diff --git a/class/defaults.yml b/class/defaults.yml index 3fae226f..10d7654c 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -111,7 +111,7 @@ parameters: charts: cilium: source: https://helm.cilium.io - version: "1.15.6" + version: "1.15.8" cilium-enterprise: source: "" # Configure the Chart repository URL in your global defaults version: "1.15.6" diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index f1deebec..cfc67262 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -202,7 +202,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -221,7 +221,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: 
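Review bot: `cilium-enterprise` stays pinned at `version: "1.15.6"` in the context lines of the class/defaults.yml hunk while the `cilium` chart moves to `"1.15.8"`, so installations that select the enterprise chart would not pick up the patch-level changes this commit rolls out everywhere else. If a corresponding enterprise release is available, bump that pin in the same change. If the pin is deliberate, say so beside it, for example `# enterprise chart is released separately; bump independently of the OSS chart`, so the two versions do not drift apart unnoticed. The golden outputs visible in this diff all reference `quay.io/cilium/...` images pinned by digest, so they appear to exercise only the open-source chart.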
@@ -251,7 +251,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -277,7 +277,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -308,7 +308,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -334,7 +334,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -356,7 +356,6 @@ spec: kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always - serviceAccount: cilium serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index 6f6b0d54..f3aa6f0f 100644 
--- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml @@ -24,6 +24,7 @@ data: debug: 'false' debug-verbose: '' dnsproxy-enable-transparent-mode: 'true' + dnsproxy-socket-linger-timeout: '10' egress-gateway-reconciliation-trigger-interval: 1s enable-auto-protect-node-port-range: 'true' enable-bgp-control-plane: 'true' diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index c2cbc465..89713c95 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml @@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.15.6@sha256:5789f0935eef96ad571e4f5565a8800d3a8fbb05265cf6909300cd82fd513c3d + image: quay.io/cilium/operator-generic:v1.15.8@sha256:e77ae6fc8a978f98363cf74d3c883dfaa6454c6e23ec417a60952f29408e2f18 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -98,7 +98,6 @@ spec: kubernetes.io/os: linux priorityClassName: system-cluster-critical restartPolicy: Always - serviceAccount: cilium-operator serviceAccountName: cilium-operator tolerations: - operator: Exists diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 764463f9..3fd13333 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml 
+++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -37,12 +37,15 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.15.6@sha256:a0863dd70d081b273b87b9b7ce7e2d3f99171c2f5e202cd57bc6691e51283e0c + image: quay.io/cilium/hubble-relay:v1.15.8@sha256:47e8a19f60d0d226ec3d2c675ec63908f1f2fb936a39897f2e3255b3bab01ad6 imagePullPolicy: IfNotPresent livenessProbe: + failureThreshold: 12 grpc: port: 4222 - timeoutSeconds: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 name: hubble-relay ports: - containerPort: 4245 @@ -62,8 +65,8 @@ spec: failureThreshold: 20 grpc: port: 4222 + initialDelaySeconds: 10 periodSeconds: 3 - timeoutSeconds: 3 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/hubble-relay @@ -75,7 +78,6 @@ spec: restartPolicy: Always securityContext: fsGroup: 65532 - serviceAccount: hubble-relay serviceAccountName: hubble-relay terminationGracePeriodSeconds: 1 volumes: diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index f1deebec..cfc67262 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent lifecycle: postStart: 
@@ -202,7 +202,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -221,7 +221,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -251,7 +251,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -277,7 +277,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -308,7 +308,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: 
@@ -334,7 +334,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -356,7 +356,6 @@ spec: kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always - serviceAccount: cilium serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index 79158a60..0842a17f 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml @@ -23,6 +23,7 @@ data: debug: 'false' debug-verbose: '' dnsproxy-enable-transparent-mode: 'true' + dnsproxy-socket-linger-timeout: '10' egress-gateway-reconciliation-trigger-interval: 1s enable-auto-protect-node-port-range: 'true' enable-bgp-control-plane: 'false' diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index c2cbc465..89713c95 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml 
@@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.15.6@sha256:5789f0935eef96ad571e4f5565a8800d3a8fbb05265cf6909300cd82fd513c3d + image: quay.io/cilium/operator-generic:v1.15.8@sha256:e77ae6fc8a978f98363cf74d3c883dfaa6454c6e23ec417a60952f29408e2f18 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -98,7 +98,6 @@ spec: kubernetes.io/os: linux priorityClassName: system-cluster-critical restartPolicy: Always - serviceAccount: cilium-operator serviceAccountName: cilium-operator tolerations: - operator: Exists diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 764463f9..3fd13333 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -37,12 +37,15 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.15.6@sha256:a0863dd70d081b273b87b9b7ce7e2d3f99171c2f5e202cd57bc6691e51283e0c + image: quay.io/cilium/hubble-relay:v1.15.8@sha256:47e8a19f60d0d226ec3d2c675ec63908f1f2fb936a39897f2e3255b3bab01ad6 imagePullPolicy: IfNotPresent livenessProbe: + failureThreshold: 12 grpc: port: 4222 - timeoutSeconds: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 name: hubble-relay ports: - containerPort: 4245 @@ -62,8 +65,8 @@ spec: failureThreshold: 20 grpc: port: 4222 + initialDelaySeconds: 10 periodSeconds: 3 - timeoutSeconds: 3 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/hubble-relay @@ -75,7 +78,6 @@ spec: restartPolicy: Always securityContext: fsGroup: 65532 - serviceAccount: hubble-relay serviceAccountName: hubble-relay terminationGracePeriodSeconds: 1 volumes: 
diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index f1deebec..cfc67262 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -202,7 +202,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -221,7 +221,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -251,7 +251,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: 
@@ -277,7 +277,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -308,7 +308,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -334,7 +334,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -356,7 +356,6 @@ spec: kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always - serviceAccount: cilium serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index 7fffda4c..790f0d07 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml 
@@ -23,6 +23,7 @@ data: debug: 'false' debug-verbose: '' dnsproxy-enable-transparent-mode: 'true' + dnsproxy-socket-linger-timeout: '10' egress-gateway-reconciliation-trigger-interval: 1s enable-auto-protect-node-port-range: 'true' enable-bgp-control-plane: 'false' diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index c2cbc465..89713c95 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml @@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.15.6@sha256:5789f0935eef96ad571e4f5565a8800d3a8fbb05265cf6909300cd82fd513c3d + image: quay.io/cilium/operator-generic:v1.15.8@sha256:e77ae6fc8a978f98363cf74d3c883dfaa6454c6e23ec417a60952f29408e2f18 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -98,7 +98,6 @@ spec: kubernetes.io/os: linux priorityClassName: system-cluster-critical restartPolicy: Always - serviceAccount: cilium-operator serviceAccountName: cilium-operator tolerations: - operator: Exists diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 764463f9..3fd13333 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml 
@@ -37,12 +37,15 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.15.6@sha256:a0863dd70d081b273b87b9b7ce7e2d3f99171c2f5e202cd57bc6691e51283e0c + image: quay.io/cilium/hubble-relay:v1.15.8@sha256:47e8a19f60d0d226ec3d2c675ec63908f1f2fb936a39897f2e3255b3bab01ad6 imagePullPolicy: IfNotPresent livenessProbe: + failureThreshold: 12 grpc: port: 4222 - timeoutSeconds: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 name: hubble-relay ports: - containerPort: 4245 @@ -62,8 +65,8 @@ spec: failureThreshold: 20 grpc: port: 4222 + initialDelaySeconds: 10 periodSeconds: 3 - timeoutSeconds: 3 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/hubble-relay @@ -75,7 +78,6 @@ spec: restartPolicy: Always securityContext: fsGroup: 65532 - serviceAccount: hubble-relay serviceAccountName: hubble-relay terminationGracePeriodSeconds: 1 volumes: diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index f1deebec..cfc67262 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent lifecycle: postStart: 
@@ -202,7 +202,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -221,7 +221,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -251,7 +251,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -277,7 +277,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -308,7 +308,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: 
@@ -334,7 +334,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -356,7 +356,6 @@ spec: kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always - serviceAccount: cilium serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index 79158a60..0842a17f 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml @@ -23,6 +23,7 @@ data: debug: 'false' debug-verbose: '' dnsproxy-enable-transparent-mode: 'true' + dnsproxy-socket-linger-timeout: '10' egress-gateway-reconciliation-trigger-interval: 1s enable-auto-protect-node-port-range: 'true' enable-bgp-control-plane: 'false' diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index c2cbc465..89713c95 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml 
@@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.15.6@sha256:5789f0935eef96ad571e4f5565a8800d3a8fbb05265cf6909300cd82fd513c3d + image: quay.io/cilium/operator-generic:v1.15.8@sha256:e77ae6fc8a978f98363cf74d3c883dfaa6454c6e23ec417a60952f29408e2f18 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -98,7 +98,6 @@ spec: kubernetes.io/os: linux priorityClassName: system-cluster-critical restartPolicy: Always - serviceAccount: cilium-operator serviceAccountName: cilium-operator tolerations: - operator: Exists diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 764463f9..3fd13333 100644 --- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml +++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -37,12 +37,15 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.15.6@sha256:a0863dd70d081b273b87b9b7ce7e2d3f99171c2f5e202cd57bc6691e51283e0c + image: quay.io/cilium/hubble-relay:v1.15.8@sha256:47e8a19f60d0d226ec3d2c675ec63908f1f2fb936a39897f2e3255b3bab01ad6 imagePullPolicy: IfNotPresent livenessProbe: + failureThreshold: 12 grpc: port: 4222 - timeoutSeconds: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 name: hubble-relay ports: - containerPort: 4245 @@ -62,8 +65,8 @@ spec: failureThreshold: 20 grpc: port: 4222 + initialDelaySeconds: 10 periodSeconds: 3 - timeoutSeconds: 3 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/hubble-relay @@ -75,7 +78,6 @@ spec: restartPolicy: Always securityContext: fsGroup: 65532 - serviceAccount: hubble-relay serviceAccountName: hubble-relay terminationGracePeriodSeconds: 1 volumes: 
diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index f1deebec..cfc67262 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -54,7 +54,7 @@ spec: resourceFieldRef: divisor: '1' resource: limits.memory - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -202,7 +202,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -221,7 +221,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: 
@@ -251,7 +251,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -277,7 +277,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -308,7 +308,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -334,7 +334,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -356,7 +356,6 @@ spec: kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always - serviceAccount: cilium serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index 79158a60..0842a17f 100644 
--- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml @@ -23,6 +23,7 @@ data: debug: 'false' debug-verbose: '' dnsproxy-enable-transparent-mode: 'true' + dnsproxy-socket-linger-timeout: '10' egress-gateway-reconciliation-trigger-interval: 1s enable-auto-protect-node-port-range: 'true' enable-bgp-control-plane: 'false' diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index c2cbc465..89713c95 100644 --- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml @@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.15.6@sha256:5789f0935eef96ad571e4f5565a8800d3a8fbb05265cf6909300cd82fd513c3d + image: quay.io/cilium/operator-generic:v1.15.8@sha256:e77ae6fc8a978f98363cf74d3c883dfaa6454c6e23ec417a60952f29408e2f18 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -98,7 +98,6 @@ spec: kubernetes.io/os: linux priorityClassName: system-cluster-critical restartPolicy: Always - serviceAccount: cilium-operator serviceAccountName: cilium-operator tolerations: - operator: Exists diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 764463f9..3fd13333 100644 
--- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml +++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -37,12 +37,15 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.15.6@sha256:a0863dd70d081b273b87b9b7ce7e2d3f99171c2f5e202cd57bc6691e51283e0c + image: quay.io/cilium/hubble-relay:v1.15.8@sha256:47e8a19f60d0d226ec3d2c675ec63908f1f2fb936a39897f2e3255b3bab01ad6 imagePullPolicy: IfNotPresent livenessProbe: + failureThreshold: 12 grpc: port: 4222 - timeoutSeconds: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 name: hubble-relay ports: - containerPort: 4245 @@ -62,8 +65,8 @@ spec: failureThreshold: 20 grpc: port: 4222 + initialDelaySeconds: 10 periodSeconds: 3 - timeoutSeconds: 3 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/hubble-relay @@ -75,7 +78,6 @@ spec: restartPolicy: Always securityContext: fsGroup: 65532 - serviceAccount: hubble-relay serviceAccountName: hubble-relay terminationGracePeriodSeconds: 1 volumes: diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/00_cilium_namespace.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/00_cilium_namespace.yaml new file mode 100644 index 00000000..d933cb0e --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/00_cilium_namespace.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: {} + labels: + name: cilium + name: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml new file mode 100644 index 00000000..e8204f02 --- /dev/null 
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml @@ -0,0 +1,108 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium +rules: + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - watch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - namespaces + - services + - pods + - endpoints + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - get + - apiGroups: + - cilium.io + resources: + - ciliumloadbalancerippools + - ciliumbgppeeringpolicies + - ciliumbgpnodeconfigs + - ciliumbgpadvertisements + - ciliumbgppeerconfigs + - ciliumclusterwideenvoyconfigs + - ciliumclusterwidenetworkpolicies + - ciliumegressgatewaypolicies + - ciliumendpoints + - ciliumendpointslices + - ciliumenvoyconfigs + - ciliumidentities + - ciliumlocalredirectpolicies + - ciliumnetworkpolicies + - ciliumnodes + - ciliumnodeconfigs + - ciliumcidrgroups + - ciliuml2announcementpolicies + - ciliumpodippools + verbs: + - list + - watch + - apiGroups: + - cilium.io + resources: + - ciliumidentities + - ciliumendpoints + - ciliumnodes + verbs: + - create + - apiGroups: + - cilium.io + resources: + - ciliumidentities + verbs: + - update + - apiGroups: + - cilium.io + resources: + - ciliumendpoints + verbs: + - delete + - get + - apiGroups: + - cilium.io + resources: + - ciliumnodes + - ciliumnodes/status + verbs: + - get + - update + - apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies/status + - ciliumendpoints/status + - ciliumendpoints + - ciliuml2announcementpolicies/status + - ciliumbgpnodeconfigs/status + verbs: + - patch 
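Review bot: The agent ClusterRole recorded for the `l2-announcement` case has no `coordination.k8s.io` `leases` rule, and the `cilium-config` ConfigMap golden for the same case has no `enable-l2-announcements` key, so as far as these files show the case renders like a default install. Cilium elects the announcing node through leases, and a render with the feature switched on would normally carry both. If the case is meant to exercise the feature, its inputs probably do not reach the Helm values. If it only covers the policy objects, a comment in the test case such as `# Helm-level L2 announcements stay off here; only the policy manifests are under test` would stop readers from assuming the golden covers the agent's RBAC. The test inputs are not part of this diff, so this is inferred from the rendered output alone.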
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrolebinding.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrolebinding.yaml new file mode 100644 index 00000000..b6cf96eb --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium +subjects: + - kind: ServiceAccount + name: cilium + namespace: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml new file mode 100644 index 00000000..cfc67262 --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml 
@@ -0,0 +1,425 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app.kubernetes.io/name: cilium-agent + app.kubernetes.io/part-of: cilium + k8s-app: cilium + name: cilium + namespace: cilium +spec: + selector: + matchLabels: + k8s-app: cilium + template: + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined + container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined + container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined + container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined + labels: + app.kubernetes.io/name: cilium-agent + app.kubernetes.io/part-of: cilium + k8s-app: cilium + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true + containers: + - args: + - --config-dir=/tmp/cilium/config-map + command: + - cilium-agent + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_CLUSTERMESH_CONFIG + value: /var/lib/cilium/clustermesh/ + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + divisor: '1' + resource: limits.memory + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 + imagePullPolicy: IfNotPresent + lifecycle: + postStart: + exec: + command: + - bash + - -c + - | + set -o errexit + set -o pipefail + set -o nounset + + # When running in AWS ENI mode, it's likely that 'aws-node' has + # had a chance to install SNAT iptables rules. These can result + # in dropped traffic, so we should attempt to remove them. 
+ # We do it using a 'postStart' hook since this may need to run + # for nodes which might have already been init'ed but may still + # have dangling rules. This is safe because there are no + # dependencies on anything that is part of the startup script + # itself, and can be safely run multiple times per node (e.g. in + # case of a restart). + if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; + then + echo 'Deleting iptables rules created by the AWS CNI VPC plugin' + iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore + fi + echo 'Done!' + preStop: + exec: + command: + - /cni-uninstall.sh + livenessProbe: + failureThreshold: 10 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: 'true' + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: cilium-agent + ports: + - containerPort: 4244 + hostPort: 4244 + name: peer-service + protocol: TCP + - containerPort: 9962 + hostPort: 9962 + name: prometheus + protocol: TCP + - containerPort: 9964 + hostPort: 9964 + name: envoy-metrics + protocol: TCP + - containerPort: 9965 + hostPort: 9965 + name: hubble-metrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: 'true' + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + securityContext: + capabilities: + add: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + startupProbe: + failureThreshold: 105 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: 'true' + path: /healthz + port: 9879 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 2 + successThreshold: 1 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: 
+ - mountPath: /host/proc/sys/net + name: host-proc-sys-net + - mountPath: /host/proc/sys/kernel + name: host-proc-sys-kernel + - mountPath: /sys/fs/bpf + mountPropagation: HostToContainer + name: bpf-maps + - mountPath: /var/run/cilium + name: cilium-run + - mountPath: /host/etc/cni/net.d + name: etc-cni-netd + - mountPath: /var/lib/cilium/clustermesh + name: clustermesh-secrets + readOnly: true + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - mountPath: /tmp + name: tmp + hostNetwork: true + initContainers: + - command: + - cilium-dbg + - build-config + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 + imagePullPolicy: IfNotPresent + name: config + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /tmp + name: tmp + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-mount /hostbin/cilium-mount; + nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; + rm /hostbin/cilium-mount + env: + - name: CGROUP_ROOT + value: /run/cilium/cgroupv2 + - name: BIN_PATH + value: /var/lib/cni/bin + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 + imagePullPolicy: IfNotPresent + name: mount-cgroup + securityContext: + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; + nsenter 
--mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; + rm /hostbin/cilium-sysctlfix + env: + - name: BIN_PATH + value: /var/lib/cni/bin + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 + imagePullPolicy: IfNotPresent + name: apply-sysctl-overwrites + securityContext: + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - args: + - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf + command: + - /bin/bash + - -c + - -- + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 + imagePullPolicy: IfNotPresent + name: mount-bpf-fs + securityContext: + privileged: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /sys/fs/bpf + mountPropagation: Bidirectional + name: bpf-maps + - command: + - /init-container.sh + env: + - name: CILIUM_ALL_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-state + name: cilium-config + optional: true + - name: CILIUM_BPF_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-bpf-state + name: cilium-config + optional: true + - name: WRITE_CNI_CONF_WHEN_READY + valueFrom: + configMapKeyRef: + key: write-cni-conf-when-ready + name: cilium-config + optional: true + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 + imagePullPolicy: IfNotPresent + name: clean-cilium-state + securityContext: + capabilities: + add: + - NET_ADMIN + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + - mountPath: /run/cilium/cgroupv2 + 
mountPropagation: HostToContainer + name: cilium-cgroup + - mountPath: /var/run/cilium + name: cilium-run + - command: + - /install-plugin.sh + image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7 + imagePullPolicy: IfNotPresent + name: install-cni-binaries + resources: + requests: + cpu: 100m + memory: 10Mi + securityContext: + capabilities: + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-path + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + restartPolicy: Always + serviceAccountName: cilium + terminationGracePeriodSeconds: 1 + tolerations: + - operator: Exists + volumes: + - emptyDir: {} + name: tmp + - hostPath: + path: /var/run/cilium + type: DirectoryOrCreate + name: cilium-run + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + - hostPath: + path: /proc + type: Directory + name: hostproc + - hostPath: + path: /run/cilium/cgroupv2 + type: DirectoryOrCreate + name: cilium-cgroup + - hostPath: + path: /var/lib/cni/bin + type: DirectoryOrCreate + name: cni-path + - hostPath: + path: /var/run/multus/cni/net.d + type: DirectoryOrCreate + name: etc-cni-netd + - hostPath: + path: /lib/modules + name: lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + - name: clustermesh-secrets + projected: + defaultMode: 256 + sources: + - secret: + name: cilium-clustermesh + optional: true + - secret: + items: + - key: tls.key + path: common-etcd-client.key + - key: tls.crt + path: common-etcd-client.crt + - key: ca.crt + path: common-etcd-client-ca.crt + name: clustermesh-apiserver-remote-cert + optional: true + - hostPath: + path: /proc/sys/net + type: Directory + name: host-proc-sys-net + - hostPath: + path: /proc/sys/kernel + type: Directory + name: host-proc-sys-kernel + updateStrategy: + 
rollingUpdate: + maxUnavailable: 2 + type: RollingUpdate diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml new file mode 100644 index 00000000..6469cd59 --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-config-agent + namespace: cilium +rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml new file mode 100644 index 00000000..1d47a92c --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-config-agent + namespace: cilium +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-config-agent +subjects: + - kind: ServiceAccount + name: cilium + namespace: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml new file mode 100644 index 00000000..fc9fa1ab --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: cilium-agent + app.kubernetes.io/part-of: cilium + k8s-app: cilium + name: cilium-agent + namespace: cilium +spec: + clusterIP: None + ports: + - name: metrics + port: 9962 + protocol: TCP + targetPort: prometheus + - name: envoy-metrics + port: 9964 + protocol: TCP + targetPort: envoy-metrics + selector: + k8s-app: cilium + type: ClusterIP diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/serviceaccount.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/serviceaccount.yaml new file mode 100644 index 00000000..cd8696cf --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium + namespace: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml new file mode 100644 index 00000000..c22a3158 --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml @@ -0,0 +1,26 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-agent + namespace: cilium +spec: + endpoints: + - honorLabels: true + interval: 10s + path: /metrics + port: metrics + relabelings: + - replacement: ${1} + sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: node + namespaceSelector: + matchNames: + - cilium + selector: + matchLabels: + k8s-app: cilium + targetLabels: + - k8s-app 
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml new file mode 100644 index 00000000..0842a17f --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml 
@@ -0,0 +1,124 @@ +apiVersion: v1 +data: + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + arping-refresh-period: 30s + auto-direct-node-routes: 'false' + bpf-lb-acceleration: disabled + bpf-lb-external-clusterip: 'false' + bpf-lb-map-max: '65536' + bpf-lb-sock: 'false' + bpf-map-dynamic-size-ratio: '0.0025' + bpf-policy-map-max: '16384' + bpf-root: /sys/fs/bpf + cgroup-root: /run/cilium/cgroupv2 + cilium-endpoint-gc-interval: 5m0s + cluster-id: '0' + cluster-name: default + cluster-pool-ipv4-cidr: 10.128.0.0/14 + cluster-pool-ipv4-mask-size: '23' + cni-exclusive: 'true' + cni-log-file: /var/run/cilium/cilium-cni.log + controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services + custom-cni-conf: 'false' + debug: 'false' + debug-verbose: '' + dnsproxy-enable-transparent-mode: 'true' + dnsproxy-socket-linger-timeout: '10' + egress-gateway-reconciliation-trigger-interval: 1s + enable-auto-protect-node-port-range: 'true' + enable-bgp-control-plane: 'false' + enable-bpf-clock-probe: 'false' + enable-bpf-masquerade: 'true' + enable-endpoint-health-checking: 'true' + enable-endpoint-routes: 'true' + enable-health-check-loadbalancer-ip: 'false' + enable-health-check-nodeport: 'true' + enable-health-checking: 'true' + enable-hubble: 'true' + enable-hubble-open-metrics: 'false' + enable-ipv4: 'true' + enable-ipv4-big-tcp: 'false' + enable-ipv4-masquerade: 'true' + enable-ipv6: 'false' + enable-ipv6-big-tcp: 'false' + enable-ipv6-masquerade: 'true' + enable-k8s-networkpolicy: 'true' + enable-k8s-terminating-endpoint: 'true' + enable-l2-neigh-discovery: 'true' + enable-l7-proxy: 'true' + enable-local-redirect-policy: 'false' + enable-masquerade-to-route-source: 'false' + enable-policy: default + enable-remote-node-identity: 'true' + enable-sctp: 'false' + enable-svc-source-range-check: 'true' + enable-vtep: 'false' + enable-well-known-identities: 'false' + enable-xt-socket-fallback: 'true' + external-envoy-proxy: 'false' + 
hubble-disable-tls: 'true' + hubble-export-file-max-backups: '5' + hubble-export-file-max-size-mb: '10' + hubble-listen-address: :4244 + hubble-metrics: httpV2:sourceContext=workload|namespace|reserved-identity;destinationContext=workload|namespace|reserved-identity + dns:sourceContext=workload|namespace|reserved-identity;destinationContext=workload|namespace|reserved-identity + drop:sourceContext=workload|namespace|reserved-identity;destinationContext=workload|namespace|reserved-identity + hubble-metrics-server: :9965 + hubble-socket-path: /var/run/cilium/hubble.sock + identity-allocation-mode: crd + identity-gc-interval: 15m0s + identity-heartbeat-timeout: 30m0s + install-no-conntrack-iptables-rules: 'false' + ipam: cluster-pool + ipam-cilium-node-update-rate: 15s + k8s-client-burst: '20' + k8s-client-qps: '10' + kube-proxy-replacement: 'true' + kube-proxy-replacement-healthz-bind-address: '' + max-connected-clusters: '255' + mesh-auth-enabled: 'true' + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: '1024' + mesh-auth-rotated-identities-queue-size: '1024' + monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + node-port-bind-protection: 'true' + nodes-gc-interval: 5m0s + operator-api-serve-addr: 127.0.0.1:9234 + policy-cidr-match-mode: '' + preallocate-bpf-maps: 'false' + procfs: /host/proc + prometheus-serve-addr: :9962 + proxy-connect-timeout: '2' + proxy-idle-timeout-seconds: '60' + proxy-max-connection-duration-seconds: '0' + proxy-max-requests-per-connection: '0' + proxy-prometheus-port: '9964' + proxy-xff-num-trusted-hops-egress: '0' + proxy-xff-num-trusted-hops-ingress: '0' + remove-cilium-node-taints: 'true' + routing-mode: tunnel + service-no-backend-response: reject + set-cilium-is-up-condition: 'true' + set-cilium-node-taints: 'true' + sidecar-istio-proxy-image: cilium/istio_proxy + skip-cnp-status-startup-clean: 'false' + synchronize-k8s-nodes: 'true' + tofqdns-dns-reject-response-code: refused + 
tofqdns-enable-dns-compression: 'true' + tofqdns-endpoint-max-ip-per-hostname: '50' + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: '10000' + tofqdns-proxy-response-max-delay: 100ms + tunnel-protocol: vxlan + unmanaged-pod-watcher-interval: '15' + vtep-cidr: '' + vtep-endpoint: '' + vtep-mac: '' + vtep-mask: '' + write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist +kind: ConfigMap +metadata: + name: cilium-config + namespace: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml new file mode 100644 index 00000000..f4db2dea --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml 
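Review bot: `hubble-disable-tls: 'true'` together with `hubble-listen-address: :4244` leaves the Hubble gRPC listener without encryption or peer authentication, and the agent DaemonSet golden for this case runs with `hostNetwork: true` and `hostPort: 4244`, so the listener is bound on the node's own addresses. The hubble-relay ConfigMap further down records the matching `disable-client-tls: true` and `disable-server-tls: true`. Flow records describe which workloads talk to which, so any host that can reach a node on that port can presumably read them. The setting comes from the component's Helm values, which are outside this hunk. I would enable Hubble TLS there (`hubble.tls.enabled: true` in the chart), or document next to the default why plaintext is acceptable and which network control limits access to port 4244.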
@@ -0,0 +1,200 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator +rules: + - apiGroups: + - '' + resources: + - pods + verbs: + - get + - list + - watch + - delete + - apiGroups: + - '' + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - '' + resources: + - nodes + - nodes/status + verbs: + - patch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - services/status + verbs: + - update + - patch + - apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - services + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies + - ciliumclusterwidenetworkpolicies + verbs: + - create + - update + - deletecollection + - patch + - get + - list + - watch + - apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies/status + verbs: + - patch + - update + - apiGroups: + - cilium.io + resources: + - ciliumendpoints + - ciliumidentities + verbs: + - delete + - list + - watch + - apiGroups: + - cilium.io + resources: + - ciliumidentities + verbs: + - update + - apiGroups: + - cilium.io + resources: + - ciliumnodes + verbs: + - create + - update + - get + - list + - watch + - delete + - apiGroups: + - cilium.io + resources: + - ciliumnodes/status + verbs: + - update + - apiGroups: + - cilium.io + resources: + - ciliumendpointslices + - ciliumenvoyconfigs + - ciliumbgppeerconfigs + - ciliumbgpadvertisements + - ciliumbgpnodeconfigs + verbs: + - create + - update + - get + - list + - watch + - delete + - patch + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - get + - list + - watch + - apiGroups: + - apiextensions.k8s.io + resourceNames: + - 
ciliumloadbalancerippools.cilium.io + - ciliumbgppeeringpolicies.cilium.io + - ciliumbgpclusterconfigs.cilium.io + - ciliumbgppeerconfigs.cilium.io + - ciliumbgpadvertisements.cilium.io + - ciliumbgpnodeconfigs.cilium.io + - ciliumbgpnodeconfigoverrides.cilium.io + - ciliumclusterwideenvoyconfigs.cilium.io + - ciliumclusterwidenetworkpolicies.cilium.io + - ciliumegressgatewaypolicies.cilium.io + - ciliumendpoints.cilium.io + - ciliumendpointslices.cilium.io + - ciliumenvoyconfigs.cilium.io + - ciliumexternalworkloads.cilium.io + - ciliumidentities.cilium.io + - ciliumlocalredirectpolicies.cilium.io + - ciliumnetworkpolicies.cilium.io + - ciliumnodes.cilium.io + - ciliumnodeconfigs.cilium.io + - ciliumcidrgroups.cilium.io + - ciliuml2announcementpolicies.cilium.io + - ciliumpodippools.cilium.io + resources: + - customresourcedefinitions + verbs: + - update + - apiGroups: + - cilium.io + resources: + - ciliumloadbalancerippools + - ciliumpodippools + - ciliumbgpclusterconfigs + - ciliumbgpnodeconfigoverrides + verbs: + - get + - list + - watch + - apiGroups: + - cilium.io + resources: + - ciliumpodippools + verbs: + - create + - apiGroups: + - cilium.io + resources: + - ciliumloadbalancerippools/status + verbs: + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrolebinding.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrolebinding.yaml new file mode 100644 index 00000000..fa15a03c --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrolebinding.yaml 
@@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium-operator +subjects: + - kind: ServiceAccount + name: cilium-operator + namespace: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml new file mode 100644 index 00000000..89713c95 --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml 
@@ -0,0 +1,107 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: cilium-operator + app.kubernetes.io/part-of: cilium + io.cilium/app: operator + name: cilium-operator + name: cilium-operator + namespace: cilium +spec: + replicas: 2 + selector: + matchLabels: + io.cilium/app: operator + name: cilium-operator + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 50% + type: RollingUpdate + template: + metadata: + annotations: null + labels: + app.kubernetes.io/name: cilium-operator + app.kubernetes.io/part-of: cilium + io.cilium/app: operator + name: cilium-operator + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + io.cilium/app: operator + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true + containers: + - args: + - --config-dir=/tmp/cilium/config-map + - --debug=$(CILIUM_DEBUG) + command: + - cilium-operator-generic + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_DEBUG + valueFrom: + configMapKeyRef: + key: debug + name: cilium-config + optional: true + image: quay.io/cilium/operator-generic:v1.15.8@sha256:e77ae6fc8a978f98363cf74d3c883dfaa6454c6e23ec417a60952f29408e2f18 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9234 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 3 + name: cilium-operator + readinessProbe: + failureThreshold: 5 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9234 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 3 + resources: + limits: + cpu: 100m + memory: 250Mi + requests: + cpu: 100m + memory: 250Mi + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /tmp/cilium/config-map + 
name: cilium-config-path + readOnly: true + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + restartPolicy: Always + serviceAccountName: cilium-operator + tolerations: + - operator: Exists + volumes: + - configMap: + name: cilium-config + name: cilium-config-path diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/serviceaccount.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/serviceaccount.yaml new file mode 100644 index 00000000..242642c9 --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium-operator + namespace: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml new file mode 100644 index 00000000..7f549fea --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\ + \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\ + \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ + disable-server-tls: true\n" +kind: ConfigMap +metadata: + name: hubble-relay-config + namespace: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml new file mode 100644 index 00000000..3fd13333 --- /dev/null 
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -0,0 +1,89 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay + name: hubble-relay + namespace: cilium +spec: + replicas: 1 + selector: + matchLabels: + k8s-app: hubble-relay + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + annotations: null + labels: + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: false + containers: + - args: + - serve + command: + - hubble-relay + image: quay.io/cilium/hubble-relay:v1.15.8@sha256:47e8a19f60d0d226ec3d2c675ec63908f1f2fb936a39897f2e3255b3bab01ad6 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 12 + grpc: + port: 4222 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 + name: hubble-relay + ports: + - containerPort: 4245 + name: grpc + readinessProbe: + grpc: + port: 4222 + timeoutSeconds: 3 + securityContext: + capabilities: + drop: + - ALL + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + startupProbe: + failureThreshold: 20 + grpc: + port: 4222 + initialDelaySeconds: 10 + periodSeconds: 3 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/hubble-relay + name: config + readOnly: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: null + restartPolicy: Always + securityContext: + fsGroup: 65532 + serviceAccountName: hubble-relay + terminationGracePeriodSeconds: 1 + volumes: + - configMap: + items: + - key: config.yaml + path: config.yaml + name: hubble-relay-config + name: config 
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/service.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/service.yaml new file mode 100644 index 00000000..da8621dc --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay + name: hubble-relay + namespace: cilium +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 4245 + selector: + k8s-app: hubble-relay + type: ClusterIP diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/serviceaccount.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/serviceaccount.yaml new file mode 100644 index 00000000..3d0be37c --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: hubble-relay + namespace: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/metrics-service.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/metrics-service.yaml new file mode 100644 index 00000000..ebeaf0fd --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/metrics-service.yaml 
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations: null
+ labels:
+ app.kubernetes.io/name: hubble
+ app.kubernetes.io/part-of: cilium
+ k8s-app: hubble
+ name: hubble-metrics
+ namespace: cilium
+spec:
+ clusterIP: None
+ ports:
+ - name: hubble-metrics
+ port: 9965
+ protocol: TCP
+ targetPort: hubble-metrics
+ selector:
+ k8s-app: cilium
+ type: ClusterIP
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/peer-service.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/peer-service.yaml
new file mode 100644
index 00000000..e492c74f
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/peer-service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: hubble-peer
+ app.kubernetes.io/part-of: cilium
+ k8s-app: cilium
+ name: hubble-peer
+ namespace: cilium
+spec:
+ internalTrafficPolicy: Local
+ ports:
+ - name: peer-service
+ port: 80
+ protocol: TCP
+ targetPort: 4244
+ selector:
+ k8s-app: cilium
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/servicemonitor.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/servicemonitor.yaml
new file mode 100644
index 00000000..d044764f
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/servicemonitor.yaml
@@ -0,0 +1,24 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels:
+ app.kubernetes.io/part-of: cilium
+ name: hubble
+ namespace: cilium
+spec:
+ endpoints:
+ - honorLabels: true
+ interval: 10s
+ path: /metrics
+ port: hubble-metrics
+ relabelings:
+ - replacement: ${1}
+ sourceLabels:
+ - __meta_kubernetes_pod_node_name
+ targetLabel: node
+ namespaceSelector:
+ matchNames:
+ - cilium
+ selector:
+ matchLabels:
+ k8s-app: hubble
diff --git a/tests/golden/l2-announcement/cilium/cilium/02_aggregated_clusterroles.yaml b/tests/golden/l2-announcement/cilium/cilium/02_aggregated_clusterroles.yaml
new file mode 100644
index 00000000..652b0ab1
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/02_aggregated_clusterroles.yaml
@@ -0,0 +1,67 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations: {}
+ labels:
+ name: syn-cilium-view
+ rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+ rbac.authorization.k8s.io/aggregate-to-edit: 'true'
+ rbac.authorization.k8s.io/aggregate-to-view: 'true'
+ name: syn-cilium-view
+rules:
+ - apiGroups:
+ - cilium.io
+ resources:
+ - ciliumnetworkpolicies
+ - ciliumendpoints
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations: {}
+ labels:
+ name: syn-cilium-edit
+ rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+ rbac.authorization.k8s.io/aggregate-to-edit: 'true'
+ name: syn-cilium-edit
+rules:
+ - apiGroups:
+ - cilium.io
+ resources:
+ - ciliumnetworkpolicies
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations: {}
+ labels:
+ name: syn-cilium-cluster-reader
+ rbac.authorization.k8s.io/aggregate-to-cluster-reader: 'true'
+ name: syn-cilium-cluster-reader
+rules:
+ - apiGroups:
+ - cilium.io
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - isovalent.com
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
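Review bot: In the third ClusterRole of this hunk, `syn-cilium-cluster-reader`, both rules list `'*'` under `resources`, so any resource kind later added to the `cilium.io` or `isovalent.com` API groups becomes readable through the `aggregate-to-cluster-reader` label without a review of what it exposes. The verbs are limited to `get`, `list` and `watch`, which bounds the impact, but an explicit resource list would keep the grant auditable, as `syn-cilium-view` in the same file does with `ciliumnetworkpolicies` and `ciliumendpoints`. This file is rendered golden output, so the change belongs in the manifest source that produces it, which is not visible here. If the wildcard is intended, a comment there such as `# wildcard on purpose: cluster-reader may read every Cilium CRD` would record the decision.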