cilium 1.17.8

This commit is contained in:
Philip Haupt
2025-10-24 19:24:16 +02:00
parent 4786b2ff42
commit 92c95645af
5 changed files with 4128 additions and 122 deletions



@@ -20,7 +20,7 @@ commonLabels: {}
# Cilium will not change critical values to ensure continued operation
# This flag is not required for new installations.
# For example: '1.7', '1.8', '1.9'
upgradeCompatibility: null
upgradeCompatibility: 1.17.1
debug:
# -- Enable debug logging
enabled: false
@@ -53,12 +53,12 @@ iptablesRandomFully: false
# @default -- `"~/.kube/config"`
kubeConfigPath: ""
# -- (string) Kubernetes service host - use "auto" for automatic lookup from the cluster-info ConfigMap
k8sServiceHost: ""
k8sServiceHost: localhost
# @schema
# type: [string, integer]
# @schema
# -- (string) Kubernetes service port
k8sServicePort: ""
k8sServicePort: 7445
# @schema
# type: [null, string]
# @schema
@@ -80,14 +80,14 @@ k8sClientRateLimit:
# @schema
# -- (int) The sustained request rate in requests per second.
# @default -- 10
qps:
qps: 20
# @schema
# type: [null, integer]
# @schema
# -- (int) The burst request rate in requests per second.
# The rate limiter will allow short bursts with a higher rate.
# @default -- 20
burst:
burst: 100
# -- Configure the client side rate limit for the Cilium Operator
operator:
# @schema
@@ -110,11 +110,11 @@ cluster:
# * It must begin and end with a lower case alphanumeric character;
# * It may contain lower case alphanumeric characters and dashes between.
# The "default" name cannot be used if the Cluster ID is different from 0.
name: default
name: talos
# -- (int) Unique ID of the cluster. Must be unique across all connected
# clusters and in the range of 1 to 255. Only required for Cluster Mesh,
# may be 0 if Cluster Mesh is not used.
id: 0
id: 1
# -- Define serviceAccount names for components.
# @default -- Component's fully qualified name.
serviceAccounts:
@@ -183,7 +183,7 @@ agent: true
# -- Agent container name.
name: cilium
# -- Roll out cilium agent pods automatically when configmap is updated.
rollOutCiliumPods: false
rollOutCiliumPods: true
# -- Agent container image.
image:
# @schema
@@ -314,7 +314,7 @@ securityContext:
# Used since cilium monitor uses mmap
- IPC_LOCK
# Used in iptables. Consider removing once we are iptables-free
- SYS_MODULE
#- SYS_MODULE
# Needed to switch network namespaces (used for health endpoint, socket-LB).
# We need it for now but might not need it for >= 5.11 specially
# for the 'SYS_RESOURCE'.
@@ -358,7 +358,7 @@ securityContext:
# Used since cilium modifies routing tables, etc...
- NET_ADMIN
# Used in iptables. Consider removing once we are iptables-free
- SYS_MODULE
#- SYS_MODULE
# We need it for now but might not need it for >= 5.11 specially
# for the 'SYS_RESOURCE'.
# In >= 5.8 there's already BPF and PERMON capabilities
@@ -431,7 +431,7 @@ highScaleIPcache:
# -- Configure L2 announcements
l2announcements:
# -- Enable L2 announcements
enabled: false
enabled: true
# -- If a lease is not renewed for X duration, the current leader is considered dead, a new leader is picked
# leaseDuration: 15s
# -- The interval at which the leader will renew the lease
@@ -619,7 +619,7 @@ bpf:
# the kernel supports it. The latter has the implication that it will also
# bypass netfilter in the host namespace.
# @default -- `false`
hostLegacyRouting: ~
hostLegacyRouting: true
# @schema
# type: [null, boolean]
# @schema
@@ -793,7 +793,7 @@ daemon:
# masqueraded (to an output device IPv4 address), if the output device runs the
# program. When not specified, probing will automatically detect devices that have
# a non-local route. This should be used only when autodetection is not suitable.
# devices: ""
devices: eth+
# -- Enables experimental support for the detection of new and removed datapath
# devices. When devices change the eBPF datapath is reloaded and services updated.
@@ -855,15 +855,15 @@ envoyConfig:
ingressController:
# -- Enable cilium ingress controller
# This will automatically set enable-envoy-config as well.
enabled: false
enabled: true
# -- Set cilium ingress controller to be the default ingress controller
# This will let cilium ingress controller route entries without ingress class set
default: false
default: true
# -- Default ingress load balancer mode
# Supported values: shared, dedicated
# For granular control, use the following annotations on the ingress resource:
# "ingress.cilium.io/loadbalancer-mode: dedicated" (or "shared").
loadbalancerMode: dedicated
loadbalancerMode: shared
# -- Enforce https for host having matching TLS host in Ingress.
# Incoming traffic to http listener will return 308 http error code with respective location in header.
enforceHttps: true
@@ -898,7 +898,8 @@ ingressController:
# -- Labels to be added for the shared LB service
labels: {}
# -- Annotations to be added for the shared LB service
annotations: {}
annotations:
io.cilium/lb-ipam-ips: 192.168.0.180
# -- Service type for the shared LB service
type: LoadBalancer
# @schema
@@ -948,7 +949,7 @@ ingressController:
gatewayAPI:
# -- Enable support for Gateway API in cilium
# This will automatically set enable-envoy-config as well.
enabled: false
enabled: true
# -- Enable proxy protocol for all GatewayAPI listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled.
enableProxyProtocol: false
# -- Enable Backend Protocol selection support (GEP-1911) for Gateway API via appProtocol.
@@ -1439,9 +1440,9 @@ hubble:
extraIpAddresses: []
relay:
# -- Enable Hubble Relay (requires hubble.enabled=true)
enabled: false
enabled: true
# -- Roll out Hubble Relay pods automatically when configmap is updated.
rollOutPods: false
rollOutPods: true
# -- Hubble-relay container image.
image:
# @schema
@@ -1656,7 +1657,7 @@ hubble:
port: 6062
ui:
# -- Whether to enable the Hubble UI.
enabled: false
enabled: true
standalone:
# -- When true, it will allow installing the Hubble UI only, without checking dependencies.
# It is useful if a cluster already has cilium and Hubble relay installed and you just
@@ -1680,7 +1681,7 @@ hubble:
# - key: ca.crt
# path: hubble-relay-ca.crt
# -- Roll out Hubble-ui pods automatically when configmap is updated.
rollOutPods: false
rollOutPods: true
tls:
client:
# -- Name of the Secret containing the client certificate and key for Hubble UI
@@ -1912,7 +1913,7 @@ installNoConntrackIptablesRules: false
ipam:
# -- Configure IP Address Management mode.
# ref: https://docs.cilium.io/en/stable/network/concepts/ipam/
mode: "cluster-pool"
mode: kubernetes
# -- Maximum rate at which the CiliumNode custom resource is updated.
ciliumNodeUpdateRate: "15s"
# -- Pre-allocation settings for IPAM in Multi-Pool mode
@@ -2026,7 +2027,7 @@ readinessProbe:
# -- Configure the kube-proxy replacement in Cilium BPF datapath
# Valid options are "true" or "false".
# ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/
#kubeProxyReplacement: "false"
kubeProxyReplacement: true
# -- healthz server bind address for the kube-proxy replacement.
# To enable set the value to '0.0.0.0:10256' for all ipv4
@@ -2129,7 +2130,7 @@ loadBalancer:
# -- algorithm is the name of the load balancing algorithm for backend
# selection e.g. random or maglev
# algorithm: random
algorithm: maglev
# -- mode is the operation mode of load balancing for remote backends
# e.g. snat, dsr, hybrid
@@ -2472,14 +2473,14 @@ envoy:
# We need it for now but might not need it for >= 5.11 specially
# for the 'SYS_RESOURCE'.
# In >= 5.8 there's already BPF and PERMON capabilities
- SYS_ADMIN
#- SYS_ADMIN
# Both PERFMON and BPF requires kernel 5.8, container runtime
# cri-o >= v1.22.0 or containerd >= v1.5.0.
# If available, SYS_ADMIN can be removed.
#- PERFMON
#- BPF
- PERFMON
- BPF
# -- Keep capability `NET_BIND_SERVICE` for Envoy process.
keepCapNetBindService: false
keepCapNetBindService: true
# -- Affinity for cilium-envoy.
affinity:
podAntiAffinity:
@@ -2711,7 +2712,7 @@ operator:
# -- Enable the cilium-operator component (required).
enabled: true
# -- Roll out cilium-operator pods automatically when configmap is updated.
rollOutPods: false
rollOutPods: true
# -- cilium-operator image.
image:
# @schema
@@ -3565,7 +3566,7 @@ cgroup:
# If users disable `autoMount`, it's expected that users have mounted
# cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the
# volume will be mounted inside the cilium agent pod at the same path.
enabled: true
enabled: false
# -- Init Container Cgroup Automount resource limits & requests
resources: {}
# limits:
@@ -3575,7 +3576,7 @@ cgroup:
# cpu: 100m
# memory: 128Mi
# -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`)
hostRoot: /run/cilium/cgroupv2
hostRoot: /sys/fs/cgroup
# -- Configure sysctl override described in #20072.
sysctlfix:
# -- Enable the sysctl override. When enabled, the init container will mount the /proc of the host so that the `sysctlfix` utility can execute.
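Review bot: The two `#- SYS_MODULE` lines under securityContext drop the agent's ability to load kernel modules while `hostLegacyRouting: true` in the bpf hunk keeps host traffic on the netfilter path, so this presumably relies on the host already having the iptables/netfilter modules loaded; the comment just above each commented-out line still reads "Used in iptables", which now describes a capability that is no longer granted. I would replace that stale comment with one recording the assumption, e.g. `# SYS_MODULE dropped: iptables/netfilter modules must already be loaded on the host`, and add a similar one-liner next to `#- SYS_ADMIN` in the envoy hunk, where the existing "If available, SYS_ADMIN can be removed" note is what justifies switching to `PERFMON`/`BPF` (the capability lists continue outside these hunks). Separately, `upgradeCompatibility: 1.17.1` is unquoted although the comment above it shows quoted examples; a two-dot value parses as a string, but `upgradeCompatibility: '1.17.1'` stays safe if it is ever shortened to a major.minor form, and the second file section sets the same key to 1.17.8, so if the two copies are meant to match one of them is stale.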


@@ -20,7 +20,7 @@ commonLabels: {}
# Cilium will not change critical values to ensure continued operation
# This flag is not required for new installations.
# For example: '1.7', '1.8', '1.9'
upgradeCompatibility: null
upgradeCompatibility: 1.17.8
debug:
# -- Enable debug logging
enabled: false