New chart: Cilium (#26374)

This commit is contained in:
Juan Ariza Toledano
2024-06-21 08:14:03 +02:00
committed by GitHub
parent efb420b65a
commit 71fafcbb69
49 changed files with 6986 additions and 0 deletions


@@ -0,0 +1,208 @@
package cilium_test
import (
"context"
"flag"
"fmt"
"testing"
"time"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
appsv1 "k8s.io/api/apps/v1"
batchv1 "k8s.io/api/batch/v1"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/client-go/dynamic"
"k8s.io/client-go/kubernetes"
)
var (
kubeconfig string
releaseName string
namespace string
timeoutSeconds int
timeout time.Duration
ciliumNetworkPolicyType = schema.GroupVersionResource{Group: "cilium.io", Version: "v2", Resource: "ciliumnetworkpolicies"}
)
func init() {
flag.StringVar(&kubeconfig, "kubeconfig", "", "absolute path to the kubeconfig file")
flag.StringVar(&namespace, "namespace", "", "namespace where Cilium is running")
flag.StringVar(&releaseName, "releaseName", "", "Cilium chart release name")
flag.IntVar(&timeoutSeconds, "timeout", 120, "timeout in seconds")
timeout = time.Duration(timeoutSeconds) * time.Second
}
func TestCilium(t *testing.T) {
RegisterFailHandler(Fail)
RunSpecs(t, "Cilium Test Suite")
}
func createAPIMockDeploy(ctx context.Context, c kubernetes.Interface, fsGroup, user *int64) error {
podSecurityContext := &v1.PodSecurityContext{
FSGroup: fsGroup,
}
containerSecurityContext := &v1.SecurityContext{
RunAsUser: user,
}
deploy := &appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{
Name: "api-mock",
},
TypeMeta: metav1.TypeMeta{
Kind: "Deployment",
},
Spec: appsv1.DeploymentSpec{
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"app": "api-mock",
},
},
Template: v1.PodTemplateSpec{
ObjectMeta: metav1.ObjectMeta{
Labels: map[string]string{
"app": "api-mock",
},
},
Spec: v1.PodSpec{
SecurityContext: podSecurityContext,
Containers: []v1.Container{{
Name: "api-mock",
Image: "docker.io/juanariza131/api-mock:latest",
SecurityContext: containerSecurityContext,
Env: []v1.EnvVar{
{
Name: "SUB_ROUTES",
Value: "/foo",
},
},
Ports: []v1.ContainerPort{{
Name: "http",
ContainerPort: int32(8080),
}},
}},
},
},
},
}
_, err := c.AppsV1().Deployments(namespace).Create(ctx, deploy, metav1.CreateOptions{})
return err
}
func createAPIMockService(ctx context.Context, c kubernetes.Interface) error {
service := &v1.Service{
ObjectMeta: metav1.ObjectMeta{
Name: "api-mock",
},
TypeMeta: metav1.TypeMeta{
Kind: "Service",
},
Spec: v1.ServiceSpec{
Type: v1.ServiceTypeClusterIP,
Ports: []v1.ServicePort{{
Name: "http",
Port: int32(8080),
TargetPort: intstr.IntOrString{Type: intstr.String, StrVal: "http"},
}},
Selector: map[string]string{
"app": "api-mock",
},
},
}
_, err := c.CoreV1().Services(namespace).Create(ctx, service, metav1.CreateOptions{})
return err
}
func createAPIMockCiliumNetworkPolicy(ctx context.Context, dC dynamic.Interface) error {
payload := &unstructured.Unstructured{
Object: map[string]interface{}{
"apiVersion": "cilium.io/v2",
"kind": "CiliumNetworkPolicy",
"metadata": map[string]interface{}{
"name": "api-mock",
},
"spec": map[string]interface{}{
"description": "L3-L4 policy to restrict API mock",
"endpointSelector": map[string]interface{}{
"matchLabels": map[string]interface{}{
"app": "api-mock",
},
},
"ingress": []map[string]interface{}{{
"fromEndpoints": []map[string]interface{}{{
"matchLabels": map[string]interface{}{
"api-mock-client": "true",
},
}},
"toPorts": []map[string]interface{}{{
"ports": []interface{}{
map[string]interface{}{
"port": "8080",
"protocol": "TCP",
},
},
}},
}},
},
},
}
_, err := dC.Resource(ciliumNetworkPolicyType).Namespace(namespace).Create(ctx, payload, metav1.CreateOptions{})
if err != nil {
panic(fmt.Sprintf("There was an error creating the CiliumNetworkPolicy resource: %s", err))
}
return err
}
func createAPIMockClientJob(ctx context.Context, c kubernetes.Interface, jobName string, fsGroup, user *int64, podLabels map[string]string) error {
podSecurityContext := &v1.PodSecurityContext{
FSGroup: fsGroup,
}
containerSecurityContext := &v1.SecurityContext{
RunAsUser: user,
}
job := &batchv1.Job{
ObjectMeta: metav1.ObjectMeta{
Name: jobName,
},
TypeMeta: metav1.TypeMeta{
Kind: "Job",
},
Spec: batchv1.JobSpec{
Template: v1.PodTemplateSpec{
ObjectMeta: metav1.ObjectMeta{
Labels: podLabels,
},
Spec: v1.PodSpec{
RestartPolicy: "Never",
SecurityContext: podSecurityContext,
Containers: []v1.Container{
{
Name: "curl",
Image: "docker.io/bitnami/os-shell:latest",
Command: []string{"bash", "-ec"},
Args: []string{"curl --connect-timeout 5 -X GET -H 'Accept: application/json' http://api-mock:8080/v1/mock/foo"},
SecurityContext: containerSecurityContext,
},
},
},
},
},
}
_, err := c.BatchV1().Jobs(namespace).Create(ctx, job, metav1.CreateOptions{})
return err
}
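Review bot: `timeout` is derived from `timeoutSeconds` inside `init()`, which runs before the test binary parses its flags, so the `-timeout` flag is registered but `timeout` always stays at the 120 s default; moving `timeout = time.Duration(timeoutSeconds) * time.Second` to the first line of `TestCilium` (flags are parsed before any test runs) makes the flag effective. Be aware as well that `go test` claims `-timeout` for itself and rewrites it to `-test.timeout`, so this custom flag is presumably only reachable after `-args`; a distinct name such as `-timeoutSeconds` would avoid the clash. `createAPIMockCiliumNetworkPolicy` panics on a non-nil error and only then returns it, unlike its three siblings and the caller, which already does `Expect(err).NotTo(HaveOccurred())`; dropping the `if err != nil { panic(...) }` block keeps failure reporting in one place. Both mock images are pulled as `:latest` from Docker Hub, one of them from a personal namespace (`docker.io/juanariza131/api-mock:latest`), and run with the agent's `fsGroup`/`runAsUser`, which the bundled runtime parameters set to 0; pinning the images by digest and hosting them under the project namespace keeps the test reproducible and its supply chain under the maintainers' control.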


@@ -0,0 +1,101 @@
package cilium_test
import (
"context"
"fmt"
"time"
utils "github.com/bitnami/charts/.vib/common-tests/ginkgo-utils"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
batchv1 "k8s.io/api/batch/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/dynamic"
"k8s.io/client-go/kubernetes"
)
const (
PollingInterval = 1 * time.Second
)
var _ = Describe("Cilium", Ordered, func() {
var c *kubernetes.Clientset
var dC dynamic.Interface
var ctx context.Context
var cancel context.CancelFunc
BeforeEach(func() {
ctx, cancel = context.WithCancel(context.Background())
conf := utils.MustBuildClusterConfig(kubeconfig)
c = kubernetes.NewForConfigOrDie(conf)
dC = dynamic.NewForConfigOrDie(conf)
})
When("a CiliumNetworkPolicy is created", func() {
AfterEach(func() {
cancel()
})
It("should restrict the traffic", func() {
getSucceededJobs := func(j *batchv1.Job) int32 { return j.Status.Succeeded }
getFailedJobs := func(j *batchv1.Job) int32 { return j.Status.Failed }
getOpts := metav1.GetOptions{}
By("checking Cilium Agent is available")
agentDsName := fmt.Sprintf("%s-agent", releaseName)
agentDs, err := c.AppsV1().DaemonSets(namespace).Get(ctx, agentDsName, getOpts)
Expect(err).NotTo(HaveOccurred())
fsGroup := agentDs.Spec.Template.Spec.SecurityContext.FSGroup
runAsUser := agentDs.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser
Expect(err).NotTo(HaveOccurred())
By("creating a deployment and a service to expose a mock API")
err = createAPIMockDeploy(ctx, c, fsGroup, runAsUser)
Expect(err).NotTo(HaveOccurred())
err = createAPIMockService(ctx, c)
Expect(err).NotTo(HaveOccurred())
By("creating a CiliumNetworkPolicy to restrict the traffic")
err = createAPIMockCiliumNetworkPolicy(ctx, dC)
Expect(err).NotTo(HaveOccurred())
By("creating a job to access the mock API with required labels")
jobName := "api-client-labelled"
err = createAPIMockClientJob(ctx, c, jobName, fsGroup, runAsUser, map[string]string{"api-mock-client": "true"})
Expect(err).NotTo(HaveOccurred())
By("waiting for the job to succeed")
Eventually(func() (*batchv1.Job, error) {
return c.BatchV1().Jobs(namespace).Get(ctx, jobName, getOpts)
}, timeout, PollingInterval).Should(WithTransform(getSucceededJobs, Equal(int32(1))))
By("deleting the job once it has succeeded")
err = c.BatchV1().Jobs(namespace).Delete(ctx, jobName, metav1.DeleteOptions{})
Expect(err).NotTo(HaveOccurred())
By("creating a 2nd job to access the mock API without required labels")
jobName = "api-client-no-labels"
err = createAPIMockClientJob(ctx, c, jobName, fsGroup, runAsUser, map[string]string{})
Expect(err).NotTo(HaveOccurred())
By("waiting for the job to fail")
Eventually(func() (*batchv1.Job, error) {
return c.BatchV1().Jobs(namespace).Get(ctx, jobName, getOpts)
}, timeout, PollingInterval).Should(WithTransform(getFailedJobs, Equal(int32(1))))
By("deleting the job once it has failed")
err = c.BatchV1().Jobs(namespace).Delete(ctx, jobName, metav1.DeleteOptions{})
Expect(err).NotTo(HaveOccurred())
By("deleting the CiliumNetworkPolicy")
dC.Resource(ciliumNetworkPolicyType).Namespace(namespace).Delete(ctx, "api-mock", metav1.DeleteOptions{})
By("deleting the mock API deployment and services")
err = c.CoreV1().Services(namespace).Delete(ctx, "api-mock", metav1.DeleteOptions{})
Expect(err).NotTo(HaveOccurred())
err = c.AppsV1().Deployments(namespace).Delete(ctx, "api-mock", metav1.DeleteOptions{})
Expect(err).NotTo(HaveOccurred())
})
})
})
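Review bot: The policy deletion under `By("deleting the CiliumNetworkPolicy")` discards the error returned by `Delete`, while every other delete in this spec is asserted; assign and check it: `err = dC.Resource(ciliumNetworkPolicyType).Namespace(namespace).Delete(ctx, "api-mock", metav1.DeleteOptions{})` followed by `Expect(err).NotTo(HaveOccurred())`. Because the Deployment, Service, Jobs and policy are torn down inline at the end of the `It`, any assertion that fails earlier leaves those objects, including the policy restricting `app: api-mock`, behind in the namespace; registering each deletion with `DeferCleanup` right after the corresponding create would make teardown unconditional. The second `Expect(err).NotTo(HaveOccurred())` after `runAsUser := ...` re-checks the error already asserted two lines above and can be removed. `agentDs.Spec.Template.Spec.SecurityContext.FSGroup` and `Containers[0].SecurityContext.RunAsUser` dereference pointers the DaemonSet may not set, so a chart rendered without a security context would panic here instead of failing with a message; an explicit `Expect(agentDs.Spec.Template.Spec.SecurityContext).NotTo(BeNil())` (and the same for the container) gives a readable failure.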

57
.vib/cilium/ginkgo/go.mod Normal file

@@ -0,0 +1,57 @@
module test-cilium-chart
go 1.20
replace github.com/bitnami/charts/.vib/common-tests/ginkgo-utils => ../../common-tests/ginkgo-utils
require (
github.com/bitnami/charts/.vib/common-tests/ginkgo-utils v0.0.0-00010101000000-000000000000
github.com/onsi/ginkgo/v2 v2.11.0
github.com/onsi/gomega v1.27.8
k8s.io/api v0.28.0
k8s.io/apimachinery v0.28.0
k8s.io/client-go v0.28.0
)
require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/emicklei/go-restful/v3 v3.9.0 // indirect
github.com/go-logr/logr v1.2.4 // indirect
github.com/go-openapi/jsonpointer v0.19.6 // indirect
github.com/go-openapi/jsonreference v0.20.2 // indirect
github.com/go-openapi/swag v0.22.3 // indirect
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/imdario/mergo v0.3.6 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/spf13/pflag v1.0.5 // indirect
golang.org/x/net v0.23.0 // indirect
golang.org/x/oauth2 v0.8.0 // indirect
golang.org/x/sys v0.18.0 // indirect
golang.org/x/term v0.18.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.9.3 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.33.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.100.1 // indirect
k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
sigs.k8s.io/yaml v1.3.0 // indirect
)

160
.vib/cilium/ginkgo/go.sum Normal file

@@ -0,0 +1,160 @@
github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE=
github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU=
github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM=
github.com/onsi/gomega v1.27.8 h1:gegWiwZjBsf2DgiSbf5hpokZ98JVDMcWkUiigk6/KXc=
github.com/onsi/gomega v1.27.8/go.mod h1:2J8vzI/s+2shY9XHRApDkdgPo1TKT7P2u6fXeJKFnNQ=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8=
golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM=
golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
k8s.io/api v0.28.0 h1:3j3VPWmN9tTDI68NETBWlDiA9qOiGJ7sdKeufehBYsM=
k8s.io/api v0.28.0/go.mod h1:0l8NZJzB0i/etuWnIXcwfIv+xnDOhL3lLW919AWYDuY=
k8s.io/apimachinery v0.28.0 h1:ScHS2AG16UlYWk63r46oU3D5y54T53cVI5mMJwwqFNA=
k8s.io/apimachinery v0.28.0/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw=
k8s.io/client-go v0.28.0 h1:ebcPRDZsCjpj62+cMk1eGNX1QkMdRmQ6lmz5BLoFWeM=
k8s.io/client-go v0.28.0/go.mod h1:0Asy9Xt3U98RypWJmU1ZrRAGKhP6NqDPmptlAzK2kMc=
k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ=
k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk=
k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=


@@ -0,0 +1,74 @@
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0
# This application performs modifications at host-level, injecting new configuration files and installing new binaries.
command:
{{- $uid := .Vars.agent.containerSecurityContext.runAsUser }}
check-user-info:
# The UID should always be either the one specified as vars (always a bigger number that the default)
# or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value.
exec: if [ $(id -u) -lt {{ $uid }} ]; then exit 1; fi
exit-status: 0
{{ if .Vars.agent.serviceAccount.automountServiceAccountToken }}
check-sa:
exec: cat /var/run/secrets/kubernetes.io/serviceaccount/token | cut -d '.' -f 2 | xargs -I '{}' echo '{}====' | fold -w 4 | sed '$ d' | tr -d '\n' | base64 -d
exit-status: 0
stdout:
- /serviceaccount.*name.*{{ .Env.BITNAMI_APP_NAME }}/
{{ end }}
http:
http://127.0.0.1:{{ .Vars.agent.containerPorts.health }}/healthz:
status: 200
{{ if .Vars.agent.metrics.enabled }}
http://127.0.0.1:{{ .Vars.agent.containerPorts.metrics }}/metrics:
status: 200
http://cilium-agent-metrics:{{ .Vars.agent.service.ports.metrics }}/metrics:
status: 200
{{ end }}
{{ if .Vars.agent.hubbleMetrics.enabled }}
http://127.0.0.1:{{ .Vars.agent.containerPorts.hubbleMetrics }}/metrics:
status: 200
http://cilium-agent-hubble-metrics:{{ .Vars.agent.service.ports.hubbleMetrics }}/metrics:
status: 200
{{ end }}
addr:
tcp://127.0.0.1:{{ .Vars.agent.containerPorts.hubblePeer }}:
reachable: true
timeout: 500
tcp://cilium-agent-hubble-peer:{{ .Vars.agent.service.ports.hubblePeer}}:
reachable: true
timeout: 500
{{ if .Vars.agent.enablePprof }}
tcp://127.0.0.1:{{ .Vars.agent.containerPorts.pprof }}:
reachable: true
timeout: 500
{{ end }}
file:
# Sockets should be created
/opt/bitnami/cilium/var/run/cilium.sock:
exists: true
filetype: socket
mode: '0660'
/opt/bitnami/cilium/var/run/hubble.sock:
exists: true
filetype: socket
mode: '0660'
# Hubble certs are present
/certs/hubble/ca.crt:
exists: true
filetype: symlink
/certs/hubble/tls.crt:
exists: true
filetype: symlink
/certs/hubble/tls.key:
exists: true
filetype: symlink
# Cilium CNI configuration files should be present in the host
/host{{ .Vars.agent.cniPlugin.hostCNINetDir }}/05-cilium.conflist:
exists: true
filetype: file
mode: '0644'
# BPF fs should be mounted
/sys/fs/bpf:
exists: true
filetype: directory
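Review bot: `check-user-info` cannot fail with the parameters this commit ships: `vib-verify.json` passes `cilium/runtime-parameters.yaml` as `vars_file`, that file sets `agent.containerSecurityContext.runAsUser: 0`, and the rendered command becomes `if [ $(id -u) -lt 0 ]`, which is never true, so the comment's premise that the configured UID is always above the default does not hold for an agent that must run as root. If the intent is to prove the container runs with exactly the configured UID, `exec: if [ $(id -u) -ne {{ $uid }} ]; then exit 1; fi` covers both 0 and non-root values; if OpenShift's arbitrary UIDs must also pass, the test needs a separate branch for `$uid` being 0 rather than the current `-lt`. The comment itself reads `always a bigger number that the default` and should say `than the default`. `{{ .Vars.agent.service.ports.hubblePeer}}` in the `addr` block lacks the space before the closing braces that every other expression in the file has; Go templates accept it, but `{{ .Vars.agent.service.ports.hubblePeer }}` keeps the style uniform.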


@@ -0,0 +1,43 @@
tls:
enabled: true
autoGenerated:
enabled: true
engine: helm
agent:
cniPlugin:
install: true
hostCNIBinDir: /home/kubernetes/bin
hostCNINetDir: /etc/cni/net.d
enablePprof: true
containerSecurityContext:
enabled: true
runAsUser: 0
allowPrivilegeEscalation: true
privileged: true
containerPorts:
health: 9879
pprof: 6060
hubblePeer: 4244
metrics: 9962
hubbleMetrics: 9965
priorityClassName: ""
serviceAccount:
create: true
automountServiceAccountToken: true
service:
ports:
hubblePeer: 4244
metrics: 9962
hubbleMetrics: 9965
metrics:
enabled: true
hubbleMetrics:
enabled: true
operator:
metrics:
enabled: true
envoy:
metrics:
enabled: true
rbac:
create: true
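Review bot: The agent is configured with `privileged: true`, `allowPrivilegeEscalation: true` and `runAsUser: 0` without a word on why, which reads like a leftover rather than a deliberate choice; a comment above `containerSecurityContext` such as `# host-level access is required: the agent installs CNI files on the node and needs /sys/fs/bpf mounted` (the goss tests in this commit check exactly those) documents the intent for whoever later tries to harden the test parameters. `hostCNIBinDir: /home/kubernetes/bin` is the CNI binary directory of GKE nodes rather than the common `/opt/cni/bin`, while the verify pipeline takes its platform from `{VIB_ENV_TARGET_PLATFORM}`; if the target platform ever changes, this value and the `05-cilium.conflist` check in goss.yaml presumably need adjusting, so a comment noting the platform assumption would help.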


@@ -0,0 +1,38 @@
{
"phases": {
"package": {
"context": {
"resources": {
"url": "{SHA_ARCHIVE}",
"path": "/bitnami/cilium"
}
},
"actions": [
{
"action_id": "helm-package"
},
{
"action_id": "helm-lint"
}
]
},
"publish": {
"actions": [
{
"action_id": "helm-publish",
"params": {
"repository": {
"kind": "S3",
"url": "{VIB_ENV_S3_URL}",
"authn": {
"access_key_id": "{VIB_ENV_S3_ACCESS_KEY_ID}",
"secret_access_key": "{VIB_ENV_S3_SECRET_ACCESS_KEY}",
"role": "{VIB_ENV_S3_ROLE_ARN}"
}
}
}
}
]
}
}
}


@@ -0,0 +1,64 @@
{
"phases": {
"package": {
"context": {
"resources": {
"url": "{SHA_ARCHIVE}",
"path": "/bitnami/cilium"
}
},
"actions": [
{
"action_id": "helm-package"
},
{
"action_id": "helm-lint"
}
]
},
"verify": {
"context": {
"resources": {
"url": "{SHA_ARCHIVE}",
"path": "/bitnami/cilium"
},
"target_platform": {
"target_platform_id": "{VIB_ENV_TARGET_PLATFORM}",
"size": {
"name": "S4"
}
}
},
"actions": [
{
"action_id": "goss",
"params": {
"resources": {
"path": "/.vib"
},
"tests_file": "cilium/goss/goss.yaml",
"vars_file": "cilium/runtime-parameters.yaml",
"remote": {
"pod": {
"workload": "ds-cilium-agent"
}
}
}
},
{
"action_id": "ginkgo",
"params": {
"resources": {
"path": "/.vib/cilium/ginkgo"
},
"params": {
"kubeconfig": "{{kubeconfig}}",
"namespace": "{{namespace}}",
"releaseName": "cilium"
}
}
}
]
}
}
}


@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
# Changelog
CHANGELOG.md


@@ -0,0 +1,5 @@
# Changelog
## 0.1.0 (2024-06-20)
* New chart: Cilium ([#26374](https://github.com/bitnami/charts/pull/26374))


@@ -0,0 +1,9 @@
dependencies:
- name: etcd
repository: oci://registry-1.docker.io/bitnamicharts
version: 10.2.4
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.20.3
digest: sha256:cdbcf7ba3e9a3a6e90316ed96742c52afbe8f975fbb1950c615d55db221dc6ad
generated: "2024-06-19T13:05:46.006114+02:00"

45
bitnami/cilium/Chart.yaml Normal file

@@ -0,0 +1,45 @@
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0
annotations:
category: Infrastructure
licenses: Apache-2.0
images: |
- name: cilium
image: docker.io/bitnami/cilium:1.15.6-debian-12-r1
- name: cilium-operator
image: docker.io/bitnami/cilium-operator:1.15.6-debian-12-r0
- name: envoy
image: docker.io/bitnami/cilium-proxy:1.28.4-debian-12-r0
apiVersion: v2
appVersion: 1.15.4
dependencies:
- condition: etcd.enabled
name: etcd
repository: oci://registry-1.docker.io/bitnamicharts
tags:
- cilium-database
version: 10.x.x
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
tags:
- bitnami-common
version: 2.x.x
description: Cilium is an eBPF-based networking, observability, and security for Linux container management platforms like Docker and Kubernetes.
home: https://bitnami.com
icon: https://bitnami.com/assets/stacks/cilium/img/cilium-stack-220x234.png
keywords:
- cilium
- cni
- networking
- observability
- security
maintainers:
- name: Broadcom, Inc. All Rights Reserved.
url: https://github.com/bitnami/charts
name: cilium
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/cilium
- https://github.com/bitnami/containers/tree/main/bitnami/cilium
- https://github.com/bitnami/containers/tree/main/bitnami/cilium-operator
version: 0.1.0
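Review bot: `appVersion: 1.15.4` disagrees with the images declared in `annotations.images`, which are `cilium:1.15.6-debian-12-r1` and `cilium-operator:1.15.6-debian-12-r0`; `appVersion` is what `helm search` and `helm show chart` report and what users pin against, so it should read `appVersion: 1.15.6` unless the image tags are the ones that are wrong. The `description` sentence `Cilium is an eBPF-based networking, observability, and security for Linux container management platforms ...` is missing a noun after "security" (for example `security solution`); the same sentence is repeated verbatim at the top of the README in this commit, so both copies should be corrected together.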

765
bitnami/cilium/README.md Normal file

@@ -0,0 +1,765 @@
<!--- app-name: Cilium -->
# Bitnami package for Cilium
Cilium is an eBPF-based networking, observability, and security for Linux container management platforms like Docker and Kubernetes.
[Overview of Cilium](https://cilium.io/)
Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
## TL;DR
```console
helm install my-release oci://registry-1.docker.io/bitnamicharts/cilium
```
Looking to use Cilium in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
## Introduction
Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads.
This chart bootstraps a [Cilium](https://github.com/cilium/cilium) deployment in a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
## Prerequisites
- Kubernetes 1.23+
- Helm 3.8.0+
- Nodes with Linux kernel >= 4.19.57 or equivalent (e.g., 4.18 on RHEL8)
## Installing the Chart
To install the chart with the release name `my-release`:
```console
helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/cilium
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
The command deploys Cilium on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Configuration and installation details
### [Rolling VS Immutable tags](https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-understand-rolling-tags-containers-index.html)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### External Key-Value Store support
You may want to have Cilium connect to an external key-value store rather than installing one inside your cluster. Typical reasons for this are to use a managed service, or to share a common store for all your applications. To achieve this, the chart allows you to specify credentials for an external database with the [`externalKvstore` parameter](#parameters). You should also disable the etcd installation with the `etcd.enabled` option. Here is an example:
```console
etcd.enabled=false
externalKvstorehost.enabled=true
externalKvstorehost.endpoints[0]=external-kvstore-host-0:2379
externalKvstorehost.endpoints[1]=external-kvstore-host-1:2379
```
### Cilium CNI plugin
Please also note the chart installs the Cilium CNI plugin on the Kubernetes nodes by default. If you want to disable this behavior, set the `agent.cniPlugin.install` parameter to `false`.
It's also necessary to know the paths where the CNI binary and configuration files are located in your Kubernetes nodes. The chart assumes that the CNI binary is located in the `/opt/cni/bin` directory and the CNI configuration files are located in the `/etc/cni/net.d` directory. You can customize these paths using the `agent.cniPlugin.hostCNIBinDir` and `agent.cniPlugin.hostCNINetDir` parameters.
### TLS secrets
TLS support can be enabled in the chart by setting the `tls.enabled` parameter to `true`.
It is necessary to create a secret containing the TLS certificates and pass it to the chart via the `tls.existingCASecret` and `tls.hubble.existingSecret` parameters. Both secrets should contain a `tls.crt` and `tls.key` keys including the certificate and key files respectively. For example: create the CA secret with the certificates files:
```console
kubectl create secret generic ca-tls-secret --from-file=./tls.crt --from-file=./tls.key
```
You can manually create the required TLS certificates or relying on the chart auto-generation capabilities. The chart supports two different ways to auto-generate the required certificates:
- Using Helm capabilities. Enable this feature by setting `tls.autoGenerated.enabled` to `true` and `tls.autoGenerated.engine` to `helm`.
- Relying on CertManager (please note it's required to have CertManager installed in your K8s cluster). Enable this feature by setting `tls.autoGenerated.enabled` to `true` and `tls.autoGenerated.engine` to `cert-manager`. Please note it's supported to use an existing Issuer/ClusterIssuer for issuing the TLS certificates by setting the `tls.autoGenerated.certManager.existingIssuer` and `tls.autoGenerated.certManager.existingIssuerKind` parameters.
### Additional environment variables
In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property. For instance:
```yaml
agent:
extraEnvVars:
- name: LOG_LEVEL
value: error
```
Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` values.
### Sidecars
If additional containers are needed in the same pod as Ciliuma (such as additional metrics or logging exporters), they can be defined using the `agent.sidecars` parameter.
```yaml
agent:
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
If these sidecars export extra ports, extra port definitions can be added using the `agent.service.extraPorts` parameter (where available), as shown in the example below:
```yaml
agent:
service:
extraPorts:
- name: extraPort
port: 11311
targetPort: 11311
```
If additional init containers are needed in the same pod, they can be defined using the `agent.initContainers` parameter. Here is an example:
```yaml
agent:
initContainers:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/).
### Pod affinity
This chart allows you to set your custom affinity using the `affinity` parameter. Find more information about Pod affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
As an alternative, use one of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters.
## Parameters
### Global parameters
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
### Common parameters
| Name | Description | Value |
| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------- |
| `kubeVersion` | Override Kubernetes version | `""` |
| `nameOverride` | String to partially override common.names.name | `""` |
| `fullnameOverride` | String to fully override common.names.fullname | `""` |
| `namespaceOverride` | String to fully override common.names.namespace | `""` |
| `commonLabels` | Labels to add to all deployed objects | `{}` |
| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
| `clusterDomain` | Kubernetes cluster domain name | `cluster.local` |
| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
| `diagnosticMode.command` | Command to override all containers in the chart release | `["sleep"]` |
| `diagnosticMode.args` | Args to override all containers in the chart release | `["infinity"]` |
| `configuration` | Specify content for Cilium common configuration (basic one auto-generated based on other values otherwise) | `{}` |
| `overrideConfiguration` | Cilium common configuration override. Values defined here takes precedence over the ones defined at `configuration` | `{}` |
| `existingConfigmap` | The name of an existing ConfigMap with your custom Cilium configuration | `""` |
| `tls.enabled` | Enable TLS for communications | `true` |
| `tls.autoGenerated.enabled` | Enable automatic generation of certificates for TLS | `true` |
| `tls.autoGenerated.engine` | Mechanism to generate the certificates (allowed values: helm, cert-manager) | `helm` |
| `tls.autoGenerated.certManager.existingIssuer` | The name of an existing Issuer to use for generating the certificates (only for `cert-manager` engine) | `""` |
| `tls.autoGenerated.certManager.existingIssuerKind` | Existing Issuer kind, defaults to Issuer (only for `cert-manager` engine) | `""` |
| `tls.autoGenerated.certManager.keyAlgorithm` | Key algorithm for the certificates (only for `cert-manager` engine) | `RSA` |
| `tls.autoGenerated.certManager.keySize` | Key size for the certificates (only for `cert-manager` engine) | `2048` |
| `tls.autoGenerated.certManager.duration` | Duration for the certificates (only for `cert-manager` engine) | `2160h` |
| `tls.autoGenerated.certManager.renewBefore` | Renewal period for the certificates (only for `cert-manager` engine) | `360h` |
| `tls.ca` | CA certificate for TLS. Ignored if `tls.existingCASecret` is set | `""` |
| `tls.existingCASecret` | The name of an existing Secret containing the CA certificate for TLS | `""` |
| `tls.hubble.cert` | TLS certificate for Hubble. Ignored if `tls.hubble.existingSecret` is set | `""` |
| `tls.hubble.key` | TLS key for Hubble. Ignored if `tls.hubble.existingSecret` is set | `""` |
| `tls.hubble.existingSecret` | The name of an existing Secret containing the Hubble certificates for TLS | `""` |
| `tls.client.cert` | TLS certificate for Hubble client(s). Ignored if `tls.client.existingSecret` is set | `""` |
| `tls.client.key` | TLS key for Hubble client(s). Ignored if `tls.client.existingSecret` is set | `""` |
| `tls.client.existingSecret` | The name of an existing Secret containing the Hubble client(s) certificates for TLS | `""` |
### Cilium Agent Parameters
| Name | Description | Value |
| ------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| `agent.image.registry` | Cilium Agent image registry | `REGISTRY_NAME` |
| `agent.image.repository` | Cilium Agent image repository | `REPOSITORY_NAME/cilium` |
| `agent.image.digest` | Cilium Agent image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag image tag (immutable tags are recommended) | `""` |
| `agent.image.pullPolicy` | Cilium Agent image pull policy | `IfNotPresent` |
| `agent.image.pullSecrets` | Cilium Agent image pull secrets | `[]` |
| `agent.image.debug` | Enable Cilium Agent image debug mode | `false` |
| `agent.containerPorts.health` | Cilium Agent health container port | `9879` |
| `agent.containerPorts.pprof` | Cilium Agent pprof container port | `6060` |
| `agent.containerPorts.hubblePeer` | Cilium Agent Hubble peer service container port | `4244` |
| `agent.containerPorts.metrics` | Cilium Agent metrics container port | `9962` |
| `agent.containerPorts.hubbleMetrics` | Cilium Agent Hubble metrics container port | `9965` |
| `agent.extraContainerPorts` | Optionally specify extra list of additional ports for Cilium Agent containers | `[]` |
| `agent.livenessProbe.enabled` | Enable livenessProbe on Cilium Agent containers | `true` |
| `agent.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
| `agent.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `30` |
| `agent.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `agent.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `10` |
| `agent.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `agent.readinessProbe.enabled` | Enable readinessProbe on Cilium Agent containers | `true` |
| `agent.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
| `agent.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `30` |
| `agent.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
| `agent.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `agent.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `agent.startupProbe.enabled` | Enable startupProbe on Cilium Agent containers | `false` |
| `agent.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
| `agent.startupProbe.periodSeconds` | Period seconds for startupProbe | `2` |
| `agent.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `agent.startupProbe.failureThreshold` | Failure threshold for startupProbe | `100` |
| `agent.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `agent.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `agent.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `agent.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `agent.resourcesPreset` | Set Cilium Agent container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.resources is recommended for production). | `micro` |
| `agent.resources` | Set Cilium Agent container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `agent.podSecurityContext.enabled` | Enable Cilium Agent pods' Security Context | `true` |
| `agent.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy for Cilium Agent pods | `Always` |
| `agent.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface for Cilium Agent pods | `[]` |
| `agent.podSecurityContext.supplementalGroups` | Set filesystem extra groups for Cilium Agent pods | `[]` |
| `agent.podSecurityContext.fsGroup` | Set fsGroup in Cilium Agent pods' Security Context | `0` |
| `agent.containerSecurityContext.enabled` | Enabled Cilium Agent container' Security Context | `true` |
| `agent.containerSecurityContext.seLinuxOptions` | Set SELinux options in Cilium Agent container | `undefined` |
| `agent.containerSecurityContext.runAsUser` | Set runAsUser in Cilium Agent container' Security Context | `0` |
| `agent.containerSecurityContext.runAsGroup` | Set runAsUser in Cilium Agent container' Security Context | `0` |
| `agent.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in Cilium Agent container' Security Context | `false` |
| `agent.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in Cilium Agent container' Security Context | `true` |
| `agent.containerSecurityContext.privileged` | Set privileged in Cilium Agent container' Security Context | `false` |
| `agent.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in Cilium Agent container' Security Context | `false` |
| `agent.containerSecurityContext.capabilities.add` | List of capabilities to be added in Cilium Agent container | `["BPF","CHOWN","DAC_OVERRIDE","FOWNER","KILL","NET_ADMIN","NET_RAW","IPC_LOCK","PERFMON","SETGID","SETUID","SYS_ADMIN","SYS_MODULE","SYS_RESOURCE"]` |
| `agent.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in Cilium Agent container | `["ALL"]` |
| `agent.containerSecurityContext.seccompProfile.type` | Set seccomp profile in Cilium Agent container | `RuntimeDefault` |
| `agent.bpf.autoMount` | Enable automatically mounting BPF fs on the host | `true` |
| `agent.bpf.hostRoot` | Path to the host's BPF root directory | `/sys/fs/bpf` |
| `agent.cgroup2.autoMount` | Enable automatically mounting cgroup2 filesystem on the host | `true` |
| `agent.cgroup2.hostRoot` | Path to the host's cgroup2 root directory | `/run/cilium/cgroupv2` |
| `agent.cniPlugin.install` | Enable Cilium CNI plugin installation on the host | `true` |
| `agent.cniPlugin.uninstall` | Remove the CNI plugin from the host on agent shutdown | `false` |
| `agent.cniPlugin.hostCNIBinDir` | Path to the host's CNI bin directory | `/opt/cni/bin` |
| `agent.cniPlugin.hostCNINetDir` | Path to the host's CNI net configuration directory | `/etc/cni/net.d` |
| `agent.waitForKubeProxy` | Wait for kube-proxy to be ready before starting Cilium Agent | `false` |
| `agent.enablePprof` | Enable pprof for Cilium Agent | `false` |
| `agent.command` | Override default Cilium Agent container command (useful when using custom images) | `[]` |
| `agent.args` | Override default Cilium Agent container args (useful when using custom images) | `[]` |
| `agent.automountServiceAccountToken` | Mount Service Account token in Cilium Agent pods | `true` |
| `agent.hostAliases` | Cilium Agent pods host aliases | `[]` |
| `agent.daemonsetAnnotations` | Annotations for Cilium Agent daemonset | `{}` |
| `agent.podLabels` | Extra labels for Cilium Agent pods | `{}` |
| `agent.podAnnotations` | Annotations for Cilium Agent pods | `{}` |
| `agent.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `agent.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `agent.nodeAffinityPreset.key` | Node label key to match. Ignored if `agent.affinity` is set | `""` |
| `agent.nodeAffinityPreset.values` | Node label values to match. Ignored if `agent.affinity` is set | `[]` |
| `agent.affinity` | Affinity for Cilium Agent pods assignment | `{}` |
| `agent.nodeSelector` | Node labels for Cilium Agent pods assignment | `{}` |
| `agent.tolerations` | Tolerations for Cilium Agent pods assignment | `[]` |
| `agent.updateStrategy.type` | Cilium Agent daemonset update strategy type | `RollingUpdate` |
| `agent.priorityClassName` | Cilium Agent pods' priorityClassName | `system-node-critical` |
| `agent.terminationGracePeriodSeconds` | Seconds Cilium Agent pods need to terminate gracefully | `1` |
| `agent.lifecycleHooks` | for Cilium Agent containers to automate configuration before or after startup | `{}` |
| `agent.extraEnvVars` | Array with extra environment variables to add to Cilium Agent containers | `[]` |
| `agent.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Cilium Agent containers | `""` |
| `agent.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Cilium Agent containers | `""` |
| `agent.extraVolumes` | Optionally specify extra list of additional volumes for the Cilium Agent pods | `[]` |
| `agent.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Cilium Agent containers | `[]` |
| `agent.sidecars` | Add additional sidecar containers to the Cilium Agent pods | `[]` |
| `agent.initContainers` | Add additional init containers to the Cilium Agent pods | `[]` |
| `agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.enabled` | Enabled Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.seLinuxOptions` | Set SELinux options in Cilium Agent init-containers | `{}` |
| `agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.runAsUser` | Set runAsUser in Cilium Agent init-containers' Security Context | `1001` |
| `agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.runAsGroup` | Set runAsUser in Cilium Agent init-containers' Security Context | `1001` |
| `agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.privileged` | Set privileged in Cilium Agent init-containers' Security Context | `false` |
| `agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in Cilium Agent init-containers' Security Context | `false` |
| `agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.capabilities.add` | List of capabilities to be added in Cilium Agent init-containers | `[]` |
| `agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in Cilium Agent init-containers | `["ALL"]` |
| `agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.seccompProfile.type` | Set seccomp profile in Cilium Agent init-containers | `RuntimeDefault` |
| `agent.defaultInitContainers.prepareWriteDirs.resourcesPreset` | Set Cilium Agent "prepare-write-dirs" init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.initContainerResources is recommended for production). | `nano` |
| `agent.defaultInitContainers.prepareWriteDirs.resources` | Set Cilium Agent "prepare-write-dirs" init container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `agent.defaultInitContainers.buildConfig.containerSecurityContext.enabled` | Enabled Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.buildConfig.containerSecurityContext.seLinuxOptions` | Set SELinux options in Cilium Agent init-containers | `{}` |
| `agent.defaultInitContainers.buildConfig.containerSecurityContext.runAsUser` | Set runAsUser in Cilium Agent init-containers' Security Context | `1001` |
| `agent.defaultInitContainers.buildConfig.containerSecurityContext.runAsGroup` | Set runAsUser in Cilium Agent init-containers' Security Context | `1001` |
| `agent.defaultInitContainers.buildConfig.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.buildConfig.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.buildConfig.containerSecurityContext.privileged` | Set privileged in Cilium Agent init-containers' Security Context | `false` |
| `agent.defaultInitContainers.buildConfig.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in Cilium Agent init-containers' Security Context | `false` |
| `agent.defaultInitContainers.buildConfig.containerSecurityContext.capabilities.add` | List of capabilities to be added in Cilium Agent init-containers | `[]` |
| `agent.defaultInitContainers.buildConfig.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in Cilium Agent init-containers | `["ALL"]` |
| `agent.defaultInitContainers.buildConfig.containerSecurityContext.seccompProfile.type` | Set seccomp profile in Cilium Agent init-containers | `RuntimeDefault` |
| `agent.defaultInitContainers.buildConfig.resourcesPreset` | Set Cilium Agent "build-config" init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.initContainerResources is recommended for production). | `nano` |
| `agent.defaultInitContainers.buildConfig.resources` | Set Cilium Agent "build-config" init container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `agent.defaultInitContainers.installCniPlugin.containerSecurityContext.enabled` | Enabled Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.installCniPlugin.containerSecurityContext.seLinuxOptions` | Set SELinux options in Cilium Agent init-containers | `undefined` |
| `agent.defaultInitContainers.installCniPlugin.containerSecurityContext.runAsUser` | Set runAsUser in Cilium Agent init-containers' Security Context | `0` |
| `agent.defaultInitContainers.installCniPlugin.containerSecurityContext.runAsGroup` | Set runAsUser in Cilium Agent init-containers' Security Context | `0` |
| `agent.defaultInitContainers.installCniPlugin.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in Cilium Agent init-containers' Security Context | `false` |
| `agent.defaultInitContainers.installCniPlugin.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.installCniPlugin.containerSecurityContext.privileged` | Set privileged in Cilium Agent init-containers' Security Context | `false` |
| `agent.defaultInitContainers.installCniPlugin.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in Cilium Agent init-containers' Security Context | `false` |
| `agent.defaultInitContainers.installCniPlugin.containerSecurityContext.capabilities.add` | List of capabilities to be added in Cilium Agent init-containers | `["NET_ADMIN","SYS_ADMIN","SYS_CHROOT","SYS_MODULE","SYS_PTRACE","SYS_RESOURCE"]` |
| `agent.defaultInitContainers.installCniPlugin.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in Cilium Agent init-containers | `["ALL"]` |
| `agent.defaultInitContainers.installCniPlugin.containerSecurityContext.seccompProfile.type` | Set seccomp profile in Cilium Agent init-containers | `RuntimeDefault` |
| `agent.defaultInitContainers.installCniPlugin.resourcesPreset` | Set Cilium Agent "install-cni-plugin" init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.initContainerResources is recommended for production). | `nano` |
| `agent.defaultInitContainers.installCniPlugin.resources` | Set Cilium Agent "install-cni-plugin" init container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `agent.defaultInitContainers.mountBpf.containerSecurityContext.enabled` | Enabled Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.mountBpf.containerSecurityContext.seLinuxOptions` | Set SELinux options in Cilium Agent init-containers | `{}` |
| `agent.defaultInitContainers.mountBpf.containerSecurityContext.runAsUser` | Set runAsUser in Cilium Agent init-containers' Security Context | `0` |
| `agent.defaultInitContainers.mountBpf.containerSecurityContext.runAsGroup` | Set runAsUser in Cilium Agent init-containers' Security Context | `0` |
| `agent.defaultInitContainers.mountBpf.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in Cilium Agent init-containers' Security Context | `false` |
| `agent.defaultInitContainers.mountBpf.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.mountBpf.containerSecurityContext.privileged` | Set privileged in Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.mountBpf.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.mountBpf.containerSecurityContext.capabilities.add` | List of capabilities to be added in Cilium Agent init-containers | `[]` |
| `agent.defaultInitContainers.mountBpf.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in Cilium Agent init-containers | `[]` |
| `agent.defaultInitContainers.mountBpf.containerSecurityContext.seccompProfile.type` | Set seccomp profile in Cilium Agent init-containers | `RuntimeDefault` |
| `agent.defaultInitContainers.mountBpf.resourcesPreset` | Set Cilium Agent "host-mount-bpf" init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.initContainerResources is recommended for production). | `nano` |
| `agent.defaultInitContainers.mountBpf.resources` | Set Cilium Agent "host-mount-bpf" init container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `agent.defaultInitContainers.mountCgroup2.containerSecurityContext.enabled` | Enabled Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.mountCgroup2.containerSecurityContext.seLinuxOptions` | Set SELinux options in Cilium Agent init-containers | `{}` |
| `agent.defaultInitContainers.mountCgroup2.containerSecurityContext.runAsUser` | Set runAsUser in Cilium Agent init-containers' Security Context | `0` |
| `agent.defaultInitContainers.mountCgroup2.containerSecurityContext.runAsGroup` | Set runAsUser in Cilium Agent init-containers' Security Context | `0` |
| `agent.defaultInitContainers.mountCgroup2.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in Cilium Agent init-containers' Security Context | `false` |
| `agent.defaultInitContainers.mountCgroup2.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.mountCgroup2.containerSecurityContext.privileged` | Set privileged in Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.mountCgroup2.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.mountCgroup2.containerSecurityContext.capabilities.add` | List of capabilities to be added in Cilium Agent init-containers | `[]` |
| `agent.defaultInitContainers.mountCgroup2.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in Cilium Agent init-containers | `[]` |
| `agent.defaultInitContainers.mountCgroup2.containerSecurityContext.seccompProfile.type` | Set seccomp profile in Cilium Agent init-containers | `RuntimeDefault` |
| `agent.defaultInitContainers.mountCgroup2.resourcesPreset` | Set Cilium Agent "host-mount-cgroup2" init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.initContainerResources is recommended for production). | `nano` |
| `agent.defaultInitContainers.mountCgroup2.resources` | Set Cilium Agent "host-mount-cgroup2" init container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `agent.defaultInitContainers.cleanState.containerSecurityContext.enabled` | Enabled Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.cleanState.containerSecurityContext.seLinuxOptions` | Set SELinux options in Cilium Agent init-containers | `undefined` |
| `agent.defaultInitContainers.cleanState.containerSecurityContext.runAsUser` | Set runAsUser in Cilium Agent init-containers' Security Context | `1001` |
| `agent.defaultInitContainers.cleanState.containerSecurityContext.runAsGroup` | Set runAsUser in Cilium Agent init-containers' Security Context | `1001` |
| `agent.defaultInitContainers.cleanState.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.cleanState.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.cleanState.containerSecurityContext.privileged` | Set privileged in Cilium Agent init-containers' Security Context | `false` |
| `agent.defaultInitContainers.cleanState.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in Cilium Agent init-containers' Security Context | `false` |
| `agent.defaultInitContainers.cleanState.containerSecurityContext.capabilities.add` | List of capabilities to be added in Cilium Agent init-containers | `["NET_ADMIN","SYS_ADMIN","SYS_MODULE","SYS_RESOURCE"]` |
| `agent.defaultInitContainers.cleanState.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in Cilium Agent init-containers | `["ALL"]` |
| `agent.defaultInitContainers.cleanState.containerSecurityContext.seccompProfile.type` | Set seccomp profile in Cilium Agent init-containers | `RuntimeDefault` |
| `agent.defaultInitContainers.cleanState.resourcesPreset` | Set Cilium Agent "clean-state" init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.initContainerResources is recommended for production). | `nano` |
| `agent.defaultInitContainers.cleanState.resources` | Set Cilium Agent "clean-state" init container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.enabled` | Enabled Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.seLinuxOptions` | Set SELinux options in Cilium Agent init-containers | `{}` |
| `agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.runAsUser` | Set runAsUser in Cilium Agent init-containers' Security Context | `0` |
| `agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.runAsGroup` | Set runAsUser in Cilium Agent init-containers' Security Context | `0` |
| `agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in Cilium Agent init-containers' Security Context | `false` |
| `agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.privileged` | Set privileged in Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in Cilium Agent init-containers' Security Context | `true` |
| `agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.capabilities.add` | List of capabilities to be added in Cilium Agent init-containers | `[]` |
| `agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in Cilium Agent init-containers | `[]` |
| `agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.seccompProfile.type` | Set seccomp profile in Cilium Agent init-containers | `RuntimeDefault` |
| `agent.defaultInitContainers.waitForKubeProxy.resourcesPreset` | Set Cilium Agent "wait-for-kube-proxy" init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.initContainerResources is recommended for production). | `nano` |
| `agent.defaultInitContainers.waitForKubeProxy.resources` | Set Cilium Agent "wait-for-kube-proxy" init container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `agent.autoscaling.vpa.enabled` | Enable VPA for Cilium Agent | `false` |
| `agent.autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` |
| `agent.autoscaling.vpa.controlledResources` | List of resources that the VPA can control. Defaults to cpu and memory | `[]` |
| `agent.autoscaling.vpa.maxAllowed` | VPA max allowed resources for the pod | `{}` |
| `agent.autoscaling.vpa.minAllowed` | VPA min allowed resources for the pod | `{}` |
| `agent.autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy | `Auto` |
### Cilium Agent RBAC configuration
| Name | Description | Value |
| --------------------------------------------------- | --------------------------------------------------------------------- | ------ |
| `agent.serviceAccount.create` | Specifies whether a ServiceAccount should be created for Cilium Agent | `true` |
| `agent.serviceAccount.name` | The name of the ServiceAccount to use for Cilium Agent | `""` |
| `agent.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` |
| `agent.serviceAccount.automountServiceAccountToken` | Automount ServiceAccount token | `true` |
| `agent.rbac.create` | Specifies whether RBAC resources should be created for Cilium Agent | `true` |
| `agent.rbac.rules` | Custom RBAC rules to set for Cilium Agent | `[]` |
### Cilium Agent Service Parameters
| Name | Description | Value |
| ------------------------------------- | ------------------------------------------------------------------------------------ | --------- |
| `agent.service.ports.hubblePeer` | Cilium Agent service Hubble peer port | `4244` |
| `agent.service.extraPorts` | Extra ports to expose in the service (normally used with the `agent.sidecars` value) | `[]` |
| `agent.service.clusterIP` | Cilium Agent service Cluster IP | `""` |
| `agent.service.internalTrafficPolicy` | Cilium Agent service internal traffic policy | `Cluster` |
| `agent.service.annotations` | Annotations for the Cilium Agent service. | `{}` |
### Cilium Agent Network Policies Parameters
| Name | Description | Value |
| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | ------ |
| `agent.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created for Cilium Agent | `true` |
| `agent.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `agent.networkPolicy.allowExternalEgress` | Allow the Cilium Agent pods to access any range of port and all destinations. | `true` |
| `agent.networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `agent.networkPolicy.allowExternal` is true. | `true` |
| `agent.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
| `agent.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `agent.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` |
| `agent.networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `agent.networkPolicy.allowExternal` is true. | `{}` |
| `agent.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `agent.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
### Cilium Agent Metrics Parameters
| Name | Description | Value |
| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------ | ------- |
| `agent.metrics.enabled` | Enable the export of Prometheus metrics for Cilium Agent | `false` |
| `agent.metrics.service.port` | Cilium Agent metrics service port | `9962` |
| `agent.metrics.service.annotations` | Annotations for the Cilium Agent metrics service. | `{}` |
| `agent.metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` |
| `agent.metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` |
| `agent.metrics.serviceMonitor.annotations` | Additional custom annotations for the ServiceMonitor | `{}` |
| `agent.metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` |
| `agent.metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in Prometheus | `""` |
| `agent.metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` |
| `agent.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` |
| `agent.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
| `agent.metrics.serviceMonitor.metricRelabelings` | Specify additional relabeling of metrics | `[]` |
| `agent.metrics.serviceMonitor.relabelings` | Specify general relabeling | `[]` |
| `agent.metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
| `agent.hubbleMetrics.enabled` | Enable the export of Prometheus metrics for Hubble | `false` |
| `agent.hubbleMetrics.service.port` | Hubble metrics service port | `9965` |
| `agent.hubbleMetrics.service.annotations` | Annotations for the Hubble metrics service. | `{}` |
| `agent.hubbleMetrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (also requires `hubbleMetrics.enabled` to be `true`) | `false` |
| `agent.hubbleMetrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` |
| `agent.hubbleMetrics.serviceMonitor.annotations` | Additional custom annotations for the ServiceMonitor | `{}` |
| `agent.hubbleMetrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` |
| `agent.hubbleMetrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in Prometheus | `""` |
| `agent.hubbleMetrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` |
| `agent.hubbleMetrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` |
| `agent.hubbleMetrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
| `agent.hubbleMetrics.serviceMonitor.metricRelabelings` | Specify additional relabeling of metrics | `[]` |
| `agent.hubbleMetrics.serviceMonitor.relabelings` | Specify general relabeling | `[]` |
| `agent.hubbleMetrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
### Cilium Operator Parameters
| Name | Description | Value |
| ------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
| `operator.image.registry` | Cilium Operator image registry | `REGISTRY_NAME` |
| `operator.image.repository` | Cilium Operator image repository | `REPOSITORY_NAME/cilium` |
| `operator.image.digest` | Cilium Operator image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag image tag (immutable tags are recommended) | `""` |
| `operator.image.pullPolicy` | Cilium Operator image pull policy | `IfNotPresent` |
| `operator.image.pullSecrets` | Cilium Operator image pull secrets | `[]` |
| `operator.image.debug` | Enable Cilium Operator image debug mode | `false` |
| `operator.replicaCount` | Number of Cilium Operator replicas to deploy | `1` |
| `operator.containerPorts.api` | Cilium Operator API container port | `9234` |
| `operator.containerPorts.pprof` | Cilium Operator pprof container port | `6061` |
| `operator.containerPorts.metrics` | Cilium Operator metrics container port | `9963` |
| `operator.extraContainerPorts` | Optionally specify extra list of additional ports for Cilium Operator containers | `[]` |
| `operator.hostNetwork` | Enable Host Network | `true` |
| `operator.livenessProbe.enabled` | Enable livenessProbe on Cilium Operator containers | `true` |
| `operator.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
| `operator.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `30` |
| `operator.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `operator.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `10` |
| `operator.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `operator.readinessProbe.enabled` | Enable readinessProbe on Cilium Operator containers | `true` |
| `operator.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
| `operator.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `30` |
| `operator.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
| `operator.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `operator.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `operator.startupProbe.enabled` | Enable startupProbe on Cilium Operator containers | `false` |
| `operator.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
| `operator.startupProbe.periodSeconds` | Period seconds for startupProbe | `2` |
| `operator.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `operator.startupProbe.failureThreshold` | Failure threshold for startupProbe | `100` |
| `operator.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `operator.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `operator.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `operator.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `operator.resourcesPreset` | Set Cilium Operator container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if operator.resources is set (operator.resources is recommended for production). | `micro` |
| `operator.resources` | Set Cilium Operator container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `operator.podSecurityContext.enabled` | Enable Cilium Operator pods' Security Context | `true` |
| `operator.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy for Cilium Operator pods | `Always` |
| `operator.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface for Cilium Operator pods | `[]` |
| `operator.podSecurityContext.supplementalGroups` | Set filesystem extra groups for Cilium Operator pods | `[]` |
| `operator.podSecurityContext.fsGroup` | Set fsGroup in Cilium Operator pods' Security Context | `1001` |
| `operator.containerSecurityContext.enabled` | Enabled Cilium Operator container' Security Context | `true` |
| `operator.containerSecurityContext.seLinuxOptions` | Set SELinux options in Cilium Operator container | `{}` |
| `operator.containerSecurityContext.runAsUser` | Set runAsUser in Cilium Operator container' Security Context | `1001` |
| `operator.containerSecurityContext.runAsGroup` | Set runAsUser in Cilium Operator container' Security Context | `1001` |
| `operator.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in Cilium Operator container' Security Context | `true` |
| `operator.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in Cilium Operator container' Security Context | `true` |
| `operator.containerSecurityContext.privileged` | Set privileged in Cilium Operator container' Security Context | `false` |
| `operator.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in Cilium Operator container' Security Context | `false` |
| `operator.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in Cilium Operator container | `["ALL"]` |
| `operator.containerSecurityContext.seccompProfile.type` | Set seccomp profile in Cilium Operator container | `RuntimeDefault` |
| `operator.enablePprof` | Enable pprof for Cilium Operator | `false` |
| `operator.command` | Override default Cilium Operator container command (useful when using custom images) | `[]` |
| `operator.args` | Override default Cilium Operator container args (useful when using custom images) | `[]` |
| `operator.automountServiceAccountToken` | Mount Service Account token in Cilium Operator pods | `true` |
| `operator.hostAliases` | Cilium Operator pods host aliases | `[]` |
| `operator.deploymentAnnotations` | Annotations for Cilium Operator deployment | `{}` |
| `operator.podLabels` | Extra labels for Cilium Operator pods | `{}` |
| `operator.podAnnotations` | Annotations for Cilium Operator pods | `{}` |
| `operator.podAffinityPreset` | Pod affinity preset. Ignored if `operator.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `operator.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `operator.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `operator.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `operator.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `operator.nodeAffinityPreset.key` | Node label key to match. Ignored if `operator.affinity` is set | `""` |
| `operator.nodeAffinityPreset.values` | Node label values to match. Ignored if `operator.affinity` is set | `[]` |
| `operator.affinity` | Affinity for Cilium Operator pods assignment | `{}` |
| `operator.nodeSelector` | Node labels for Cilium Operator pods assignment | `{}` |
| `operator.tolerations` | Tolerations for Cilium Operator pods assignment | `[]` |
| `operator.updateStrategy.type` | Cilium Operator deployment update strategy type | `RollingUpdate` |
| `operator.priorityClassName` | Cilium Operator pods' priorityClassName | `""` |
| `operator.topologySpreadConstraints` | Topology Spread Constraints for Cilium Operator pod assignment spread across your cluster among failure-domains | `[]` |
| `operator.schedulerName` | Name of the k8s scheduler (other than default) for Cilium Operator pods | `""` |
| `operator.terminationGracePeriodSeconds` | Seconds Cilium Operator pods need to terminate gracefully | `1` |
| `operator.lifecycleHooks` | for Cilium Operator containers to automate configuration before or after startup | `{}` |
| `operator.extraEnvVars` | Array with extra environment variables to add to Cilium Operator containers | `[]` |
| `operator.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Cilium Operator containers | `""` |
| `operator.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Cilium Operator containers | `""` |
| `operator.extraVolumes` | Optionally specify extra list of additional volumes for the Cilium Operator pods | `[]` |
| `operator.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Cilium Operator containers | `[]` |
| `operator.sidecars` | Add additional sidecar containers to the Cilium Operator pods | `[]` |
| `operator.initContainers` | Add additional init containers to the Cilium Operator pods | `[]` |
| `operator.pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` |
| `operator.pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` |
| `operator.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `operator.pdb.minAvailable` and `operator.pdb.maxUnavailable` are empty. | `""` |
| `operator.autoscaling.vpa.enabled` | Enable VPA for Cilium Operator | `false` |
| `operator.autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` |
| `operator.autoscaling.vpa.controlledResources` | List of resources that the VPA can control. Defaults to cpu and memory | `[]` |
| `operator.autoscaling.vpa.maxAllowed` | VPA max allowed resources for the pod | `{}` |
| `operator.autoscaling.vpa.minAllowed` | VPA min allowed resources for the pod | `{}` |
| `operator.autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy | `Auto` |
| `operator.autoscaling.hpa.enabled` | Enable HPA | `false` |
| `operator.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` |
| `operator.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` |
| `operator.autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` |
| `operator.autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` |
### Cilium Operator RBAC configuration
| Name | Description | Value |
| ------------------------------------------------------ | ------------------------------------------------------------------------ | ------ |
| `operator.serviceAccount.create` | Specifies whether a ServiceAccount should be created for Cilium Operator | `true` |
| `operator.serviceAccount.name` | The name of the ServiceAccount to use for Cilium Operator | `""` |
| `operator.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` |
| `operator.serviceAccount.automountServiceAccountToken` | Automount ServiceAccount token | `true` |
| `operator.rbac.create` | Specifies whether RBAC resources should be created for Cilium Operator | `true` |
| `operator.rbac.rules` | Custom RBAC rules to set for Cilium Operator | `[]` |
### Cilium Operator Network Policies Parameters
| Name | Description | Value |
| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | ------ |
| `operator.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created for Cilium Operator | `true` |
| `operator.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `operator.networkPolicy.allowExternalEgress` | Allow the Cilium Operator pods to access any range of port and all destinations. | `true` |
| `operator.networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `operator.networkPolicy.allowExternal` is true. | `true` |
| `operator.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
| `operator.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `operator.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` |
| `operator.networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `operator.networkPolicy.allowExternal` is true. | `{}` |
| `operator.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `operator.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
### Cilium Operator Metrics Parameters
| Name | Description | Value |
| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | ------- |
| `operator.metrics.enabled` | Enable the export of Prometheus metrics | `false` |
| `operator.metrics.service.port` | Metrics service port | `9963` |
| `operator.metrics.service.annotations` | Annotations for the metrics service. | `{}` |
| `operator.metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` |
| `operator.metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` |
| `operator.metrics.serviceMonitor.annotations` | Additional custom annotations for the ServiceMonitor | `{}` |
| `operator.metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` |
| `operator.metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in Prometheus | `""` |
| `operator.metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` |
| `operator.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` |
| `operator.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
| `operator.metrics.serviceMonitor.metricRelabelings` | Specify additional relabeling of metrics | `[]` |
| `operator.metrics.serviceMonitor.relabelings` | Specify general relabeling | `[]` |
| `operator.metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
### Cilium Envoy Parameters
| Name | Description | Value |
| --------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------- |
| `envoy.image.registry` | Cilium Proxy image registry | `REGISTRY_NAME` |
| `envoy.image.repository` | Cilium Proxy image repository | `REPOSITORY_NAME/cilium` |
| `envoy.image.digest` | Cilium Proxy image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag image tag (immutable tags are recommended) | `""` |
| `envoy.image.pullPolicy` | Cilium Proxy image pull policy | `IfNotPresent` |
| `envoy.image.pullSecrets` | Cilium Proxy image pull secrets | `[]` |
| `envoy.image.debug` | Enable Cilium Proxy image debug mode | `false` |
| `envoy.containerPorts.health` | Cilium Envoy health container port | `9878` |
| `envoy.containerPorts.metrics` | Cilium Envoy metrics container port | `9964` |
| `envoy.extraContainerPorts` | Optionally specify extra list of additional ports for Cilium Envoy containers | `[]` |
| `envoy.livenessProbe.enabled` | Enable livenessProbe on Cilium Envoy containers | `true` |
| `envoy.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
| `envoy.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `30` |
| `envoy.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `envoy.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `10` |
| `envoy.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `envoy.readinessProbe.enabled` | Enable readinessProbe on Cilium Envoy containers | `true` |
| `envoy.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
| `envoy.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `30` |
| `envoy.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
| `envoy.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `envoy.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `envoy.startupProbe.enabled` | Enable startupProbe on Cilium Envoy containers | `false` |
| `envoy.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
| `envoy.startupProbe.periodSeconds` | Period seconds for startupProbe | `2` |
| `envoy.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `envoy.startupProbe.failureThreshold` | Failure threshold for startupProbe | `100` |
| `envoy.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `envoy.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `envoy.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `envoy.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `envoy.resourcesPreset` | Set Cilium Envoy container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.resources is set (envoy.resources is recommended for production). | `micro` |
| `envoy.resources` | Set Cilium Envoy container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `envoy.podSecurityContext.enabled` | Enable Cilium Envoy pods' Security Context | `true` |
| `envoy.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy for Cilium Envoy pods | `Always` |
| `envoy.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface for Cilium Envoy pods | `[]` |
| `envoy.podSecurityContext.supplementalGroups` | Set filesystem extra groups for Cilium Envoy pods | `[]` |
| `envoy.podSecurityContext.fsGroup` | Set fsGroup in Cilium Envoy pods' Security Context | `0` |
| `envoy.containerSecurityContext.enabled` | Enabled Cilium Envoy container' Security Context | `true` |
| `envoy.containerSecurityContext.seLinuxOptions` | Set SELinux options in Cilium Envoy container | `undefined` |
| `envoy.containerSecurityContext.runAsUser` | Set runAsUser in Cilium Envoy container' Security Context | `0` |
| `envoy.containerSecurityContext.runAsGroup` | Set runAsUser in Cilium Envoy container' Security Context | `0` |
| `envoy.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in Cilium Envoy container' Security Context | `false` |
| `envoy.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in Cilium Envoy container' Security Context | `true` |
| `envoy.containerSecurityContext.privileged` | Set privileged in Cilium Envoy container' Security Context | `false` |
| `envoy.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in Cilium Envoy container' Security Context | `false` |
| `envoy.containerSecurityContext.capabilities.add` | List of capabilities to be added in Cilium Envoy container | `["BPF","NET_ADMIN","PERFMON","SYS_ADMIN"]` |
| `envoy.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in Cilium Envoy container | `["ALL"]` |
| `envoy.containerSecurityContext.seccompProfile.type` | Set seccomp profile in Cilium Envoy container | `RuntimeDefault` |
| `envoy.configuration` | Specify content for Cilium Envoy configuration (basic one auto-generated based on other values otherwise) | `{}` |
| `envoy.overrideConfiguration` | Cilium Envoy configuration override. Values defined here takes precedence over the ones defined at `envoy.configuration` | `{}` |
| `envoy.existingConfigmap` | The name of an existing ConfigMap with your custom Cilium Envoy configuration | `""` |
| `envoy.logLevel` | Cilium Envoy log level | `info` |
| `envoy.command` | Override default Cilium Envoy container command (useful when using custom images) | `[]` |
| `envoy.args` | Override default Cilium Envoy container args (useful when using custom images) | `[]` |
| `envoy.extraArgs` | Extra args passed to Cilium Envoy container | `[]` |
| `envoy.automountServiceAccountToken` | Mount Service Account token in Cilium Envoy pods | `true` |
| `envoy.hostAliases` | Cilium Envoy pods host aliases | `[]` |
| `envoy.daemonsetAnnotations` | Annotations for Cilium Envoy daemonset | `{}` |
| `envoy.podLabels` | Extra labels for Cilium Envoy pods | `{}` |
| `envoy.podAnnotations` | Annotations for Cilium Envoy pods | `{}` |
| `envoy.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `envoy.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `envoy.nodeAffinityPreset.key` | Node label key to match. Ignored if `envoy.affinity` is set | `""` |
| `envoy.nodeAffinityPreset.values` | Node label values to match. Ignored if `envoy.affinity` is set | `[]` |
| `envoy.affinity` | Affinity for Cilium Envoy pods assignment | `{}` |
| `envoy.nodeSelector` | Node labels for Cilium Envoy pods assignment | `{}` |
| `envoy.tolerations` | Tolerations for Cilium Envoy pods assignment | `[]` |
| `envoy.updateStrategy.type` | Cilium Envoy daemonset update strategy type | `RollingUpdate` |
| `envoy.priorityClassName` | Cilium Envoy pods' priorityClassName | `""` |
| `envoy.terminationGracePeriodSeconds` | Seconds Cilium Envoy pods need to terminate gracefully | `1` |
| `envoy.lifecycleHooks` | for Cilium Envoy containers to automate configuration before or after startup | `{}` |
| `envoy.extraEnvVars` | Array with extra environment variables to add to Cilium Envoy containers | `[]` |
| `envoy.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Cilium Envoy containers | `""` |
| `envoy.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Cilium Envoy containers | `""` |
| `envoy.extraVolumes` | Optionally specify extra list of additional volumes for the Cilium Envoy pods | `[]` |
| `envoy.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Cilium Envoy containers | `[]` |
| `envoy.sidecars` | Add additional sidecar containers to the Cilium Envoy pods | `[]` |
| `envoy.initContainers` | Add additional init containers to the Cilium Envoy pods | `[]` |
| `envoy.autoscaling.vpa.enabled` | Enable VPA for Cilium Envoy | `false` |
| `envoy.autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` |
| `envoy.autoscaling.vpa.controlledResources` | List of resources that the VPA can control. Defaults to cpu and memory | `[]` |
| `envoy.autoscaling.vpa.maxAllowed` | VPA max allowed resources for the pod | `{}` |
| `envoy.autoscaling.vpa.minAllowed` | VPA min allowed resources for the pod | `{}` |
| `envoy.autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy | `Auto` |
### Cilium Envoy ServiceAccount configuration
| Name | Description | Value |
| --------------------------------------------------- | --------------------------------------------------------------------- | ------ |
| `envoy.serviceAccount.create` | Specifies whether a ServiceAccount should be created for Cilium Envoy | `true` |
| `envoy.serviceAccount.name` | The name of the ServiceAccount to use for Cilium Envoy | `""` |
| `envoy.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` |
| `envoy.serviceAccount.automountServiceAccountToken` | Automount ServiceAccount token | `true` |
### Cilium Envoy Network Policies Parameters
| Name | Description | Value |
| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | ------ |
| `envoy.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created for Cilium Envoy | `true` |
| `envoy.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `envoy.networkPolicy.allowExternalEgress` | Allow the Cilium Envoy pods to access any range of port and all destinations. | `true` |
| `envoy.networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `envoy.networkPolicy.allowExternal` is true. | `true` |
| `envoy.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `envoy.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` |
| `envoy.networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `envoy.networkPolicy.allowExternal` is true. | `{}` |
| `envoy.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `envoy.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
### Cilium Envoy Metrics Parameters
| Name | Description | Value |
| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------ | ------- |
| `envoy.metrics.enabled` | Enable the export of Prometheus metrics for Cilium Envoy | `false` |
| `envoy.metrics.service.port` | Cilium Envoy metrics service port | `9964` |
| `envoy.metrics.service.annotations` | Annotations for the Cilium Envoy metrics service. | `{}` |
| `envoy.metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` |
| `envoy.metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` |
| `envoy.metrics.serviceMonitor.annotations` | Additional custom annotations for the ServiceMonitor | `{}` |
| `envoy.metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` |
| `envoy.metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in Prometheus | `""` |
| `envoy.metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` |
| `envoy.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` |
| `envoy.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
| `envoy.metrics.serviceMonitor.metricRelabelings` | Specify additional relabeling of metrics | `[]` |
| `envoy.metrics.serviceMonitor.relabelings` | Specify general relabeling | `[]` |
| `envoy.metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
### Key-Value Store Parameters
| Name | Description | Value |
| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `etcd.enabled` | Deploy etcd to satisfy the key-value store requirements | `false` |
| `etcd.replicaCount` | Number of etcd replicas | `1` |
| `etcd.auth.rbac.create` | Switch to enable RBAC authentication | `false` |
| `etcd.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` |
| `etcd.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `etcd.service.ports.client` | etcd client port | `2379` |
| `externalKvstore.enabled` | Use an externally managed kvstore | `false` |
| `externalKvstore.endpoints` | List of endpoints to connect to the external kvstore | `[]` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
```console
helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/cilium
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/blob/main/template/cilium/values.yaml)
## Troubleshooting
Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
## License
Copyright &copy; 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
<http://www.apache.org/licenses/LICENSE-2.0>
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


@@ -0,0 +1,42 @@
CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}
** Please be patient while the chart is being deployed **
{{- if .Values.diagnosticMode.enabled }}
The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with:
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }}
Get the list of pods by executing:
kubectl get pods --namespace {{ include "common.names.namespace" . | quote }} -l app.kubernetes.io/instance={{ .Release.Name }}
Access the pod you want to debug by executing
kubectl exec --namespace {{ include "common.names.namespace" . | quote }} -ti <NAME OF THE POD> -- bash
In order to replicate the container startup scripts execute this command:
cilium-agent --config-dir=/opt/bitnami/cilium/conf
{{- else }}
Watch the Cilium Agent daemonset status using the command:
kubectl get daemonset -w --namespace {{ include "common.names.namespace" . }} -l app.kubernetes.io/name={{ include "common.names.name" . }},app.kubernetes.io/instance={{ .Release.Name }}
{{- end }}
{{- if .Values.agent.cniPlugin.install }}
IMPORTANT: Please ensure that {{ .Values.agent.cniPlugin.hostCNIBinDir }} and {{ .Values.agent.cniPlugin.hostCNINetDir }} are where the CNI binary and configuration files are located in the Kubernetes nodes, otherwise the deployment will fail.
{{- end }}
{{- include "common.warnings.rollingTag" .Values.agent.image }}
{{- include "common.warnings.rollingTag" .Values.operator.image }}
{{- include "common.warnings.rollingTag" .Values.envoy.image }}
{{- include "common.warnings.resources" (dict "sections" (list "agent" "agent.defaultInitContainers.buildConfig" "agent.defaultInitContainers.installCniPlugin" "agent.defaultInitContainers.mountBpf" "agent.defaultInitContainers.mountCgroup2" "agent.defaultInitContainers.cleanState" "agent.defaultInitContainers.waitForKubeProxy" "operator" "envoy") "context" $) }}
{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.agent.image .Values.operator.image) "context" $) }}
{{- include "cilium.validateValues" . }}
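Review bot: The `common.warnings.modifiedImages` call on the second-to-last line only passes the agent and operator images, while the three `common.warnings.rollingTag` lines just above it also cover `.Values.envoy.image`, so a user who overrides the Envoy image gets no modified-image warning. Unless that omission is deliberate, the list should be `(list .Values.agent.image .Values.operator.image .Values.envoy.image)`, matching the three-image list that `cilium.imagePullSecrets` already uses in the helpers. A smaller consistency nit: the diagnostic-mode `kubectl` lines pass the namespace through `quote` but the daemonset watch line does not.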


@@ -0,0 +1,201 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/*
Return the proper Cilium Agent fullname
*/}}
{{- define "cilium.agent.fullname" -}}
{{- printf "%s-agent" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the proper Cilium Operator fullname
*/}}
{{- define "cilium.operator.fullname" -}}
{{- printf "%s-operator" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the proper Cilium Envoy fullname
*/}}
{{- define "cilium.envoy.fullname" -}}
{{- printf "%s-envoy" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the proper Cilium Agent fullname (with namespace)
*/}}
{{- define "cilium.agent.fullname.namespace" -}}
{{- printf "%s-agent" (include "common.names.fullname.namespace" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the proper Cilium Operator fullname (with namespace)
*/}}
{{- define "cilium.operator.fullname.namespace" -}}
{{- printf "%s-operator" (include "common.names.fullname.namespace" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the proper Cilium key-value store fullname
*/}}
{{- define "cilium.kvstore.fullname" -}}
{{- include "common.names.dependency.fullname" (dict "chartName" "etcd" "chartValues" .Values.etcd "context" $) -}}
{{- end -}}
{{/*
Return the proper Cilium Agent image name
*/}}
{{- define "cilium.agent.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.agent.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper Cilium Operator image name
*/}}
{{- define "cilium.operator.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.operator.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper Cilium Operator image name
*/}}
{{- define "cilium.envoy.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.envoy.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "cilium.imagePullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.agent.image .Values.operator.image .Values.envoy.image) "context" $) -}}
{{- end -}}
{{/*
Return the Cilium configuration configmap.
*/}}
{{- define "cilium.configmapName" -}}
{{- if .Values.existingConfigmap -}}
{{- print (tpl .Values.existingConfigmap $) -}}
{{- else -}}
{{- print (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return the Cilium configuration configmap.
*/}}
{{- define "cilium.envoy.configmapName" -}}
{{- if .Values.envoy.existingConfigmap -}}
{{- print (tpl .Values.envoy.existingConfigmap $) -}}
{{- else -}}
{{- print (include "cilium.envoy.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use for Cilium Agent
*/}}
{{- define "cilium.agent.serviceAccountName" -}}
{{- if .Values.agent.serviceAccount.create -}}
{{ default (include "cilium.agent.fullname" .) .Values.agent.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.agent.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use for Cilium Operator
*/}}
{{- define "cilium.operator.serviceAccountName" -}}
{{- if .Values.operator.serviceAccount.create -}}
{{ default (include "cilium.operator.fullname" .) .Values.operator.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.operator.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use for Cilium Envoy
*/}}
{{- define "cilium.envoy.serviceAccountName" -}}
{{- if .Values.envoy.serviceAccount.create -}}
{{ default (include "cilium.envoy.fullname" .) .Values.envoy.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.envoy.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the name of the secret containing the TLS certificates for Hubble
*/}}
{{- define "cilium.tls.hubble.secretName" -}}
{{- if or .Values.tls.autoGenerated.enabled (and (not (empty .Values.tls.hubble.cert)) (not (empty .Values.tls.hubble.key))) -}}
{{- printf "%s-hubble-crt" (include "cilium.agent.fullname" .) -}}
{{- else -}}
{{- required "An existing hubble secret name must be provided if hubble cert and key are not provided!" (tpl .Values.tls.hubble.existingSecret .) -}}
{{- end -}}
{{- end -}}
{{/*
Return the name of the secret containing the TLS certificates for Hubble client(s)
*/}}
{{- define "cilium.tls.client.secretName" -}}
{{- if or .Values.tls.autoGenerated.enabled (and (not (empty .Values.tls.client.cert)) (not (empty .Values.tls.client.key))) -}}
{{- printf "%s-client-crt" (include "common.names.fullname" .) -}}
{{- else -}}
{{- required "An existing secret name must be provided with TLS certs for Hubble client(s) if cert and key are not provided!" (tpl .Values.tls.client.existingSecret .) -}}
{{- end -}}
{{- end -}}
{{/*
Return the key-value store endpoints
*/}}
{{- define "cilium.kvstore.endpoints" -}}
{{- if .Values.etcd.enabled -}}
{{- $svcName := include "cilium.kvstore.fullname" . -}}
{{- $port := int .Values.etcd.service.ports.client -}}
{{- printf "- http://%s:%d" $svcName $port -}}
{{- else if .Values.externalKvstore.enabled -}}
{{- range $endpoint := .Values.externalKvstore.endpoints -}}
{{- printf "- http://%s" $endpoint -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Return the key-value store port
*/}}
{{- define "cilium.kvstore.port" -}}
{{- if .Values.etcd.enabled -}}
{{- printf "%d" int .Values.etcd.service.ports.client -}}
{{- else if .Values.externalKvstore.enabled -}}
{{- print "2379" -}}
{{- end -}}
{{- end -}}
{{/*
Compile all warnings into a single message.
*/}}
{{- define "cilium.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "cilium.validateValues.kvstore" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message -}}
{{- end -}}
{{- end -}}
{{/*
Validate values of Cilium - KeyValue Store
*/}}
{{- define "cilium.validateValues.kvstore" -}}
{{- if and .Values.etcd.enabled .Values.externalKvstore.enabled -}}
etcd.enabled and externalKvstore.enabled
Both etcd and externalKvstore are enabled. Please enable only one key-value store.
{{- end -}}
{{- end -}}
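Review bot: `cilium.kvstore.port` will fail to render whenever `etcd.enabled` is true: `printf "%d" int .Values.etcd.service.ports.client` passes `int` as a bare identifier, which text/template invokes with zero arguments, so the call errors instead of converting the port; it should read `{{- printf "%d" (int .Values.etcd.service.ports.client) -}}`, as `cilium.kvstore.endpoints` already does when it computes `$port`. In `cilium.kvstore.endpoints` the `range` body trims whitespace on both sides of every action, so two or more `externalKvstore.endpoints` are emitted on a single line (`- http://a- http://b`); keeping a newline per iteration, e.g. `{{ printf "- http://%s" $endpoint }}` without the right-hand trim, restores a valid list. Both branches also hard-code the `http://` scheme, so neither the bundled nor an external etcd can be addressed over TLS — either accept full URLs in `externalKvstore.endpoints` or document in the README that kvstore traffic is plaintext. Finally, the doc comments on `cilium.envoy.image` and `cilium.envoy.configmapName` still read "Return the proper Cilium Operator image name" and "Return the Cilium configuration configmap." from the helpers they were copied from.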


@@ -0,0 +1,234 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/*
Returns an init-container that copies some dirs to an empty dir volume to make them writable
*/}}
{{- define "cilium.agent.defaultInitContainers.prepareWriteDirs" -}}
- name: prepare-write-dirs
image: {{ include "cilium.agent.image" . }}
imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
{{- if .Values.agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.agent.defaultInitContainers.prepareWriteDirs.containerSecurityContext "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.agent.defaultInitContainers.prepareWriteDirs.resources }}
resources: {{- toYaml .Values.agent.defaultInitContainers.prepareWriteDirs.resources | nindent 4 }}
{{- else if ne .Values.agent.defaultInitContainers.prepareWriteDirs.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.agent.defaultInitContainers.prepareWriteDirs.resourcesPreset) | nindent 4 }}
{{- end }}
command:
- /bin/bash
args:
- -ec
- |
. /opt/bitnami/scripts/liblog.sh
info "Copying writable dirs to empty dir"
# In order to not break the application functionality we need to make some
# directories writable, so we need to copy it to an empty dir volume
cp -r --preserve=mode /opt/bitnami/cilium/var/lib/bpf /emptydir/bpf-lib-dir
info "Copy operation completed"
volumeMounts:
- name: empty-dir
mountPath: /emptydir
{{- end -}}
{{/*
Returns an init-container that generate the Cilium configuration
*/}}
{{- define "cilium.agent.defaultInitContainers.buildConfig" -}}
- name: build-config
image: {{ include "cilium.agent.image" . }}
imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
{{- if .Values.agent.defaultInitContainers.buildConfig.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.agent.defaultInitContainers.buildConfig.containerSecurityContext "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.agent.defaultInitContainers.buildConfig.resources }}
resources: {{- toYaml .Values.agent.defaultInitContainers.buildConfig.resources | nindent 4 }}
{{- else if ne .Values.agent.defaultInitContainers.buildConfig.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.agent.defaultInitContainers.buildConfig.resourcesPreset) | nindent 4 }}
{{- end }}
command:
- cilium-dbg
args:
- build-config
- --dest
- /config
- --source
- {{ printf "config-map:%s/%s" (include "common.names.namespace" .) (include "cilium.configmapName" .) }}
env:
- name: K8S_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: CILIUM_K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
volumeMounts:
- name: empty-dir
mountPath: /config
subPath: config-dir
{{- end -}}
{{/*
Returns an init-container that installs Cilium CNI plugin in the host
*/}}
{{- define "cilium.agent.defaultInitContainers.installCniPlugin" -}}
- name: install-cni-plugin
image: {{ include "cilium.agent.image" . }}
imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
{{- if .Values.agent.defaultInitContainers.installCniPlugin.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.agent.defaultInitContainers.installCniPlugin.containerSecurityContext "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.agent.defaultInitContainers.installCniPlugin.resources }}
resources: {{- toYaml .Values.agent.defaultInitContainers.installCniPlugin.resources | nindent 4 }}
{{- else if ne .Values.agent.defaultInitContainers.installCniPlugin.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.agent.defaultInitContainers.installCniPlugin.resourcesPreset) | nindent 4 }}
{{- end }}
args:
- /opt/bitnami/scripts/cilium/install-cni-plugin.sh
- /host
env:
- name: HOST_CNI_BIN_DIR
value: {{ .Values.agent.cniPlugin.hostCNIBinDir }}
volumeMounts:
- name: host-cni-bin
mountPath: {{ printf "/host%s" .Values.agent.cniPlugin.hostCNIBinDir }}
{{- end -}}
{{/*
Returns an init-container that mount bpf fs in the host
*/}}
{{- define "cilium.agent.defaultInitContainers.mountBpf" -}}
- name: host-mount-bpf
image: {{ include "cilium.agent.image" . }}
imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
{{- if .Values.agent.defaultInitContainers.mountBpf.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.agent.defaultInitContainers.mountBpf.containerSecurityContext "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.agent.defaultInitContainers.mountBpf.resources }}
resources: {{- toYaml .Values.agent.defaultInitContainers.mountBpf.resources | nindent 4 }}
{{- else if ne .Values.agent.defaultInitContainers.mountBpf.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.agent.defaultInitContainers.mountBpf.resourcesPreset) | nindent 4 }}
{{- end }}
command:
- bash
args:
- -ec
- |
mount | grep "{{ .Values.agent.bpf.hostRoot }} type bpf" || mount -t bpf bpf {{ .Values.agent.bpf.hostRoot }}
volumeMounts:
- name: bpf-maps
mountPath: {{ .Values.agent.bpf.hostRoot }}
mountPropagation: Bidirectional
{{- end -}}
{{/*
Returns an init-container that mount cgroup2 filesystem in the host
*/}}
{{- define "cilium.agent.defaultInitContainers.mountCgroup2" -}}
- name: host-mount-cgroup2
image: {{ include "cilium.agent.image" . }}
imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
{{- if .Values.agent.defaultInitContainers.mountCgroup2.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.agent.defaultInitContainers.mountCgroup2.containerSecurityContext "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.agent.defaultInitContainers.mountCgroup2.resources }}
resources: {{- toYaml .Values.agent.defaultInitContainers.mountCgroup2.resources | nindent 4 }}
{{- else if ne .Values.agent.defaultInitContainers.mountCgroup2.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.agent.defaultInitContainers.mountCgroup2.resourcesPreset) | nindent 4 }}
{{- end }}
args:
- /opt/bitnami/scripts/cilium/mount-cgroup2.sh
- /host
- {{ .Values.agent.cgroup2.hostRoot }}
env:
- name: HOST_CNI_BIN_DIR
value: {{ .Values.agent.cniPlugin.hostCNIBinDir }}
volumeMounts:
- name: host-cni-bin
mountPath: {{ printf "/host%s" .Values.agent.cniPlugin.hostCNIBinDir }}
- name: host-proc
mountPath: /host/proc
{{- end -}}
{{/*
Returns an init-container that cleans up the Cilium state
*/}}
{{- define "cilium.agent.defaultInitContainers.cleanState" -}}
- name: clean-state
image: {{ include "cilium.agent.image" . }}
imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
{{- if .Values.agent.defaultInitContainers.cleanState.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.agent.defaultInitContainers.cleanState.containerSecurityContext "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.agent.defaultInitContainers.cleanState.resources }}
resources: {{- toYaml .Values.agent.defaultInitContainers.cleanState.resources | nindent 4 }}
{{- else if ne .Values.agent.defaultInitContainers.cleanState.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.agent.defaultInitContainers.cleanState.resourcesPreset) | nindent 4 }}
{{- end }}
command:
- bash
args:
- -ec
- |
if [[ "$CLEAN_CILIUM_BPF_STATE" = "true" ]]; then
cilium-dbg post-uninstall-cleanup -f --bpf-state
fi
if [[ "$CLEAN_CILIUM_STATE" = "true" ]]; then
cilium-dbg post-uninstall-cleanup -f --all-state
fi
env:
- name: CLEAN_CILIUM_STATE
valueFrom:
configMapKeyRef:
name: {{ template "cilium.configmapName" . }}
key: clean-cilium-state
optional: true
- name: CLEAN_CILIUM_BPF_STATE
valueFrom:
configMapKeyRef:
name: {{ template "cilium.configmapName" . }}
key: clean-cilium-bpf-state
optional: true
- name: WRITE_CNI_CONF_WHEN_READY
valueFrom:
configMapKeyRef:
name: {{ template "cilium.configmapName" . }}
key: write-cni-conf-when-ready
optional: true
volumeMounts:
{{- if .Values.agent.bpf.autoMount }}
- name: bpf-maps
mountPath: {{ .Values.agent.bpf.hostRoot }}
{{- end }}
- name: cilium-run
mountPath: /opt/bitnami/cilium/var/run
- name: host-cgroup-root
mountPath: {{ .Values.agent.cgroup2.hostRoot }}
mountPropagation: HostToContainer
{{- end -}}
{{/*
Returns an init-container that waits for kube-proxy to be ready
*/}}
{{- define "cilium.agent.defaultInitContainers.waitForKubeProxy" -}}
- name: wait-for-kube-proxy
image: {{ include "cilium.agent.image" . }}
imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
{{- if .Values.agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.agent.defaultInitContainers.waitForKubeProxy.containerSecurityContext "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.agent.defaultInitContainers.waitForKubeProxy.resources }}
resources: {{- toYaml .Values.agent.defaultInitContainers.waitForKubeProxy.resources | nindent 4 }}
{{- else if ne .Values.agent.defaultInitContainers.waitForKubeProxy.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.agent.defaultInitContainers.waitForKubeProxy.resourcesPreset) | nindent 4 }}
{{- end }}
args:
- /opt/bitnami/scripts/cilium/wait-for-kube-proxy.sh
{{- end -}}
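Review bot: The `host-mount-cgroup2` init container sets `HOST_CNI_BIN_DIR` and mounts `host-cni-bin` at `/host<hostCNIBinDir>`, which looks copied from `install-cni-plugin`: its own args pass only `/host` and `.Values.agent.cgroup2.hostRoot`, and it already mounts `host-proc`, so the CNI binary directory appears unused there. If `mount-cgroup2.sh` does not need it, dropping that env entry and volume mount keeps the host-path surface of this init container (which presumably runs with elevated privileges in order to mount a filesystem) to the minimum it needs; if it does, a one-line comment saying why would help the next reader. In `host-mount-bpf`, `.Values.agent.bpf.hostRoot` is interpolated unquoted into a shell command twice; `mount | grep "{{ .Values.agent.bpf.hostRoot }} type bpf" || mount -t bpf bpf "{{ .Values.agent.bpf.hostRoot }}"` at least keeps a path containing spaces from splitting into extra arguments. The same volume is mounted with `mountPropagation: Bidirectional`, which is required for the host to see the new mount but deserves a short comment, since it is the one propagation mode that lets mounts made inside the container reach the host.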


@@ -0,0 +1,40 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.tls.enabled .Values.tls.autoGenerated.enabled (eq .Values.tls.autoGenerated.engine "cert-manager") }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ printf "%s-hubble-crt" (include "cilium.agent.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
secretName: {{ template "cilium.tls.hubble.secretName" . }}
commonName: {{ printf "%s.%s.svc.%s" (include "cilium.agent.fullname" .) (include "common.names.namespace" .) .Values.clusterDomain }}
issuerRef:
name: {{ printf "%s-ca-issuer" (include "common.names.fullname" .) }}
kind: Issuer
subject:
organizations:
- "Cilium"
dnsNames:
- '*.{{ include "common.names.namespace" . }}'
- '*.{{ include "common.names.namespace" . }}.svc'
- '*.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}'
- '*.{{ include "cilium.agent.fullname" . }}'
- '*.{{ include "cilium.agent.fullname" . }}.{{ include "common.names.namespace" . }}'
- '*.{{ include "cilium.agent.fullname" . }}.{{ include "common.names.namespace" . }}.svc'
- '*.{{ include "cilium.agent.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}'
privateKey:
algorithm: {{ .Values.tls.autoGenerated.certManager.keyAlgorithm }}
size: {{ int .Values.tls.autoGenerated.certManager.keySize }}
duration: {{ .Values.tls.autoGenerated.certManager.duration }}
renewBefore: {{ .Values.tls.autoGenerated.certManager.renewBefore }}
{{- end }}
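Review bot: The `dnsNames` list gives the Hubble server certificate wildcard SANs for the whole namespace (`*.<namespace>`, `*.<namespace>.svc`, `*.<namespace>.svc.<clusterDomain>`), so the key stored in `<agent-fullname>-hubble-crt` is valid for any service name in that namespace, not only the agent. Unless a Hubble component is reached under a different service name, trimming the list to the `cilium.agent.fullname` entries (plus the `commonName`) narrows what an exposed key could impersonate. Note also that this template is gated on `.Values.tls.enabled`, while `cilium.tls.hubble.secretName` in the helpers keys only on `tls.autoGenerated.enabled`; with `tls.enabled=false` and `autoGenerated.enabled=true` the helper still returns a secret name that nothing creates, which is harmless only if no consumer references it in that state.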


@@ -0,0 +1,354 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: {{ include "common.capabilities.daemonset.apiVersion" . }}
kind: DaemonSet
metadata:
name: {{ template "cilium.agent.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
{{- if or .Values.agent.daemonsetAnnotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.agent.daemonsetAnnotations .Values.commonAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.agent.updateStrategy }}
updateStrategy: {{- toYaml .Values.agent.updateStrategy | nindent 4 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.agent.podLabels .Values.commonLabels) "context" .) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
template:
metadata:
annotations:
{{- if semverCompare "<1.30-0" (include "common.capabilities.kubeVersion" .) }}
container.apparmor.security.beta.kubernetes.io/cilium-agent: "unconfined"
container.apparmor.security.beta.kubernetes.io/clean-state: "unconfined"
{{- if .Values.agent.cgroup2.autoMount }}
container.apparmor.security.beta.kubernetes.io/host-mount-cgroup2: "unconfined"
{{- end }}
{{- end }}
{{- if not .Values.existingConfigmap }}
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.agent.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.podAnnotations "context" $) | nindent 8 }}
{{- end }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
spec:
{{- include "cilium.imagePullSecrets" . | nindent 6 }}
serviceAccountName: {{ template "cilium.agent.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.agent.automountServiceAccountToken }}
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
restartPolicy: Always
{{- if .Values.agent.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.agent.hostAliases "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.agent.affinity }}
affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.agent.affinity "context" $) | nindent 8 }}
{{- else if not (empty .Values.agent.nodeAffinityPreset.type) }}
affinity:
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.agent.nodeAffinityPreset.type "key" .Values.agent.nodeAffinityPreset.key "values" .Values.agent.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.agent.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.agent.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.agent.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.agent.tolerations "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.agent.priorityClassName }}
priorityClassName: {{ .Values.agent.priorityClassName | quote }}
{{- end }}
{{- if .Values.agent.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.agent.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.agent.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.agent.terminationGracePeriodSeconds }}
{{- end }}
initContainers:
{{- include "cilium.agent.defaultInitContainers.prepareWriteDirs" . | nindent 8}}
{{- include "cilium.agent.defaultInitContainers.buildConfig" . | nindent 8 }}
{{- if .Values.agent.cgroup2.autoMount }}
{{- include "cilium.agent.defaultInitContainers.mountCgroup2" . | nindent 8 }}
{{- end }}
{{- if .Values.agent.bpf.autoMount }}
{{- include "cilium.agent.defaultInitContainers.mountBpf" . | nindent 8 }}
{{- end }}
{{- include "cilium.agent.defaultInitContainers.cleanState" . | nindent 8 }}
{{- if .Values.agent.waitForKubeProxy }}
{{- include "cilium.agent.defaultInitContainers.waitForKubeProxy" . | nindent 8 }}
{{- end }}
{{- if .Values.agent.cniPlugin.install }}
{{- include "cilium.agent.defaultInitContainers.installCniPlugin" . | nindent 8 }}
{{- end }}
{{- if .Values.agent.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: cilium-agent
image: {{ include "cilium.agent.image" . }}
imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
{{- if .Values.agent.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.agent.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
command:
{{- if .Values.diagnosticMode.enabled }}
{{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
{{- else if .Values.agent.command }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.command "context" $) | nindent 12 }}
{{- else }}
- cilium-agent
{{- end }}
args:
{{- if .Values.diagnosticMode.enabled }}
{{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
{{- else if .Values.agent.args }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.args "context" $) | nindent 12 }}
{{- else }}
- --config-dir=/opt/bitnami/cilium/conf
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" (or .Values.agent.image.debug .Values.diagnosticMode.enabled) | quote }}
- name: K8S_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: CILIUM_K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
resource: limits.memory
divisor: '1'
# Required for uninstalling the CNI plugin in lifecycle preStop hook
- name: HOST_CNI_BIN_DIR
value: {{ .Values.agent.cniPlugin.hostCNIBinDir }}
- name: HOST_CNI_CONF_DIR
value: {{ .Values.agent.cniPlugin.hostCNINetDir }}
{{- if .Values.agent.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- if or .Values.agent.extraEnvVarsCM .Values.agent.extraEnvVarsSecret }}
envFrom:
{{- if .Values.agent.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.agent.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.agent.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.agent.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- end }}
{{- if .Values.agent.resources }}
resources: {{- toYaml .Values.agent.resources | nindent 12 }}
{{- else if ne .Values.agent.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.agent.resourcesPreset) | nindent 12 }}
{{- end }}
ports:
- name: health
containerPort: {{ .Values.agent.containerPorts.health }}
{{- if .Values.agent.enablePprof }}
- name: pprof
containerPort: {{ .Values.agent.containerPorts.pprof }}
{{- end }}
- name: hubble-peer
containerPort: {{ .Values.agent.containerPorts.hubblePeer }}
{{- if .Values.agent.metrics.enabled }}
- name: metrics
containerPort: {{ .Values.agent.containerPorts.metrics }}
{{- end }}
{{- if .Values.agent.hubbleMetrics.enabled }}
- name: hubble-metrics
containerPort: {{ .Values.agent.containerPorts.hubbleMetrics }}
{{- end }}
{{- if .Values.agent.extraContainerPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.extraContainerPorts "context" $) | nindent 12 }}
{{- end }}
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.agent.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.agent.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.agent.livenessProbe.enabled }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.agent.livenessProbe "enabled") "context" $) | nindent 12 }}
tcpSocket:
host: localhost
port: health
{{- end }}
{{- if .Values.agent.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.agent.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.agent.readinessProbe.enabled }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.agent.readinessProbe "enabled") "context" $) | nindent 12 }}
httpGet:
host: localhost
path: /healthz
port: health
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
{{- end }}
{{- if .Values.agent.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.agent.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.agent.startupProbe.enabled }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.agent.startupProbe "enabled") "context" $) | nindent 12 }}
tcpSocket:
host: localhost
port: health
{{- end }}
{{- end }}
lifecycle:
{{- if .Values.agent.lifecycleHooks }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.lifecycleHooks "context" $) | nindent 12 }}
{{- else if .Values.agent.cniPlugin.uninstall }}
preStop:
exec:
command:
- /opt/bitnami/scripts/cilium/uninstall-cni-plugin.sh
- /host
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /.config
subPath: gops-config-dir
- name: empty-dir
mountPath: /opt/bitnami/cilium/conf
subPath: config-dir
- name: empty-dir
mountPath: /opt/bitnami/cilium/var/lib/bpf
subPath: bpf-lib-dir
{{- if or .Values.etcd.enabled .Values.externalKvstore.enabled }}
- name: etcd-config
mountPath: /opt/bitnami/cilium/var/lib/etcd
readOnly: true
{{- end }}
- name: cilium-run
mountPath: /opt/bitnami/cilium/var/run
- name: envoy-sockets
mountPath: /opt/bitnami/cilium/var/run/envoy/sockets
- name: host-cni-bin
mountPath: {{ printf "/host%s" .Values.agent.cniPlugin.hostCNIBinDir }}
- name: host-cni-conf
mountPath: {{ printf "/host%s" .Values.agent.cniPlugin.hostCNINetDir }}
{{- if .Values.agent.bpf.autoMount }}
- name: bpf-maps
mountPath: {{ .Values.agent.bpf.hostRoot }}
mountPropagation: HostToContainer
{{- end }}
- name: host-lib-modules
mountPath: /lib/modules
readOnly: true
- name: host-proc-sys-net
mountPath: /host/proc/sys/net
- name: host-proc-sys-kernel
mountPath: /host/proc/sys/kernel
- name: host-xtables-lock
mountPath: /run/xtables.lock
{{- if .Values.tls.enabled }}
- name: hubble-cert
readOnly: true
mountPath: /certs/hubble
{{- end }}
{{- if .Values.agent.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
## TODO: add support for "cilium-monitor" sidecar
{{- if .Values.agent.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.agent.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
{{- if or .Values.etcd.enabled .Values.externalKvstore.enabled }}
- name: etcd-config
configMap:
name: {{ template "cilium.configmapName" . }}
defaultMode: 0400
items:
- key: etcd-config
path: etcd.config
{{- end }}
- name: cilium-run
hostPath:
path: /var/run/cilium
type: DirectoryOrCreate
- name: envoy-sockets
hostPath:
path: /var/run/cilium/envoy/sockets
type: DirectoryOrCreate
{{- if .Values.agent.bpf.autoMount }}
# To mount bpf fs on the host
- name: bpf-maps
hostPath:
path: {{ .Values.agent.bpf.hostRoot }}
type: DirectoryOrCreate
{{- end }}
# To install cilium CNI plugin in the host
- name: host-cni-bin
hostPath:
path: {{ .Values.agent.cniPlugin.hostCNIBinDir }}
type: DirectoryOrCreate
# To install cilium CNI plugin configuration in the host
- name: host-cni-conf
hostPath:
path: {{ .Values.agent.cniPlugin.hostCNINetDir }}
type: DirectoryOrCreate
# To mount cgroup2 filesystem on the host
{{- if .Values.agent.cgroup2.autoMount }}
- name: host-proc
hostPath:
path: /proc
type: Directory
{{- end }}
- name: host-cgroup-root
hostPath:
path: {{ .Values.agent.cgroup2.hostRoot }}
type: DirectoryOrCreate
# To load host kernel modules
- name: host-lib-modules
hostPath:
path: /lib/modules
- name: host-proc-sys-net
hostPath:
path: /proc/sys/net
type: Directory
- name: host-proc-sys-kernel
hostPath:
path: /proc/sys/kernel
type: Directory
# To access iptables concurrently with other processes (e.g. kube-proxy)
- name: host-xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
{{- if .Values.tls.enabled }}
- name: hubble-cert
secret:
secretName: {{ template "cilium.tls.hubble.secretName" . }}
items:
- key: ca.crt
path: ca.crt
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
{{- end }}
{{- if .Values.agent.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.extraVolumes "context" $) | nindent 8 }}
{{- end }}
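Review bot: The `hubble-cert` secret volume at the end of the `volumes` list has no `defaultMode`, so `tls.key` is projected with the default 0644, while the `etcd-config` ConfigMap in the same list (which also carries credentials) is restricted with `defaultMode: 0400`; add `defaultMode: 0400` under `secret:` next to `secretName` so the private key is readable only by the file owner, under the same uid/fsGroup assumption the etcd-config mount already makes. The `HOST_CNI_BIN_DIR` and `HOST_CNI_CONF_DIR` entries render their values unquoted (`value: {{ .Values.agent.cniPlugin.hostCNIBinDir }}`), whereas `BITNAMI_DEBUG` uses `| quote`; env values must be strings, so pipe both through `| quote` to avoid a YAML type error on an unusual path value. The `host-proc-sys-net`, `host-proc-sys-kernel` and `host-xtables-lock` mounts are read-write host paths without a comment in `volumeMounts`, unlike the `volumes` section which explains bpf-maps and xtables; a one-line comment on each stating why write access is needed would help reviewers of the container's host footprint.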


@@ -0,0 +1,31 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.agent.hubbleMetrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-hubble-metrics" (include "cilium.agent.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: hubble
prometheus.io/scrape: "true"
{{- if or .Values.agent.hubbleMetrics.service.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.agent.hubbleMetrics.service.annotations .Values.commonAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
ports:
- name: tcp-hubble-metrics
port: {{ .Values.agent.hubbleMetrics.service.port }}
targetPort: hubble-metrics
protocol: TCP
{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.agent.podLabels .Values.commonLabels) "context" .) | fromYaml }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
{{- end }}


@@ -0,0 +1,37 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-hubble-peer" (include "cilium.agent.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: hubble
{{- if or .Values.agent.service.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.agent.service.annotations .Values.commonAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
# There's no reason to support LoadBalancer nor NodePort (and their associated customizations)
# given Hubble Peer service is only used for Hubble Relay to connect to Hubble Peer servers internally.
type: ClusterIP
{{- if .Values.agent.service.clusterIP }}
clusterIP: {{ .Values.agent.service.clusterIP }}
{{- end }}
internalTrafficPolicy: {{ .Values.agent.service.internalTrafficPolicy }}
ports:
- name: tcp-hubble-peer
port: {{ .Values.agent.service.ports.hubblePeer }}
targetPort: hubble-peer
protocol: TCP
{{- if .Values.agent.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.agent.podLabels .Values.commonLabels) "context" .) | fromYaml }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent


@@ -0,0 +1,51 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.agent.hubbleMetrics.enabled .Values.agent.hubbleMetrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ printf "%s-hubble" (include "cilium.agent.fullname" .) }}
namespace: {{ default (include "common.names.namespace" .) .Values.agent.hubbleMetrics.serviceMonitor.namespace | quote }}
{{- $labels := include "common.tplvalues.merge" (dict "values" (list .Values.agent.hubbleMetrics.serviceMonitor.labels .Values.commonLabels) "context" .) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: hubble
{{- if or .Values.agent.hubbleMetrics.serviceMonitor.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.agent.hubbleMetrics.serviceMonitor.annotations .Values.commonAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
jobLabel: {{ .Values.agent.hubbleMetrics.serviceMonitor.jobLabel | quote }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: hubble
prometheus.io/scrape: "true"
{{- if .Values.agent.hubbleMetrics.serviceMonitor.selector }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.hubbleMetrics.serviceMonitor.selector "context" $) | nindent 6 }}
{{- end }}
endpoints:
- port: tcp-hubble-metrics
path: "/metrics"
{{- if .Values.agent.hubbleMetrics.serviceMonitor.interval }}
interval: {{ .Values.agent.hubbleMetrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.agent.hubbleMetrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.agent.hubbleMetrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.agent.hubbleMetrics.serviceMonitor.honorLabels }}
honorLabels: {{ .Values.agent.hubbleMetrics.serviceMonitor.honorLabels }}
{{- end }}
{{- if .Values.agent.hubbleMetrics.serviceMonitor.metricRelabelings }}
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.agent.hubbleMetrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.agent.hubbleMetrics.serviceMonitor.relabelings }}
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.agent.hubbleMetrics.serviceMonitor.relabelings "context" $) | nindent 8 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ include "common.names.namespace" . | quote }}
{{- end }}


@@ -0,0 +1,31 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.agent.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-metrics" (include "cilium.agent.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
prometheus.io/scrape: "true"
{{- if or .Values.agent.metrics.service.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.agent.metrics.service.annotations .Values.commonAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
ports:
- name: tcp-metrics
port: {{ .Values.agent.metrics.service.port }}
targetPort: metrics
protocol: TCP
{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.agent.podLabels .Values.commonLabels) "context" .) | fromYaml }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
{{- end }}


@@ -0,0 +1,94 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.agent.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "cilium.agent.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.agent.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
policyTypes:
- Ingress
- Egress
egress:
{{- if .Values.agent.networkPolicy.allowExternalEgress }}
- {}
{{- else }}
- ports:
# Allow dns resolution
- port: 53
protocol: UDP
- port: 53
protocol: TCP
# Allow access to kube-apiserver
{{- range $port := .Values.agent.networkPolicy.kubeAPIServerPorts }}
- port: {{ $port }}
{{- end }}
{{- if or .Values.etcd.enabled .Values.externalKvstore.enabled }}
# Allow outbound connections to key-value store
- ports:
- port: {{ include "cilium.kvstore.port" . }}
protocol: TCP
{{- if .Values.etcd.enabled }}
to:
- podSelector:
matchLabels:
app.kubernetes.io/name: etcd
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- end }}
{{- if .Values.agent.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.agent.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.agent.containerPorts.hubblePeer }}
{{- if .Values.agent.metrics.enabled }}
- port: {{ .Values.agent.containerPorts.metrics }}
- port: {{ .Values.agent.containerPorts.hubbleMetrics }}
{{- end }}
{{- range .Values.agent.extraContainerPorts }}
- port: {{ .containerPort }}
{{- end }}
{{- if not .Values.agent.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.agent.networkPolicy.addExternalClientAccess }}
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
{{- end }}
{{- if .Values.agent.networkPolicy.ingressPodMatchLabels }}
- podSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.agent.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }}
{{- end }}
{{- if .Values.agent.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.agent.networkPolicy.ingressNSMatchLabels "context" $ ) | nindent 14 }}
{{- if .Values.agent.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.agent.networkPolicy.ingressNSPodMatchLabels "context" $ ) | nindent 14 }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.agent.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.agent.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
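Review bot: The `ingressNSPodMatchLabels` branch emits `matchLabels:` twice under `podSelector:` (a bare `matchLabels:` line followed by `matchLabels: {{- include ... | nindent 14 }}` one level deeper), so the rendered `podSelector.matchLabels` contains a nested/null `matchLabels` key instead of a flat string map and the rule is rejected or matches nothing whenever `agent.networkPolicy.ingressNSPodMatchLabels` is set; drop the bare `matchLabels:` line and move the include line up to the same column as the `namespaceSelector`'s `matchLabels:`, mirroring the `ingressPodMatchLabels` block above it. The `hubble-metrics` ingress port is gated on `agent.metrics.enabled`, while the container port in this commit's agent DaemonSet template is gated on `agent.hubbleMetrics.enabled`, so either flag set alone leaves the policy and the exposed port out of sync — gate that `- port:` line with `{{- if .Values.agent.hubbleMetrics.enabled }}`. The selected DaemonSet runs with `hostNetwork: true`, and NetworkPolicy enforcement for host-networked pods is implementation-defined (Cilium handles host traffic through its own host-policy resources), so this policy likely provides less isolation than its values suggest; a comment at the top of the template noting that limitation would be worth adding.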


@@ -0,0 +1,206 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.agent.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cilium.agent.fullname.namespace" . }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
- services
- pods
- endpoints
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- nodes/status
verbs:
# To annotate the k8s node with Cilium's metadata
- patch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
- list
- delete
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- get
- apiGroups:
- cilium.io
resources:
- ciliumloadbalancerippools
- ciliumbgppeeringpolicies
- ciliumbgpnodeconfigs
- ciliumbgpadvertisements
- ciliumbgppeerconfigs
- ciliumclusterwideenvoyconfigs
- ciliumclusterwidenetworkpolicies
- ciliumegressgatewaypolicies
- ciliumendpoints
- ciliumendpointslices
- ciliumenvoyconfigs
- ciliumidentities
- ciliumlocalredirectpolicies
- ciliumnetworkpolicies
- ciliumnodes
- ciliumnodeconfigs
- ciliumcidrgroups
- ciliuml2announcementpolicies
- ciliumpodippools
verbs:
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumidentities
- ciliumendpoints
- ciliumnodes
verbs:
- create
- apiGroups:
- cilium.io
resources:
- ciliumidentities
verbs:
- update
- apiGroups:
- cilium.io
resources:
- ciliumendpoints
verbs:
- delete
- get
- apiGroups:
- cilium.io
resources:
- ciliumnodes
- ciliumnodes/status
verbs:
- get
- update
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies/status
- ciliumendpoints/status
- ciliumendpoints
- ciliuml2announcementpolicies/status
- ciliumbgpnodeconfigs/status
verbs:
- patch
{{- if .Values.agent.rbac.rules }}
{{- include "common.tplvalues.render" ( dict "value" .Values.agent.rbac.rules "context" $ ) | nindent 2 }}
{{- end }}
---
kind: ClusterRoleBinding
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
metadata:
name: {{ template "cilium.agent.fullname.namespace" . }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cilium.agent.fullname.namespace" . }}
subjects:
- kind: ServiceAccount
name: {{ template "cilium.agent.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
---
kind: Role
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
metadata:
name: {{ printf "%s-config" (include "cilium.agent.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
---
kind: RoleBinding
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
metadata:
name: {{ printf "%s-config" (include "cilium.agent.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ printf "%s-config" (include "cilium.agent.fullname" .) }}
subjects:
- kind: ServiceAccount
name: {{ template "cilium.agent.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
{{- end }}


@@ -0,0 +1,20 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.agent.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "cilium.agent.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
{{- if or .Values.agent.serviceAccount.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.agent.serviceAccount.annotations .Values.commonAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.agent.serviceAccount.automountServiceAccountToken }}
{{- end }}


@@ -0,0 +1,51 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.agent.metrics.enabled .Values.agent.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "cilium.agent.fullname" . }}
namespace: {{ default (include "common.names.namespace" .) .Values.agent.metrics.serviceMonitor.namespace | quote }}
{{- $labels := include "common.tplvalues.merge" (dict "values" (list .Values.agent.metrics.serviceMonitor.labels .Values.commonLabels) "context" .) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
{{- if or .Values.agent.metrics.serviceMonitor.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.agent.metrics.serviceMonitor.annotations .Values.commonAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
jobLabel: {{ .Values.agent.metrics.serviceMonitor.jobLabel | quote }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
prometheus.io/scrape: "true"
{{- if .Values.agent.metrics.serviceMonitor.selector }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
{{- end }}
endpoints:
- port: tcp-metrics
path: "/metrics"
{{- if .Values.agent.metrics.serviceMonitor.interval }}
interval: {{ .Values.agent.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.agent.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.agent.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.agent.metrics.serviceMonitor.honorLabels }}
honorLabels: {{ .Values.agent.metrics.serviceMonitor.honorLabels }}
{{- end }}
{{- if .Values.agent.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.agent.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.agent.metrics.serviceMonitor.relabelings }}
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.agent.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ include "common.names.namespace" . | quote }}
{{- end }}


@@ -0,0 +1,45 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1/VerticalPodAutoscaler") .Values.agent.autoscaling.vpa.enabled }}
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
name: {{ template "cilium.agent.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
{{- if or .Values.agent.autoscaling.vpa.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.agent.autoscaling.vpa.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
resourcePolicy:
containerPolicies:
- containerName: cilium-agent
{{- with .Values.agent.autoscaling.vpa.controlledResources }}
controlledResources:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.agent.autoscaling.vpa.maxAllowed }}
maxAllowed:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.agent.autoscaling.vpa.minAllowed }}
minAllowed:
{{- toYaml . | nindent 8 }}
{{- end }}
targetRef:
apiVersion: {{ include "common.capabilities.daemonset.apiVersion" . }}
kind: DaemonSet
name: {{ include "cilium.agent.fullname" . }}
{{- if .Values.agent.autoscaling.vpa.updatePolicy }}
updatePolicy:
{{- with .Values.agent.autoscaling.vpa.updatePolicy.updateMode }}
updateMode: {{ . }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,53 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.tls.enabled .Values.tls.autoGenerated.enabled (eq .Values.tls.autoGenerated.engine "cert-manager") }}
{{- if empty .Values.tls.autoGenerated.certManager.existingIssuer }}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ printf "%s-clusterissuer" (include "common.names.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
selfSigned: {}
---
{{- end }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ printf "%s-ca-crt" (include "common.names.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
secretName: {{ printf "%s-ca-crt" (include "common.names.fullname" .) }}
commonName: {{ printf "%s-root-ca" (include "common.names.fullname" .) }}
isCA: true
issuerRef:
name: {{ default (printf "%s-clusterissuer" (include "common.names.fullname" .)) .Values.tls.autoGenerated.certManager.existingIssuer }}
kind: {{ default "Issuer" .Values.tls.autoGenerated.certManager.existingIssuerKind }}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ printf "%s-ca-issuer" (include "common.names.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
ca:
secretName: {{ printf "%s-ca-crt" (include "common.names.fullname" .) }}
{{- end }}
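Review bot: The CA Certificate at L2981–L2997 sets neither `privateKey` nor `duration`/`renewBefore`, unlike the client Certificate in the next file, so it falls back to cert-manager's defaults (a 90-day lifetime and RSA key at the time of writing); since `hubble-tls-client-ca-files` in the configmap pins trust to this CA, a default-length CA rotation invalidates every issued client certificate until it is reissued. Consider rendering the same `privateKey:` / `algorithm: {{ .Values.tls.autoGenerated.certManager.keyAlgorithm }}` / `size: {{ int .Values.tls.autoGenerated.certManager.keySize }}` block on the CA and giving it an explicit, longer `duration` than the leaf. A naming nit: the bootstrap object at L2968 is `kind: Issuer` (namespaced) yet is named `%s-clusterissuer`, which reads as a ClusterIssuer.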


@@ -0,0 +1,36 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.tls.enabled .Values.tls.autoGenerated.enabled (eq .Values.tls.autoGenerated.engine "cert-manager") }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ printf "%s-client-crt" (include "common.names.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
secretName: {{ template "cilium.tls.client.secretName" . }}
commonName: {{ printf "%s-client" (include "common.names.fullname" .) }}
issuerRef:
name: {{ printf "%s-ca-issuer" (include "common.names.fullname" .) }}
kind: Issuer
subject:
organizations:
- "Cilium"
dnsNames:
- '*.{{ include "common.names.namespace" . }}'
- '*.{{ include "common.names.namespace" . }}.svc'
- '*.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}'
privateKey:
algorithm: {{ .Values.tls.autoGenerated.certManager.keyAlgorithm }}
size: {{ int .Values.tls.autoGenerated.certManager.keySize }}
duration: {{ .Values.tls.autoGenerated.certManager.duration }}
renewBefore: {{ .Values.tls.autoGenerated.certManager.renewBefore }}
{{- end }}
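Review bot: The client Certificate sets no `usages`, so cert-manager emits only its default key usages; Hubble's mutual-TLS verification may require a `client auth` extended key usage on the presenting side, which is worth confirming against the `hubble-tls-*` settings in the configmap of this commit. If it is needed, `usages:` / `- client auth` under `spec:` is sufficient. The `dnsNames` at L3041–L3044 are namespace-wide wildcards; if this key is only ever presented as a client identity they add nothing to verification, and they widen what the key could stand for if the secret is exposed, so consider dropping them or narrowing them to the agent's service name.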


@@ -0,0 +1,136 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/*
Return the Cilium common configuration.
ref: https://docs.cilium.io/en/stable/network/kubernetes/configuration/
*/}}
{{- define "cilium.configuration" -}}
{{- if .Values.configuration }}
{{- include "common.tplvalues.render" (dict "value" .Values.configuration "context" .) }}
{{- else }}
debug: {{ ternary "true" "false" (or .Values.agent.image.debug .Values.operator.image.debug .Values.diagnosticMode.enabled) | quote }}
certificates-directory: /certs
lib-dir: /opt/bitnami/cilium/var/lib
state-dir: /opt/bitnami/cilium/var/run
socket-path: /opt/bitnami/cilium/var/run/cilium.sock
# Name & ID of the cluster
cluster-name: default
cluster-id: "0"
{{- if or .Values.etcd.enabled .Values.externalKvstore.enabled }}
# KeyValue Store configuration
kvstore-opt: '{"etcd.config": "/opt/bitnami/cilium/var/lib/etcd/etcd.config"}'
etcd-config: |-
---
endpoints: {{- include "cilium.kvstore.endpoints" . | nindent 4 }}
{{- end }}
# Remove state from the filesystem on startup
clean-cilium-state: "false"
clean-cilium-bpf-state: "false"
# IP addressing
enable-ipv4: "true"
enable-ipv6: "false"
# IP Address Management (IPAM)
# https://docs.cilium.io/en/stable/network/concepts/ipam
routing-mode: "tunnel"
tunnel-protocol: "vxlan"
tunnel-port: "8472"
# Health checking and Pprof
enable-endpoint-health-checking: "true"
enable-health-checking: "true"
agent-health-port: {{ printf "%d" (int .Values.agent.containerPorts.health) | quote }}
pprof: {{ ternary "true" "false" .Values.agent.enablePprof | quote }}
{{- if .Values.agent.enablePprof }}
pprof-address: "localhost"
pprof-port: {{ printf "%d" (int .Values.agent.containerPorts.pprof) | quote }}
{{- end }}
operator-pprof: {{ ternary "true" "false" .Values.operator.enablePprof | quote }}
{{- if .Values.operator.enablePprof }}
operator-pprof-address: "localhost"
operator-pprof-port: {{ printf "%d" (int .Values.operator.containerPorts.pprof) | quote }}
{{- end }}
# Monitor aggregation
monitor-aggregation: medium
monitor-aggregation-interval: "5s"
monitor-aggregation-flags: all
# BPF configuration
bpf-root: /sys/fs/bpf
preallocate-bpf-maps: "false"
# CNI configuration
cni-exclusive: "true"
custom-cni-conf: "false"
cni-log-file: "/opt/bitnami/cilium/var/run/cni.log"
write-cni-conf-when-ready: {{ printf "/host%s/05-cilium.conflist" .Values.agent.cniPlugin.hostCNINetDir }}
cni-uninstall: {{ ternary "true" "false" .Values.agent.cniPlugin.uninstall | quote }}
# Operator configuration
operator-api-serve-addr: {{ printf ":%d" (int .Values.operator.containerPorts.api) | quote }}
disable-endpoint-crd: "false"
skip-crd-creation: "false"
identity-allocation-mode: crd
ipam: "cluster-pool"
cluster-pool-ipv4-cidr: "10.0.0.0/8"
cluster-pool-ipv4-mask-size: "24"
# Hubble configuration
enable-hubble: "true"
hubble-socket-path: "/opt/bitnami/cilium/var/run/hubble.sock"
hubble-export-file-max-size-mb: "10"
hubble-export-file-max-backups: "5"
hubble-listen-address: {{ printf ":%d" (int .Values.agent.containerPorts.hubblePeer) | quote }}
hubble-disable-tls: {{ ternary "false" "true" .Values.tls.enabled | quote }}
{{- if .Values.tls.enabled }}
hubble-tls-cert-file: /certs/hubble/tls.crt
hubble-tls-key-file: /certs/hubble/tls.key
hubble-tls-client-ca-files: /certs/hubble/ca.crt
{{- end }}
{{- if or .Values.agent.metrics.enabled .Values.agent.hubbleMetrics.enabled .Values.operator.metrics.enabled }}
# Prometheus metrics
enable-metrics: "true"
{{- if .Values.agent.metrics.enabled }}
prometheus-serve-addr: {{ printf ":%d" (int .Values.agent.containerPorts.metrics) | quote }}
controllerGroupMetrics: all
metrics: ~
{{- end }}
{{- if .Values.agent.hubbleMetrics.enabled }}
hubble-metrics-server: {{ printf ":%d" (int .Values.agent.containerPorts.hubbleMetrics) | quote }}
hubble-metrics: ~
{{- end }}
{{- if .Values.operator.metrics.enabled }}
operator-prometheus-serve-addr: {{ printf ":%d" (int .Values.operator.containerPorts.metrics) | quote }}
{{- end }}
{{- if .Values.envoy.metrics.enabled }}
proxy-prometheus-port: {{ printf "%d" (int .Values.envoy.containerPorts.metrics) | quote }}
{{- end }}
{{- end }}
# Envoy configuration
external-envoy-proxy: "true"
disable-envoy-version-check: "true"
# Other configuration
enable-k8s-networkpolicy: "true"
synchronize-k8s-nodes: "true"
remove-cilium-node-taints: "true"
set-cilium-node-taints: "true"
set-cilium-is-up-condition: "true"
agent-not-ready-taint-key: "node.cilium.io/agent-not-ready"
{{- end }}
{{- end }}
{{- if not .Values.existingConfigmap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- $configuration := include "cilium.configuration" . | fromYaml -}}
{{- if .Values.overrideConfiguration }}
{{- $overrideConfiguration := include "common.tplvalues.render" (dict "value" .Values.overrideConfiguration "context" .) | fromYaml }}
{{- $configuration = mustMergeOverwrite $configuration $overrideConfiguration }}
{{- end }}
data: {{- $configuration | toYaml | nindent 2 }}
{{- end }}
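Review bot: `hubble-listen-address` at L3133 binds `:port` on all interfaces while `hubble-disable-tls` at L3134 simply follows `.Values.tls.enabled`, so with TLS off the Hubble API is served in plaintext and unauthenticated on every address the agent pod has — and if the agent DaemonSet uses `hostNetwork: true` as the Envoy one in this commit does, those are the node's interfaces. A comment beside L3134 such as `# tls.enabled=false serves the Hubble API unauthenticated on hubble-listen-address; only for trusted networks` would make that trade-off visible, and a NOTES.txt warning would help further. Separately, this template merges overrides with `mustMergeOverwrite` at L3185 while the Envoy configmap in this commit uses `mergeOverwrite`; choose one so that a malformed override fails rendering consistently.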


@@ -0,0 +1,355 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/*
Return the Envoy configuration.
*/}}
{{- define "cilium.envoy.configuration" -}}
{{- if .Values.envoy.configuration }}
{{- include "common.tplvalues.render" (dict "value" .Values.envoy.configuration "context" .) }}
{{- else }}
{
"node": {
"id": "host~127.0.0.1~no-id~localdomain",
"cluster": "ingress-cluster"
},
"staticResources": {
"listeners": [
{{- if .Values.envoy.metrics.enabled }}
{
"name": "envoy-metrics-listener",
"address": {
"socket_address": {
"address": "0.0.0.0",
"port_value": {{ .Values.envoy.containerPorts.metrics }}
}
},
"filter_chains": [
{
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"stat_prefix": "envoy-metrics-listener",
"route_config": {
"virtual_hosts": [
{
"name": "prometheus_metrics_route",
"domains": [
"*"
],
"routes": [
{
"name": "prometheus_metrics_route",
"match": {
"prefix": "/metrics"
},
"route": {
"cluster": "/envoy-admin",
"prefix_rewrite": "/stats/prometheus"
}
}
]
}
]
},
"http_filters": [
{
"name": "envoy.filters.http.router",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
}
}
],
"stream_idle_timeout": "0s"
}
}
]
}
]
},
{{- end }}
{
"name": "envoy-health-listener",
"address": {
"socket_address": {
"address": "127.0.0.1",
"port_value": {{ .Values.envoy.containerPorts.health }}
}
},
"filter_chains": [
{
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"stat_prefix": "envoy-health-listener",
"route_config": {
"virtual_hosts": [
{
"name": "health",
"domains": [
"*"
],
"routes": [
{
"name": "health",
"match": {
"prefix": "/healthz"
},
"route": {
"cluster": "/envoy-admin",
"prefix_rewrite": "/ready"
}
}
]
}
]
},
"http_filters": [
{
"name": "envoy.filters.http.router",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
}
}
],
"stream_idle_timeout": "0s"
}
}
]
}
]
}
],
"clusters": [
{
"name": "ingress-cluster",
"type": "ORIGINAL_DST",
"connectTimeout": "2s",
"lbPolicy": "CLUSTER_PROVIDED",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"commonHttpProtocolOptions": {
"idleTimeout": "60s",
"maxConnectionDuration": "0s",
"maxRequestsPerConnection": 0
},
"useDownstreamProtocolConfig": {}
}
},
"cleanupInterval": "2.500s"
},
{
"name": "ingress-cluster-tls",
"type": "ORIGINAL_DST",
"connectTimeout": "2s",
"lbPolicy": "CLUSTER_PROVIDED",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"commonHttpProtocolOptions": {
"idleTimeout": "60s",
"maxConnectionDuration": "0s",
"maxRequestsPerConnection": 0
},
"upstreamHttpProtocolOptions": {},
"useDownstreamProtocolConfig": {}
}
},
"cleanupInterval": "2.500s",
"transportSocket": {
"name": "cilium.tls_wrapper",
"typedConfig": {
"@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
}
}
},
{
"name": "egress-cluster",
"type": "ORIGINAL_DST",
"connectTimeout": "2s",
"lbPolicy": "CLUSTER_PROVIDED",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"commonHttpProtocolOptions": {
"idleTimeout": "60s",
"maxConnectionDuration": "0s",
"maxRequestsPerConnection": 0
},
"useDownstreamProtocolConfig": {}
}
},
"cleanupInterval": "2.500s"
},
{
"name": "egress-cluster-tls",
"type": "ORIGINAL_DST",
"connectTimeout": "2s",
"lbPolicy": "CLUSTER_PROVIDED",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"commonHttpProtocolOptions": {
"idleTimeout": "60s",
"maxConnectionDuration": "0s",
"maxRequestsPerConnection": 0
},
"upstreamHttpProtocolOptions": {},
"useDownstreamProtocolConfig": {}
}
},
"cleanupInterval": "2.500s",
"transportSocket": {
"name": "cilium.tls_wrapper",
"typedConfig": {
"@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
}
}
},
{
"name": "xds-grpc-cilium",
"type": "STATIC",
"connectTimeout": "2s",
"loadAssignment": {
"clusterName": "xds-grpc-cilium",
"endpoints": [
{
"lbEndpoints": [
{
"endpoint": {
"address": {
"pipe": {
"path": "/sockets/xds.sock"
}
}
}
}
]
}
]
},
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"explicitHttpConfig": {
"http2ProtocolOptions": {}
}
}
}
},
{
"name": "/envoy-admin",
"type": "STATIC",
"connectTimeout": "2s",
"loadAssignment": {
"clusterName": "/envoy-admin",
"endpoints": [
{
"lbEndpoints": [
{
"endpoint": {
"address": {
"pipe": {
"path": "/sockets/admin.sock"
}
}
}
}
]
}
]
}
}
]
},
"dynamicResources": {
"ldsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "xds-grpc-cilium"
}
}
],
"setNodeOnFirstMessageOnly": true
},
"resourceApiVersion": "V3"
},
"cdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "xds-grpc-cilium"
}
}
],
"setNodeOnFirstMessageOnly": true
},
"resourceApiVersion": "V3"
}
},
"bootstrapExtensions": [
{
"name": "envoy.bootstrap.internal_listener",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"
}
}
],
"layeredRuntime": {
"layers": [
{
"name": "static_layer_0",
"staticLayer": {
"overload": {
"global_downstream_max_connections": 50000
}
}
}
]
},
"admin": {
"address": {
"pipe": {
"path": "/sockets/admin.sock"
}
}
}
}
{{- end }}
{{- end }}
{{- if not .Values.envoy.existingConfigmap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "cilium.envoy.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: envoy
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- $configuration := include "cilium.envoy.configuration" . | fromJson -}}
{{- if .Values.envoy.overrideConfiguration }}
{{- $overrideConfiguration := include "common.tplvalues.render" (dict "value" .Values.envoy.overrideConfiguration "context" .) | fromJson }}
{{- $configuration = mergeOverwrite $configuration $overrideConfiguration }}
{{- end }}
data:
envoy.json: |-
{{- $configuration | toPrettyJson | nindent 4 }}
{{- end }}
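Review bot: The metrics listener at L3216 binds `0.0.0.0` whereas the health listener at L3270 binds `127.0.0.1`; because the Envoy DaemonSet in this commit runs with `hostNetwork: true`, the metrics port is reachable on every node interface, and the route forwards paths under `/metrics` into the admin-socket cluster `/envoy-admin` (rewritten to `/stats/prometheus`). The prefix match and rewrite bound what is reachable through it, but the exposure deserves a comment, e.g. `# reachable on all node addresses (hostNetwork); restrict via networkPolicy.extraIngress or a host firewall`, or a values-driven bind address. Also, `mergeOverwrite` at L3540 silently tolerates merge errors, unlike `mustMergeOverwrite` in the Cilium configmap of this commit.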


@@ -0,0 +1,215 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: {{ include "common.capabilities.daemonset.apiVersion" . }}
kind: DaemonSet
metadata:
name: {{ template "cilium.envoy.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: envoy
{{- if or .Values.envoy.daemonsetAnnotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.envoy.daemonsetAnnotations .Values.commonAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.envoy.updateStrategy }}
updateStrategy: {{- toYaml .Values.envoy.updateStrategy | nindent 4 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.envoy.podLabels .Values.commonLabels) "context" .) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: envoy
template:
metadata:
annotations:
{{- if semverCompare "<1.30-0" (include "common.capabilities.kubeVersion" .) }}
container.apparmor.security.beta.kubernetes.io/cilium-envoy: "unconfined"
{{- end }}
{{- if not .Values.envoy.existingConfigmap }}
checksum/config: {{ include (print $.Template.BasePath "/envoy/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.envoy.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.envoy.podAnnotations "context" $) | nindent 8 }}
{{- end }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: envoy
spec:
{{- include "cilium.imagePullSecrets" . | nindent 6 }}
serviceAccountName: {{ template "cilium.envoy.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.envoy.automountServiceAccountToken }}
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
restartPolicy: Always
{{- if .Values.envoy.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.hostAliases "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.envoy.affinity }}
affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.envoy.affinity "context" $) | nindent 8 }}
{{- else if not (empty .Values.envoy.nodeAffinityPreset.type) }}
affinity:
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.envoy.nodeAffinityPreset.type "key" .Values.envoy.nodeAffinityPreset.key "values" .Values.envoy.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.envoy.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.envoy.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.envoy.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.tolerations "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.envoy.priorityClassName }}
priorityClassName: {{ .Values.envoy.priorityClassName | quote }}
{{- end }}
{{- if .Values.envoy.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.envoy.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.envoy.terminationGracePeriodSeconds }}
{{- end }}
{{- if .Values.envoy.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: cilium-envoy
image: {{ include "cilium.envoy.image" . }}
imagePullPolicy: {{ .Values.envoy.image.pullPolicy }}
{{- if .Values.envoy.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
command:
{{- if .Values.diagnosticMode.enabled }}
{{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
{{- else if .Values.envoy.command }}
{{- include "common.tplvalues.render" (dict "value" .Values.envoy.command "context" $) | nindent 12 }}
{{- else }}
- cilium-envoy-starter
{{- end }}
args:
{{- if .Values.diagnosticMode.enabled }}
{{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
{{- else if .Values.envoy.args }}
{{- include "common.tplvalues.render" (dict "value" .Values.envoy.args "context" $) | nindent 12 }}
{{- else }}
- -c
- /config/envoy.json
- --log-level
- {{ .Values.envoy.logLevel }}
{{- if .Values.envoy.extraArgs }}
{{- include "common.tplvalues.render" (dict "value" .Values.envoy.extraArgs "context" $) | nindent 12 }}
{{- end }}
{{- end }}
env:
- name: ENVOY_POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: CILIUM_K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
{{- if .Values.envoy.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.envoy.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- if or .Values.envoy.extraEnvVarsCM .Values.envoy.extraEnvVarsSecret }}
envFrom:
{{- if .Values.envoy.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.envoy.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.envoy.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.envoy.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- end }}
{{- if .Values.envoy.resources }}
resources: {{- toYaml .Values.envoy.resources | nindent 12 }}
{{- else if ne .Values.envoy.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.envoy.resourcesPreset) | nindent 12 }}
{{- end }}
ports:
- name: health
containerPort: {{ .Values.envoy.containerPorts.health }}
{{- if .Values.envoy.metrics.enabled }}
- name: metrics
containerPort: {{ .Values.envoy.containerPorts.metrics }}
{{- end }}
{{- if .Values.envoy.extraContainerPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.envoy.extraContainerPorts "context" $) | nindent 12 }}
{{- end }}
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.envoy.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.envoy.livenessProbe.enabled }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.envoy.livenessProbe "enabled") "context" $) | nindent 12 }}
tcpSocket:
host: "127.0.0.1"
port: health
{{- end }}
{{- if .Values.envoy.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.envoy.readinessProbe.enabled }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.envoy.readinessProbe "enabled") "context" $) | nindent 12 }}
httpGet:
host: "127.0.0.1"
path: /healthz
port: health
{{- end }}
{{- if .Values.envoy.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.envoy.startupProbe.enabled }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.envoy.startupProbe "enabled") "context" $) | nindent 12 }}
tcpSocket:
host: "127.0.0.1"
port: health
{{- end }}
{{- end }}
{{- if .Values.envoy.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: config
mountPath: /config
readOnly: true
- name: envoy-sockets
mountPath: /sockets
{{- if .Values.agent.bpf.autoMount }}
- name: bpf-maps
mountPath: {{ .Values.agent.bpf.hostRoot }}
mountPropagation: HostToContainer
{{- end }}
{{- if .Values.envoy.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.envoy.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.envoy.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.envoy.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
- name: config
configMap:
name: {{ template "cilium.envoy.configmapName" . }}
- name: envoy-sockets
hostPath:
path: /var/run/cilium/envoy/sockets
type: DirectoryOrCreate
{{- if .Values.agent.bpf.autoMount }}
# To mount bpf fs on the host
- name: bpf-maps
hostPath:
path: {{ .Values.agent.bpf.hostRoot }}
type: DirectoryOrCreate
{{- end }}
{{- if .Values.envoy.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.envoy.extraVolumes "context" $) | nindent 8 }}
{{- end }}
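Review bot: The AppArmor relaxation at L3578–L3580 is rendered only for clusters below 1.30, through the deprecated annotation; on 1.30+ nothing in this template sets the replacement `securityContext.appArmorProfile`, so unless `.Values.envoy.containerSecurityContext` carries it (not visible here — please confirm) cilium-envoy runs under the runtime's default profile on newer clusters, which may interfere with the `bpf-maps` mount at L3733. A comment on L3578 naming that expectation, e.g. `# <1.30: AppArmor via annotation; >=1.30 relies on appArmorProfile in containerSecurityContext`, would prevent a silent behaviour split. The sockets hostPath at L3751 is `DirectoryOrCreate` with no ownership or mode control; the xDS and admin sockets the configmap places there act as a local control interface, so the expected permissions of that directory are worth documenting.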


@@ -0,0 +1,31 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.envoy.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-metrics" (include "cilium.envoy.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: envoy
prometheus.io/scrape: "true"
{{- if or .Values.envoy.metrics.service.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.envoy.metrics.service.annotations .Values.commonAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
ports:
- name: tcp-metrics
port: {{ .Values.envoy.metrics.service.port }}
targetPort: metrics
protocol: TCP
{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.envoy.podLabels .Values.commonLabels) "context" .) | fromYaml }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: envoy
{{- end }}
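Review bot: `$podLabels` at L3792 is piped through `fromYaml` before reaching `common.labels.matchLabels`, while the same expression in the Envoy DaemonSet selector (L3570) and NetworkPolicy (L3818) passes the raw string. Both forms presumably render, but the three selectors must stay identical, so use one form everywhere (dropping `| fromYaml` here matches the other two).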


@@ -0,0 +1,81 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.envoy.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "cilium.envoy.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: envoy
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.envoy.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: envoy
policyTypes:
{{- if or .Values.envoy.metrics.enabled .Values.envoy.extraContainerPorts .Values.envoy.networkPolicy.extraIngress }}
- Ingress
{{- end }}
- Egress
egress:
{{- if .Values.envoy.networkPolicy.allowExternalEgress }}
- {}
{{- else }}
- ports:
# Allow dns resolution
- port: 53
protocol: UDP
- port: 53
protocol: TCP
{{- if .Values.envoy.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.envoy.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
{{- if or .Values.envoy.metrics.enabled .Values.envoy.extraContainerPorts .Values.envoy.networkPolicy.extraIngress }}
ingress:
{{- if or .Values.envoy.metrics.enabled .Values.envoy.extraContainerPorts }}
- ports:
{{- if .Values.envoy.metrics.enabled }}
- port: {{ .Values.envoy.containerPorts.metrics }}
{{- end }}
{{- range .Values.envoy.extraContainerPorts }}
- port: {{ .containerPort }}
{{- end }}
{{- if not .Values.envoy.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.envoy.networkPolicy.addExternalClientAccess }}
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
{{- end }}
{{- if .Values.envoy.networkPolicy.ingressPodMatchLabels }}
- podSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }}
{{- end }}
{{- if .Values.envoy.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.networkPolicy.ingressNSMatchLabels "context" $ ) | nindent 14 }}
{{- if .Values.envoy.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.networkPolicy.ingressNSPodMatchLabels "context" $ ) | nindent 14 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.envoy.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.envoy.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
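Review bot: L3870–L3871 emit `matchLabels:` twice under the namespace-scoped `podSelector`, yielding either a duplicate key or a nested `matchLabels: {matchLabels: ...}` map, which the API server rejects since matchLabels values must be strings; drop the bare `matchLabels:` line at L3870 (the include on L3871 already carries the key with `nindent 14`, matching L3867). Beyond that, the DaemonSet this policy selects runs with `hostNetwork: true`, and Kubernetes leaves NetworkPolicy semantics for host-networked pods undefined (Cilium applies node-level rules through its host policies rather than namespaced NetworkPolicy), so this object likely offers no real isolation for the metrics port; please document that limitation in the values description or point users at a host-level policy instead.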


@@ -0,0 +1,20 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.envoy.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "cilium.envoy.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: envoy
{{- if or .Values.envoy.serviceAccount.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.envoy.serviceAccount.annotations .Values.commonAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.envoy.serviceAccount.automountServiceAccountToken }}
{{- end }}


@@ -0,0 +1,51 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.envoy.metrics.enabled .Values.envoy.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "cilium.envoy.fullname" . }}
namespace: {{ default (include "common.names.namespace" .) .Values.envoy.metrics.serviceMonitor.namespace | quote }}
{{- $labels := include "common.tplvalues.merge" (dict "values" (list .Values.envoy.metrics.serviceMonitor.labels .Values.commonLabels) "context" .) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: envoy
{{- if or .Values.envoy.metrics.serviceMonitor.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.envoy.metrics.serviceMonitor.annotations .Values.commonAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
jobLabel: {{ .Values.envoy.metrics.serviceMonitor.jobLabel | quote }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: envoy
prometheus.io/scrape: "true"
{{- if .Values.envoy.metrics.serviceMonitor.selector }}
{{- include "common.tplvalues.render" (dict "value" .Values.envoy.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
{{- end }}
endpoints:
- port: tcp-metrics
path: "/metrics"
{{- if .Values.envoy.metrics.serviceMonitor.interval }}
interval: {{ .Values.envoy.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.envoy.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.envoy.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.envoy.metrics.serviceMonitor.honorLabels }}
honorLabels: {{ .Values.envoy.metrics.serviceMonitor.honorLabels }}
{{- end }}
{{- if .Values.envoy.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.envoy.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.envoy.metrics.serviceMonitor.relabelings }}
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.envoy.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ include "common.names.namespace" . | quote }}
{{- end }}


@@ -0,0 +1,45 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1/VerticalPodAutoscaler") .Values.envoy.autoscaling.vpa.enabled }}
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
name: {{ template "cilium.envoy.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: envoy
{{- if or .Values.envoy.autoscaling.vpa.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.envoy.autoscaling.vpa.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
resourcePolicy:
containerPolicies:
- containerName: envoy
{{- with .Values.envoy.autoscaling.vpa.controlledResources }}
controlledResources:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.envoy.autoscaling.vpa.maxAllowed }}
maxAllowed:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.envoy.autoscaling.vpa.minAllowed }}
minAllowed:
{{- toYaml . | nindent 8 }}
{{- end }}
targetRef:
apiVersion: {{ include "common.capabilities.daemonset.apiVersion" . }}
kind: DaemonSet
name: {{ include "cilium.envoy.fullname" . }}
{{- if .Values.envoy.autoscaling.vpa.updatePolicy }}
updatePolicy:
{{- with .Values.envoy.autoscaling.vpa.updatePolicy.updateMode }}
updateMode: {{ . }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,9 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- range .Values.extraDeploy }}
---
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
{{- end }}


@@ -0,0 +1,216 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ template "cilium.operator.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: operator
{{- if or .Values.operator.deploymentAnnotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.operator.deploymentAnnotations .Values.commonAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if not .Values.operator.autoscaling.hpa.enabled }}
replicas: {{ .Values.operator.replicaCount }}
{{- end }}
{{- if .Values.operator.updateStrategy }}
updateStrategy: {{- toYaml .Values.operator.updateStrategy | nindent 4 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.operator.podLabels .Values.commonLabels) "context" .) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: operator
template:
metadata:
annotations:
{{- if not .Values.existingConfigmap }}
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.operator.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.operator.podAnnotations "context" $) | nindent 8 }}
{{- end }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: operator
spec:
{{- include "cilium.imagePullSecrets" . | nindent 6 }}
serviceAccountName: {{ template "cilium.operator.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.operator.automountServiceAccountToken }}
{{- if .Values.operator.hostNetwork }}
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
{{- end }}
restartPolicy: Always
{{- if .Values.operator.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.operator.hostAliases "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.operator.affinity }}
affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.operator.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
{{- if not (empty .Values.operator.podAffinityPreset) }}
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.operator.podAffinityPreset "component" "operator" "customLabels" $podLabels "context" $) | nindent 10 }}
{{- end }}
{{- if not (empty .Values.operator.podAntiAffinityPreset) }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.operator.podAntiAffinityPreset "component" "operator" "customLabels" $podLabels "context" $) | nindent 10 }}
{{- end }}
{{- if not (empty .Values.operator.nodeAffinityPreset.type) }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.operator.nodeAffinityPreset.type "key" .Values.operator.nodeAffinityPreset.key "values" .Values.operator.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- end }}
{{- if .Values.operator.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.operator.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.operator.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.operator.tolerations "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.operator.priorityClassName }}
priorityClassName: {{ .Values.operator.priorityClassName | quote }}
{{- end }}
{{- if .Values.operator.schedulerName }}
schedulerName: {{ .Values.operator.schedulerName | quote }}
{{- end }}
{{- if .Values.operator.topologySpreadConstraints }}
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.operator.topologySpreadConstraints "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.operator.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.operator.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.operator.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.operator.terminationGracePeriodSeconds }}
{{- end }}
{{- if .Values.operator.initContainers }}
initContainers:
{{- include "common.tplvalues.render" (dict "value" .Values.operator.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: cilium-operator
image: {{ include "cilium.operator.image" . }}
imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
{{- if .Values.operator.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.operator.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
command:
{{- if .Values.diagnosticMode.enabled }}
{{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
{{- else if .Values.operator.command }}
{{- include "common.tplvalues.render" (dict "value" .Values.operator.command "context" $) | nindent 12 }}
{{- else }}
- cilium-operator-generic
{{- end }}
args:
{{- if .Values.diagnosticMode.enabled }}
{{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
{{- else if .Values.operator.args }}
{{- include "common.tplvalues.render" (dict "value" .Values.operator.args "context" $) | nindent 12 }}
{{- else }}
- --config-dir=/opt/bitnami/cilium-operator/conf
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" (or .Values.operator.image.debug .Values.diagnosticMode.enabled) | quote }}
- name: K8S_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: CILIUM_K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
{{- if .Values.operator.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.operator.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- if or .Values.operator.extraEnvVarsCM .Values.operator.extraEnvVarsSecret }}
envFrom:
{{- if .Values.operator.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.operator.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.operator.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.operator.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- end }}
{{- if .Values.operator.resources }}
resources: {{- toYaml .Values.operator.resources | nindent 12 }}
{{- else if ne .Values.operator.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.operator.resourcesPreset) | nindent 12 }}
{{- end }}
ports:
- name: api
containerPort: {{ .Values.operator.containerPorts.api }}
{{- if .Values.operator.enablePprof }}
- name: pprof
containerPort: {{ .Values.operator.containerPorts.pprof }}
{{- end }}
{{- if .Values.operator.metrics.enabled }}
- name: metrics
containerPort: {{ .Values.operator.containerPorts.metrics }}
{{- end }}
{{- if .Values.operator.extraContainerPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.operator.extraContainerPorts "context" $) | nindent 12 }}
{{- end }}
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.operator.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.operator.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.operator.livenessProbe.enabled }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.operator.livenessProbe "enabled") "context" $) | nindent 12 }}
tcpSocket:
port: api
{{- end }}
{{- if .Values.operator.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.operator.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.operator.readinessProbe.enabled }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.operator.readinessProbe "enabled") "context" $) | nindent 12 }}
httpGet:
path: /healthz
port: api
scheme: HTTP
{{- end }}
{{- if .Values.operator.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.operator.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.operator.startupProbe.enabled }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.operator.startupProbe "enabled") "context" $) | nindent 12 }}
tcpSocket:
port: api
{{- end }}
{{- end }}
lifecycle:
{{- if .Values.operator.lifecycleHooks }}
{{- include "common.tplvalues.render" (dict "value" .Values.operator.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /.config
subPath: gops-config-dir
- name: config
mountPath: /opt/bitnami/cilium-operator/conf
readOnly: true
{{- if .Values.operator.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.operator.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.operator.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.operator.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
- name: config
configMap:
name: {{ template "cilium.configmapName" . }}
{{- if .Values.operator.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.operator.extraVolumes "context" $) | nindent 8 }}
{{- end }}
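Review bot: `updateStrategy:` near the top of the operator Deployment spec is not a Deployment field — the Deployment API names it `strategy` (`updateStrategy` belongs to DaemonSet and StatefulSet), so the `operator.updateStrategy` value is either rejected by server-side validation or silently dropped; the line should read `strategy: {{- toYaml .Values.operator.updateStrategy | nindent 4 }}`. Separately, `lifecycle:` is emitted unconditionally even when `operator.lifecycleHooks` is unset, which leaves a null `lifecycle` key in the rendered container; wrapping the key itself in the `{{- if }}`, as this template already does for `initContainers`, keeps the output clean.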


@@ -0,0 +1,50 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.operator.autoscaling.hpa.enabled }}
apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "cilium.operator.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: operator
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
scaleTargetRef:
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
name: {{ printf "%s-replicas" (include "common.names.fullname" .) }}
minReplicas: {{ .Values.operator.autoscaling.hpa.minReplicas }}
maxReplicas: {{ .Values.operator.autoscaling.hpa.maxReplicas }}
metrics:
{{- if .Values.operator.autoscaling.hpa.targetCPU }}
- type: Resource
resource:
name: cpu
{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }}
targetAverageUtilization: {{ .Values.operator.autoscaling.hpa.targetCPU }}
{{- else }}
target:
type: Utilization
averageUtilization: {{ .Values.operator.autoscaling.hpa.targetCPU }}
{{- end }}
{{- end }}
{{- if .Values.operator.autoscaling.hpa.targetMemory }}
- type: Resource
resource:
name: memory
{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }}
targetAverageUtilization: {{ .Values.operator.autoscaling.hpa.targetMemory }}
{{- else }}
target:
type: Utilization
averageUtilization: {{ .Values.operator.autoscaling.hpa.targetMemory }}
{{- end }}
{{- end }}
{{- end }}
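Review bot: `scaleTargetRef.name` renders `{{ printf "%s-replicas" (include "common.names.fullname" .) }}`, but the operator Deployment this HPA is meant to scale is named `{{ template "cilium.operator.fullname" . }}` in the Deployment template's `metadata.name`, so the HPA points at a non-existent object and will never scale anything. Use `name: {{ template "cilium.operator.fullname" . }}` here so it agrees with the Deployment and with the operator VPA's `targetRef`. The `-replicas` suffix looks like a leftover from another chart, though that is inferred rather than visible here.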


@@ -0,0 +1,31 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.operator.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-metrics" (include "cilium.operator.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: operator
prometheus.io/scrape: "true"
{{- if or .Values.operator.metrics.service.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.operator.metrics.service.annotations .Values.commonAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
ports:
- name: tcp-metrics
port: {{ .Values.operator.metrics.service.port }}
targetPort: metrics
protocol: TCP
{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.operator.podLabels .Values.commonLabels) "context" .) | fromYaml }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: operator
{{- end }}


@@ -0,0 +1,80 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.operator.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "cilium.operator.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: operator
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.operator.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: operator
policyTypes:
- Ingress
- Egress
egress:
{{- if .Values.operator.networkPolicy.allowExternalEgress }}
- {}
{{- else }}
- ports:
# Allow dns resolution
- port: 53
protocol: UDP
- port: 53
protocol: TCP
# Allow access to kube-apiserver
{{- range $port := .Values.operator.networkPolicy.kubeAPIServerPorts }}
- port: {{ $port }}
{{- end }}
{{- if .Values.operator.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.operator.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.operator.containerPorts.api }}
{{- if .Values.operator.metrics.enabled }}
- port: {{ .Values.operator.containerPorts.metrics }}
{{- end }}
{{- range .Values.operator.extraContainerPorts }}
- port: {{ .containerPort }}
{{- end }}
{{- if not .Values.operator.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.operator.networkPolicy.addExternalClientAccess }}
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
{{- end }}
{{- if .Values.operator.networkPolicy.ingressPodMatchLabels }}
- podSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.operator.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }}
{{- end }}
{{- if .Values.operator.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.operator.networkPolicy.ingressNSMatchLabels "context" $ ) | nindent 14 }}
{{- if .Values.operator.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.operator.networkPolicy.ingressNSPodMatchLabels "context" $ ) | nindent 14 }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.operator.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.operator.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
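Review bot: Under `ingressNSPodMatchLabels` the `podSelector` carries two consecutive `matchLabels:` keys (`matchLabels:` followed by `matchLabels: {{- include ... | nindent 14 }}`), which renders a nested `matchLabels` entry instead of a flat label set and produces an invalid or ineffective selector; drop the inner key so the block reads `podSelector:` / `matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.operator.networkPolicy.ingressNSPodMatchLabels "context" $ ) | nindent 14 }}`. The envoy NetworkPolicy template earlier in this commit has the same duplicated pair. Indentation is not preserved in this rendering, so the exact rendered shape should be confirmed with `helm template`, but the duplicate key is visible either way. The `kubeAPIServerPorts` egress rule also deserves a comment, since it has no `to:` selector and therefore permits egress to any destination on those ports, not only the API server — `# No destination selector: any peer on these ports is reachable` would make that explicit for whoever tunes the policy later.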


@@ -0,0 +1,30 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.operator.pdb.create }}
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ template "cilium.operator.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: operator
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.operator.pdb.minAvailable }}
minAvailable: {{ .Values.operator.pdb.minAvailable }}
{{- end }}
{{- if or .Values.operator.pdb.maxUnavailable (not .Values.operator.pdb.minAvailable) }}
maxUnavailable: {{ .Values.operator.pdb.maxUnavailable | default 1 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.operator.podLabels .Values.commonLabels) "context" .) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: operator
{{- end }}


@@ -0,0 +1,234 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.operator.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cilium.operator.fullname.namespace" . }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: operator
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- delete
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
- nodes/status
verbs:
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services/status
verbs:
- update
- patch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies
- ciliumclusterwidenetworkpolicies
verbs:
- create
- update
- deletecollection
- patch
- get
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies/status
verbs:
- patch
- update
- apiGroups:
- cilium.io
resources:
- ciliumendpoints
- ciliumidentities
verbs:
- delete
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumidentities
verbs:
- update
- apiGroups:
- cilium.io
resources:
- ciliumnodes
verbs:
- create
- update
- get
- list
- watch
- delete
- apiGroups:
- cilium.io
resources:
- ciliumnodes/status
verbs:
- update
- apiGroups:
- cilium.io
resources:
- ciliumendpointslices
- ciliumenvoyconfigs
- ciliumbgppeerconfigs
- ciliumbgpadvertisements
- ciliumbgpnodeconfigs
verbs:
- create
- update
- get
- list
- watch
- delete
- patch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- update
resourceNames:
- ciliumloadbalancerippools.cilium.io
- ciliumbgppeeringpolicies.cilium.io
- ciliumbgpclusterconfigs.cilium.io
- ciliumbgppeerconfigs.cilium.io
- ciliumbgpadvertisements.cilium.io
- ciliumbgpnodeconfigs.cilium.io
- ciliumbgpnodeconfigoverrides.cilium.io
- ciliumclusterwideenvoyconfigs.cilium.io
- ciliumclusterwidenetworkpolicies.cilium.io
- ciliumegressgatewaypolicies.cilium.io
- ciliumendpoints.cilium.io
- ciliumendpointslices.cilium.io
- ciliumenvoyconfigs.cilium.io
- ciliumexternalworkloads.cilium.io
- ciliumidentities.cilium.io
- ciliumlocalredirectpolicies.cilium.io
- ciliumnetworkpolicies.cilium.io
- ciliumnodes.cilium.io
- ciliumnodeconfigs.cilium.io
- ciliumcidrgroups.cilium.io
- ciliuml2announcementpolicies.cilium.io
- ciliumpodippools.cilium.io
- apiGroups:
- cilium.io
resources:
- ciliumloadbalancerippools
- ciliumpodippools
- ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides
verbs:
- get
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumpodippools
verbs:
- create
- apiGroups:
- cilium.io
resources:
- ciliumloadbalancerippools/status
verbs:
- patch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
{{- if .Values.operator.rbac.rules }}
{{- include "common.tplvalues.render" ( dict "value" .Values.operator.rbac.rules "context" $ ) | nindent 2 }}
{{- end }}
---
kind: ClusterRoleBinding
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
metadata:
name: {{ template "cilium.operator.fullname.namespace" . }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: operator
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cilium.operator.fullname.namespace" . }}
subjects:
- kind: ServiceAccount
name: {{ template "cilium.operator.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
{{- end }}
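Review bot: The ClusterRole hardcodes `apiVersion: rbac.authorization.k8s.io/v1` while the ClusterRoleBinding in the same file resolves it via `include "common.capabilities.rbac.apiVersion" .`; use one form for both objects, e.g. `apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}` on the ClusterRole. Because this is a cluster-wide role that includes `delete` on pods, `patch` on nodes/status, and `create`/`update` on CRDs, a short comment above `rules:` stating where the rule set comes from (presumably the upstream cilium-operator manifests, to be confirmed) and that `operator.rbac.rules` can only widen it would help later audits. It is worth noting in that comment that the CRD `update` rule is narrowed with `resourceNames` while `create`/`get`/`list`/`watch` on CRDs cannot be, so the broader verbs are intentional rather than an oversight.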


@@ -0,0 +1,20 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.operator.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "cilium.operator.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: operator
{{- if or .Values.operator.serviceAccount.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.operator.serviceAccount.annotations .Values.commonAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.operator.serviceAccount.automountServiceAccountToken }}
{{- end }}


@@ -0,0 +1,51 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.operator.metrics.enabled .Values.operator.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "cilium.operator.fullname" . }}
namespace: {{ default (include "common.names.namespace" .) .Values.operator.metrics.serviceMonitor.namespace | quote }}
{{- $labels := include "common.tplvalues.merge" (dict "values" (list .Values.operator.metrics.serviceMonitor.labels .Values.commonLabels) "context" .) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: operator
{{- if or .Values.operator.metrics.serviceMonitor.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.operator.metrics.serviceMonitor.annotations .Values.commonAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
jobLabel: {{ .Values.operator.metrics.serviceMonitor.jobLabel | quote }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: operator
prometheus.io/scrape: "true"
{{- if .Values.operator.metrics.serviceMonitor.selector }}
{{- include "common.tplvalues.render" (dict "value" .Values.operator.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
{{- end }}
endpoints:
- port: tcp-metrics
path: "/metrics"
{{- if .Values.operator.metrics.serviceMonitor.interval }}
interval: {{ .Values.operator.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.operator.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.operator.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.operator.metrics.serviceMonitor.honorLabels }}
honorLabels: {{ .Values.operator.metrics.serviceMonitor.honorLabels }}
{{- end }}
{{- if .Values.operator.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.operator.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.operator.metrics.serviceMonitor.relabelings }}
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.operator.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ include "common.names.namespace" . | quote }}
{{- end }}


@@ -0,0 +1,45 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1/VerticalPodAutoscaler") .Values.operator.autoscaling.vpa.enabled }}
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
name: {{ template "cilium.operator.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: operator
{{- if or .Values.operator.autoscaling.vpa.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.operator.autoscaling.vpa.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
resourcePolicy:
containerPolicies:
- containerName: cilium-operator
{{- with .Values.operator.autoscaling.vpa.controlledResources }}
controlledResources:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.autoscaling.vpa.maxAllowed }}
maxAllowed:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.autoscaling.vpa.minAllowed }}
minAllowed:
{{- toYaml . | nindent 8 }}
{{- end }}
targetRef:
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
name: {{ include "cilium.operator.fullname" . }}
{{- if .Values.operator.autoscaling.vpa.updatePolicy }}
updatePolicy:
{{- with .Values.operator.autoscaling.vpa.updatePolicy.updateMode }}
updateMode: {{ . }}
{{- end }}
{{- end }}
{{- end }}
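Review bot: `updatePolicy:` under `{{- if .Values.operator.autoscaling.vpa.updatePolicy }}` is emitted even when `updateMode` is unset, so any non-empty `updatePolicy` map without that field renders an `updatePolicy:` key with no value; nesting the key inside the inner block avoids this, `{{- with .Values.operator.autoscaling.vpa.updatePolicy.updateMode }}` / `updatePolicy:` / `  updateMode: {{ . }}`. The hard-coded `containerName: cilium-operator` has to match the container name in the operator Deployment, which is not in this hunk; a comment such as `# must match the container name in the operator Deployment` would make that coupling visible to whoever renames it. `metadata.name` uses `template` while `targetRef.name` uses `include` for the same helper; picking one keeps the file consistent.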


@@ -0,0 +1,82 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.tls.enabled .Values.tls.autoGenerated.enabled (eq .Values.tls.autoGenerated.engine "helm") -}}
{{- $ca := genCA "cilium-ca" 365 }}
{{- $releaseNamespace := include "common.names.namespace" . }}
{{- $clusterDomain := .Values.clusterDomain }}
{{- $hubbleFullname := include "cilium.agent.fullname" . -}}
{{- $hubbleAltNames := list (printf "%s.%s.svc.%s" $hubbleFullname $releaseNamespace $clusterDomain) $hubbleFullname "127.0.0.1" "localhost" }}
{{- $hubbleCert := genSignedCert $hubbleFullname nil $hubbleAltNames 365 $ca }}
{{- $hubbleSecretName := include "cilium.tls.hubble.secretName" . }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $hubbleSecretName }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
ca.crt: {{ include "common.secrets.lookup" (dict "secret" $hubbleSecretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
tls.crt: {{ include "common.secrets.lookup" (dict "secret" $hubbleSecretName "key" "tls.crt" "defaultValue" $hubbleCert.Cert "context" $) }}
tls.key: {{ include "common.secrets.lookup" (dict "secret" $hubbleSecretName "key" "tls.key" "defaultValue" $hubbleCert.Key "context" $) }}
---
{{- $clientCert := genSignedCert (printf "%s-client" (include "common.names.fullname" .)) nil nil 365 $ca }}
{{- $clientSecretName := include "cilium.tls.client.secretName" . }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $clientSecretName }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
ca.crt: {{ include "common.secrets.lookup" (dict "secret" $clientSecretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
tls.crt: {{ include "common.secrets.lookup" (dict "secret" $clientSecretName "key" "tls.crt" "defaultValue" $clientCert.Cert "context" $) }}
tls.key: {{ include "common.secrets.lookup" (dict "secret" $clientSecretName "key" "tls.key" "defaultValue" $clientCert.Key "context" $) }}
{{- else if and .Values.tls.enabled (not .Values.tls.autoGenerated.enabled) (empty .Values.tls.existingCASecret) (empty .Values.tls.hubble.existingSecret) (empty .Values.tls.client.existingSecret) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "cilium.tls.hubble.secretName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
app.kubernetes.io/component: agent
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
ca.crt: {{ required "A valid .Values.tls.ca entry required!" .Values.tls.ca | b64enc | quote }}
tls.crt: {{ required "A valid .Values.tls.hubble.cert entry required!" .Values.tls.hubble.cert | b64enc | quote }}
tls.key: {{ required "A valid .Values.tls.hubble.key entry required!" .Values.tls.hubble.key | b64enc | quote }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "cilium.tls.client.secretName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: cilium
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
ca.crt: {{ required "A valid .Values.tls.ca entry required!" .Values.tls.ca | b64enc | quote }}
tls.crt: {{ required "A valid .Values.tls.client.cert entry required!" .Values.tls.client.cert | b64enc | quote }}
tls.key: {{ required "A valid .Values.tls.client.key entry required!" .Values.tls.client.key | b64enc | quote }}
{{- end }}
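Review bot: The CA private key produced by `genCA "cilium-ca" 365` at the top of the `helm` branch is never persisted — both secrets store only `ca.crt` — so after the first install nothing can issue another certificate under that CA: if only one of the two secrets is later missing, `common.secrets.lookup` (as I read it, it returns the stored value when the secret exists) keeps the surviving secret's `ca.crt` while the other secret is regenerated from a fresh `$ca`, and the two sides no longer share a CA. The same lookup preserves the original leaf certificates indefinitely, so the literal 365-day validity on `genCA` and both `genSignedCert` calls turns into an unrotated expiry roughly a year after install. Documenting this above the `genCA` line, e.g. `{{- /* The CA key is not stored; to rotate or renew, delete both TLS secrets together so CA and leaf certificates are regenerated in one render */}}`, and exposing the validity period as a chart value instead of the hard-coded `365` would give operators a handle on both problems. The client secret's labels also omit `app.kubernetes.io/component`, unlike the hubble secret, so label selectors behave differently across the two.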

2086
bitnami/cilium/values.yaml Normal file
