Update Helm release cilium to v1.18.1

class/defaults.yml

@@ -137,7 +137,7 @@ parameters:
     charts:
       cilium:
         source: https://helm.cilium.io
-        version: "1.16.4"
+        version: "1.18.1"
       cilium-enterprise:
         source: "<CILIUM-ENTERPRISE-CHART-REPO-URL>" # Configure the Chart repository URL in your global defaults
         version: "1.16.4"

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml

@@ -18,6 +18,7 @@ spec:
         container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
         container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
         container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
+        kubectl.kubernetes.io/default-container: cilium-agent
       labels:
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
@@ -54,7 +55,11 @@ spec:
                 resourceFieldRef:
                   divisor: '1'
                   resource: limits.memory
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+            - name: KUBE_CLIENT_BACKOFF_BASE
+              value: '1'
+            - name: KUBE_CLIENT_BACKOFF_DURATION
+              value: '120'
+          image: quay.io/cilium/cilium:v1.18.1@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9
           imagePullPolicy: IfNotPresent
           lifecycle:
             postStart:
@@ -93,6 +98,8 @@ spec:
               httpHeaders:
                 - name: brief
                   value: 'true'
+                - name: require-k8s-connectivity
+                  value: 'false'
               path: /healthz
               port: 9879
               scheme: HTTP
@@ -113,10 +120,6 @@ spec:
               hostPort: 9964
               name: envoy-metrics
               protocol: TCP
-            - containerPort: 9901
-              hostPort: 9901
-              name: envoy-admin
-              protocol: TCP
             - containerPort: 9965
               hostPort: 9965
               name: hubble-metrics
@@ -155,7 +158,7 @@ spec:
               level: s0
               type: spc_t
           startupProbe:
-            failureThreshold: 105
+            failureThreshold: 300
             httpGet:
               host: 127.0.0.1
               httpHeaders:
@@ -178,6 +181,9 @@ spec:
               name: bpf-maps
             - mountPath: /var/run/cilium
               name: cilium-run
+            - mountPath: /var/run/cilium/netns
+              mountPropagation: HostToContainer
+              name: cilium-netns
             - mountPath: /host/etc/cni/net.d
               name: etc-cni-netd
             - mountPath: /var/lib/cilium/clustermesh
@@ -206,7 +212,7 @@ spec:
                 fieldRef:
                   apiVersion: v1
                   fieldPath: metadata.namespace
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.18.1@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9
           imagePullPolicy: IfNotPresent
           name: config
           terminationMessagePolicy: FallbackToLogsOnError
@@ -225,7 +231,7 @@ spec:
               value: /run/cilium/cgroupv2
             - name: BIN_PATH
               value: /var/lib/cni/bin
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.18.1@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9
           imagePullPolicy: IfNotPresent
           name: mount-cgroup
           securityContext:
@@ -255,7 +261,7 @@ spec:
           env:
             - name: BIN_PATH
               value: /var/lib/cni/bin
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.18.1@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9
           imagePullPolicy: IfNotPresent
           name: apply-sysctl-overwrites
           securityContext:
@@ -281,7 +287,7 @@ spec:
             - /bin/bash
             - -c
             - --
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.18.1@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9
           imagePullPolicy: IfNotPresent
           name: mount-bpf-fs
           securityContext:
@@ -312,7 +318,7 @@ spec:
                   key: write-cni-conf-when-ready
                   name: cilium-config
                   optional: true
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.18.1@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9
           imagePullPolicy: IfNotPresent
           name: clean-cilium-state
           securityContext:
@@ -338,7 +344,7 @@ spec:
               name: cilium-run
         - command:
             - /install-plugin.sh
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.18.1@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9
           imagePullPolicy: IfNotPresent
           name: install-cni-binaries
           resources:
@@ -360,6 +366,9 @@ spec:
         kubernetes.io/os: linux
       priorityClassName: system-node-critical
       restartPolicy: Always
+      securityContext:
+        seccompProfile:
+          type: Unconfined
       serviceAccountName: cilium
       terminationGracePeriodSeconds: 1
       tolerations:
@@ -371,6 +380,10 @@ spec:
             path: /var/run/cilium
             type: DirectoryOrCreate
           name: cilium-run
+        - hostPath:
+            path: /var/run/netns
+            type: DirectoryOrCreate
+          name: cilium-netns
         - hostPath:
             path: /sys/fs/bpf
             type: DirectoryOrCreate

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml

@@ -31,3 +31,20 @@ rules:
       - get
       - list
       - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium-tlsinterception-secrets
+  namespace: cilium-secrets
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml

@@ -29,3 +29,19 @@ subjects:
   - kind: ServiceAccount
     name: cilium
     namespace: cilium
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium-tlsinterception-secrets
+  namespace: cilium-secrets
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-tlsinterception-secrets
+subjects:
+  - kind: ServiceAccount
+    name: cilium
+    namespace: cilium

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml

@@ -12,7 +12,8 @@ spec:
       path: /metrics
       port: metrics
       relabelings:
-        - replacement: ${1}
+        - action: replace
+          replacement: ${1}
           sourceLabels:
             - __meta_kubernetes_pod_node_name
           targetLabel: node
@@ -21,6 +22,6 @@ spec:
       - cilium
   selector:
     matchLabels:
-      k8s-app: cilium
+      app.kubernetes.io/name: cilium-agent
   targetLabels:
     - k8s-app

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml

@@ -1,19 +1,24 @@
 apiVersion: v1
 data:
   agent-not-ready-taint-key: node.cilium.io/agent-not-ready
-  arping-refresh-period: 30s
   auto-direct-node-routes: 'false'
+  bgp-router-id-allocation-ip-pool: ''
+  bgp-router-id-allocation-mode: default
   bgp-secrets-namespace: cilium
+  bpf-distributed-lru: 'false'
   bpf-events-drop-enabled: 'true'
   bpf-events-policy-verdict-enabled: 'true'
   bpf-events-trace-enabled: 'true'
   bpf-lb-acceleration: disabled
+  bpf-lb-algorithm-annotation: 'false'
   bpf-lb-external-clusterip: 'false'
   bpf-lb-map-max: '65536'
+  bpf-lb-mode-annotation: 'false'
   bpf-lb-sock: 'false'
-  bpf-lb-sock-terminate-pod-connections: 'false'
+  bpf-lb-source-range-all-types: 'false'
   bpf-map-dynamic-size-ratio: '0.0025'
   bpf-policy-map-max: '16384'
+  bpf-policy-stats-map-max: '65536'
   bpf-root: /sys/fs/bpf
   cgroup-root: /run/cilium/cgroupv2
   cilium-endpoint-gc-interval: 5m0s
@@ -30,61 +35,70 @@ data:
   datapath-mode: veth
   debug: 'false'
   debug-verbose: ''
+  default-lb-service-ipam: lbipam
   direct-routing-skip-unreachable: 'false'
   dnsproxy-enable-transparent-mode: 'true'
   dnsproxy-socket-linger-timeout: '10'
   egress-gateway-reconciliation-trigger-interval: 1s
   enable-auto-protect-node-port-range: 'true'
   enable-bgp-control-plane: 'true'
+  enable-bgp-control-plane-status-report: 'true'
   enable-bpf-clock-probe: 'false'
   enable-bpf-masquerade: 'true'
   enable-endpoint-health-checking: 'true'
+  enable-endpoint-lockdown-on-policy-overflow: 'false'
   enable-endpoint-routes: 'true'
   enable-health-check-loadbalancer-ip: 'false'
   enable-health-check-nodeport: 'true'
   enable-health-checking: 'true'
   enable-hubble: 'true'
   enable-hubble-open-metrics: 'false'
+  enable-internal-traffic-policy: 'true'
   enable-ipv4: 'true'
   enable-ipv4-big-tcp: 'false'
   enable-ipv4-masquerade: 'true'
   enable-ipv6: 'false'
   enable-ipv6-big-tcp: 'false'
   enable-ipv6-masquerade: 'true'
   enable-k8s-networkpolicy: 'true'
-  enable-k8s-terminating-endpoint: 'true'
-  enable-l2-neigh-discovery: 'true'
+  enable-l2-neigh-discovery: 'false'
   enable-l7-proxy: 'true'
-  enable-local-redirect-policy: 'false'
+  enable-lb-ipam: 'true'
   enable-masquerade-to-route-source: 'false'
   enable-node-selector-labels: 'false'
+  enable-non-default-deny-policies: 'true'
   enable-policy: default
-  enable-runtime-device-detection: 'true'
+  enable-policy-secrets-sync: 'true'
   enable-sctp: 'false'
+  enable-source-ip-verification: 'true'
   enable-svc-source-range-check: 'true'
   enable-tcx: 'true'
   enable-vtep: 'false'
   enable-well-known-identities: 'false'
   enable-xt-socket-fallback: 'true'
+  envoy-access-log-buffer-size: '4096'
   envoy-base-id: '0'
   envoy-keep-cap-netbindservice: 'false'
   external-envoy-proxy: 'false'
+  health-check-icmp-failure-threshold: '3'
+  http-retry-count: '3'
   hubble-disable-tls: 'true'
-  hubble-export-file-max-backups: '5'
-  hubble-export-file-max-size-mb: '10'
   hubble-listen-address: :4244
   hubble-metrics: httpV2:sourceContext=workload|namespace|reserved-identity;destinationContext=workload|namespace|reserved-identity
     dns:sourceContext=workload|namespace|reserved-identity;destinationContext=workload|namespace|reserved-identity
     drop:sourceContext=workload|namespace|reserved-identity;destinationContext=workload|namespace|reserved-identity
   hubble-metrics-server: :9965
   hubble-metrics-server-enable-tls: 'false'
+  hubble-network-policy-correlation-enabled: 'true'
   hubble-socket-path: /var/run/cilium/hubble.sock
   identity-allocation-mode: crd
   identity-gc-interval: 15m0s
   identity-heartbeat-timeout: 30m0s
+  identity-management-mode: agent
   install-no-conntrack-iptables-rules: 'false'
   ipam: cluster-pool
   ipam-cilium-node-update-rate: 15s
+  iptables-random-fully: 'false'
   k8s-client-burst: '30'
   k8s-client-qps: '15'
   k8s-require-ipv4-pod-cidr: 'false'
@@ -96,6 +110,7 @@ data:
   mesh-auth-gc-interval: 5m0s
   mesh-auth-queue-size: '1024'
   mesh-auth-rotated-identities-queue-size: '1024'
+  metrics-sampling-interval: 5m
   monitor-aggregation: medium
   monitor-aggregation-flags: all
   monitor-aggregation-interval: 5s
@@ -106,12 +121,16 @@ data:
   nodes-gc-interval: 5m0s
   operator-api-serve-addr: 127.0.0.1:9234
   policy-cidr-match-mode: ''
+  policy-default-local-cluster: 'false'
+  policy-secrets-namespace: cilium-secrets
+  policy-secrets-only-from-secrets-namespace: 'true'
   preallocate-bpf-maps: 'false'
   procfs: /host/proc
   prometheus-serve-addr: :9962
   proxy-connect-timeout: '2'
   proxy-idle-timeout-seconds: '60'
   proxy-initial-fetch-timeout: '30'
+  proxy-max-concurrent-retries: '128'
   proxy-max-connection-duration-seconds: '0'
   proxy-max-requests-per-connection: '0'
   proxy-prometheus-port: '9964'
@@ -125,11 +144,13 @@ data:
   synchronize-k8s-nodes: 'true'
   tofqdns-dns-reject-response-code: refused
   tofqdns-enable-dns-compression: 'true'
-  tofqdns-endpoint-max-ip-per-hostname: '50'
+  tofqdns-endpoint-max-ip-per-hostname: '1000'
   tofqdns-idle-connection-grace-period: 0s
   tofqdns-max-deferred-connection-deletes: '10000'
+  tofqdns-preallocate-identities: 'true'
   tofqdns-proxy-response-max-delay: 100ms
   tunnel-protocol: vxlan
+  tunnel-source-port-range: 0-0
   unmanaged-pod-watcher-interval: '15'
   vtep-cidr: ''
   vtep-endpoint: ''

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml

@@ -55,6 +55,7 @@ rules:
       - ''
     resources:
       - namespaces
+      - secrets
     verbs:
       - get
       - list
@@ -137,6 +138,13 @@ rules:
       - watch
       - delete
       - patch
+  - apiGroups:
+      - cilium.io
+    resources:
+      - ciliumbgpclusterconfigs/status
+      - ciliumbgppeerconfigs/status
+    verbs:
+      - update
   - apiGroups:
       - apiextensions.k8s.io
     resources:
@@ -162,7 +170,6 @@ rules:
       - ciliumendpoints.cilium.io
       - ciliumendpointslices.cilium.io
       - ciliumenvoyconfigs.cilium.io
-      - ciliumexternalworkloads.cilium.io
       - ciliumidentities.cilium.io
       - ciliumlocalredirectpolicies.cilium.io
       - ciliumnetworkpolicies.cilium.io
@@ -171,6 +178,7 @@ rules:
       - ciliumcidrgroups.cilium.io
       - ciliuml2announcementpolicies.cilium.io
       - ciliumpodippools.cilium.io
+      - ciliumgatewayclassconfigs.cilium.io
     resources:
       - customresourcedefinitions
     verbs:
@@ -183,6 +191,7 @@ rules:
       - ciliumbgppeeringpolicies
       - ciliumbgpclusterconfigs
       - ciliumbgpnodeconfigoverrides
+      - ciliumbgppeerconfigs
     verbs:
       - get
       - list