Skip to content

Commit

Permalink
Merge pull request #401 from mgfritch/update-cilium-v1.15.5
Browse files Browse the repository at this point in the history
Update Cilium to 1.14.5
  • Loading branch information
mgfritch authored Jan 31, 2024
2 parents 56596f9 + d1b368f commit 235c137
Show file tree
Hide file tree
Showing 5 changed files with 66 additions and 56 deletions.
4 changes: 2 additions & 2 deletions packages/rke2-cilium/generated-changes/patch/Chart.yaml.patch
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
+++ charts/Chart.yaml
@@ -124,8 +124,7 @@
apiVersion: v2
appVersion: 1.14.4
appVersion: 1.14.5
description: eBPF-based Networking, Security, and Observability
-home: https://cilium.io/
-icon: https://cdn.jsdelivr.net/gh/cilium/[email protected]/Documentation/images/logo-solo.svg
Expand All @@ -19,4 +19,4 @@
sources:
-- https://github.com/cilium/cilium
+- https://github.com/rancher/rke2-charts
version: 1.14.4
version: 1.14.5
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /bin/bash
@@ -400,8 +408,18 @@
@@ -403,8 +411,18 @@
{{- toYaml .Values.extraContainers | nindent 6 }}
{{- end }}
initContainers:
Expand All @@ -50,7 +50,7 @@
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- cilium
@@ -445,7 +463,7 @@
@@ -448,7 +466,7 @@
# Required to mount cgroup2 filesystem on the underlying Kubernetes node.
# We use nsenter command with host's cgroup and mount namespaces enabled.
- name: mount-cgroup
Expand All @@ -59,34 +59,34 @@
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: CGROUP_ROOT
@@ -491,7 +509,7 @@
@@ -494,7 +512,7 @@
- ALL
{{- end}}
- name: apply-sysctl-overwrites
- image: {{ include "cilium.image" .Values.image | quote }}
+ image: "{{ template "system_default_registry" . }}{{ include "cilium.image" .Values.image }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: BIN_PATH
@@ -536,7 +554,7 @@
{{- with .Values.initResources }}
resources:
@@ -543,7 +561,7 @@
# from a privileged container because the mount propagation bidirectional
# only works from privileged containers.
- name: mount-bpf-fs
- image: {{ include "cilium.image" .Values.image | quote }}
+ image: "{{ template "system_default_registry" . }}{{ include "cilium.image" .Values.image }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf'
@@ -557,7 +575,7 @@
{{- with .Values.initResources }}
resources:
@@ -568,7 +586,7 @@
{{- end }}
{{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }}
- name: wait-for-node-init
- image: {{ include "cilium.image" .Values.image | quote }}
+ image: "{{ template "system_default_registry" . }}{{ include "cilium.image" .Values.image }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- sh
@@ -571,9 +589,11 @@
{{- with .Values.initResources }}
resources:
@@ -586,9 +604,11 @@
volumeMounts:
- name: cilium-bootstrap-file-dir
mountPath: "/tmp/cilium-bootstrap.d"
Expand All @@ -99,16 +99,16 @@
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /init-container.sh
@@ -636,7 +656,7 @@
@@ -654,7 +674,7 @@
{{- end }}
{{- if and .Values.waitForKubeProxy (ne $kubeProxyReplacement "strict") }}
- name: wait-for-kube-proxy
- image: {{ include "cilium.image" .Values.image | quote }}
+ image: "{{ template "system_default_registry" . }}{{ include "cilium.image" .Values.image }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
privileged: true
@@ -670,7 +690,7 @@
{{- with .Values.initResources }}
resources:
@@ -692,7 +712,7 @@
{{- if .Values.cni.install }}
# Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent
- name: install-cni-binaries
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
imagePullPolicy: {{ .Values.clustermesh.apiserver.etcd.image.pullPolicy }}
command: ["/bin/sh", "-c"]
args:
@@ -89,7 +89,7 @@
@@ -92,7 +92,7 @@
{{- end }}
containers:
- name: etcd
Expand All @@ -18,7 +18,7 @@
imagePullPolicy: {{ .Values.clustermesh.apiserver.etcd.image.pullPolicy }}
command:
- /usr/local/bin/etcd
@@ -142,7 +142,7 @@
@@ -148,7 +148,7 @@
{{- toYaml . | nindent 10 }}
{{- end }}
- name: apiserver
Expand All @@ -27,7 +27,7 @@
imagePullPolicy: {{ .Values.clustermesh.apiserver.image.pullPolicy }}
command:
- /usr/bin/clustermesh-apiserver
@@ -220,7 +220,7 @@
@@ -226,7 +226,7 @@
{{- end }}
{{- if .Values.clustermesh.apiserver.kvstoremesh.enabled }}
- name: kvstoremesh
Expand Down
78 changes: 44 additions & 34 deletions packages/rke2-cilium/generated-changes/patch/values.yaml.patch
Original file line number Diff line number Diff line change
Expand Up @@ -6,16 +6,16 @@
override: ~
- repository: "quay.io/cilium/cilium"
+ repository: "rancher/mirrored-cilium-cilium"
tag: "v1.14.4"
tag: "v1.14.5"
pullPolicy: "IfNotPresent"
- # cilium-digest
- digest: "sha256:4981767b787c69126e190e33aee93d5a076639083c21f0e7c29596a519c64a2e"
- digest: "sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b"
- useDigest: true
+ useDigest: false

# -- Affinity for cilium-agent.
affinity:
@@ -534,7 +532,9 @@
@@ -537,7 +535,9 @@
# - flannel
# - generic-veth
# - portmap
Expand All @@ -26,7 +26,7 @@

# -- A CNI network name in to which the Cilium plugin should be added as a chained plugin.
# This will cause the agent to watch for a CNI network with this network name. When it is
@@ -933,10 +933,9 @@
@@ -936,10 +936,9 @@
certgen:
image:
override: ~
Expand All @@ -39,7 +39,7 @@
pullPolicy: "IfNotPresent"
# -- Seconds after which the completed job pod will be deleted
ttlSecondsAfterFinished: 1800
@@ -958,7 +957,7 @@
@@ -961,7 +960,7 @@

hubble:
# -- Enable Hubble (true by default).
Expand All @@ -48,21 +48,21 @@

# -- Buffer size of the channel Hubble uses to receive monitor events. If this
# value is not set, the queue size is set to the default monitor queue size.
@@ -1109,11 +1108,9 @@
@@ -1112,11 +1111,9 @@
# -- Hubble-relay container image.
image:
override: ~
- repository: "quay.io/cilium/hubble-relay"
+ repository: "rancher/mirrored-cilium-hubble-relay"
tag: "v1.14.4"
tag: "v1.14.5"
- # hubble-relay-digest
- digest: "sha256:ca81622fd9f04c1316bf4144bde5dbce613758810f6022f6c706b14c9c0815db"
- digest: "sha256:dbef89f924a927043d02b40c18e417c1ea0e8f58b44523b80fef7e3652db24d4"
- useDigest: true
+ useDigest: false
pullPolicy: "IfNotPresent"

# -- Specifies the resources for the hubble-relay pods
@@ -1331,10 +1328,9 @@
@@ -1340,10 +1337,9 @@
# -- Hubble-ui backend image.
image:
override: ~
Expand All @@ -75,7 +75,7 @@
pullPolicy: "IfNotPresent"

# -- Hubble-ui backend security context.
@@ -1362,10 +1358,9 @@
@@ -1371,10 +1367,9 @@
# -- Hubble-ui frontend image.
image:
override: ~
Expand All @@ -88,7 +88,7 @@
pullPolicy: "IfNotPresent"

# -- Hubble-ui frontend security context.
@@ -1491,7 +1486,7 @@
@@ -1500,7 +1495,7 @@
ipam:
# -- Configure IP Address Management mode.
# ref: https://docs.cilium.io/en/stable/network/concepts/ipam/
Expand All @@ -97,7 +97,7 @@
# -- Maximum rate at which the CiliumNode custom resource is updated.
ciliumNodeUpdateRate: "15s"
operator:
@@ -1769,7 +1764,7 @@
@@ -1778,7 +1773,7 @@

# -- Configure prometheus metrics on the configured port at /metrics
prometheus:
Expand All @@ -106,21 +106,21 @@
port: 9962
serviceMonitor:
# -- Enable service monitors.
@@ -1847,11 +1842,10 @@
@@ -1856,11 +1851,10 @@
# -- Envoy container image.
image:
override: ~
- repository: "quay.io/cilium/cilium-envoy"
+ repository: "rancher/mirrored-cilium-cilium-envoy"
tag: "v1.26.6-ff0d5d3f77d610040e93c7c7a430d61a0c0b90c1"
tag: "v1.26.6-ad82c7c56e88989992fd25d8d67747de865c823b"
pullPolicy: "IfNotPresent"
- digest: "sha256:6b0f2591fef922bf17a46517d5152ea7d6270524bb0e307c77986986677dbcea"
- digest: "sha256:992998398dadfff7117bfa9fdb7c9474fefab7f0237263f7c8114e106c67baca"
- useDigest: true
+ useDigest: false

# -- Additional containers added to the cilium Envoy DaemonSet.
extraContainers: []
@@ -2139,10 +2133,9 @@
@@ -2148,10 +2142,9 @@
# -- cilium-etcd-operator image.
image:
override: ~
Expand All @@ -133,27 +133,27 @@
pullPolicy: "IfNotPresent"

# -- The priority class to use for cilium-etcd-operator
@@ -2244,17 +2237,9 @@
@@ -2253,17 +2246,9 @@
# -- cilium-operator image.
image:
override: ~
- repository: "quay.io/cilium/operator"
+ repository: "rancher/mirrored-cilium-operator"
tag: "v1.14.4"
tag: "v1.14.5"
- # operator-generic-digest
- genericDigest: "sha256:f0f05e4ba3bb1fe0e4b91144fa4fea637701aba02e6c00b23bd03b4a7e1dfd55"
- genericDigest: "sha256:303f9076bdc73b3fc32aaedee64a14f6f44c8bb08ee9e3956d443021103ebe7a"
- # operator-azure-digest
- azureDigest: "sha256:f9d1b8663b905fc2af656e61abc54667779081dde2fdbbb90a48200e7b05ff41"
- azureDigest: "sha256:9203f5583aa34e716d7a6588ebd144e43ce3b77873f578fc12b2679e33591353"
- # operator-aws-digest
- awsDigest: "sha256:757966ce5c13055089b092a86c8322a0694b0461a19b65e545e61897f6c9446c"
- awsDigest: "sha256:785ccf1267d0ed3ba9e4bd8166577cb4f9e4ce996af26b27c9d5c554a0d5b09a"
- # operator-alibabacloud-digest
- alibabacloudDigest: "sha256:2b2c71930db7901e754d5aac119c166faad10e938f73294f1c840cf36d564a3e"
- alibabacloudDigest: "sha256:e0152c498ba73c56a82eee2a706c8f400e9a6999c665af31a935bdf08e659bc3"
- useDigest: true
+ useDigest: false
pullPolicy: "IfNotPresent"
suffix: ""

@@ -2385,7 +2370,7 @@
@@ -2394,7 +2379,7 @@
# -- Enable prometheus metrics for cilium-operator on the configured port at
# /metrics
prometheus:
Expand All @@ -162,29 +162,39 @@
port: 9963
serviceMonitor:
# -- Enable service monitors.
@@ -2531,11 +2516,9 @@
@@ -2430,8 +2415,7 @@

# -- Taint nodes where Cilium is scheduled but not running. This prevents pods
# from being scheduled to nodes where Cilium is not the default CNI provider.
- # @default -- same as removeNodeTaints
- setNodeTaints: ~
+ setNodeTaints: false

# -- Set Node condition NetworkUnavailable to 'false' with the reason
# 'CiliumIsUp' for nodes that have a healthy Cilium pod.
@@ -2540,11 +2524,9 @@
# -- Cilium pre-flight image.
image:
override: ~
- repository: "quay.io/cilium/cilium"
+ repository: "rancher/mirrored-cilium-cilium"
tag: "v1.14.4"
tag: "v1.14.5"
- # cilium-digest
- digest: "sha256:4981767b787c69126e190e33aee93d5a076639083c21f0e7c29596a519c64a2e"
- digest: "sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b"
- useDigest: true
+ useDigest: false
pullPolicy: "IfNotPresent"

# -- The priority class to use for the preflight pod.
@@ -2681,21 +2664,18 @@
@@ -2690,21 +2672,18 @@
# -- Clustermesh API server image.
image:
override: ~
- repository: "quay.io/cilium/clustermesh-apiserver"
+ repository: "rancher/mirrored-cilium-clustermesh-apiserver"
tag: "v1.14.4"
tag: "v1.14.5"
- # clustermesh-apiserver-digest
- digest: "sha256:828a74eea2a15c4196633dc50e4b92ba3a5e3ed8418c2a33e255a9281a1ce42f"
- digest: "sha256:7eaa35cf5452c43b1f7d0cde0d707823ae7e49965bcb54c053e31ea4e04c3d96"
- useDigest: true
+ useDigest: false
pullPolicy: "IfNotPresent"
Expand All @@ -202,29 +212,29 @@
pullPolicy: "IfNotPresent"

# -- Specifies the resources for etcd container in the apiserver
@@ -2728,11 +2708,9 @@
@@ -2737,11 +2716,9 @@
# -- KVStoreMesh image.
image:
override: ~
- repository: "quay.io/cilium/kvstoremesh"
+ repository: "rancher/mirrored-cilium-kvstoremesh"
tag: "v1.14.4"
tag: "v1.14.5"
- # kvstoremesh-digest
- digest: "sha256:492cde62cb2def832b3213211cb99d59bd9fe9789be32a181fb24554077368b0"
- digest: "sha256:d7137edd0efa2b1407b20088af3980a9993bb616d85bf9b55ea2891d1b99023a"
- useDigest: true
+ useDigest: false
pullPolicy: "IfNotPresent"

# -- Additional KVStoreMesh arguments.
@@ -3200,3 +3178,11 @@
@@ -3222,3 +3199,11 @@
agentSocketPath: /run/spire/sockets/agent/agent.sock
# -- SPIRE connection timeout
connectionTimeout: 30s
+
+portmapPlugin:
+ image:
+ repository: "rancher/hardened-cni-plugins"
+ tag: "v1.2.0-build20231009"
+ tag: "v1.4.0-build20240122"
+
+global:
+ systemDefaultRegistry: ""
2 changes: 1 addition & 1 deletion packages/rke2-cilium/package.yaml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
url: https://helm.cilium.io/cilium-1.14.4.tgz
url: https://helm.cilium.io/cilium-1.14.5.tgz
packageVersion: 00

0 comments on commit 235c137

Please sign in to comment.