feat(helm): update chart cilium to 1.16.5 #734
base: main
Path: @@ -1,1309 +1 @@
----
-# Source: cilium/templates/cilium-agent/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: "cilium"
- namespace: default
----
-# Source: cilium/templates/cilium-operator/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: "cilium-operator"
- namespace: default
----
-# Source: cilium/templates/hubble-relay/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: "hubble-relay"
- namespace: default
----
-# Source: cilium/templates/hubble-ui/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: "hubble-ui"
- namespace: default
----
-# Source: cilium/templates/cilium-ca-secret.yaml
-apiVersion: v1
-kind: Secret
-metadata:
- name: cilium-ca
- namespace: default
-data:
- ca.crt: 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
- ca.key: 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
----
-# Source: cilium/templates/hubble/tls-helm/ca-secret.yaml
-apiVersion: v1
-kind: Secret
-metadata:
- name: hubble-ca-secret
- namespace: default
-data:
- ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lRQjRtQmpSd0pqWVFKSGZOenpuM1JyREFOQmdrcWhraUc5dzBCQVFzRkFEQVUKTVJJd0VBWURWUVFERXdsRGFXeHBkVzBnUTBFd0hoY05NalF4TWpFNE1ERXlNelF5V2hjTk1qY3hNakU0TURFeQpNelF5V2pBVU1SSXdFQVlEVlFRREV3bERhV3hwZFcwZ1EwRXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRQzdlVUZXck5ldDlmRUN0WFpFY1ZRVHRsMUpETXpSK1NHNHYxQzZ6bVB0dVVqUXFURWkKQXJlSjRuSHpuUVRSMndHbmFjd0trV0wvcWVVcmZHNDZmMHg1VzF1T05yUHBqeTZ4WncwaStWQkNiNkR1NzdYdApYc0hWenVUa0tyK25IUk5qZDhzWloxaVZiSnZlb29uRUNxb0Y2VW5sMDFCLzByWnVFYnQ1MVllY1FHNzRJSU5YCjREUHBNTXc1NVhkRVJnK1pQVVFLeTdVZXg5RWx3b2djalluYndFcnBxai9UenpqNnVrTE9pNGpBcVMvS25wRDMKajJ2Q3BQM0NPVWNrTmR6Y0pUMDdoZWVKaEozaGNCVXRFemtqNzZwVEMzVE8vekQyKzM1V2JIY1VLbGcxRFdKbAo2RXFlTDc2L1Z1ckVjeTRGcnp1ZDFQSVF5bWZkOS91Q1V4d3RBZ01CQUFHallUQmZNQTRHQTFVZER3RUIvd1FFCkF3SUNwREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXcKQXdFQi96QWRCZ05WSFE0RUZnUVViYlROZHozeVNEWTN0Q3JRU3pVQjRJQXc1T293RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFJdDFDYWgrMXEyOGEwL3NMKzZjSWdaeG81NVM2WTZiT21mOVlxOXJHUTdvVEZSRWNtYzdtY21jCjlJVTQrdjdTRExWeWRFd0NJbGpDcS8zaWFONXZQNlNoVTR1QVhEWXlISDBwbXRJRUNqMzE0cTYxdlhHQWRpNzkKNzFERnZSTTdHYjJaNUVpSHdoYk1mTVlObTBkUkhnUGd2ZFdKY1MvQ2F5M1FZWTdtRnVMNUk2d3hlUmlhUDUxYgpHTm5uYzBYNWNFc0h3SlY0WnBWWW4xbGI5Y1BqZEtac3dMaW41WHl0M1VXUzNnTUpoTmNONlN1c2htcEVwclJXClVqMlFVeFJOcitDN1JlWlg2WjRLM0diWVpERWJsUUtFUlhCb1Jjck5xVnIwWGdSTTE2ZVB2SFcwS0ozSzRuY0EKd3FhWGIrMHJiOFFRVzlMaTlTNEJXa0x6U25LSTlvUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
- ca.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdTNsQlZxelhyZlh4QXJWMlJIRlVFN1pkU1F6TTBma2h1TDlRdXM1ajdibEkwS2t4CklnSzNpZUp4ODUwRTBkc0JwMm5NQ3BGaS82bmxLM3h1T245TWVWdGJqamF6Nlk4dXNXY05JdmxRUW0rZzd1KzEKN1Y3QjFjN2s1Q3EvcHgwVFkzZkxHV2RZbFd5YjNxS0p4QXFxQmVsSjVkTlFmOUsyYmhHN2VkV0huRUJ1K0NDRApWK0F6NlRETU9lVjNSRVlQbVQxRUNzdTFIc2ZSSmNLSUhJMkoyOEJLNmFvLzA4ODQrcnBDem91SXdLa3Z5cDZRCjk0OXJ3cVQ5d2psSEpEWGMzQ1U5TzRYbmlZU2Q0WEFWTFJNNUkrK3FVd3QwenY4dzl2dCtWbXgzRkNwWU5RMWkKWmVoS25pKyt2MWJxeEhNdUJhODduZFR5RU1wbjNmZjdnbE1jTFFJREFRQUJBb0lCQUNiTkJkVG1tUTBNSmdHbApoUUROWTlWZ25SWU5iQ2JaSlQyVGV5WHVxWWYrSFMveWxKU3hjME02ZHRNdzRGcCt0V3pzM0tvalJSWWRGNjFVClo0djc1TndKS0gzYW5JbnVkSCtMRUpENGdMLy9VcE9oVVVuN25xcWQwNG5Wdnl6Yk83UU9peDZLNFM2cjkrYXcKUlVzcDJkNjNWZkFYT0VYOFduMlZkZlBWV2VmZ28yZmVRUlBnTGhIVXV0NEVRZGEra1dZbXRqcTJDTUJpdjdrZQpHRTByYndRRTRNMUNEN01zSnNGeU9BMXFsZ2dlQXBvTU1zcmtZMkNGWis4aHpTUFIyMzVMaGQzT2Ntb3c0TlNjClBxUnJrN2lXRG4rMExiZWNMOWVpdkVWbXZ4aEFJMGxBbEhUMVdWY3lqTmdwY0hPU3dRWEVPSTZzRWh3S0poSnAKYW5hUzRKRUNnWUVBMitxQUkxVmo0Qk9tN3hXaVM0RVFMVDZLV3gwRzF6Ry9wZXJib29aREFNejM3WitBWDJ5MgpDTEFxa1R6SmFRVTg0YkNwd1ZrK0hFMHVPYlExVjB4TkZmbG1YNGRnVC9xMW95QmViMnU1Q25UV2wwUktVQkJoCmpBWDRNa0RISE9HZVJTUFU4THV2MmtjS0ZKV3BEeE1VeEdIN0UwMGpyRjg4cjNlbENscjhmbk1DZ1lFQTJqd0cKSDM5bmg2a1lZaHd6ZUk4SlZ3M3JYMGJGZXlKWER0ak5EUldVTnNlWUNHVG83d1o0REZOemdZL2xpb0ZLdkFUOQoycnV6UWpydysyRzBsbTJPcG11aWVpMTFyOXJZSWZ1aHg1Qmo2eDBpYy9WcDJIL3JmU2pVYXM3WjR3THN5bjNJCmg1ckpIZ3FzZndFcjJKUVhsb3h0bWk1VXM2K3BUNjNUa1ROM3N0OENnWUFEcHFENTlURHpSMkErRjkzWjR3cWgKdGFnV1d5VUI3WkdBNzZVMXpZVFBQcGZmR2diSGpzWjIzblhXYzJ2a2tuR3dUWDZEOXpkUXdQZERmZnBrdUorTwovZFQxUVFvWVNkRTZKQTl0U2h5SVQraEFHcUloTWlSc2JxendLS01sbDVsSkRJODhiK0U3Zm5Kc1pRK3BjR2VuCjJ2aVFHWGUrSk5hZEV4OXFUSmhrZ1FLQmdRQ1pORG80TW9ERHcvblNKbW9iNEk1MkJ0ZU44Mmovb0lQdGNGWEQKTWJyekdmdXBLTzQ5bnhUMzBqM3NYdENPQTJZcnlIVk44U2RPLzRIZGVDSUcyTEtrTWp2RitkUDh1RzJ5cmF4TgpKUmlBSGR2cC9BZHFiYU1zSWxXOUJhb0FyRFQva240TWRLVnI2YUpmSnJ0Wk45MjNXcTQyNXYrZmhWb2ZEYkRRCjVvakprUUtCZ1FDZXVERE8vcVZRZnk4ZEl6Y3VXTm
hnc2VmYTNydlhjU1JYNUVUQ2pLSTE2QWZtdXZuVVd3anIKVmxodkRvUmpwd1hFT0JWaGUzcWFETEJyeGZmcnhyU1JXa3hLQU1zTTl0M0VjYit5b0VCMFdXUXZ6SFVOenplWQoxZVlHcXFSOGE5YTIxWlo3cG4wTnVHaDdQUCtqZkpFME9WdGZiVm5GQnFiOVU2S3UrMHMvNFE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
----
-# Source: cilium/templates/hubble/tls-helm/relay-client-secret.yaml
-apiVersion: v1
-kind: Secret
-metadata:
- name: hubble-relay-client-certs
- namespace: default
-type: kubernetes.io/tls
-data:
- ca.crt: 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
- tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTRENDQWpDZ0F3SUJBZ0lRTHI3bnhHYTRsWnkxQUIzQkRLbCtyVEFOQmdrcWhraUc5dzBCQVFzRkFEQVUKTVJJd0VBWURWUVFERXdsRGFXeHBkVzBnUTBFd0hoY05NalF4TWpFNE1ERXlNelF5V2hjTk1qY3hNakU0TURFeQpNelF5V2pBak1TRXdId1lEVlFRRERCZ3FMbWgxWW1Kc1pTMXlaV3hoZVM1amFXeHBkVzB1YVc4d2dnRWlNQTBHCkNTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFERUZpWloyQ3I0RWJGem00cGI2L29DdE91NFRacGcKeTBGZ2lyN0pzUm8rMmdHbGVkY0Z0Q20xdWJZQUZWV0JJQnRweDczdXJpNXVRb1Zoa0xQalpKblZGZHZNOVhlZgo2MWRwRFNSZzBmQjJpc2Fpa0dyckwzcTJCVEdMWU44dkI4OFlQc203cGVEN0NCcTFZTXU1eG1yT3lhdjlPdjQ0CmxFTTJGWUgydVB2VktCczVwalg0TWRGWnZRd2I4OXJ3VFNJRzhhTXhIQ2Y0WWN5QXJhbEpWd1lBazVYZkNvK0EKeVp1MllIUnlzUnNSNVhvanBnYXd3cXhkNkRCSEdqeUdmODhVUHhNdXhOUXVKKzlwNldTM29SMVFzNGtUMGd3VQo0ZzNhdXFDYmloSG1pNVlyanBHU1lUWlRqS0p1NmZtSGx3bDczWmx3UCtXNVBQaVlMRW41YkRsTEFnTUJBQUdqCmdZWXdnWU13RGdZRFZSMFBBUUgvQkFRREFnV2dNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUYKQlFjREFqQU1CZ05WSFJNQkFmOEVBakFBTUI4R0ExVWRJd1FZTUJhQUZHMjB6WGM5OGtnMk43UXEwRXMxQWVDQQpNT1RxTUNNR0ExVWRFUVFjTUJxQ0dDb3VhSFZpWW14bExYSmxiR0Y1TG1OcGJHbDFiUzVwYnpBTkJna3Foa2lHCjl3MEJBUXNGQUFPQ0FRRUFSYVNMS2dwaTBWSXNta0RPc2duOExXNG56aGRyOTNDTHZVNUxQdEJjYXdta2dyZFIKLytQUkt2KzZOWEg2SjRadldOMjRpQlhaKzBnRWF1enQzS21udlBOZjBQMm1MMHoySzF2OGt0cU5Md3JUMHNMcgpnSUh1R0Z5aEZZalBWNm83ZkM3bjZwK2s1Vmk0KzZWMG1KVnNodlovK29VcFJhTWxmS1BZRzl4S0FNMmdqWDFLCmFMTW92OGRmTFVvclNJK3JLM01jVXhMdWRxRlNqbk5jNnVuQ2hrRUJRL3JhdzZ0OWM1WmNBZk5oeTRFQ1VKWjQKbG1BT2N4MjJlckorOVVROVdESzF5amIxa1B2cFN5UHJZMEd5T1hjOXY5QkZrWGFpM1QzNTJSdVZVMUNWYmlXOApaV0hhNE5ObWtnbEoxTndScFpYckVsR2FnQndIdGtuUkZmajNYdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
- tls.key: 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
----
-# Source: cilium/templates/hubble/tls-helm/server-secret.yaml
-apiVersion: v1
-kind: Secret
-metadata:
- name: hubble-server-certs
- namespace: default
-type: kubernetes.io/tls
-data:
- ca.crt: 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
- tls.crt: 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
- tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBbWd6RjM3aTJuZDlhTlRmdUgyZzM2K3RUN0o4U0xSRFRJdmMyRXV1N3p1MFZhUlNNCmhyaG1ueFFwSDUzMFRnbjJSVE93Wkh5TmdjNlh5VjRxUzR0b0toRFpnQldDa2lPUGFOOHM1bHJpM25CMzBJSU4Kcm52VHFCdmlsSVBJaytMbUMyTGozTVdpVko1M0NOWm5WYkwzSCtDL0FadERkMnpQeU5VVHFTOEFqejVMalNSWAptbXdEMnhoNi90SGpnR3lqdzhPbkJnYkJSaGdwZ0VRbXZpa0FFd2lJa0pYR2lwYWlDMnU2djVwK2J1SEt3OVZCCnczVHNiNEZVbm1pc3l1U1ZUMTBOUldrNDQ3ZGQ0S0Y1RGwxRC9HMGhjNjNzN2huaEhQay9naU1PL3R5d2dLbGkKNjBLYmUzbGlWTkNYRm9veklGTlFZKzN0a3F5bzF0SVZkaUh5aXdJREFRQUJBb0lCQUZZaDNDVXBueG1JUDJUUQpIOWo1cVlMRU1rbHo2M0s5SElCSlhyZVhqSXUzTGFoeUw5eEhrRUZUd1dhSEo0aldzeGFnUHZrQVZ4S0VFNFFvCm5WZGQyK0RoU09yL20rRGY5eGc0NkY3bjVEOWcvT3pkT284YmR3MWdnZ0J0NnFFZFZXaDZZMU1XUVp3MGVmTzgKQlV6NllvZzFYamFrdkVVeTFyN0F2RngxQmtnUU80ejI5b0dnTDNxRFAzcitheWQ0RVpoeGZvK1MxWTRmdFYzUApKYllxTGhHRkt2RjJhbkovUmtVdjNnckNndGg0VkxuQ1ZtY0hKQkVQa01vNnJWaXlkNXRPR1UzN2xvQVlHaE9YCk81NVdDd0loYThMcS9tbkkrRmVLUnU3MXpZNG1xMXZ1ZGVQT0dEZUUvdlZPY3FzRER3cTY0UVZXcFo2WFJUaEkKZm1oYUVXRUNnWUVBd3g4L0g2bzk5bEdIcjFyTXZhVzJFRFdzdG1PQXJTY2k2eWVrRjZ5eWNvYjlxb1gzeG9KdgpZMVBXZENLQXVJRmV6VGlscUtBTjBJMk5qNFExS0lmWm9wcFZyOXUvS05yeDVsNkdRYnJnRTIyd21yS2JwRzRICnZNeVppb3ZKTy9HWWhNNlNoUWtCREtxenNVdFhydFdyRTZqQkRMRnVMcGJYVmJyM3ZvTS9qWnNDZ1lFQXloMEUKb0REcERpQlc1bHJQbzNna083dTdESDBtcjdhMmtOWk9RSmVVbEJveERTY2lBNit4d2U1Y3FET0lqUlpQZzRiZgoreHJoOUxIbFZsUWRXRkovY1dZWG9iME1BQ1pLbHhGUFZTa25mR24xR0c1RG9kNzAzSHZrOUN4RjhBOHpMdkNxCnlGSjRlR0tXNFR2S3ZzbE5iOGlMSG9IczVwU2dBMmVvRXo3TzlkRUNnWUE5UjBUbHh1dHF2alFrcUJtQXZkZ3QKd3cyWXdpc1pOaDlMUnNuTC9acVZTVHZGSUFtdXVDd1BQN2NzQmVIekQvNGI2Vnh0VnNhLzVwUzhxOEtlRmZ3TgppdmE2SWdNbzY0bm8xV3JJbmMzZGpDZFlqaHMvU3FiM2JqSVNSdEJPR1JQVE1hVG1UdXViZE1pMk4zazBHVHAvCkZCSjgwQVJRY1dMek02SzJuRFdMWFFLQmdGek5iaTVQeHZNaGprVS9OVkFOL2pVZlFnZTkvMkYzTitUUlFpVU8KZEw1OE9FR2QwbFIyKzl2Y0l0ZG9zaTUyTEJSc2ZiUEM2RFYrNlpyMkRITmRqZjczcmFvcUw3Ung0SlgwOE1SZApuUy9YUng3c29rbFZJb0dLc2RvYjZoRU1LYWhJQVdMeDJ6Y0xyZFBGckpabHdCU3Z0SkZSZndGeEJQZ0xSSFZ4CnhYM0JBb0dBYjVROC9ML0M0TDgyUk1SK2ZKRDVVb
FhFSDdwc0NGSGJWMjhERW42MDJqbXBxdHBlSHdxT2pBK0EKcXYxcFh4YnhHRk93SkJ5dWEybUVYQUNBQmVDdDdBZUwxdkJtUTRvSVgxYldLK2VqVEV5Y01PVUkzQkRjcTBVZAp5dzF3bGY4U2RJdWZ2R3NGUWF5dysyYXRvdnFZZDVIOGYreHpQTW00aEF4NkIvNVJyUTA9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
----
-# Source: cilium/templates/cilium-configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: cilium-config
- namespace: default
-data:
- # Identity allocation mode selects how identities are shared between cilium
- # nodes by setting how they are stored. The options are "crd" or "kvstore".
- # - "crd" stores identities in kubernetes as CRDs (custom resource definition).
- # These can be queried with:
- # kubectl get ciliumid
- # - "kvstore" stores identities in an etcd kvstore, that is
- # configured below. Cilium versions before 1.6 supported only the kvstore
- # backend. Upgrades from these older cilium versions should continue using
- # the kvstore by commenting out the identity-allocation-mode below, or
- # setting it to "kvstore".
- identity-allocation-mode: crd
- cilium-endpoint-gc-interval: "5m0s"
- nodes-gc-interval: "5m0s"
- # Disable the usage of CiliumEndpoint CRD
- disable-endpoint-crd: "false"
- # If you want to run cilium in debug mode change this value to true
- debug: "false"
- # The agent can be put into the following three policy enforcement modes
- # default, always and never.
- # https://docs.cilium.io/en/latest/policy/intro/#policy-enforcement-modes
- enable-policy: "default"
- # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
- # address.
- enable-ipv4: "true"
- # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6
- # address.
- enable-ipv6: "false"
- # Users who wish to specify their own custom CNI configuration file must set
- # custom-cni-conf to "true", otherwise Cilium may overwrite the configuration.
- custom-cni-conf: "false"
- enable-bpf-clock-probe: "true"
- # If you want cilium monitor to aggregate tracing for packets, set this level
- # to "low", "medium", or "maximum". The higher the level, the less packets
- # that will be seen in monitor output.
- monitor-aggregation: medium
- # The monitor aggregation interval governs the typical time between monitor
- # notification events for each allowed connection.
- #
- # Only effective when monitor aggregation is set to "medium" or higher.
- monitor-aggregation-interval: 5s
- # The monitor aggregation flags determine which TCP flags which, upon the
- # first observation, cause monitor notifications to be generated.
- #
- # Only effective when monitor aggregation is set to "medium" or higher.
- monitor-aggregation-flags: all
- # Specifies the ratio (0.0-1.0) of total system memory to use for dynamic
- # sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps.
- bpf-map-dynamic-size-ratio: "0.0025"
- # bpf-policy-map-max specifies the maximum number of entries in endpoint
- # policy map (per endpoint)
- bpf-policy-map-max: "16384"
- # bpf-lb-map-max specifies the maximum number of entries in bpf lb service,
- # backend and affinity maps.
- bpf-lb-map-max: "65536"
- # bpf-lb-bypass-fib-lookup instructs Cilium to enable the FIB lookup bypass
- # optimization for nodeport reverse NAT handling.
- bpf-lb-external-clusterip: "false"
- # Pre-allocation of map entries allows per-packet latency to be reduced, at
- # the expense of up-front memory allocation for the entries in the maps. The
- # default value below will minimize memory usage in the default installation;
- # users who are sensitive to latency may consider setting this to "true".
- #
- # This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore
- # this option and behave as though it is set to "true".
- #
- # If this value is modified, then during the next Cilium startup the restore
- # of existing endpoints and tracking of ongoing connections may be disrupted.
- # As a result, reply packets may be dropped and the load-balancing decisions
- # for established connections may change.
- #
- # If this option is set to "false" during an upgrade from 1.3 or earlier to
- # 1.4 or later, then it may cause one-time disruptions during the upgrade.
- preallocate-bpf-maps: "false"
- # Regular expression matching compatible Istio sidecar istio-proxy
- # container image names
- sidecar-istio-proxy-image: "cilium/istio_proxy"
- # Name of the cluster. Only relevant when building a mesh of clusters.
- cluster-name: ${CLUSTER_NAME}
- # Unique ID of the cluster. Must be unique across all conneted clusters and
- # in the range of 1 and 255. Only relevant when building a mesh of clusters.
- cluster-id: "${CLUSTER_ID}"
- # Encapsulation mode for communication between nodes
- # Possible values:
- # - disabled
- # - vxlan (default)
- # - geneve
- tunnel: "disabled"
- # Enables L7 proxy for L7 policy enforcement and visibility
- enable-l7-proxy: "true"
- enable-ipv4-masquerade: "true"
- enable-ipv6-masquerade: "true"
- enable-xt-socket-fallback: "true"
- install-iptables-rules: "true"
- install-no-conntrack-iptables-rules: "false"
- auto-direct-node-routes: "true"
- enable-local-redirect-policy: "true"
- ipv4-native-routing-cidr: ${NETWORK_K8S_CLUSTER_CIDR}
- kube-proxy-replacement: "strict"
- kube-proxy-replacement-healthz-bind-address: "0.0.0.0:10256"
- bpf-lb-sock: "false"
- enable-health-check-nodeport: "true"
- node-port-bind-protection: "true"
- enable-auto-protect-node-port-range: "true"
- bpf-lb-mode: "dsr"
- bpf-lb-algorithm: "maglev"
- enable-svc-source-range-check: "true"
- enable-l2-neigh-discovery: "true"
- arping-refresh-period: "30s"
- enable-endpoint-routes: "true"
- enable-endpoint-health-checking: "true"
- enable-health-checking: "true"
- enable-well-known-identities: "false"
- enable-remote-node-identity: "true"
- synchronize-k8s-nodes: "true"
- operator-api-serve-addr: "127.0.0.1:9234"
- # Enable Hubble gRPC service.
- enable-hubble: "true"
- # UNIX domain socket for Hubble server to listen to.
- hubble-socket-path: "/var/run/cilium/hubble.sock"
- # Address to expose Hubble metrics (e.g. ":7070"). Metrics server will be disabled if this
- # field is not set.
- hubble-metrics-server: ":9965"
- # A space separated list of metrics to enable. See [0] for available metrics.
- #
- # https://github.com/cilium/hubble/blob/master/Documentation/metrics.md
- hubble-metrics: dns:query;ignoreAAAA drop tcp flow port-distribution icmp http
- # An additional address for Hubble server to listen to (e.g. ":4244").
- hubble-listen-address: ":4244"
- hubble-disable-tls: "false"
- hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
- hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
- hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
- ipam: "kubernetes"
- disable-cnp-status-updates: "true"
- enable-vtep: "false"
- vtep-endpoint: ""
- vtep-cidr: ""
- vtep-mask: ""
- vtep-mac: ""
- bgp-announce-lb-ip: "true"
- enable-bgp-control-plane: "false"
- bpf-root: "/sys/fs/bpf"
- cgroup-root: "/run/cilium/cgroupv2"
- enable-k8s-terminating-endpoint: "true"
- remove-cilium-node-taints: "true"
- set-cilium-is-up-condition: "true"
- unmanaged-pod-watcher-interval: "15"
- tofqdns-dns-reject-response-code: "refused"
- tofqdns-enable-dns-compression: "true"
- tofqdns-endpoint-max-ip-per-hostname: "50"
- tofqdns-idle-connection-grace-period: "0s"
- tofqdns-max-deferred-connection-deletes: "10000"
- tofqdns-min-ttl: "3600"
- tofqdns-proxy-response-max-delay: "100ms"
- agent-not-ready-taint-key: "node.cilium.io/agent-not-ready"
----
-# Source: cilium/templates/hubble-relay/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: hubble-relay-config
- namespace: default
-data:
- config.yaml: "cluster-name: ${CLUSTER_NAME}\npeer-service: \"hubble-peer.default.svc.cluster.local:443\"\nlisten-address: :4245\ndial-timeout: \nretry-timeout: \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ntls-client-cert-file: /var/lib/hubble-relay/tls/client.crt\ntls-client-key-file: /var/lib/hubble-relay/tls/client.key\ntls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt\ndisable-server-tls: true\n"
----
-# Source: cilium/templates/hubble-ui/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: hubble-ui-nginx
- namespace: default
-data:
- nginx.conf: "server {\n listen 8081;\n listen [::]:8081;\n server_name localhost;\n root /app;\n index index.html;\n client_max_body_size 1G;\n\n location / {\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n\n # CORS\n add_header Access-Control-Allow-Methods \"GET, POST, PUT, HEAD, DELETE, OPTIONS\";\n add_header Access-Control-Allow-Origin *;\n add_header Access-Control-Max-Age 1728000;\n add_header Access-Control-Expose-Headers content-length,grpc-status,grpc-message;\n add_header Access-Control-Allow-Headers range,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout;\n if ($request_method = OPTIONS) {\n return 204;\n }\n # /CORS\n\n location /api {\n proxy_http_version 1.1;\n proxy_pass_request_headers on;\n proxy_hide_header Access-Control-Allow-Origin;\n proxy_pass http://127.0.0.1:8090;\n }\n\n location / {\n try_files $uri $uri/ /index.html;\n }\n }\n}"
----
-# Source: cilium/templates/cilium-agent/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cilium
-rules:
- - apiGroups:
- - networking.k8s.io
- resources:
- - networkpolicies
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - namespaces
- - services
- - pods
- - endpoints
- - nodes
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - list
- - watch
- # This is used when validating policies in preflight. This will need to stay
- # until we figure out how to avoid "get" inside the preflight, and then
- # should be removed ideally.
- - get
- - apiGroups:
- - cilium.io
- resources:
- - ciliumbgploadbalancerippools
- - ciliumbgppeeringpolicies
- - ciliumclusterwideenvoyconfigs
- - ciliumclusterwidenetworkpolicies
- - ciliumegressgatewaypolicies
- - ciliumegressnatpolicies
- - ciliumendpoints
- - ciliumendpointslices
- - ciliumenvoyconfigs
- - ciliumidentities
- - ciliumlocalredirectpolicies
- - ciliumnetworkpolicies
- - ciliumnodes
- verbs:
- - list
- - watch
- - apiGroups:
- - cilium.io
- resources:
- - ciliumidentities
- - ciliumendpoints
- - ciliumnodes
- verbs:
- - create
- - apiGroups:
- - cilium.io
- # To synchronize garbage collection of such resources
- resources:
- - ciliumidentities
- verbs:
- - update
- - apiGroups:
- - cilium.io
- resources:
- - ciliumendpoints
- verbs:
- - delete
- - get
- - apiGroups:
- - cilium.io
- resources:
- - ciliumnodes
- - ciliumnodes/status
- verbs:
- - get
- - update
- - apiGroups:
- - cilium.io
- resources:
- - ciliumnetworkpolicies/status
- - ciliumclusterwidenetworkpolicies/status
- - ciliumendpoints/status
- - ciliumendpoints
- verbs:
- - patch
----
-# Source: cilium/templates/cilium-operator/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cilium-operator
-rules:
- - apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - list
- - watch
- # to automatically delete [core|kube]dns pods so that are starting to being
- # managed by Cilium
- - delete
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- # To remove node taints
- - nodes
- # To set NetworkUnavailable false on startup
- - nodes/status
- verbs:
- - patch
- - apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- # to perform LB IP allocation for BGP
- - services/status
- verbs:
- - update
- - apiGroups:
- - ""
- resources:
- # to check apiserver connectivity
- - namespaces
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- # to perform the translation of a CNP that contains `ToGroup` to its endpoints
- - services
- - endpoints
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - cilium.io
- resources:
- - ciliumnetworkpolicies
- - ciliumclusterwidenetworkpolicies
- verbs:
- # Create auto-generated CNPs and CCNPs from Policies that have 'toGroups'
- - create
- - update
- - deletecollection
- # To update the status of the CNPs and CCNPs
- - patch
- - get
- - list
- - watch
- - apiGroups:
- - cilium.io
- resources:
- - ciliumnetworkpolicies/status
- - ciliumclusterwidenetworkpolicies/status
- verbs:
- # Update the auto-generated CNPs and CCNPs status.
- - patch
- - update
- - apiGroups:
- - cilium.io
- resources:
- - ciliumendpoints
- - ciliumidentities
- verbs:
- # To perform garbage collection of such resources
- - delete
- - list
- - watch
- - apiGroups:
- - cilium.io
- resources:
- - ciliumidentities
- verbs:
- # To synchronize garbage collection of such resources
- - update
- - apiGroups:
- - cilium.io
- resources:
- - ciliumnodes
- verbs:
- - create
- - update
- - get
- - list
- - watch
- # To perform CiliumNode garbage collector
- - delete
- - apiGroups:
- - cilium.io
- resources:
- - ciliumnodes/status
- verbs:
- - update
- - apiGroups:
- - cilium.io
- resources:
- - ciliumendpointslices
- - ciliumenvoyconfigs
- verbs:
- - create
- - update
- - get
- - list
- - watch
- - delete
- - apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - create
- - get
- - list
- - watch
- - apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - update
- resourceNames:
- - ciliumbgploadbalancerippools.cilium.io
- - ciliumbgppeeringpolicies.cilium.io
- - ciliumclusterwideenvoyconfigs.cilium.io
- - ciliumclusterwidenetworkpolicies.cilium.io
- - ciliumegressgatewaypolicies.cilium.io
- - ciliumegressnatpolicies.cilium.io
- - ciliumendpoints.cilium.io
- - ciliumendpointslices.cilium.io
- - ciliumenvoyconfigs.cilium.io
- - ciliumexternalworkloads.cilium.io
- - ciliumidentities.cilium.io
- - ciliumlocalredirectpolicies.cilium.io
- - ciliumnetworkpolicies.cilium.io
- - ciliumnodes.cilium.io
- # For cilium-operator running in HA mode.
- #
- # Cilium operator running in HA mode requires the use of ResourceLock for Leader Election
- # between multiple running instances.
- # The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less
- # common and fewer objects in the cluster watch "all Leases".
- - apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
- - get
- - update
----
-# Source: cilium/templates/hubble-ui/clusterrole.yaml
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: hubble-ui
-rules:
- - apiGroups:
- - networking.k8s.io
- resources:
- - networkpolicies
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - componentstatuses
- - endpoints
- - namespaces
- - nodes
- - pods
- - services
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - cilium.io
- resources:
- - "*"
- verbs:
- - get
- - list
- - watch
----
-# Source: cilium/templates/cilium-agent/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cilium
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cilium
-subjects:
- - kind: ServiceAccount
- name: "cilium"
- namespace: default
----
-# Source: cilium/templates/cilium-operator/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cilium-operator
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cilium-operator
-subjects:
- - kind: ServiceAccount
- name: "cilium-operator"
- namespace: default
----
-# Source: cilium/templates/hubble-ui/clusterrolebinding.yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: hubble-ui
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: hubble-ui
-subjects:
- - kind: ServiceAccount
- name: "hubble-ui"
- namespace: default
----
-# Source: cilium/templates/hubble-relay/service.yaml
-kind: Service
-apiVersion: v1
-metadata:
- name: hubble-relay
- namespace: default
- labels:
- k8s-app: hubble-relay
-spec:
- type: "ClusterIP"
- selector:
- k8s-app: hubble-relay
- ports:
- - protocol: TCP
- port: 80
- targetPort: 4245
----
-# Source: cilium/templates/hubble-ui/service.yaml
-kind: Service
-apiVersion: v1
-metadata:
- name: hubble-ui
- namespace: default
- labels:
- k8s-app: hubble-ui
-spec:
- type: "ClusterIP"
- selector:
- k8s-app: hubble-ui
- ports:
- - name: http
- port: 80
- targetPort: 8081
----
-# Source: cilium/templates/hubble/metrics-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: hubble-metrics
- namespace: default
- labels:
- k8s-app: hubble
- annotations:
- prometheus.io/scrape: "true"
- prometheus.io/port: "9965"
-spec:
- clusterIP: None
- type: ClusterIP
- ports:
- - name: hubble-metrics
- port: 9965
- protocol: TCP
- targetPort: hubble-metrics
- selector:
- k8s-app: cilium
----
-# Source: cilium/templates/hubble/peer-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: hubble-peer
- namespace: default
- labels:
- k8s-app: cilium
-spec:
- selector:
- k8s-app: cilium
- ports:
- - name: peer-service
- port: 443
- protocol: TCP
- targetPort: 4244
----
-# Source: cilium/templates/cilium-agent/daemonset.yaml
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: cilium
- namespace: default
- labels:
- k8s-app: cilium
-spec:
- selector:
- matchLabels:
- k8s-app: cilium
- updateStrategy:
- rollingUpdate:
- maxUnavailable: 2
- type: RollingUpdate
- template:
- metadata:
- annotations:
- # ensure pods roll when configmap updates
- cilium.io/cilium-configmap-checksum: "c94473999dcfb5bd4ee1091b33fc2d83e3d4cee71d054e8b787677e0726d01ff"
- labels:
- k8s-app: cilium
- spec:
- containers:
- - name: cilium-agent
- image: "quay.io/cilium/cilium:v1.12.0@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade"
- imagePullPolicy: IfNotPresent
- command:
- - cilium-agent
- args:
- - --config-dir=/tmp/cilium/config-map
- startupProbe:
- httpGet:
- host: "127.0.0.1"
- path: /healthz
- port: 9879
- scheme: HTTP
- httpHeaders:
- - name: "brief"
- value: "true"
- failureThreshold: 105
- periodSeconds: 2
- successThreshold: 1
- livenessProbe:
- httpGet:
- host: "127.0.0.1"
- path: /healthz
- port: 9879
- scheme: HTTP
- httpHeaders:
- - name: "brief"
- value: "true"
- periodSeconds: 30
- successThreshold: 1
- failureThreshold: 10
- timeoutSeconds: 5
- readinessProbe:
- httpGet:
- host: "127.0.0.1"
- path: /healthz
- port: 9879
- scheme: HTTP
- httpHeaders:
- - name: "brief"
- value: "true"
- periodSeconds: 30
- successThreshold: 1
- failureThreshold: 3
- timeoutSeconds: 5
- env:
- - name: K8S_NODE_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: spec.nodeName
- - name: CILIUM_K8S_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: CILIUM_CLUSTERMESH_CONFIG
- value: /var/lib/cilium/clustermesh/
- - name: CILIUM_CNI_CHAINING_MODE
- valueFrom:
- configMapKeyRef:
- name: cilium-config
- key: cni-chaining-mode
- optional: true
- - name: CILIUM_CUSTOM_CNI_CONF
- valueFrom:
- configMapKeyRef:
- name: cilium-config
- key: custom-cni-conf
- optional: true
- - name: KUBERNETES_SERVICE_HOST
- value: "10.75.40.10"
- - name: KUBERNETES_SERVICE_PORT
- value: "6443"
- lifecycle:
- postStart:
- exec:
- command:
- - "/cni-install.sh"
- - "--enable-debug=false"
- - "--cni-exclusive=true"
- - "--log-file=/var/run/cilium/cilium-cni.log"
- preStop:
- exec:
- command:
- - /cni-uninstall.sh
- ports:
- - name: peer-service
- containerPort: 4244
- hostPort: 4244
- protocol: TCP
- - name: hubble-metrics
- containerPort: 9965
- hostPort: 9965
- protocol: TCP
- securityContext:
- privileged: true
- volumeMounts:
- - name: bpf-maps
- mountPath: /sys/fs/bpf
- mountPropagation: Bidirectional
- - name: cilium-run
- mountPath: /var/run/cilium
- - name: cni-path
- mountPath: /host/opt/cni/bin
- - name: etc-cni-netd
- mountPath: /host/etc/cni/net.d
- - name: clustermesh-secrets
- mountPath: /var/lib/cilium/clustermesh
- readOnly: true
- - name: cilium-config-path
- mountPath: /tmp/cilium/config-map
- readOnly: true
- # Needed to be able to load kernel modules
- - name: lib-modules
- mountPath: /lib/modules
- readOnly: true
- - name: xtables-lock
- mountPath: /run/xtables.lock
- - name: bgp-config-path
- mountPath: /var/lib/cilium/bgp
- readOnly: true
- - name: hubble-tls
- mountPath: /var/lib/cilium/tls/hubble
- readOnly: true
- initContainers:
- # Required to mount cgroup2 filesystem on the underlying Kubernetes node.
- # We use nsenter command with host's cgroup and mount namespaces enabled.
- - name: mount-cgroup
- image: "quay.io/cilium/cilium:v1.12.0@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade"
- imagePullPolicy: IfNotPresent
- env:
- - name: CGROUP_ROOT
- value: /run/cilium/cgroupv2
- - name: BIN_PATH
- value: /opt/cni/bin
- command:
- - sh
- - -ec
- # The statically linked Go program binary is invoked to avoid any
- # dependency on utilities like sh and mount that can be missing on certain
- # distros installed on the underlying host. Copy the binary to the
- # same directory where we install cilium cni plugin so that exec permissions
- # are available.
- - |
- cp /usr/bin/cilium-mount /hostbin/cilium-mount;
- nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT;
- rm /hostbin/cilium-mount
- volumeMounts:
- - name: hostproc
- mountPath: /hostproc
- - name: cni-path
- mountPath: /hostbin
- securityContext:
- privileged: true
- - name: apply-sysctl-overwrites
- image: "quay.io/cilium/cilium:v1.12.0@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade"
- imagePullPolicy: IfNotPresent
- env:
- - name: BIN_PATH
- value: /opt/cni/bin
- command:
- - sh
- - -ec
- # The statically linked Go program binary is invoked to avoid any
- # dependency on utilities like sh that can be missing on certain
- # distros installed on the underlying host. Copy the binary to the
- # same directory where we install cilium cni plugin so that exec permissions
- # are available.
- - |
- cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
- nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
- rm /hostbin/cilium-sysctlfix
- volumeMounts:
- - name: hostproc
- mountPath: /hostproc
- - name: cni-path
- mountPath: /hostbin
- securityContext:
- privileged: true
- - name: clean-cilium-state
- image: "quay.io/cilium/cilium:v1.12.0@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade"
- imagePullPolicy: IfNotPresent
- command:
- - /init-container.sh
- env:
- - name: CILIUM_ALL_STATE
- valueFrom:
- configMapKeyRef:
- name: cilium-config
- key: clean-cilium-state
- optional: true
- - name: CILIUM_BPF_STATE
- valueFrom:
- configMapKeyRef:
- name: cilium-config
- key: clean-cilium-bpf-state
- optional: true
- - name: KUBERNETES_SERVICE_HOST
- value: "10.75.40.10"
- - name: KUBERNETES_SERVICE_PORT
- value: "6443"
- securityContext:
- privileged: true
- volumeMounts:
- - name: bpf-maps
- mountPath: /sys/fs/bpf
- # Required to mount cgroup filesystem from the host to cilium agent pod
- - name: cilium-cgroup
- mountPath: /run/cilium/cgroupv2
- mountPropagation: HostToContainer
- - name: cilium-run
- mountPath: /var/run/cilium
- resources:
- requests:
- cpu: 100m
- memory: 100Mi # wait-for-kube-proxy
- restartPolicy: Always
- priorityClassName: system-node-critical
- serviceAccount: "cilium"
- serviceAccountName: "cilium"
- terminationGracePeriodSeconds: 1
- hostNetwork: true
- affinity:
- podAntiAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchLabels:
- k8s-app: cilium
- topologyKey: kubernetes.io/hostname
- nodeSelector:
- kubernetes.io/os: linux
- tolerations:
- - operator: Exists
- volumes:
- # To keep state between restarts / upgrades
- - name: cilium-run
- hostPath:
- path: /var/run/cilium
- type: DirectoryOrCreate
- # To keep state between restarts / upgrades for bpf maps
- - name: bpf-maps
- hostPath:
- path: /sys/fs/bpf
- type: DirectoryOrCreate
- # To mount cgroup2 filesystem on the host
- - name: hostproc
- hostPath:
- path: /proc
- type: Directory
- # To keep state between restarts / upgrades for cgroup2 filesystem
- - name: cilium-cgroup
- hostPath:
- path: /run/cilium/cgroupv2
- type: DirectoryOrCreate
- # To install cilium cni plugin in the host
- - name: cni-path
- hostPath:
- path: /opt/cni/bin
- type: DirectoryOrCreate
- # To install cilium cni configuration in the host
- - name: etc-cni-netd
- hostPath:
- path: /etc/cni/net.d
- type: DirectoryOrCreate
- # To be able to load kernel modules
- - name: lib-modules
- hostPath:
- path: /lib/modules
- # To access iptables concurrently with other processes (e.g. kube-proxy)
- - name: xtables-lock
- hostPath:
- path: /run/xtables.lock
- type: FileOrCreate
- # To read the clustermesh configuration
- - name: clustermesh-secrets
- secret:
- secretName: cilium-clustermesh
- # note: the leading zero means this number is in octal representation: do not remove it
- defaultMode: 0400
- optional: true
- # To read the configuration from the config map
- - name: cilium-config-path
- configMap:
- name: cilium-config
- - name: bgp-config-path
- configMap:
- name: bgp-config
- - name: hubble-tls
- projected:
- # note: the leading zero means this number is in octal representation: do not remove it
- defaultMode: 0400
- sources:
- - secret:
- name: hubble-server-certs
- optional: true
- items:
- - key: ca.crt
- path: client-ca.crt
- - key: tls.crt
- path: server.crt
- - key: tls.key
- path: server.key
----
-# Source: cilium/templates/cilium-operator/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: cilium-operator
- namespace: default
- labels:
- io.cilium/app: operator
- name: cilium-operator
-spec:
- # See docs on ServerCapabilities.LeasesResourceLock in file pkg/k8s/version/version.go
- # for more details.
- replicas: 2
- selector:
- matchLabels:
- io.cilium/app: operator
- name: cilium-operator
- strategy:
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 1
- type: RollingUpdate
- template:
- metadata:
- annotations:
- # ensure pods roll when configmap updates
- cilium.io/cilium-configmap-checksum: "c94473999dcfb5bd4ee1091b33fc2d83e3d4cee71d054e8b787677e0726d01ff"
- labels:
- io.cilium/app: operator
- name: cilium-operator
- spec:
- containers:
- - name: cilium-operator
- image: quay.io/cilium/operator-generic:v1.12.0@sha256:bb2a42eda766e5d4a87ee8a5433f089db81b72dd04acf6b59fcbb445a95f9410
- imagePullPolicy: IfNotPresent
- command:
- - cilium-operator-generic
- args:
- - --config-dir=/tmp/cilium/config-map
- - --debug=$(CILIUM_DEBUG)
- env:
- - name: K8S_NODE_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: spec.nodeName
- - name: CILIUM_K8S_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: CILIUM_DEBUG
- valueFrom:
- configMapKeyRef:
- key: debug
- name: cilium-config
- optional: true
- - name: KUBERNETES_SERVICE_HOST
- value: "10.75.40.10"
- - name: KUBERNETES_SERVICE_PORT
- value: "6443"
- livenessProbe:
- httpGet:
- host: "127.0.0.1"
- path: /healthz
- port: 9234
- scheme: HTTP
- initialDelaySeconds: 60
- periodSeconds: 10
- timeoutSeconds: 3
- volumeMounts:
- - name: cilium-config-path
- mountPath: /tmp/cilium/config-map
- readOnly: true
- - name: bgp-config-path
- mountPath: /var/lib/cilium/bgp
- readOnly: true
- hostNetwork: true
- restartPolicy: Always
- priorityClassName: system-cluster-critical
- serviceAccount: "cilium-operator"
- serviceAccountName: "cilium-operator"
- # In HA mode, cilium-operator pods must not be scheduled on the same
- # node as they will clash with each other.
- affinity:
- podAntiAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchLabels:
- io.cilium/app: operator
- topologyKey: kubernetes.io/hostname
- nodeSelector:
- kubernetes.io/os: linux
- tolerations:
- - operator: Exists
- volumes:
- # To read the configuration from the config map
- - name: cilium-config-path
- configMap:
- name: cilium-config
- - name: bgp-config-path
- configMap:
- name: bgp-config
----
-# Source: cilium/templates/hubble-relay/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: hubble-relay
- namespace: default
- labels:
- k8s-app: hubble-relay
-spec:
- replicas: 1
- selector:
- matchLabels:
- k8s-app: hubble-relay
- strategy:
- rollingUpdate:
- maxUnavailable: 1
- type: RollingUpdate
- template:
- metadata:
- annotations:
- # ensure pods roll when configmap updates
- cilium.io/hubble-relay-configmap-checksum: "27382c733aca8bb9cc669c794dc0ce492494af3869067092d9c0bf608d6fc0c1"
- labels:
- k8s-app: hubble-relay
- spec:
- containers:
- - name: hubble-relay
- image: "quay.io/cilium/hubble-relay:v1.12.0@sha256:ca8033ea8a3112d838f958862fa76c8d895e3c8d0f5590de849b91745af5ac4d"
- imagePullPolicy: IfNotPresent
- command:
- - hubble-relay
- args:
- - serve
- ports:
- - name: grpc
- containerPort: 4245
- readinessProbe:
- tcpSocket:
- port: grpc
- livenessProbe:
- tcpSocket:
- port: grpc
- volumeMounts:
- - name: config
- mountPath: /etc/hubble-relay
- readOnly: true
- - name: tls
- mountPath: /var/lib/hubble-relay/tls
- readOnly: true
- restartPolicy: Always
- priorityClassName:
- serviceAccount: "hubble-relay"
- serviceAccountName: "hubble-relay"
- automountServiceAccountToken: false
- terminationGracePeriodSeconds: 1
- affinity:
- podAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchLabels:
- k8s-app: cilium
- topologyKey: kubernetes.io/hostname
- nodeSelector:
- kubernetes.io/os: linux
- volumes:
- - name: config
- configMap:
- name: hubble-relay-config
- items:
- - key: config.yaml
- path: config.yaml
- - name: tls
- projected:
- # note: the leading zero means this number is in octal representation: do not remove it
- defaultMode: 0400
- sources:
- - secret:
- name: hubble-relay-client-certs
- items:
- - key: ca.crt
- path: hubble-server-ca.crt
- - key: tls.crt
- path: client.crt
- - key: tls.key
- path: client.key
----
-# Source: cilium/templates/hubble-ui/deployment.yaml
-kind: Deployment
-apiVersion: apps/v1
-metadata:
- name: hubble-ui
- namespace: default
- labels:
- k8s-app: hubble-ui
-spec:
- replicas: 1
- selector:
- matchLabels:
- k8s-app: hubble-ui
- template:
- metadata:
- annotations:
- # ensure pods roll when configmap updates
- cilium.io/hubble-ui-nginx-configmap-checksum: "435dc818f7e96a252c7345d28b626abf4015434a41f7501f53816c80b7561ee0"
- labels:
- k8s-app: hubble-ui
- spec:
- securityContext:
- fsGroup: 1001
- runAsGroup: 1001
- runAsUser: 1001
- priorityClassName:
- serviceAccount: "hubble-ui"
- serviceAccountName: "hubble-ui"
- containers:
- - name: frontend
- image: "quay.io/cilium/hubble-ui:v0.9.0@sha256:0ef04e9a29212925da6bdfd0ba5b581765e41a01f1cc30563cef9b30b457fea0"
- imagePullPolicy: IfNotPresent
- ports:
- - name: http
- containerPort: 8081
- volumeMounts:
- - name: hubble-ui-nginx-conf
- mountPath: /etc/nginx/conf.d/default.conf
- subPath: nginx.conf
- - name: tmp-dir
- mountPath: /tmp
- - name: backend
- image: "quay.io/cilium/hubble-ui-backend:v0.9.0@sha256:000df6b76719f607a9edefb9af94dfd1811a6f1b6a8a9c537cba90bf12df474b"
- imagePullPolicy: IfNotPresent
- env:
- - name: EVENTS_SERVER_PORT
- value: "8090"
- - name: FLOWS_API_ADDR
- value: "hubble-relay:80"
- ports:
- - name: grpc
- containerPort: 8090
- volumeMounts:
- nodeSelector:
- kubernetes.io/os: linux
- volumes:
- - configMap:
- defaultMode: 420
- name: hubble-ui-nginx
- name: hubble-ui-nginx-conf
- - emptyDir: {}
- name: tmp-dir
----
-# Source: cilium/templates/hubble-ui/ingress.yaml
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: hubble-ui
- namespace: default
- labels:
- k8s-app: hubble-ui
- annotations:
- hajimari.io/appName: hubble
- hajimari.io/enable: "true"
- hajimari.io/icon: lan
-spec:
- tls:
- - hosts:
- - hubble.${SECRET_DOMAIN}
- rules:
- - host: hubble.${SECRET_DOMAIN}
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: hubble-ui
- port:
- name: http
+ |
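Review bot: The new side of this hunk is a single line with no manifest content (`@@ -1,1309 +1 @@`, closing on the lone `+` line), so what chart 1.16.5 actually renders cannot be reviewed from this diff. The removed 1.12.0 render carried the settings that most need a side-by-side comparison: three init containers with `privileged: true` (two of which `nsenter` into the host's PID 1 namespaces through the `/proc` hostPath), `hostNetwork: true` on the agent and the operator, a blanket `operator: Exists` toleration, hostPath mounts into `/opt/cni/bin` and `/etc/cni/net.d`, and images pinned by `@sha256:` digest. Please regenerate the rendered diff so the new securityContext, hostPath volumes and image digests are visible, and hold the merge until it shows real output.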
MegaLinter status: ❌ ERROR
See errors details in artifact MegaLinter reports on CI Job page
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
| datasource | package | from   | to     |
| ---------- | ------- | ------ | ------ |
| helm       | cilium  | 1.13.2 | 1.16.5 |
| helm       | cilium  | 1.12.0 | 1.16.5 |
This PR contains the following updates:
1.13.2 -> 1.16.5
1.12.0 -> 1.16.5
⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.
Release Notes
cilium/cilium
v1.16.5
Compare Source
Summary of Changes
Minor Changes:
Bugfixes:
`strconv.Itoa` instead of `string()` for the correct behavior when converting `kafka.ErrorCode` from `int32` to `string`. Add relevant unit tests for Kafka plugin and handler. (Backport PR #36066, Upstream PR #35856, @nddq)
CI Changes:
Misc Changes:
`147f428` (v1.16) (#36222, @cilium-renovate[bot])
Other Changes:
Docker Manifests
v1.16.4
Compare Source
Security Advisories
This release addresses GHSA-xg58-75qf-9r67.
Summary of Changes
Minor Changes:
`hubble.tls.auto.certValidityDuration` to 365 days (Backport PR #35781, Upstream PR #35630, @chancez)
Bugfixes:
`timeout waiting for response` error is encountered. (Backport PR #35781, Upstream PR #35589, @bimmlerd)
`bpf-lb-sock-terminate-pod-connections` (Backport PR #35781, Upstream PR #35703, @solidDoWant)
`netlink` functions that may fail with `ErrDumpInterrupted` (Backport PR #35654, Upstream PR #35614, @gandro)
CI Changes:
Misc Changes:
`0ca97f4` (v1.16) (#35730, @cilium-renovate[bot])
`b274ff1` (v1.16) (#35379, @cilium-renovate[bot])
Other Changes:
`PolicyMatch{L3Proto,L4Only}` case (#35681, @gandro)
Docker Manifests
v1.16.3
Compare Source
Summary of Changes
Bugfixes:
CI Changes:
Misc Changes:
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Renovate Bot.