: veth debug: 'false' debug-verbose: '' + default-lb-service-ipam: lbipam direct-routing-skip-unreachable: 'false' dnsproxy-enable-transparent-mode: 'true' dnsproxy-socket-linger-timeout: '10' 
@@ -37,12 +41,15 @@ data: enable-bpf-clock-probe: 'false' enable-bpf-masquerade: 'true' enable-endpoint-health-checking: 'true' + enable-endpoint-lockdown-on-policy-overflow: 'false' enable-endpoint-routes: 'true' + enable-experimental-lb: 'false' enable-health-check-loadbalancer-ip: 'false' enable-health-check-nodeport: 'true' enable-health-checking: 'true' enable-hubble: 'true' enable-hubble-open-metrics: 'false' + enable-internal-traffic-policy: 'true' enable-ipv4: 'true' enable-ipv4-big-tcp: 'false' enable-ipv4-egress-gateway: 'true' @@ -54,20 +61,27 @@ data: enable-k8s-terminating-endpoint: 'true' enable-l2-neigh-discovery: 'true' enable-l7-proxy: 'false' + enable-lb-ipam: 'true' enable-local-redirect-policy: 'false' enable-masquerade-to-route-source: 'false' enable-node-selector-labels: 'false' + enable-non-default-deny-policies: 'true' enable-policy: default + enable-policy-secrets-sync: 'true' enable-runtime-device-detection: 'true' enable-sctp: 'false' + enable-source-ip-verification: 'true' enable-svc-source-range-check: 'true' enable-tcx: 'true' enable-vtep: 'false' enable-well-known-identities: 'false' enable-xt-socket-fallback: 'true' + envoy-access-log-buffer-size: '4096' envoy-base-id: '0' envoy-keep-cap-netbindservice: 'false' external-envoy-proxy: 'false' + health-check-icmp-failure-threshold: '3' + http-retry-count: '3' hubble-disable-tls: 'true' hubble-export-file-max-backups: '5' hubble-export-file-max-size-mb: '10' @@ -84,6 +98,7 @@ data: install-no-conntrack-iptables-rules: 'false' ipam: cluster-pool ipam-cilium-node-update-rate: 15s + iptables-random-fully: 'false' k8s-client-burst: '30' k8s-client-qps: '15' k8s-require-ipv4-pod-cidr: 'false' 
@@ -105,12 +120,15 @@ data: nodes-gc-interval: 5m0s operator-api-serve-addr: 127.0.0.1:9234 policy-cidr-match-mode: '' + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: 'true' preallocate-bpf-maps: 'false' procfs: /host/proc prometheus-serve-addr: :9962 proxy-connect-timeout: '2' proxy-idle-timeout-seconds: '60' proxy-initial-fetch-timeout: '30' + proxy-max-concurrent-retries: '128' proxy-max-connection-duration-seconds: '0' proxy-max-requests-per-connection: '0' proxy-prometheus-port: '9964' @@ -124,11 +142,12 @@ data: synchronize-k8s-nodes: 'true' tofqdns-dns-reject-response-code: refused tofqdns-enable-dns-compression: 'true' - tofqdns-endpoint-max-ip-per-hostname: '50' + tofqdns-endpoint-max-ip-per-hostname: '1000' tofqdns-idle-connection-grace-period: 0s tofqdns-max-deferred-connection-deletes: '10000' tofqdns-proxy-response-max-delay: 100ms tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 unmanaged-pod-watcher-interval: '15' vtep-cidr: '' vtep-endpoint: '' diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml index cc748de66..9009493c9 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml @@ -55,6 +55,7 @@ rules: - '' resources: - namespaces + - secrets verbs: - get - list @@ -137,6 +138,13 @@ rules: - watch - delete - patch + - apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: 
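Review bot: In the cilium-operator ClusterRole hunk `@@ -55,6 +55,7 @@`, adding `- secrets` next to `- namespaces` under the core API group grants cluster-wide `get`/`list` (the verb list continues outside the hunk) on every Secret in the cluster, which is far broader than the namespaced Roles this commit also adds for `cilium-secrets`, and broader than the configmap's `policy-secrets-only-from-secrets-namespace: 'true'` suggests is needed. If the upstream 1.17 chart requires the cluster-wide rule for `enable-policy-secrets-sync`, a short comment in the class defaults naming the chart value that controls it and the privilege it implies would let deployers judge whether to disable it; if it is not required, it should be scoped down. The identical widening is rendered in the helm-opensource cilium-operator clusterrole later in this diff.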
@@ -183,6 +191,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index ae3f1ce51..18e9213c6 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml @@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5 + image: quay.io/cilium/operator-generic:v1.17.4@%!s() imagePullPolicy: IfNotPresent livenessProbe: httpGet: diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml new file mode 100644 index 000000000..79fc907d3 --- /dev/null +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - delete + - update + - patch diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml new file mode 100644 index 000000000..cbde47327 --- /dev/null 
+++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium-operator + namespace: cilium diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml new file mode 100644 index 000000000..30f28d314 --- /dev/null +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-secrets diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml index 33125e408..4beca2cfc 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml 
@@ -1,9 +1,9 @@ apiVersion: v1 data: - config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\ - \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\ - \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ - \ndisable-server-tls: true\n" + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local.:80\"\ + \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\ + \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ndisable-server-tls:\ + \ true\n" kind: ConfigMap metadata: name: hubble-relay-config diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 32db1394b..0b1d634e6 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -37,7 +37,7 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2 + image: quay.io/cilium/hubble-relay:v1.17.4@%!s() imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 12 diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index 7d7504428..30d18377c 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml 
@@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -93,6 +93,8 @@ spec: httpHeaders: - name: brief value: 'true' + - name: require-k8s-connectivity + value: 'false' path: /healthz port: 9879 scheme: HTTP @@ -178,6 +180,9 @@ spec: name: bpf-maps - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh @@ -206,7 +211,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -225,7 +230,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -255,7 +260,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -281,7 +286,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: 
@@ -312,7 +317,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -338,7 +343,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -371,6 +376,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml index 6469cd598..eb921e499 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml @@ -14,3 +14,20 @@ rules: - get - list - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml index 1d47a92c5..8ec160c93 100644 
--- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml @@ -13,3 +13,19 @@ subjects: - kind: ServiceAccount name: cilium namespace: cilium +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium + namespace: cilium diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml index c22a31588..b8a21770a 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml @@ -21,6 +21,6 @@ spec: - cilium selector: matchLabels: - k8s-app: cilium + app.kubernetes.io/name: cilium-agent targetLabels: - k8s-app diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index 76be991b7..8e2632a70 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml 
@@ -3,14 +3,17 @@ data: agent-not-ready-taint-key: node.cilium.io/agent-not-ready arping-refresh-period: 30s auto-direct-node-routes: 'false' + bpf-distributed-lru: 'false' bpf-events-drop-enabled: 'true' bpf-events-policy-verdict-enabled: 'true' bpf-events-trace-enabled: 'true' bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: 'false' bpf-lb-external-clusterip: 'false' bpf-lb-map-max: '65536' + bpf-lb-mode-annotation: 'false' bpf-lb-sock: 'false' - bpf-lb-sock-terminate-pod-connections: 'false' + bpf-lb-source-range-all-types: 'false' bpf-map-dynamic-size-ratio: '0.0025' bpf-policy-map-max: '16384' bpf-root: /sys/fs/bpf @@ -29,6 +32,7 @@ data: datapath-mode: veth debug: 'false' debug-verbose: '' + default-lb-service-ipam: lbipam direct-routing-skip-unreachable: 'false' dnsproxy-enable-transparent-mode: 'true' dnsproxy-socket-linger-timeout: '10' @@ -37,12 +41,15 @@ data: enable-bpf-clock-probe: 'false' enable-bpf-masquerade: 'true' enable-endpoint-health-checking: 'true' + enable-endpoint-lockdown-on-policy-overflow: 'false' enable-endpoint-routes: 'true' + enable-experimental-lb: 'false' enable-health-check-loadbalancer-ip: 'false' enable-health-check-nodeport: 'true' enable-health-checking: 'true' enable-hubble: 'true' enable-hubble-open-metrics: 'false' + enable-internal-traffic-policy: 'true' enable-ipv4: 'true' enable-ipv4-big-tcp: 'false' enable-ipv4-masquerade: 'true' 
@@ -53,20 +60,27 @@ data: enable-k8s-terminating-endpoint: 'true' enable-l2-neigh-discovery: 'true' enable-l7-proxy: 'true' + enable-lb-ipam: 'true' enable-local-redirect-policy: 'false' enable-masquerade-to-route-source: 'false' enable-node-selector-labels: 'false' + enable-non-default-deny-policies: 'true' enable-policy: default + enable-policy-secrets-sync: 'true' enable-runtime-device-detection: 'true' enable-sctp: 'false' + enable-source-ip-verification: 'true' enable-svc-source-range-check: 'true' enable-tcx: 'true' enable-vtep: 'false' enable-well-known-identities: 'false' enable-xt-socket-fallback: 'true' + envoy-access-log-buffer-size: '4096' envoy-base-id: '0' envoy-keep-cap-netbindservice: 'false' external-envoy-proxy: 'false' + health-check-icmp-failure-threshold: '3' + http-retry-count: '3' hubble-disable-tls: 'true' hubble-export-file-max-backups: '5' hubble-export-file-max-size-mb: '10' @@ -83,6 +97,7 @@ data: install-no-conntrack-iptables-rules: 'false' ipam: cluster-pool ipam-cilium-node-update-rate: 15s + iptables-random-fully: 'false' k8s-client-burst: '30' k8s-client-qps: '15' k8s-require-ipv4-pod-cidr: 'false' @@ -104,12 +119,15 @@ data: nodes-gc-interval: 5m0s operator-api-serve-addr: 127.0.0.1:9234 policy-cidr-match-mode: '' + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: 'true' preallocate-bpf-maps: 'false' procfs: /host/proc prometheus-serve-addr: :9962 proxy-connect-timeout: '2' proxy-idle-timeout-seconds: '60' proxy-initial-fetch-timeout: '30' + proxy-max-concurrent-retries: '128' proxy-max-connection-duration-seconds: '0' proxy-max-requests-per-connection: '0' proxy-prometheus-port: '9964' 
@@ -123,11 +141,12 @@ data: synchronize-k8s-nodes: 'true' tofqdns-dns-reject-response-code: refused tofqdns-enable-dns-compression: 'true' - tofqdns-endpoint-max-ip-per-hostname: '50' + tofqdns-endpoint-max-ip-per-hostname: '1000' tofqdns-idle-connection-grace-period: 0s tofqdns-max-deferred-connection-deletes: '10000' tofqdns-proxy-response-max-delay: 100ms tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 unmanaged-pod-watcher-interval: '15' vtep-cidr: '' vtep-endpoint: '' diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml index cc748de66..9009493c9 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml @@ -55,6 +55,7 @@ rules: - '' resources: - namespaces + - secrets verbs: - get - list @@ -137,6 +138,13 @@ rules: - watch - delete - patch + - apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: @@ -183,6 +191,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index ae3f1ce51..18e9213c6 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml 
@@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5 + image: quay.io/cilium/operator-generic:v1.17.4@%!s() imagePullPolicy: IfNotPresent livenessProbe: httpGet: diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml new file mode 100644 index 000000000..79fc907d3 --- /dev/null +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - delete + - update + - patch diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml new file mode 100644 index 000000000..cbde47327 --- /dev/null +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium-operator + namespace: cilium 
diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml new file mode 100644 index 000000000..30f28d314 --- /dev/null +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-secrets diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml index 33125e408..4beca2cfc 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml @@ -1,9 +1,9 @@ apiVersion: v1 data: - config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\ - \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\ - \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ - \ndisable-server-tls: true\n" + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local.:80\"\ + \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\ + \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ndisable-server-tls:\ + \ true\n" kind: ConfigMap metadata: name: hubble-relay-config diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 32db1394b..0b1d634e6 100644 
--- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -37,7 +37,7 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2 + image: quay.io/cilium/hubble-relay:v1.17.4@%!s() imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 12 diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index 7d7504428..30d18377c 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -93,6 +93,8 @@ spec: httpHeaders: - name: brief value: 'true' + - name: require-k8s-connectivity + value: 'false' path: /healthz port: 9879 scheme: HTTP @@ -178,6 +180,9 @@ spec: name: bpf-maps - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh 
@@ -206,7 +211,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -225,7 +230,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -255,7 +260,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -281,7 +286,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -312,7 +317,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -338,7 +343,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: install-cni-binaries resources: 
@@ -371,6 +376,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml index 6469cd598..eb921e499 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml @@ -14,3 +14,20 @@ rules: - get - list - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml index 1d47a92c5..8ec160c93 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml 
@@ -13,3 +13,19 @@ subjects: - kind: ServiceAccount name: cilium namespace: cilium +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium + namespace: cilium diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml index c22a31588..b8a21770a 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml @@ -21,6 +21,6 @@ spec: - cilium selector: matchLabels: - k8s-app: cilium + app.kubernetes.io/name: cilium-agent targetLabels: - k8s-app diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index 76be991b7..8e2632a70 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml 
@@ -3,14 +3,17 @@ data: agent-not-ready-taint-key: node.cilium.io/agent-not-ready arping-refresh-period: 30s auto-direct-node-routes: 'false' + bpf-distributed-lru: 'false' bpf-events-drop-enabled: 'true' bpf-events-policy-verdict-enabled: 'true' bpf-events-trace-enabled: 'true' bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: 'false' bpf-lb-external-clusterip: 'false' bpf-lb-map-max: '65536' + bpf-lb-mode-annotation: 'false' bpf-lb-sock: 'false' - bpf-lb-sock-terminate-pod-connections: 'false' + bpf-lb-source-range-all-types: 'false' bpf-map-dynamic-size-ratio: '0.0025' bpf-policy-map-max: '16384' bpf-root: /sys/fs/bpf @@ -29,6 +32,7 @@ data: datapath-mode: veth debug: 'false' debug-verbose: '' + default-lb-service-ipam: lbipam direct-routing-skip-unreachable: 'false' dnsproxy-enable-transparent-mode: 'true' dnsproxy-socket-linger-timeout: '10' @@ -37,12 +41,15 @@ data: enable-bpf-clock-probe: 'false' enable-bpf-masquerade: 'true' enable-endpoint-health-checking: 'true' + enable-endpoint-lockdown-on-policy-overflow: 'false' enable-endpoint-routes: 'true' + enable-experimental-lb: 'false' enable-health-check-loadbalancer-ip: 'false' enable-health-check-nodeport: 'true' enable-health-checking: 'true' enable-hubble: 'true' enable-hubble-open-metrics: 'false' + enable-internal-traffic-policy: 'true' enable-ipv4: 'true' enable-ipv4-big-tcp: 'false' enable-ipv4-masquerade: 'true' 
@@ -53,20 +60,27 @@ data: enable-k8s-terminating-endpoint: 'true' enable-l2-neigh-discovery: 'true' enable-l7-proxy: 'true' + enable-lb-ipam: 'true' enable-local-redirect-policy: 'false' enable-masquerade-to-route-source: 'false' enable-node-selector-labels: 'false' + enable-non-default-deny-policies: 'true' enable-policy: default + enable-policy-secrets-sync: 'true' enable-runtime-device-detection: 'true' enable-sctp: 'false' + enable-source-ip-verification: 'true' enable-svc-source-range-check: 'true' enable-tcx: 'true' enable-vtep: 'false' enable-well-known-identities: 'false' enable-xt-socket-fallback: 'true' + envoy-access-log-buffer-size: '4096' envoy-base-id: '0' envoy-keep-cap-netbindservice: 'false' external-envoy-proxy: 'false' + health-check-icmp-failure-threshold: '3' + http-retry-count: '3' hubble-disable-tls: 'true' hubble-export-file-max-backups: '5' hubble-export-file-max-size-mb: '10' @@ -83,6 +97,7 @@ data: install-no-conntrack-iptables-rules: 'false' ipam: cluster-pool ipam-cilium-node-update-rate: 15s + iptables-random-fully: 'false' k8s-client-burst: '30' k8s-client-qps: '15' k8s-require-ipv4-pod-cidr: 'false' @@ -104,12 +119,15 @@ data: nodes-gc-interval: 5m0s operator-api-serve-addr: 127.0.0.1:9234 policy-cidr-match-mode: '' + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: 'true' preallocate-bpf-maps: 'false' procfs: /host/proc prometheus-serve-addr: :9962 proxy-connect-timeout: '2' proxy-idle-timeout-seconds: '60' proxy-initial-fetch-timeout: '30' + proxy-max-concurrent-retries: '128' proxy-max-connection-duration-seconds: '0' proxy-max-requests-per-connection: '0' proxy-prometheus-port: '9964' 
@@ -123,11 +141,12 @@ data: synchronize-k8s-nodes: 'true' tofqdns-dns-reject-response-code: refused tofqdns-enable-dns-compression: 'true' - tofqdns-endpoint-max-ip-per-hostname: '50' + tofqdns-endpoint-max-ip-per-hostname: '1000' tofqdns-idle-connection-grace-period: 0s tofqdns-max-deferred-connection-deletes: '10000' tofqdns-proxy-response-max-delay: 100ms tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 unmanaged-pod-watcher-interval: '15' vtep-cidr: '' vtep-endpoint: '' diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml index cc748de66..9009493c9 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml @@ -55,6 +55,7 @@ rules: - '' resources: - namespaces + - secrets verbs: - get - list @@ -137,6 +138,13 @@ rules: - watch - delete - patch + - apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: @@ -183,6 +191,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index ae3f1ce51..18e9213c6 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml 
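Review bot: The `@@ -55` hunk of the operator ClusterRole adds `secrets` next to `namespaces`, which grants the `cilium-operator` service account read access (`get`/`list` are visible; `watch` presumably follows just past the hunk context) to every Secret in the cluster, not only those in `cilium-secrets`. That is a significant privilege increase arriving as a side effect of the chart bump rather than a deliberate choice; it appears to back the policy secrets sync feature (`enable-policy-secrets-sync: 'true'` and `policy-secrets-namespace: cilium-secrets` in the configmap hunk above), where the operator copies policy-referenced TLS secrets into `cilium-secrets` and the namespaced Role added in the next file grants it `create`/`delete`/`update`/`patch` there. If TLS interception and secret sync are not used by this deployment, consider disabling the feature in the chart values so the cluster-wide `secrets` rule is not rendered (the upstream chart exposes this under its `tls.secretSync` settings, as far as I recall; verify against the 1.17 values file), and otherwise record the escalation in the commit message so reviewers of the rendered RBAC know it is intentional.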
+++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml @@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5 + image: quay.io/cilium/operator-generic:v1.17.4@%!s() imagePullPolicy: IfNotPresent livenessProbe: httpGet: diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml new file mode 100644 index 000000000..79fc907d3 --- /dev/null +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - delete + - update + - patch diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml new file mode 100644 index 000000000..cbde47327 --- /dev/null +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml 
@@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium-operator + namespace: cilium diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml new file mode 100644 index 000000000..30f28d314 --- /dev/null +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-secrets diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml index 33125e408..4beca2cfc 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml 
@@ -1,9 +1,9 @@ apiVersion: v1 data: - config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\ - \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\ - \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ - \ndisable-server-tls: true\n" + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local.:80\"\ + \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\ + \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ndisable-server-tls:\ + \ true\n" kind: ConfigMap metadata: name: hubble-relay-config diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 32db1394b..0b1d634e6 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -37,7 +37,7 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2 + image: quay.io/cilium/hubble-relay:v1.17.4@%!s() imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 12 diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index 7d7504428..30d18377c 100644 --- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml 
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -93,6 +93,8 @@ spec: httpHeaders: - name: brief value: 'true' + - name: require-k8s-connectivity + value: 'false' path: /healthz port: 9879 scheme: HTTP @@ -178,6 +180,9 @@ spec: name: bpf-maps - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh @@ -206,7 +211,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -225,7 +230,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -255,7 +260,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: 
@@ -281,7 +286,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -312,7 +317,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -338,7 +343,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf + image: quay.io/cilium/cilium:v1.17.4@%!s() imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -371,6 +376,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml index 6469cd598..eb921e499 100644 --- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml @@ -14,3 +14,20 @@ rules: - get - list - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch 
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml index 1d47a92c5..8ec160c93 100644 --- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml @@ -13,3 +13,19 @@ subjects: - kind: ServiceAccount name: cilium namespace: cilium +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium + namespace: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml index c22a31588..b8a21770a 100644 --- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml @@ -21,6 +21,6 @@ spec: - cilium selector: matchLabels: - k8s-app: cilium + app.kubernetes.io/name: cilium-agent targetLabels: - k8s-app diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index b22153a0f..5bb38d47e 100644 --- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml 
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml @@ -3,14 +3,17 @@ data: agent-not-ready-taint-key: node.cilium.io/agent-not-ready arping-refresh-period: 30s auto-direct-node-routes: 'false' + bpf-distributed-lru: 'false' bpf-events-drop-enabled: 'true' bpf-events-policy-verdict-enabled: 'true' bpf-events-trace-enabled: 'true' bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: 'false' bpf-lb-external-clusterip: 'false' bpf-lb-map-max: '65536' + bpf-lb-mode-annotation: 'false' bpf-lb-sock: 'false' - bpf-lb-sock-terminate-pod-connections: 'false' + bpf-lb-source-range-all-types: 'false' bpf-map-dynamic-size-ratio: '0.0025' bpf-policy-map-max: '16384' bpf-root: /sys/fs/bpf @@ -29,6 +32,7 @@ data: datapath-mode: veth debug: 'false' debug-verbose: '' + default-lb-service-ipam: lbipam direct-routing-skip-unreachable: 'false' dnsproxy-enable-transparent-mode: 'true' dnsproxy-socket-linger-timeout: '10' @@ -37,12 +41,15 @@ data: enable-bpf-clock-probe: 'false' enable-bpf-masquerade: 'true' enable-endpoint-health-checking: 'true' + enable-endpoint-lockdown-on-policy-overflow: 'false' enable-endpoint-routes: 'true' + enable-experimental-lb: 'false' enable-health-check-loadbalancer-ip: 'false' enable-health-check-nodeport: 'true' enable-health-checking: 'true' enable-hubble: 'true' enable-hubble-open-metrics: 'false' + enable-internal-traffic-policy: 'true' enable-ipv4: 'true' enable-ipv4-big-tcp: 'false' enable-ipv4-masquerade: 'true' 
@@ -54,20 +61,27 @@ data: enable-l2-announcements: 'true' enable-l2-neigh-discovery: 'true' enable-l7-proxy: 'true' + enable-lb-ipam: 'true' enable-local-redirect-policy: 'false' enable-masquerade-to-route-source: 'false' enable-node-selector-labels: 'false' + enable-non-default-deny-policies: 'true' enable-policy: default + enable-policy-secrets-sync: 'true' enable-runtime-device-detection: 'true' enable-sctp: 'false' + enable-source-ip-verification: 'true' enable-svc-source-range-check: 'true' enable-tcx: 'true' enable-vtep: 'false' enable-well-known-identities: 'false' enable-xt-socket-fallback: 'true' + envoy-access-log-buffer-size: '4096' envoy-base-id: '0' envoy-keep-cap-netbindservice: 'false' external-envoy-proxy: 'false' + health-check-icmp-failure-threshold: '3' + http-retry-count: '3' hubble-disable-tls: 'true' hubble-export-file-max-backups: '5' hubble-export-file-max-size-mb: '10' @@ -84,6 +98,7 @@ data: install-no-conntrack-iptables-rules: 'false' ipam: cluster-pool ipam-cilium-node-update-rate: 15s + iptables-random-fully: 'false' k8s-client-burst: '45' k8s-client-qps: '35' k8s-require-ipv4-pod-cidr: 'false' @@ -105,12 +120,15 @@ data: nodes-gc-interval: 5m0s operator-api-serve-addr: 127.0.0.1:9234 policy-cidr-match-mode: '' + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: 'true' preallocate-bpf-maps: 'false' procfs: /host/proc prometheus-serve-addr: :9962 proxy-connect-timeout: '2' proxy-idle-timeout-seconds: '60' proxy-initial-fetch-timeout: '30' + proxy-max-concurrent-retries: '128' proxy-max-connection-duration-seconds: '0' proxy-max-requests-per-connection: '0' proxy-prometheus-port: '9964' 
@@ -124,11 +142,12 @@ data: synchronize-k8s-nodes: 'true' tofqdns-dns-reject-response-code: refused tofqdns-enable-dns-compression: 'true' - tofqdns-endpoint-max-ip-per-hostname: '50' + tofqdns-endpoint-max-ip-per-hostname: '1000' tofqdns-idle-connection-grace-period: 0s tofqdns-max-deferred-connection-deletes: '10000' tofqdns-proxy-response-max-delay: 100ms tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 unmanaged-pod-watcher-interval: '15' vtep-cidr: '' vtep-endpoint: '' diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml index cc748de66..9009493c9 100644 --- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml @@ -55,6 +55,7 @@ rules: - '' resources: - namespaces + - secrets verbs: - get - list @@ -137,6 +138,13 @@ rules: - watch - delete - patch + - apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: @@ -183,6 +191,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index ae3f1ce51..18e9213c6 100644 --- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml 
@@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5 + image: quay.io/cilium/operator-generic:v1.17.4@%!s() imagePullPolicy: IfNotPresent livenessProbe: httpGet: diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml new file mode 100644 index 000000000..79fc907d3 --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - delete + - update + - patch diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml new file mode 100644 index 000000000..cbde47327 --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-tlsinterception-secrets +subjects: + - kind: ServiceAccount + name: cilium-operator + namespace: cilium 
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml new file mode 100644 index 000000000..30f28d314 --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-secrets diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml index 33125e408..4beca2cfc 100644 --- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml @@ -1,9 +1,9 @@ apiVersion: v1 data: - config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\ - \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\ - \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ - \ndisable-server-tls: true\n" + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local.:80\"\ + \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\ + \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ndisable-server-tls:\ + \ true\n" kind: ConfigMap metadata: name: hubble-relay-config diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 32db1394b..0b1d634e6 100644 
--- a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -37,7 +37,7 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2 + image: quay.io/cilium/hubble-relay:v1.17.4@%!s() imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 12