chore(deps): update helm release cilium to v1.17.1 #1484
Open: walnuts1018 wants to merge 1,545 commits into main from renovate/cilium-1.x
Co-authored-by: Renovate Bot <[email protected]>
…rator-0.x chore(deps): update helm release opentelemetry-operator to v0.79.0
Signed-off-by: walnuts1018 <[email protected]>
…strator Signed-off-by: walnuts1018 <[email protected]>
…es in path Signed-off-by: walnuts1018 <[email protected]>
…s.yaml Signed-off-by: walnuts1018 <[email protected]>
…nc success Signed-off-by: walnuts1018 <[email protected]>
…guration Signed-off-by: walnuts1018 <[email protected]>
…dflare webhook settings Signed-off-by: walnuts1018 <[email protected]>
…andling in applications.yaml Signed-off-by: walnuts1018 <[email protected]>
…om 10m to 3m in values.yaml Signed-off-by: walnuts1018 <[email protected]>
…oyment.jsonnet Signed-off-by: walnuts1018 <[email protected]>
…oject.jsonnet Signed-off-by: walnuts1018 <[email protected]>
…nnet Signed-off-by: walnuts1018 <[email protected]>
…sonnet Signed-off-by: walnuts1018 <[email protected]>
… and 5.86.0 respectively in .terraform.lock.hcl Signed-off-by: walnuts1018 <[email protected]>
…sonnet Signed-off-by: walnuts1018 <[email protected]>
b111ace to d55a661
Manifest (k8s/apps) diff
--- snapshots-main/apps/cilium/helm.yaml 2025-02-16 15:34:50.280297228 +0000
+++ snapshots-head/apps/cilium/helm.yaml 2025-02-16 15:34:50.113296287 +0000
@@ -105,7 +105,7 @@
create: false
name: cilium-secrets
repoURL: https://helm.cilium.io/
- targetRevision: 1.16.6
+ targetRevision: 1.17.1
syncPolicy:
automated:
prune: true |
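Review bot: at `targetRevision`, this is a minor-version jump (1.16.6 to 1.17.1) on an Application whose `syncPolicy` is `automated` with `prune: true`, so merging applies the CNI upgrade without a manual gate. Read the 1.17 upgrade notes and go through the rendered Helm diff for changed defaults before merging; if a staged rollout is wanted, sync this Application by hand for the upgrade.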
Helm diff
--- snapshots-main/helm/cilium-helm.yaml 2025-02-16 15:34:50.299297335 +0000
+++ snapshots-head/helm/cilium-helm.yaml 2025-02-16 15:34:50.137296422 +0000
@@ -51,7 +51,8 @@
data:
# Identity allocation mode selects how identities are shared between cilium
- # nodes by setting how they are stored. The options are "crd" or "kvstore".
+ # nodes by setting how they are stored. The options are "crd", "kvstore" or
+ # "doublewrite-readkvstore" / "doublewrite-readcrd".
# - "crd" stores identities in kubernetes as CRDs (custom resource definition).
# These can be queried with:
# kubectl get ciliumid
@@ -60,7 +61,11 @@
# backend. Upgrades from these older cilium versions should continue using
# the kvstore by commenting out the identity-allocation-mode below, or
# setting it to "kvstore".
+ # - "doublewrite" modes store identities in both the kvstore and CRDs. This is useful
+ # for seamless migrations from the kvstore mode to the crd mode. Consult the
+ # documentation for more information on how to perform the migration.
identity-allocation-mode: crd
+
identity-heartbeat-timeout: "30m0s"
identity-gc-interval: "15m0s"
cilium-endpoint-gc-interval: "5m0s"
@@ -109,6 +114,9 @@
ingress-hostnetwork-enabled: "false"
ingress-hostnetwork-shared-listener-port: "8080"
ingress-hostnetwork-nodelabelselector: ""
+ enable-policy-secrets-sync: "true"
+ policy-secrets-only-from-secrets-namespace: "true"
+ policy-secrets-namespace: "cilium-secrets"
# Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
# address.
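Review bot: the three added `policy-secrets-*` keys switch policy secret synchronisation on (`enable-policy-secrets-sync: "true"`) and point it at `cilium-secrets`, and this arrives with the chart rather than from a setting made in this repository. Confirm that enabling it is intended and that `cilium-secrets` holds only secrets meant to be referenced from policies; if the feature is unused here, disable it explicitly.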
@@ -147,6 +155,9 @@
# backend and affinity maps.
bpf-lb-map-max: "65536"
bpf-lb-external-clusterip: "false"
+ bpf-lb-source-range-all-types: "false"
+ bpf-lb-algorithm-annotation: "false"
+ bpf-lb-mode-annotation: "false"
bpf-events-drop-enabled: "true"
bpf-events-policy-verdict-enabled: "true"
@@ -180,7 +191,7 @@
# - disabled
# - vxlan (default)
# - geneve
- # Default case
+
routing-mode: "tunnel"
tunnel-protocol: "vxlan"
service-no-backend-response: "reject"
@@ -199,6 +210,7 @@
enable-xt-socket-fallback: "true"
install-no-conntrack-iptables-rules: "false"
+ iptables-random-fully: "false"
auto-direct-node-routes: "false"
direct-routing-skip-unreachable: "false"
@@ -214,18 +226,21 @@
node-port-bind-protection: "true"
enable-auto-protect-node-port-range: "true"
bpf-lb-acceleration: "disabled"
+ enable-experimental-lb: "false"
enable-svc-source-range-check: "true"
enable-l2-neigh-discovery: "true"
arping-refresh-period: "30s"
k8s-require-ipv4-pod-cidr: "false"
k8s-require-ipv6-pod-cidr: "false"
enable-k8s-networkpolicy: "true"
+ enable-endpoint-lockdown-on-policy-overflow: "false"
# Tell the agent to generate and write a CNI configuration file
write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
cni-exclusive: "true"
cni-log-file: "/var/run/cilium/cilium-cni.log"
enable-endpoint-health-checking: "true"
enable-health-checking: "true"
+ health-check-icmp-failure-threshold: "3"
enable-well-known-identities: "false"
enable-node-selector-labels: "false"
synchronize-k8s-nodes: "true"
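Review bot: `enable-endpoint-lockdown-on-policy-overflow` is rendered as "false" in this hunk, so the new option arrives switched off. Going by its name it decides whether an endpoint is locked down when its policy overflows; decide which behaviour this cluster should have and set the option explicitly either way instead of leaving it to the chart default.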
@@ -259,9 +274,12 @@
hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
ipam: "cluster-pool"
+ ipam-multi-pool-pre-allocation:
ipam-cilium-node-update-rate: "15s"
cluster-pool-ipv4-cidr: "10.0.0.0/8"
cluster-pool-ipv4-mask-size: "24"
+
+ default-lb-service-ipam: "lbipam"
egress-gateway-reconciliation-trigger-interval: "1s"
enable-vtep: "false"
vtep-endpoint: ""
@@ -272,12 +290,12 @@
enable-l2-announcements: "true"
enable-bgp-control-plane: "true"
bgp-secrets-namespace: "kube-system"
+ enable-bgp-control-plane-status-report: "true"
procfs: "/host/proc"
bpf-root: "/sys/fs/bpf"
cgroup-root: "/run/cilium/cgroupv2"
enable-k8s-terminating-endpoint: "true"
enable-sctp: "false"
-
k8s-client-qps: "10"
k8s-client-burst: "20"
remove-cilium-node-taints: "true"
@@ -289,7 +307,7 @@
dnsproxy-socket-linger-timeout: "10"
tofqdns-dns-reject-response-code: "refused"
tofqdns-enable-dns-compression: "true"
- tofqdns-endpoint-max-ip-per-hostname: "50"
+ tofqdns-endpoint-max-ip-per-hostname: "1000"
tofqdns-idle-connection-grace-period: "0s"
tofqdns-max-deferred-connection-deletes: "10000"
tofqdns-proxy-response-max-delay: "100ms"
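Review bot: `tofqdns-endpoint-max-ip-per-hostname` goes from "50" to "1000" here, a twentyfold increase that comes with the chart and not from a decision in this repository. If the previous limit was relied on to bound how many addresses one hostname can contribute per endpoint, pin it back to "50" explicitly; otherwise record the new value in the PR so the change is a conscious one.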
@@ -307,10 +325,12 @@
proxy-max-requests-per-connection: "0"
proxy-max-connection-duration-seconds: "0"
proxy-idle-timeout-seconds: "60"
+ proxy-max-concurrent-retries: "128"
+ http-retry-count: "3"
external-envoy-proxy: "true"
envoy-base-id: "0"
-
+ envoy-access-log-buffer-size: "4096"
envoy-keep-cap-netbindservice: "false"
max-connected-clusters: "255"
clustermesh-enable-endpoint-sync: "false"
@@ -318,6 +338,10 @@
nat-map-stats-entries: "32"
nat-map-stats-interval: "30s"
+ enable-internal-traffic-policy: "true"
+ enable-lb-ipam: "true"
+ enable-non-default-deny-policies: "true"
+ enable-source-ip-verification: "true"
# Extra config allows adding arbitrary properties to the cilium config.
# By putting it at the end of the ConfigMap, it's also possible to override existing properties.
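Review bot: the four keys added after `nat-map-stats-interval` are security-relevant switches that the chart now renders explicitly, in particular `enable-non-default-deny-policies: "true"` and `enable-source-ip-verification: "true"`. Check each against the intended posture of this cluster and override the ones that should differ; the trailing comment notes that the extra-config section at the end of the ConfigMap can override existing properties.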
@@ -331,7 +355,7 @@
data:
# Keep the key name as bootstrap-config.json to avoid breaking changes
bootstrap-config.json: |
- {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3
.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0
.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-health-listener"}]}}
+ {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.Ups
treamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http
2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"matc
h":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-health-listener"}]}}
---
# Source: cilium/templates/hubble-relay/configmap.yaml
apiVersion: v1
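Review bot: both sides of `bootstrap-config.json` are a single minified JSON line, so this hunk cannot be reviewed by eye. Pretty-print the old and new values and diff them; the differences I can pick out in the `+` text are a new `applicationLogConfig.logFormat` and `circuitBreakers` with `maxRetries` 128 on the four `ORIGINAL_DST` clusters, which lines up with `proxy-max-concurrent-retries: "128"` added earlier in this file, and the metrics listener is still bound to `0.0.0.0` on port 9964.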
@@ -347,7 +371,6 @@
gops: true
gops-port: "9893"
metrics-listen-address: ":9966"
- dial-timeout:
retry-timeout:
sort-buffer-len-max:
sort-buffer-drain-timeout:
@@ -704,6 +727,13 @@
- delete
- patch
- apiGroups:
+ - cilium.io
+ resources:
+ - ciliumbgpclusterconfigs/status
+ - ciliumbgppeerconfigs/status
+ verbs:
+ - update
+- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
@@ -749,6 +779,7 @@
- ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides
+ - ciliumbgppeerconfigs
verbs:
- get
- list
@@ -802,6 +833,7 @@
name: hubble-ui
labels:
app.kubernetes.io/part-of: cilium
+
rules:
- apiGroups:
- networking.k8s.io
@@ -880,6 +912,7 @@
name: hubble-ui
labels:
app.kubernetes.io/part-of: cilium
+
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -961,6 +994,24 @@
- list
- watch
---
+# Source: cilium/templates/cilium-agent/role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-tlsinterception-secrets
+ namespace: "cilium-secrets"
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+---
# Source: cilium/templates/cilium-operator/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
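Review bot: the new `cilium-tlsinterception-secrets` Role grants `get`, `list` and `watch` on every Secret in `cilium-secrets`, with no `resourceNames` restriction. The RoleBinding added further down gives this to the `cilium` ServiceAccount in `cilium-system`, so treat everything stored in that namespace as readable by the agent and keep unrelated secrets out of it.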
@@ -980,6 +1031,25 @@
- update
- patch
---
+# Source: cilium/templates/cilium-operator/role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-operator-tlsinterception-secrets
+ namespace: "cilium-secrets"
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - update
+ - patch
+---
# Source: cilium/templates/hubble/tls-cronjob/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
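Review bot: `cilium-operator-tlsinterception-secrets` gives the operator `create`, `delete`, `update` and `patch` on all Secrets in `cilium-secrets`, with no `resourceNames` restriction. Together with the agent's read Role on the same namespace this makes `cilium-secrets` a shared trust boundary, so restrict who else can write there and confirm that nothing outside Cilium depends on secrets kept in it.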
@@ -988,6 +1058,7 @@
namespace: cilium-system
labels:
app.kubernetes.io/part-of: cilium
+
rules:
- apiGroups:
- ""
@@ -1085,6 +1156,23 @@
name: "cilium"
namespace: cilium-system
---
+# Source: cilium/templates/cilium-agent/rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-tlsinterception-secrets
+ namespace: "cilium-secrets"
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-tlsinterception-secrets
+subjects:
+- kind: ServiceAccount
+ name: "cilium"
+ namespace: cilium-system
+---
# Source: cilium/templates/cilium-operator/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
@@ -1102,6 +1190,23 @@
name: "cilium-operator"
namespace: cilium-system
---
+# Source: cilium/templates/cilium-operator/rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-operator-tlsinterception-secrets
+ namespace: "cilium-secrets"
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-operator-tlsinterception-secrets
+subjects:
+- kind: ServiceAccount
+ name: "cilium-operator"
+ namespace: cilium-system
+---
# Source: cilium/templates/hubble/tls-cronjob/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
@@ -1110,6 +1215,7 @@
namespace: cilium-system
labels:
app.kubernetes.io/part-of: cilium
+
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -1170,6 +1276,7 @@
namespace: cilium-system
labels:
cilium.io/ingress: "true"
+ app.kubernetes.io/part-of: cilium
spec:
ports:
- name: http
@@ -1216,6 +1323,7 @@
namespace: cilium-system
labels:
k8s-app: hubble-relay
+
spec:
clusterIP: None
type: ClusterIP
@@ -1238,6 +1346,7 @@
k8s-app: hubble-relay
app.kubernetes.io/name: hubble-relay
app.kubernetes.io/part-of: cilium
+
spec:
type: "ClusterIP"
selector:
@@ -1257,6 +1366,7 @@
k8s-app: hubble-ui
app.kubernetes.io/name: hubble-ui
app.kubernetes.io/part-of: cilium
+
spec:
type: "ClusterIP"
selector:
@@ -1276,6 +1386,7 @@
k8s-app: hubble
app.kubernetes.io/name: hubble
app.kubernetes.io/part-of: cilium
+
annotations:
spec:
clusterIP: None
@@ -1298,6 +1409,7 @@
k8s-app: cilium
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: hubble-peer
+
spec:
selector:
k8s-app: cilium
@@ -1343,7 +1455,7 @@
spec:
containers:
- name: cilium-agent
- image: "quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da"
+ image: "quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866"
imagePullPolicy: IfNotPresent
command:
- cilium-agent
@@ -1517,7 +1629,7 @@
mountPath: /tmp
initContainers:
- name: config
- image: "quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da"
+ image: "quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866"
imagePullPolicy: IfNotPresent
command:
- cilium-dbg
@@ -1544,7 +1656,7 @@
# Required to mount cgroup2 filesystem on the underlying Kubernetes node.
# We use nsenter command with host's cgroup and mount namespaces enabled.
- name: mount-cgroup
- image: "quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da"
+ image: "quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866"
imagePullPolicy: IfNotPresent
env:
- name: CGROUP_ROOT
@@ -1581,7 +1693,7 @@
drop:
- ALL
- name: apply-sysctl-overwrites
- image: "quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da"
+ image: "quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866"
imagePullPolicy: IfNotPresent
env:
- name: BIN_PATH
@@ -1619,7 +1731,7 @@
# from a privileged container because the mount propagation bidirectional
# only works from privileged containers.
- name: mount-bpf-fs
- image: "quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da"
+ image: "quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866"
imagePullPolicy: IfNotPresent
args:
- 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf'
@@ -1635,7 +1747,7 @@
mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
- name: clean-cilium-state
- image: "quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da"
+ image: "quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866"
imagePullPolicy: IfNotPresent
command:
- /init-container.sh
@@ -1686,7 +1798,7 @@
mountPath: /var/run/cilium # wait-for-kube-proxy
# Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent
- name: install-cni-binaries
- image: "quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da"
+ image: "quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866"
imagePullPolicy: IfNotPresent
command:
- "/install-plugin.sh"
@@ -1870,7 +1982,7 @@
spec:
containers:
- name: cilium-envoy
- image: "quay.io/cilium/cilium-envoy:v1.30.9-1737073743-40a016d11c0d863b772961ed0168eea6fe6b10a5@sha256:a69dfe0e54b24b0ff747385c8feeae0612cfbcae97bfcc8ee42a773bb3f69c88"
+ image: "quay.io/cilium/cilium-envoy:v1.31.5-1739264036-958bef243c6c66fcfd73ca319f2eb49fff1eb2ae@sha256:fc708bd36973d306412b2e50c924cd8333de67e0167802c9b48506f9d772f521"
imagePullPolicy: IfNotPresent
command:
- /usr/bin/cilium-envoy-starter
@@ -1879,7 +1991,6 @@
- '-c /var/run/cilium/envoy/bootstrap-config.json'
- '--base-id 0'
- '--log-level info'
- - '--log-format [%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v'
startupProbe:
httpGet:
host: "127.0.0.1"
@@ -1996,7 +2107,7 @@
type: DirectoryOrCreate
- name: envoy-config
configMap:
- name: cilium-envoy-config
+ name: "cilium-envoy-config"
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
items:
@@ -2048,7 +2159,7 @@
spec:
containers:
- name: cilium-operator
- image: "quay.io/cilium/operator-generic:v1.16.6@sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc"
+ image: "quay.io/cilium/operator-generic:v1.17.1@sha256:628becaeb3e4742a1c36c4897721092375891b58bae2bfcae48bbf4420aaee97"
imagePullPolicy: IfNotPresent
command:
- cilium-operator-generic
@@ -2137,6 +2248,7 @@
k8s-app: hubble-relay
app.kubernetes.io/name: hubble-relay
app.kubernetes.io/part-of: cilium
+
spec:
replicas: 1
selector:
@@ -2165,7 +2277,7 @@
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
- image: "quay.io/cilium/hubble-relay:v1.16.6@sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b"
+ image: "quay.io/cilium/hubble-relay:v1.17.1@sha256:397e8fbb188157f744390a7b272a1dec31234e605bcbe22d8919a166d202a3dc"
imagePullPolicy: IfNotPresent
command:
- hubble-relay
@@ -2358,7 +2470,7 @@
type: RuntimeDefault
containers:
- name: certgen
- image: "quay.io/cilium/certgen:v0.2.0@sha256:169d93fd8f2f9009db3b9d5ccd37c2b753d0989e1e7cd8fe79f9160c459eef4f"
+ image: "quay.io/cilium/certgen:v0.2.1@sha256:ab6b1928e9c5f424f6b0f51c68065b9fd85e2f8d3e5f21fbd1a3cb27e6fb9321"
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
@@ -2371,7 +2483,7 @@
# line args instead of via config map. This allows users to inspect
# the values used in past runs by inspecting the completed pod.
args:
- - "--ca-generate"
+ - "--ca-generate=true"
- "--ca-reuse-secret"
- "--ca-secret-namespace=cilium-system"
- "--ca-secret-name=cilium-ca"
@@ -2401,6 +2513,7 @@
- key encipherment
- client auth
validity: 8760h
+
hostNetwork: false
serviceAccount: "hubble-generate-certs"
serviceAccountName: "hubble-generate-certs"
@@ -2425,6 +2538,7 @@
metadata:
name: cilium-ingress
namespace: cilium-system
+ labels:
subsets:
- addresses:
- ip: "192.192.192.192"
@@ -2442,7 +2556,7 @@
spec:
selector:
matchLabels:
- k8s-app: cilium
+ app.kubernetes.io/name: cilium-agent
namespaceSelector:
matchNames:
- cilium-system
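Review bot: the ServiceMonitor selector changes from `k8s-app: cilium` to `app.kubernetes.io/name: cilium-agent`, and nothing in this diff shows that label on the Service it is meant to match. Check the rendered agent metrics Service for `app.kubernetes.io/name: cilium-agent` before merging; a selector that matches nothing drops the scrape target without an error.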
@@ -2456,15 +2570,8 @@
sourceLabels:
- __meta_kubernetes_pod_node_name
targetLabel: node
- - port: envoy-metrics
- interval: "10s"
- honorLabels: true
- path: /metrics
- relabelings:
- - replacement: ${1}
- sourceLabels:
- - __meta_kubernetes_pod_node_name
- targetLabel: node
+ # If envoy DaemonSet is enabled, we'll create a separate service for it
+ # If it is not enabled, that means envoy runs inside cilium-agent and we'll monitor using same service
targetLabels:
- k8s-app
---
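Review bot: the `envoy-metrics` endpoint is removed from this ServiceMonitor, and the replacement comment says a separate service is created when the envoy DaemonSet is enabled. This config has `external-envoy-proxy: "true"`, yet no new envoy ServiceMonitor appears in the diff, so verify after sync that envoy metrics are still scraped and add a monitor for them if they are not.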
@@ -2591,7 +2698,7 @@
type: RuntimeDefault
containers:
- name: certgen
- image: "quay.io/cilium/certgen:v0.2.0@sha256:169d93fd8f2f9009db3b9d5ccd37c2b753d0989e1e7cd8fe79f9160c459eef4f"
+ image: "quay.io/cilium/certgen:v0.2.1@sha256:ab6b1928e9c5f424f6b0f51c68065b9fd85e2f8d3e5f21fbd1a3cb27e6fb9321"
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
@@ -2604,7 +2711,7 @@
# line args instead of via config map. This allows users to inspect
# the values used in past runs by inspecting the completed pod.
args:
- - "--ca-generate"
+ - "--ca-generate=true"
- "--ca-reuse-secret"
- "--ca-secret-namespace=cilium-system"
- "--ca-secret-name=cilium-ca"
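Review bot: the context comment says the arguments are passed on the command line so that past runs can be inspected from the completed pod, which means anyone who can read the pod spec sees every argument. The args visible here carry only flags, a namespace and a secret name, which is fine; keep overrides to that kind of value and never pass key material this way. The `--ca-generate=true` line is the same change as in the earlier certgen hunk.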
@@ -2634,6 +2741,7 @@
- key encipherment
- client auth
validity: 8760h
+
hostNetwork: false
serviceAccount: "hubble-generate-certs"
serviceAccountName: "hubble-generate-certs" |
Edited/Blocked Notification
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above.
b17ea65
to
76b9669
This PR contains the following updates:
1.16.6 -> 1.17.1
Release Notes
cilium/cilium (cilium)
v1.17.1
v1.17.0: 1.17.0
We are excited to announce the Cilium 1.17.0 release!
A total of 2761 new commits have been contributed to this release by a growing community of over 880 developers and over 20,800 GitHub stars! 🤩
To keep up to date with all the latest Cilium releases, see Announcements
Here's what's new in v1.17.0:
🚠 Networking
💂♀️ Security
🕸️ Service Mesh & Gateway API
🛰️ Observability
🌅 Scale
🏘️ Community
And finally, we would like to thank all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ ❤️ ❤️
For the full changelog check https://github.com/cilium/cilium/blob/v1.17.0/CHANGELOG.md
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.