diff --git a/create_cilium_sysext.sh b/create_cilium_sysext.sh
new file mode 100755
index 0000000..db06d80
--- /dev/null
+++ b/create_cilium_sysext.sh
@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+export ARCH="${ARCH-x86-64}"
+SCRIPTFOLDER="$(dirname "$(readlink -f "$0")")"
+
+if [ $# -lt 2 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+ echo "Usage: $0 VERSION SYSEXTNAME"
+ echo "The script will download cilium release binaries (e.g., for v0.16.24) and create a sysext squashfs image with the name SYSEXTNAME.raw in the current folder."
+ echo "A temporary directory named SYSEXTNAME in the current folder will be created and deleted again."
+ echo "All files in the sysext image will be owned by root."
+ echo "To use arm64 pass 'ARCH=arm64' as environment variable (current value is '${ARCH}')."
+ "${SCRIPTFOLDER}"/bake.sh --help
+ exit 1
+fi
+
+VERSION="$1"
+SYSEXTNAME="$2"
+
+if [ "${ARCH}" = "x86_64" ] || [ "${ARCH}" = "x86-64" ]; then
+ ARCH="amd64"
+elif [ "${ARCH}" = "aarch64" ]; then
+ ARCH="arm64"
+fi
+
+VERSION="v${VERSION#v}"
+
+TARBALL="cilium-linux-${ARCH}.tar.gz"
+SHASUM="${TARBALL}.sha256sum"
+
+TARBALL_URL="https://github.com/cilium/cilium-cli/releases/download/${VERSION}/${TARBALL}"
+SHASUM_URL="https://github.com/cilium/cilium-cli/releases/download/${VERSION}/${SHASUM}"
+
+rm -rf "${SYSEXTNAME}"
+
+TMP_DIR="${SYSEXTNAME}/tmp"
+mkdir -p "${TMP_DIR}"
+
+curl --parallel --fail --silent --show-error --location \
+ --output "${TMP_DIR}/${TARBALL}" "${TARBALL_URL}" \
+ --output "${TMP_DIR}/${SHASUM}" "${SHASUM_URL}"
+
+pushd "${TMP_DIR}" > /dev/null
+grep "${TARBALL}$" "${SHASUM}" | sha256sum -c -
+popd > /dev/null
+
+mkdir -p "${SYSEXTNAME}/usr/local/bin"
+
+tar --force-local -xf "${TMP_DIR}/${TARBALL}" -C "${SYSEXTNAME}/usr/local/bin"
+chmod +x "${SYSEXTNAME}/usr/local/bin/cilium"
+
+mkdir -p "${SYSEXTNAME}/usr/lib/systemd/system"
+cat > "${SYSEXTNAME}/usr/lib/systemd/system/cilium.service" <<-'EOF'
+[Unit]
+Description=Install cilium to running k8s cluster
+Documentation=https://docs.cilium.io/en/stable
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Environment=KUBECONFIG='/home/core/.kube/config'
+ExecStart=/opt/bin/cilium install ${CILIUM_INSTALL_ARGS}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+mkdir -p "${SYSEXTNAME}"/usr/lib/systemd/system/multi-user.target.d
+{ echo "[Unit]"; echo "Upholds=cilium.service"; } > "${SYSEXTNAME}"/usr/lib/systemd/system/multi-user.target.d/10-cilium.conf
+
+rm -rf "${TMP_DIR}"
+
+RELOAD=1 "${SCRIPTFOLDER}"/bake.sh "${SYSEXTNAME}"
+rm -rf "${SYSEXTNAME}"
diff --git a/docs/cilium.md b/docs/cilium.md
new file mode 100644
index 0000000..70897db
--- /dev/null
+++ b/docs/cilium.md
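Review bot: The unit written by the heredoc starts `/opt/bin/cilium`, but the tarball is extracted into `${SYSEXTNAME}/usr/local/bin` and the `chmod +x` targets that same path, so unless the target image maps /opt/bin onto /usr/local/bin the ExecStart will fail on a missing binary; either install where the unit looks or change the line to `ExecStart=/usr/local/bin/cilium install ${CILIUM_INSTALL_ARGS}`. `Restart=always` on what appears to be a one-shot `cilium install` re-runs the installer every time it exits successfully until the start rate limit trips; `Restart=on-failure` keeps the retry-until-the-cluster-is-up behaviour without that loop. The `sha256sum -c` step is good to have, but the checksum file is fetched from the same release over the same channel as the tarball, so it proves the transfer was not corrupted or truncated rather than that the release is authentic; a one-line comment above the grep, e.g. `# .sha256sum comes from the same release: catches corrupt/truncated downloads, not a replaced release`, would keep later readers from over-trusting it.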
@@ -0,0 +1,57 @@
+# Cilium sysext
+
+This sysext ships the [Cilium CLI](https://github.com/cilium/cilium-cli).
+
+This sysext includes a service unit file to start cilium at boot.
+
+## Usage
+
+Download and merge the sysext at provisioning time using the below butane
+snippet. Additional install flags can be passed to cilium using the
+CILIUM_INSTALL_ARGS environment variable.
+
+The snippet includes automated updates via systemd-sysupdate.
+Sysupdate will stage updates and request a reboot by creating a flag file at `/run/reboot-required`.
+You can deactivate updates by changing `enabled: true` to `enabled: false` in `systemd-sysupdate.timer`.
+
+```yaml
+variant: flatcar
+version: 1.1.0
+
+storage:
+ files:
+ - path: /opt/extensions/cilium/cilium-v0.16.24-x86-64.raw
+ contents:
+ source: https://github.com/flatcar/sysext-bakery/releases/download/latest/cilium-v0.16.24-x86-64.raw
+ - path: /etc/sysupdate.cilium.d/cilium.conf
+ contents:
+ source: https://github.com/flatcar/sysext-bakery/releases/download/latest/clium.conf
+ - path: /etc/sysupdate.d/noop.conf
+ contents:
+ source: https://github.com/flatcar/sysext-bakery/releases/download/latest/noop.conf
+ links:
+ - target: /opt/extensions/cilium/cilium-v0.16.24-x86-64.raw
+ path: /etc/extensions/cilium.raw
+ hard: false
+
+systemd:
+ units:
+ - name: ollama.service
+ enabled: true
+ dropins:
+ - name: 10-cilium-env-override.conf
+ contents: |
+ [Service]
+ Environment=CILIUM_INSTALL_ARGS="--set kubeProxyReplacement=true --namespace=kube-system"
+ - name: systemd-sysupdate.timer
+ enabled: true
+ - name: systemd-sysupdate.service
+ dropins:
+ - name: cilium.conf
+ contents: |
+ [Service]
+ ExecStartPre=/usr/bin/sh -c "readlink --canonicalize /etc/extensions/cilium.raw > /tmp/cilium"
+ ExecStartPre=/usr/lib/systemd/systemd-sysupdate -C cilium update
+ ExecStartPost=/usr/bin/sh -c "readlink --canonicalize /etc/extensions/cilium.raw > /tmp/cilium-new"
+ ExecStartPost=/usr/bin/sh -c "if ! 
cmp --silent /tmp/cilium /tmp/cilium-new; then touch /run/reboot-required; fi"
+```
diff --git a/docs/index.md b/docs/index.md
index c0cd6f6..9f6b791 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -45,6 +45,7 @@ Check out the README files of specific extensions for detailed usage instruction
 | Extension | Availability | Documentation |
 | ---------------- | ------------ | ------------- |
 | `crio` | released | [crio.md](docs/crio.md) |
+| `cilium` | released | [cilium.md](docs/cilium.md) |
 | `docker` | released | [docker.md](docs/docker.md) |
 | `docker_compose` | released | [docker_compose.md](docs/docker_compose.md) |
 | `falco` | released | [falco.md](docs/falco.md) |
diff --git a/release_build_versions.txt b/release_build_versions.txt
index cf967f1..cf82fee 100644
--- a/release_build_versions.txt
+++ b/release_build_versions.txt
@@ -37,3 +37,5 @@ containerd-2.0.0
 wasmedge-0.14.1
 llamaedge-0.14.16
+
+cilium-v0.16.24