chore(deps): update quay.io/cilium/charts/cilium docker tag to v1.19.0#3304
Merged
chore(deps): update quay.io/cilium/charts/cilium docker tag to v1.19.0#3304
Conversation
--- apps/kube-system/cilium/app Kustomization: flux-system/cilium OCIRepository: kube-system/cilium
+++ apps/kube-system/cilium/app Kustomization: flux-system/cilium OCIRepository: kube-system/cilium
@@ -10,9 +10,9 @@
spec:
interval: 30m
layerSelector:
mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
operation: copy
ref:
- tag: 1.18.6
+ tag: 1.19.0
url: oci://quay.io/cilium/charts/cilium
--- apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium
+++ apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium
@@ -16,13 +16,12 @@
bpf:
datapathMode: netkit
distributedLRU:
enabled: true
masquerade: true
preallocateMaps: true
- tproxy: true
bpfClockProbe: true
envoy:
enabled: false
hubble:
enabled: false
ipam: |
Remove tproxy configuration from Cilium helm release.
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config
@@ -22,13 +22,12 @@
policy-secrets-only-from-secrets-namespace: 'true'
policy-secrets-namespace: cilium-secrets
enable-ipv4: 'true'
enable-ipv6: 'true'
custom-cni-conf: 'false'
enable-bpf-clock-probe: 'true'
- enable-bpf-tproxy: 'true'
monitor-aggregation: medium
monitor-aggregation-interval: 5s
monitor-aggregation-flags: all
bpf-map-dynamic-size-ratio: '0.0025'
bpf-policy-map-max: '16384'
bpf-policy-stats-map-max: '65536'
@@ -45,36 +44,38 @@
cluster-name: default
cluster-id: '0'
routing-mode: tunnel
tunnel-protocol: vxlan
tunnel-source-port-range: 0-0
service-no-backend-response: reject
+ policy-deny-response: none
enable-l7-proxy: 'true'
enable-ipv4-masquerade: 'true'
enable-ipv4-big-tcp: 'false'
enable-ipv6-big-tcp: 'false'
enable-ipv6-masquerade: 'true'
+ enable-tunnel-big-tcp: 'false'
enable-tcx: 'true'
datapath-mode: netkit
enable-bpf-masquerade: 'true'
enable-masquerade-to-route-source: 'false'
enable-xt-socket-fallback: 'true'
install-no-conntrack-iptables-rules: 'false'
iptables-random-fully: 'false'
auto-direct-node-routes: 'false'
direct-routing-skip-unreachable: 'false'
kube-proxy-replacement: 'true'
kube-proxy-replacement-healthz-bind-address: ''
+ enable-no-service-endpoints-routable: 'true'
bpf-lb-sock: 'false'
nodeport-addresses: ''
enable-health-check-nodeport: 'true'
enable-health-check-loadbalancer-ip: 'false'
node-port-bind-protection: 'true'
enable-auto-protect-node-port-range: 'true'
bpf-lb-acceleration: disabled
- enable-svc-source-range-check: 'true'
enable-l2-neigh-discovery: 'false'
k8s-require-ipv4-pod-cidr: 'false'
k8s-require-ipv6-pod-cidr: 'false'
enable-k8s-networkpolicy: 'true'
enable-endpoint-lockdown-on-policy-overflow: 'false'
write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
@@ -100,54 +101,60 @@
enable-vtep: 'false'
vtep-endpoint: ''
vtep-cidr: ''
vtep-mask: ''
vtep-mac: ''
enable-pmtu-discovery: 'true'
+ packetization-layer-pmtud-mode: blackhole
procfs: /host/proc
bpf-root: /sys/fs/bpf
cgroup-root: /run/cilium/cgroupv2
identity-management-mode: agent
enable-sctp: 'false'
remove-cilium-node-taints: 'true'
set-cilium-node-taints: 'true'
set-cilium-is-up-condition: 'true'
- unmanaged-pod-watcher-interval: '15'
+ unmanaged-pod-watcher-interval: 15s
dnsproxy-enable-transparent-mode: 'true'
dnsproxy-socket-linger-timeout: '10'
tofqdns-dns-reject-response-code: refused
tofqdns-enable-dns-compression: 'true'
tofqdns-endpoint-max-ip-per-hostname: '1000'
tofqdns-idle-connection-grace-period: 0s
tofqdns-max-deferred-connection-deletes: '10000'
tofqdns-proxy-response-max-delay: 100ms
tofqdns-preallocate-identities: 'true'
agent-not-ready-taint-key: node.cilium.io/agent-not-ready
- mesh-auth-enabled: 'true'
+ mesh-auth-enabled: 'false'
mesh-auth-queue-size: '1024'
mesh-auth-rotated-identities-queue-size: '1024'
mesh-auth-gc-interval: 5m0s
proxy-xff-num-trusted-hops-ingress: '0'
proxy-xff-num-trusted-hops-egress: '0'
proxy-connect-timeout: '2'
proxy-initial-fetch-timeout: '30'
+ proxy-max-active-downstream-connections: '50000'
proxy-max-requests-per-connection: '0'
proxy-max-connection-duration-seconds: '0'
proxy-idle-timeout-seconds: '60'
proxy-max-concurrent-retries: '128'
+ proxy-use-original-source-address: 'true'
+ proxy-cluster-max-connections: '1024'
+ proxy-cluster-max-requests: '1024'
http-retry-count: '3'
http-stream-idle-timeout: '300'
external-envoy-proxy: 'false'
envoy-base-id: '0'
envoy-access-log-buffer-size: '4096'
envoy-keep-cap-netbindservice: 'false'
max-connected-clusters: '255'
+ clustermesh-cache-ttl: 0s
clustermesh-enable-endpoint-sync: 'false'
clustermesh-enable-mcs-api: 'false'
- policy-default-local-cluster: 'false'
+ clustermesh-mcs-api-install-crds: 'true'
+ policy-default-local-cluster: 'true'
nat-map-stats-entries: '32'
nat-map-stats-interval: 30s
- enable-internal-traffic-policy: 'true'
enable-lb-ipam: 'true'
enable-non-default-deny-policies: 'true'
enable-source-ip-verification: 'true'
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium
+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium
@@ -43,13 +43,12 @@
- watch
- get
- apiGroups:
- cilium.io
resources:
- ciliumloadbalancerippools
- - ciliumbgppeeringpolicies
- ciliumbgpnodeconfigs
- ciliumbgpadvertisements
- ciliumbgppeerconfigs
- ciliumclusterwideenvoyconfigs
- ciliumclusterwidenetworkpolicies
- ciliumegressgatewaypolicies
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator
+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator
@@ -160,13 +160,12 @@
resources:
- customresourcedefinitions
verbs:
- update
resourceNames:
- ciliumloadbalancerippools.cilium.io
- - ciliumbgppeeringpolicies.cilium.io
- ciliumbgpclusterconfigs.cilium.io
- ciliumbgppeerconfigs.cilium.io
- ciliumbgpadvertisements.cilium.io
- ciliumbgpnodeconfigs.cilium.io
- ciliumbgpnodeconfigoverrides.cilium.io
- ciliumclusterwideenvoyconfigs.cilium.io
@@ -186,13 +185,12 @@
- ciliumgatewayclassconfigs.cilium.io
- apiGroups:
- cilium.io
resources:
- ciliumloadbalancerippools
- ciliumpodippools
- - ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides
- ciliumbgppeerconfigs
verbs:
- get
- list
@@ -214,7 +212,13 @@
resources:
- leases
verbs:
- create
- get
- update
+- apiGroups:
+ - cilium.io
+ resources:
+ - ciliumendpointslices
+ verbs:
+ - deletecollection
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium
+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium
@@ -16,13 +16,13 @@
rollingUpdate:
maxUnavailable: 2
type: RollingUpdate
template:
metadata:
annotations:
- cilium.io/cilium-configmap-checksum: ac82db15d533da499e4d0cd866f791beaeb3f02ad9cfc487ee917b3342153c2d
+ cilium.io/cilium-configmap-checksum: 7b2a0e21fc32014a4d97733e818e419c7165ce7c6d7ffa7a898e80e87b16eb70
kubectl.kubernetes.io/default-container: cilium-agent
labels:
k8s-app: cilium
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
spec:
@@ -30,36 +30,36 @@
appArmorProfile:
type: Unconfined
seccompProfile:
type: Unconfined
containers:
- name: cilium-agent
- image: quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4
+ image: quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60
imagePullPolicy: IfNotPresent
command:
- cilium-agent
args:
- --config-dir=/tmp/cilium/config-map
startupProbe:
httpGet:
host: 127.0.0.1
path: /healthz
- port: 9879
+ port: health
scheme: HTTP
httpHeaders:
- name: brief
value: 'true'
failureThreshold: 300
periodSeconds: 2
successThreshold: 1
initialDelaySeconds: 5
livenessProbe:
httpGet:
host: 127.0.0.1
path: /healthz
- port: 9879
+ port: health
scheme: HTTP
httpHeaders:
- name: brief
value: 'true'
- name: require-k8s-connectivity
value: 'false'
@@ -68,13 +68,13 @@
failureThreshold: 10
timeoutSeconds: 5
readinessProbe:
httpGet:
host: 127.0.0.1
path: /healthz
- port: 9879
+ port: health
scheme: HTTP
httpHeaders:
- name: brief
value: 'true'
periodSeconds: 30
successThreshold: 1
@@ -133,12 +133,17 @@
fi
echo 'Done!'
preStop:
exec:
command:
- /cni-uninstall.sh
+ ports:
+ - name: health
+ containerPort: 9879
+ hostPort: 9879
+ protocol: TCP
securityContext:
seLinuxOptions:
level: s0
type: spc_t
capabilities:
add:
@@ -151,12 +156,13 @@
- SYS_ADMIN
- SYS_RESOURCE
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
+ - SYSLOG
drop:
- ALL
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /host/proc/sys/net
name: host-proc-sys-net
@@ -181,13 +187,13 @@
- name: xtables-lock
mountPath: /run/xtables.lock
- name: tmp
mountPath: /tmp
initContainers:
- name: config
- image: quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4
+ image: quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60
imagePullPolicy: IfNotPresent
command:
- cilium-dbg
- build-config
env:
- name: K8S_NODE_NAME
@@ -205,14 +211,20 @@
- name: KUBERNETES_SERVICE_PORT
value: '6443'
volumeMounts:
- name: tmp
mountPath: /tmp
terminationMessagePolicy: FallbackToLogsOnError
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ drop:
+ - ALL
- name: mount-cgroup
- image: quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4
+ image: quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60
imagePullPolicy: IfNotPresent
env:
- name: CGROUP_ROOT
value: /run/cilium/cgroupv2
- name: BIN_PATH
value: /opt/cni/bin
@@ -238,13 +250,13 @@
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
- name: apply-sysctl-overwrites
- image: quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4
+ image: quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60
imagePullPolicy: IfNotPresent
env:
- name: BIN_PATH
value: /opt/cni/bin
command:
- sh
@@ -268,13 +280,13 @@
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
- name: mount-bpf-fs
- image: quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4
+ image: quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60
imagePullPolicy: IfNotPresent
args:
- mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
command:
- /bin/bash
- -c
@@ -284,13 +296,13 @@
privileged: true
volumeMounts:
- name: bpf-maps
mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
- name: clean-cilium-state
- image: quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4
+ image: quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60
imagePullPolicy: IfNotPresent
command:
- /init-container.sh
env:
- name: CILIUM_ALL_STATE
valueFrom:
@@ -333,17 +345,20 @@
- name: cilium-cgroup
mountPath: /run/cilium/cgroupv2
mountPropagation: HostToContainer
- name: cilium-run
mountPath: /var/run/cilium
- name: install-cni-binaries
- image: quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4
+ image: quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60
imagePullPolicy: IfNotPresent
command:
- /install-plugin.sh
resources:
+ limits:
+ cpu: 1
+ memory: 1Gi
requests:
cpu: 100m
memory: 10Mi
securityContext:
seLinuxOptions:
level: s0
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator
+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator
@@ -33,13 +33,13 @@
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: cilium-operator
- image: quay.io/cilium/operator-generic:v1.18.6@sha256:34a827ce9ed021c8adf8f0feca131f53b3c54a3ef529053d871d0347ec4d69af
+ image: quay.io/cilium/operator-generic:v1.19.0@sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648
imagePullPolicy: IfNotPresent
command:
- cilium-operator-generic
args:
- --config-dir=/tmp/cilium/config-map
- --debug=$(CILIUM_DEBUG)
@@ -62,30 +62,33 @@
optional: true
- name: KUBERNETES_SERVICE_HOST
value: homeserver.home.lucadev.de
- name: KUBERNETES_SERVICE_PORT
value: '6443'
ports:
+ - name: health
+ containerPort: 9234
+ hostPort: 9234
- name: prometheus
containerPort: 9963
hostPort: 9963
protocol: TCP
livenessProbe:
httpGet:
host: 127.0.0.1
path: /healthz
- port: 9234
+ port: health
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
timeoutSeconds: 3
readinessProbe:
httpGet:
host: 127.0.0.1
path: /healthz
- port: 9234
+ port: health
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 5
volumeMounts:
--- HelmRelease: kube-system/cilium Role: kube-system/cilium-operator-ztunnel
+++ HelmRelease: kube-system/cilium Role: kube-system/cilium-operator-ztunnel
@@ -0,0 +1,20 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-operator-ztunnel
+ namespace: kube-system
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - watch
+
--- HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-operator-ztunnel
+++ HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-operator-ztunnel
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-operator-ztunnel
+ namespace: kube-system
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-operator-ztunnel
+subjects:
+- kind: ServiceAccount
+ name: cilium-operator
+ namespace: kube-system
+ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.18.6→1.19.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
cilium/cilium (quay.io/cilium/charts/cilium)
v1.19.0Compare Source
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.