From d796c11b412640280bbecdeac36ee6e77d400365 Mon Sep 17 00:00:00 2001 From: Philip Haupt <“der.mad.mob@gmail.com”> Date: Fri, 24 Oct 2025 22:23:43 +0200 Subject: [PATCH] cilium 1.18.2 --- cilium/cilium-preflight.yaml | 75 ++++++- cilium/main.yaml | 158 ++++++++++---- cilium/src/ip-pool.yaml | 1 - cilium/src/kustomization.yaml | 2 +- cilium/src/values.yaml | 387 +++++++++++++++++++++++++--------- 5 files changed, 473 insertions(+), 150 deletions(-) diff --git a/cilium/cilium-preflight.yaml b/cilium/cilium-preflight.yaml index 82e0544..df5750f 100644 --- a/cilium/cilium-preflight.yaml +++ b/cilium/cilium-preflight.yaml 
@@ -6,6 +6,17 @@ metadata: name: "cilium-pre-flight" namespace: kube-system --- +# Source: cilium/templates/cilium-envoy/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: cilium-envoy-config + namespace: kube-system +data: + # Keep the key name as bootstrap-config.json to avoid breaking changes + bootstrap-config.json: | + {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDura
tion":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndp
oints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extens
ions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-health-listener"}]}} +--- # Source: cilium/templates/cilium-preflight/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -137,7 +148,7 @@ roleRef: name: cilium-pre-flight subjects: - kind: ServiceAccount - name: "cilium-pre-flight" + name: "cilium-pre-flight" namespace: kube-system --- # Source: cilium/templates/cilium-preflight/daemonset.yaml @@ -153,6 +164,8 @@ spec: kubernetes.io/cluster-service: "true" template: metadata: + annotations: + kubectl.kubernetes.io/default-container: cilium-pre-flight-check labels: app.kubernetes.io/part-of: cilium k8s-app: cilium-pre-flight-check @@ -168,7 +181,7 @@ spec: topologyKey: kubernetes.io/hostname initContainers: - name: clean-cilium-state - image: "quay.io/cilium/cilium:v1.17.8@sha256:6d7ea72ed311eeca4c75a1f17617a3d596fb6038d30d00799090679f82a01636" + image: "quay.io/cilium/cilium:v1.18.2@sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667" imagePullPolicy: IfNotPresent command: ["/bin/echo"] args: @@ -176,7 +189,7 @@ spec: terminationMessagePolicy: FallbackToLogsOnError containers: - name: cilium-pre-flight-check - image: "quay.io/cilium/cilium:v1.17.8@sha256:6d7ea72ed311eeca4c75a1f17617a3d596fb6038d30d00799090679f82a01636" + image: "quay.io/cilium/cilium:v1.18.2@sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667" imagePullPolicy: IfNotPresent command: ["/bin/sh"] args: 
@@ -205,6 +218,42 @@ spec: volumeMounts: - name: cilium-run mountPath: /var/run/cilium + securityContext: + allowPrivilegeEscalation: false + terminationMessagePolicy: FallbackToLogsOnError + - name: cilium-pre-flight-envoy + image: "quay.io/cilium/cilium-envoy:v1.34.7-1757592137-1a52bb680a956879722f48c591a2ca90f7791324@sha256:7932d656b63f6f866b6732099d33355184322123cfe1182e6f05175a3bc2e0e0" + imagePullPolicy: IfNotPresent + command: ["/bin/sh"] + args: + - -c + - "touch /tmp/ready; sleep 1h" + livenessProbe: + exec: + command: + - cat + - /tmp/ready + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - cat + - /tmp/ready + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - name: envoy-sockets + mountPath: /var/run/cilium/envoy/sockets + readOnly: false + - name: envoy-artifacts + mountPath: /var/run/cilium/envoy/artifacts + readOnly: true + - name: envoy-config + mountPath: /var/run/cilium/envoy/ + readOnly: true + securityContext: + allowPrivilegeEscalation: false terminationMessagePolicy: FallbackToLogsOnError hostNetwork: true dnsPolicy: ClusterFirstWithHostNet @@ -227,6 +276,22 @@ spec: hostPath: path: /sys/fs/bpf type: DirectoryOrCreate + - name: envoy-sockets + hostPath: + path: "/var/run/cilium/envoy/sockets" + type: DirectoryOrCreate + - name: envoy-artifacts + hostPath: + path: "/var/run/cilium/envoy/artifacts" + type: DirectoryOrCreate + - name: envoy-config + configMap: + name: "cilium-envoy-config" + # note: the leading zero means this number is in octal representation: do not remove it + defaultMode: 0400 + items: + - key: bootstrap-config.json + path: bootstrap-config.json --- # Source: cilium/templates/cilium-preflight/deployment.yaml apiVersion: apps/v1 @@ -236,7 +301,7 @@ metadata: namespace: kube-system labels: app.kubernetes.io/part-of: cilium - app.kubernetes.io/name: cilium-pre-flight-check + app.kubernetes.io/name: cilium-pre-flight-check spec: selector: matchLabels: 
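Review bot: The new `cilium-pre-flight-envoy` container sets only `allowPrivilegeEscalation: false`, so it keeps the runtime's default capability set while the pod runs with `hostNetwork: true` and mounts the host path `/var/run/cilium/envoy/sockets` with `readOnly: false`. As written the container only runs `touch /tmp/ready; sleep 1h`, so it should need no capabilities and no write access to the socket directory. Consider adding `capabilities: {drop: [ALL]}` to its `securityContext`, as the operator container in `cilium/main.yaml` does in this same commit, and setting `readOnly: true` on the `envoy-sockets` mount. This file looks like rendered chart output, so the change probably belongs in a kustomize patch or the chart values, otherwise the next render will overwrite it. The container list starts outside this hunk.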
@@ -252,7 +317,7 @@ spec: spec: containers: - name: cnp-validator - image: "quay.io/cilium/cilium:v1.17.8@sha256:6d7ea72ed311eeca4c75a1f17617a3d596fb6038d30d00799090679f82a01636" + image: "quay.io/cilium/cilium:v1.18.2@sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667" imagePullPolicy: IfNotPresent command: ["/bin/sh"] args: diff --git a/cilium/main.yaml b/cilium/main.yaml index da2394a..bf203ee 100644 --- a/cilium/main.yaml +++ b/cilium/main.yaml @@ -451,7 +451,6 @@ rules: - ciliumendpoints.cilium.io - ciliumendpointslices.cilium.io - ciliumenvoyconfigs.cilium.io - - ciliumexternalworkloads.cilium.io - ciliumidentities.cilium.io - ciliumlocalredirectpolicies.cilium.io - ciliumnetworkpolicies.cilium.io @@ -460,6 +459,7 @@ rules: - ciliumcidrgroups.cilium.io - ciliuml2announcementpolicies.cilium.io - ciliumpodippools.cilium.io + - ciliumgatewayclassconfigs.cilium.io resources: - customresourcedefinitions verbs: @@ -526,6 +526,12 @@ rules: - get - list - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - patch - apiGroups: - gateway.networking.k8s.io resources: @@ -537,6 +543,21 @@ rules: verbs: - update - patch +- apiGroups: + - cilium.io + resources: + - ciliumgatewayclassconfigs + verbs: + - get + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumgatewayclassconfigs/status + verbs: + - update + - patch - apiGroups: - multicluster.x-k8s.io resources: @@ -751,7 +772,6 @@ subjects: apiVersion: v1 data: agent-not-ready-taint-key: node.cilium.io/agent-not-ready - arping-refresh-period: 30s auto-direct-node-routes: "false" bpf-distributed-lru: "false" bpf-events-drop-enabled: "true" @@ -767,6 +787,7 @@ data: bpf-lb-source-range-all-types: "false" bpf-map-dynamic-size-ratio: "0.0025" bpf-policy-map-max: "16384" + bpf-policy-stats-map-max: "65536" bpf-root: /sys/fs/bpf cgroup-root: /sys/fs/cgroup cilium-endpoint-gc-interval: 5m0s 
@@ -790,7 +811,6 @@ data: enable-endpoint-health-checking: "true" enable-endpoint-lockdown-on-policy-overflow: "false" enable-envoy-config: "true" - enable-experimental-lb: "false" enable-gateway-api: "true" enable-gateway-api-alpn: "false" enable-gateway-api-app-protocol: "false" @@ -812,19 +832,16 @@ data: enable-ipv6-big-tcp: "false" enable-ipv6-masquerade: "true" enable-k8s-networkpolicy: "true" - enable-k8s-terminating-endpoint: "true" enable-l2-announcements: "true" enable-l2-neigh-discovery: "true" enable-l7-proxy: "true" enable-lb-ipam: "true" - enable-local-redirect-policy: "false" enable-masquerade-to-route-source: "false" enable-metrics: "true" enable-node-selector-labels: "false" enable-non-default-deny-policies: "true" enable-policy: default enable-policy-secrets-sync: "true" - enable-runtime-device-detection: "true" enable-sctp: "false" enable-source-ip-verification: "true" enable-svc-source-range-check: "true" @@ -846,9 +863,8 @@ data: health-check-icmp-failure-threshold: "3" http-retry-count: "3" hubble-disable-tls: "false" - hubble-export-file-max-backups: "5" - hubble-export-file-max-size-mb: "10" hubble-listen-address: :4244 + hubble-network-policy-correlation-enabled: "true" hubble-socket-path: /var/run/cilium/hubble.sock hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt @@ -856,6 +872,7 @@ data: identity-allocation-mode: crd identity-gc-interval: 15m0s identity-heartbeat-timeout: 30m0s + identity-management-mode: agent ingress-default-lb-mode: shared ingress-hostnetwork-enabled: "false" ingress-hostnetwork-nodelabelselector: "" @@ -879,6 +896,7 @@ data: mesh-auth-gc-interval: 5m0s mesh-auth-queue-size: "1024" mesh-auth-rotated-identities-queue-size: "1024" + metrics-sampling-interval: 5m monitor-aggregation: medium monitor-aggregation-flags: all monitor-aggregation-interval: 5s 
@@ -888,6 +906,7 @@ data: nodes-gc-interval: 5m0s operator-api-serve-addr: 127.0.0.1:9234 operator-prometheus-serve-addr: :9963 + policy-default-local-cluster: "false" policy-secrets-namespace: cilium-secrets policy-secrets-only-from-secrets-namespace: "true" preallocate-bpf-maps: "false" @@ -911,6 +930,7 @@ data: tofqdns-endpoint-max-ip-per-hostname: "1000" tofqdns-idle-connection-grace-period: 0s tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-preallocate-identities: "true" tofqdns-proxy-response-max-delay: 100ms tunnel-protocol: vxlan tunnel-source-port-range: 0-0 
@@ -928,7 +948,7 @@ metadata: apiVersion: v1 data: bootstrap-config.json: | - {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name"
:"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.e
xtensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"rout
eConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-health-listener"}]}} + {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamP
rotocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run
/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressC
onfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-health-listener"}]}} kind: ConfigMap metadata: name: cilium-envoy-config @@ -948,16 +968,38 @@ metadata: --- apiVersion: v1 data: - nginx.conf: "server {\n listen 8081;\n listen [::]:8081;\n server_name - \ localhost;\n root /app;\n index index.html;\n client_max_body_size - 1G;\n\n location / {\n proxy_set_header Host $host;\n proxy_set_header - X-Real-IP $remote_addr;\n\n location /api {\n proxy_http_version - 1.1;\n proxy_pass_request_headers on;\n proxy_pass http://127.0.0.1:8090;\n - \ }\n location / {\n # double `/index.html` is required - here \n try_files $uri $uri/ /index.html /index.html;\n }\n\n - \ # Liveness probe\n location /healthz {\n access_log - off;\n add_header Content-Type text/plain;\n return 200 - 'ok';\n }\n }\n}" + nginx.conf: |- + server { + listen 8081; + listen [::]:8081; + server_name localhost; + root /app; + index index.html; + client_max_body_size 1G; + + location / { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + + location /api { + proxy_http_version 1.1; + proxy_pass_request_headers on; + proxy_pass http://127.0.0.1:8090; + } + location / { + if ($http_user_agent ~* "kube-probe") { access_log off; } + # double `/index.html` is required here + try_files $uri $uri/ /index.html /index.html; + } + + # Liveness probe + location /healthz { + access_log off; + add_header Content-Type text/plain; + return 200 'ok'; + } + } + } kind: ConfigMap metadata: name: hubble-ui-nginx 
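Review bot: The added `if ($http_user_agent ~* "kube-probe") { access_log off; }` in the inner `location /` of the `hubble-ui-nginx` config switches access logging off based on a client-controlled header. Any request to the UI whose User-Agent contains that string, in any letter case, leaves no access-log entry, which weakens the log as an audit and detection source. The config already has a `/healthz` location with `access_log off;`, so pointing the kubelet probes there would allow the `if` line to be dropped with the same noise reduction. The probe definition is outside this hunk, so confirm which path it uses first. If the line has to stay, add a comment above it such as `# User-Agent is client-supplied: requests matching this are not logged`.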
@@ -965,8 +1007,8 @@ metadata: --- apiVersion: v1 data: - ca.crt: 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 - ca.key: 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 + ca.crt: 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 + ca.key: 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 kind: Secret metadata: name: cilium-ca 
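Review bot: The `cilium-ca` Secret in this hunk carries `ca.key` in the committed manifest, and the next two hunks (`hubble-relay-client-certs`, `hubble-server-certs`) carry `tls.key`, so the CA and Hubble TLS private keys sit in the repository as base64, which is an encoding and not encryption. Anyone who can read the repo or its history can recover them. The removed `tls.key` line of `hubble-relay-client-certs` stays readable in history, so that key should be treated as exposed, not merely replaced. The values change on every render, which suggests Helm-generated certificates. Consider generating them in the cluster instead (for example `hubble.tls.auto.method: cronJob` or `certmanager` in `cilium/src/values.yaml`), or encrypting these Secrets before commit, and rotate the CA afterwards.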
@@ -974,9 +1016,9 @@ metadata: --- apiVersion: v1 data: - ca.crt: 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 - tls.crt: 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 - tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBbWlPdzV3TmZSWGZueFpBN1FQZEl3KzNPblpoZnRTMHFKMHZGRFhoVWhrV1FQczN6CnFVZDdTUjRYaTNQQWZKZ0VxZkVpU2prNWd4SWZ5YnlPZ05tQ3p0b0QzdHlMSERYZTE4L24veW9sckVuNE80WjkKOXhYZmZCZUtDYkthUlRwd3pndEQ5VzdhY2pCYmk1MndwdDd4b0dqRnJtZHpmYkgxWkVFb0M1SVV3UjJXc2lMSAowV1BaR2tPTHFERm9wNFVqc09MWi81Uit0YVNlVWszRVJlSWQxWkQrQVZCV2xJYlpCTFJBRjZYaUJzbmNZZWxtCkgrMkh2V09UOG1tUnJQWVZGNWJIZTl0VzZCNlRZMHEzdEZmUTEzcUFMdy9VQ3ZrdFdHSDNIR05USTc3MGRuU1IKKzZkUlp5dk9NUEtQdmc2Z3NxTlZkNWJLeElidXFjRDFLdEtZVVFJREFRQUJBb0lCQUVoWklrcDhTYmFJbmxBYgo3OFFCamJUeEpQN1JxM0tWdldodVp4SjRmV3Y4c01UWjFGbUxSTEhBSHhzRWZMKytkc254ZGIvUzlreXdNQjEzCmxJZWtFSUxZeitKR01FRlFnOFZXUDdXRDZlVGhYMU5KUUV5K2hvUnZaQXBETzZmczAwL1M5OVgyYnpBVHhKUlcKc3JqUWdpZGhwZy9EWFBFTm0zbXdINFMyejJrSXFObGdVMnhrWTFzMFQzYkszTG9NOWpsWEczekovZm1HbXlGagpqUndleDZhZTIvYWl2MlpHakp5M1V6bVdVNUdsRmEvZzM4OVdvSEw5Q2xGRUh4NDNwWXJZTHVaTGNzaUovSEpmCk5ucFg5RFZrUFpzdmpiZnhjaDVmNG5laWJzWjFUUjlPM2JweGNCM1V2NE5RcitWcE1LS1JLT0ZMSTdzOUxKRVYKZFo5dS9FVUNnWUVBeVZEbWsvRTRYNjVVbTYrcnRqNU1WVzlsN2w0cythSGxtZTd4RjhFME5rTFFZblhBdXVxUwpjd3dhTk9PMmdTa1FKSW11cDJZb3lZZ3JMT2NZRnBJM2xWUEZvKzVobk96dk4xUUtWZDQwQll5cSt1dndRQ3kyCjdIeDVZOE9BUVo1UytYZ25MSG5iZlN1dTVUUllGOGJJTEdtMHRsSkx3U2p4dXhLUFBIVEhnRjhDZ1lFQXhBSTYKS0RPeGVQbkJVM1pQVzFZWGVROEU3SGFza0IvdThweWxnNkpJU3NkNExLVzZlOTl2Q1J3SHJFV2ZvQXgzU1pFdgpyL2YwOXJnUkRXK3VRUHpQb05NMC85aW4xTHFiUDhMU3NDdEJobHM2QlNWMENtb0hlelVuOFR2MzFEaDNMV1ZoCnEwMk9ZOE41WjFGT0t5OHFwQmI3MjgxMzc0dzJZMVZEN0xlejVVOENnWUFYUUJteFFtM0JWeS84WHhpVXpyTWcKTnVKdDJrQ1ZnQ1kxVmd4UU13Y2xzU2ZDQjFsLy9QRjNDaEhJdy9makNPd05YRDFvcGZyVjg3MFF6WXZScDRkMQozcHYzNStNc0xZMGZOYnlQMkQ3bjJTd3lHS2ZCc2FoYXZiR0RYU1BsOERRakRjWndjNDV1OFdtY25TUURjdmpSCmNFL25zcTkvR294NGo1Y3RZMHRiUHdLQmdESWZlNjNDSWxVVVVScTl1MmRZNmFHOGRIN2ZqaHRBLzBLdFNpb1MKT3JoY3I5K0M5ZUF0YitCOWVYelZS
UStSZ0lPZ2kvaE15U2k2UXlvVGNCVVFVU3dJTnBwaVZmQ3hVM2dIb3djSAoyTGE1NTJsZmZZQVlReGQvclZva0Fxa1RVMjZaYVZONy9yaUdTU3BoZ1VMTHlmU3lKKys2YUR3cXQ5SEpBUmlzCmxXVkRBb0dBR0pHUWZwcjNVVHhwelMydmg0NjFUTS9DcnhhZkRWTGtIRFZwUHJrL2VoRU82dzhhRlBIZ1FFRW4KbTc4L2VLS290NUowdnVhaDA1S0tiaFVIS0I3Zm5zaGNqbmhCOVNTUVVERG1nOUp6aDVoblNIUjBvT1lScTcyYwpnYUVvZSs5M1JibEVjZjNXaWlBU1NnWVRqTXVjWFc2enZraHNHQWtVblR6aGJKNWk1Mnc9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== + ca.crt: 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 + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTRENDQWpDZ0F3SUJBZ0lRSEpoVVVpa2M4WE42NlRrd0F0V3k2ekFOQmdrcWhraUc5dzBCQVFzRkFEQVUKTVJJd0VBWURWUVFERXdsRGFXeHBkVzBnUTBFd0hoY05NalV4TURJME1UZzFOekEwV2hjTk1qWXhNREkwTVRnMQpOekEwV2pBak1TRXdId1lEVlFRRERCZ3FMbWgxWW1Kc1pTMXlaV3hoZVM1amFXeHBkVzB1YVc4d2dnRWlNQTBHCkNTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFER2Zkb3MxTzBoQWlHd1hrcFVmWkd2UlhhdmFqSUcKaThNd0V0azJ6ZlVBdmY2LzE5M3JVRXNVbWRiN1JwMVpjUkJBK1FnRldRRlE2MmxPdnVrSGEzTnhqazhUdFl6Ygo5aEgzZmZmSHZRdVprNVNxQjgzSEtZck0yTjM5ODlHYW0xeDdNSWNYUlRBa3BtWkhaa3FocmxIOXJJZ1A2ZDUwCndpaVF0aUNTL3gvTmh5emVXUHpPOUx4MXNhU3lJTlNDc1hpZXJQUEVTbTIvTnhnMElCM1MxUXhYWmdNY0JGbjIKY3hwZTFMdmduUlgyWVFIL0pPY1BMcWZPZENYZk5jU3B5Qkk4eE0wQU1kRkhvOWZpRzVoTUtheFJFa29yN054SgpJMWQwVi9pMmdCQUw0MmxOdlVSZTNjWW9SNURjS3VJd21la01tR3dXQnpGYk1xbmdTRjZyejRUeEFnTUJBQUdqCmdZWXdnWU13RGdZRFZSMFBBUUgvQkFRREFnV2dNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUYKQlFjREFqQU1CZ05WSFJNQkFmOEVBakFBTUI4R0ExVWRJd1FZTUJhQUZISXBTZ2xMaDFnREdvNjJwSTdUQ3NORgpLM1ViTUNNR0ExVWRFUVFjTUJxQ0dDb3VhSFZpWW14bExYSmxiR0Y1TG1OcGJHbDFiUzVwYnpBTkJna3Foa2lHCjl3MEJBUXNGQUFPQ0FRRUFWdmFqNEJIL2VwYUNCeFgxcGkvSHZXMVZ1ODVId1R3NUY1WHE2TVVCWWkvdTgzVHMKc2xNSDNWenJpTkJnSW5JMU9GYzlsL0s5eThJWG9pTWdVS1c2YlF5eERiV3NNOEhpY2IzSkxvYk12eDltQUxXTgpTbEtWYzRacHpWRjFuRXhBTU1zZFcrbDdBcS80MEpzYTNHQTBrMGVEa3NOaXA3TDNOL1Z5bG1pRXZ2R3dZSTY5CjFuVFZ4VWNRNy9udVE3Z1hKdVZuUmh0TTI1ZlIxNzk1c3RDcGhwclgxQUsxeDJBV3FtT1VscXZ4bjI5U2VDTFUKSGd6bC9EUHdHYWkyUEVSY2xyK1RGaXdYV1RRdmxwTDAxbkxqazBjU3ZERmhCMHg3Q0xJ
Q2UrbkZ2NnY0MDJ1dwpPbmtpa2VYQnhubWNlekhXSXBYNGZWSW0xRlpLRnhqTG5hbksxZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + tls.key: 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 kind: Secret metadata: name: hubble-relay-client-certs 
@@ -985,9 +1027,9 @@ type: kubernetes.io/tls --- apiVersion: v1 data: - ca.crt: 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 - tls.crt: 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 - tls.key: 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 + ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lRY2xyU3JxSEw1SzNFZUdvcWI3YUlhREFOQmdrcWhraUc5dzBCQVFzRkFEQVUKTVJJd0VBWURWUVFERXdsRGFXeHBkVzBnUTBFd0hoY05NalV4TURJME1UZzFOekF6V2hjTk1qZ3hNREl6TVRnMQpOekF6V2pBVU1SSXdFQVlEVlFRREV3bERhV3hwZFcwZ1EwRXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRQ1pMYk9hMEJUSW9RMGdweVkvbUlJN09VeGlnaGsyZk53S0I4UWtHQ1lDU1RpTmp1d0MKQVZKc0dkdEtJSDdsYTEwZkgrL0FVU2VuUEN6OEFJZUtReC9FcmFjUXdpRW9sRUxNTlNXMmMzbHRCYUs5Ymlxbwp1NEtyZTdROEpEcDRqOGI1U3NBZGdlNlFvOFh1S2JBRGZ1cFhsaHFRcjZ6MTBwbzlnbnFSaHVKN1VJSld2L0pwClZ3eTBXamFxNXg1QU5iZHFRUGlsOEQ5eGRRdEhTNEFhSHRFRTJHWkFhdVljYUF4cE0wWjl6cnpRMm8ydnFxazkKTUFlZ1FXMzVvWFFsd1N4UlhZWHYxdWo0MmVseGtOTDBMWnd6YjNvODNGcUNBY2UvWlh3ekZEbzdZUFMvc1NDcApqamNTN0JlZmRUOFN1WCtOcXJDYWFuRUhzci8xRVNlbnVzczFBZ01CQUFHallUQmZNQTRHQTFVZER3RUIvd1FFCkF3SUNwREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXcKQXdFQi96QWRCZ05WSFE0RUZnUVVjaWxLQ1V1SFdBTWFqcmFranRNS3cwVXJkUnN3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFJQk93SitpV0ljMjQzdHpGUzNSdkNwajNnekYzb2tQQUkzQ2dpc1oxR3ZJemhjdTBYWXdUeFRHCmprVjhHWi9YaXlLdWpZd1R0Z2tpT3gra01Zc080Mk1kYWVkK1FtY2hBWXZtcTh0MDZIbkl6aGJUczNSR09ueHEKMVNZMVpvU1lya1h5WkZtUDRZOUo5UVo5bXlaR3B0MDBqWFZMdTE4Y0pTVnorNkIrbzZ2emFrNXR5bEprYmpGWgpSWUp1MGtQRFkvbVFJbTBEWDFIZ3h1L3cvb0hsTXJlVjdZVkdwTTdBRUNoSGFxMDExU3FOeW1qOGFITGU1S01SCllKSWN0SG5jRGlXcHl4OVVQRXd0Q2ZqSnhJQXd4MjZmVVFBemlxUU9CQmJGUFdpMUhTYnljN0Fra3I3bDk0SnYKMitmckJiTjB5cHZxakdEbzltZlo2dzBOVWZaSmNBcz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + tls.crt: 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 + tls.key: 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 kind: Secret metadata: name: hubble-server-certs 
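Review bot: The regenerated `tls.key` for the `hubble-server-certs` Secret is written into a rendered manifest that is tracked in git, so anyone who can read the repository or its history obtains the Hubble server's private key. The value is elided in this view, but the Secret just above this hunk ends in a base64-encoded `END RSA PRIVATE KEY` marker, and base64 in a Secret's `data` is encoding, not encryption. The certificates appear to come from Helm-side generation at render time, which is also why they change on every re-render. Consider setting `hubble.tls.auto.method` to `cronJob` or `certmanager` in `cilium/src/values.yaml` so the certificates are issued in-cluster and the rendered output carries no key material, and rotate the keys already committed. The Secret's manifest continues outside the hunk.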
@@ -1046,11 +1088,9 @@ spec: externalTrafficPolicy: Cluster ports: - name: http - nodePort: null port: 80 protocol: TCP - name: https - nodePort: null port: 443 protocol: TCP type: LoadBalancer @@ -1134,7 +1174,7 @@ spec: template: metadata: annotations: - cilium.io/cilium-configmap-checksum: 4f10952e95a86affe22cdebe32cd6f453b5a2a05d34475f5ada1d7ad133fc193 + cilium.io/cilium-configmap-checksum: 9927477ca7bfbac3c857bb73fb5fd939b8a53b0e777e968562ca72eb7e994b76 prometheus.io/port: "9963" prometheus.io/scrape: "true" labels: @@ -1178,7 +1218,7 @@ spec: value: localhost - name: KUBERNETES_SERVICE_PORT value: "7445" - image: quay.io/cilium/operator-generic:v1.17.8@sha256:5468807b9c31997f3a1a14558ec7c20c5b962a2df6db633b7afbe2f45a15da1c + image: quay.io/cilium/operator-generic:v1.18.2@sha256:cb4e4ffc5789fd5ff6a534e3b1460623df61cba00f5ea1c7b40153b5efb81805 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -1205,6 +1245,11 @@ spec: initialDelaySeconds: 0 periodSeconds: 5 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp/cilium/config-map @@ -1215,9 +1260,21 @@ spec: kubernetes.io/os: linux priorityClassName: system-cluster-critical restartPolicy: Always + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: cilium-operator tolerations: - - operator: Exists + - key: node-role.kubernetes.io/control-plane + operator: Exists + - key: node-role.kubernetes.io/master + operator: Exists + - key: node.kubernetes.io/not-ready + operator: Exists + - key: node.cloudprovider.kubernetes.io/uninitialized + operator: Exists + - key: node.cilium.io/agent-not-ready + operator: Exists volumes: - configMap: name: cilium-config 
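Review bot: The securityContext added to the cilium-operator container (hunk `-1205,6 +1245,11`) stops at `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`, with no `runAsNonRoot: true`. Unlike the hubble-relay container later in this file, nothing in the manifest prevents the operator process from running as UID 0. The values.yaml in this commit keeps `hostNetwork: true` for the operator, so the container's remaining privileges matter more than for an ordinary pod. If the operator image already runs as a non-root user (not visible here), adding `runAsNonRoot: true` under `operator.securityContext` in `cilium/src/values.yaml` would turn that image default into a guarantee the kubelet enforces. The container spec starts and ends outside the hunk.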
@@ -1263,7 +1320,7 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.17.8@sha256:2e576bf7a02291c07bffbc1ca0a66a6c70f4c3eb155480e5b3ac027bedd2858b + image: quay.io/cilium/hubble-relay:v1.18.2@sha256:6079308ee15e44dff476fb522612732f7c5c4407a1017bc3470916242b0405ac imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 12 @@ -1281,12 +1338,15 @@ spec: port: 4222 timeoutSeconds: 3 securityContext: + allowPrivilegeEscalation: false capabilities: drop: - ALL runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 20 grpc: @@ -1307,6 +1367,8 @@ spec: restartPolicy: Always securityContext: fsGroup: 65532 + seccompProfile: + type: RuntimeDefault serviceAccountName: hubble-relay terminationGracePeriodSeconds: 1 volumes: @@ -1351,7 +1413,7 @@ spec: template: metadata: annotations: - cilium.io/hubble-ui-nginx-configmap-checksum: de069d2597e16e4de004ce684b15d74b2ab6051c717ae073d86199a76d91fcf1 + cilium.io/hubble-ui-nginx-configmap-checksum: 76283720d1bb70050debf51116121fa9a67ebc9d1cd9167c3dd9bdbfb613df37 labels: app.kubernetes.io/name: hubble-ui app.kubernetes.io/part-of: cilium @@ -1373,6 +1435,8 @@ spec: httpGet: path: / port: 8081 + securityContext: + allowPrivilegeEscalation: false terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/nginx/conf.d/default.conf @@ -1391,6 +1455,8 @@ spec: ports: - containerPort: 8090 name: grpc + securityContext: + allowPrivilegeEscalation: false terminationMessagePolicy: FallbackToLogsOnError volumeMounts: null nodeSelector: 
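Review bot: The two hubble-ui containers (hunks `-1373,6 +1435,8` and `-1391,6 +1455,8`) receive only `allowPrivilegeEscalation: false`, while hubble-relay in the same file also gets `capabilities.drop: [ALL]` and `seccompProfile.type: RuntimeDefault`. Both UI containers use unprivileged ports in the visible context (8081 and 8090), so dropping all capabilities should need no exception. I would extend `hubble.ui.frontend.securityContext` and `hubble.ui.backend.securityContext` in `cilium/src/values.yaml` with `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}` and re-render; the matching values.yaml hunks (`-1706,7 +1772,8` and `-1740,7 +1807,8`) have the same gap. Whether a pod-level securityContext already covers the user or seccomp profile for hubble-ui is not visible, since the pod spec lies outside these hunks.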
@@ -1425,7 +1491,8 @@ spec: template: metadata: annotations: - cilium.io/cilium-configmap-checksum: 4f10952e95a86affe22cdebe32cd6f453b5a2a05d34475f5ada1d7ad133fc193 + cilium.io/cilium-configmap-checksum: 9927477ca7bfbac3c857bb73fb5fd939b8a53b0e777e968562ca72eb7e994b76 + kubectl.kubernetes.io/default-container: cilium-agent labels: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium @@ -1466,7 +1533,11 @@ spec: value: localhost - name: KUBERNETES_SERVICE_PORT value: "7445" - image: quay.io/cilium/cilium:v1.17.8@sha256:6d7ea72ed311eeca4c75a1f17617a3d596fb6038d30d00799090679f82a01636 + - name: KUBE_CLIENT_BACKOFF_BASE + value: "1" + - name: KUBE_CLIENT_BACKOFF_DURATION + value: "120" + image: quay.io/cilium/cilium:v1.18.2@sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667 imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -1547,7 +1618,7 @@ spec: level: s0 type: spc_t startupProbe: - failureThreshold: 105 + failureThreshold: 300 httpGet: host: 127.0.0.1 httpHeaders: @@ -1613,7 +1684,7 @@ spec: value: localhost - name: KUBERNETES_SERVICE_PORT value: "7445" - image: quay.io/cilium/cilium:v1.17.8@sha256:6d7ea72ed311eeca4c75a1f17617a3d596fb6038d30d00799090679f82a01636 + image: quay.io/cilium/cilium:v1.18.2@sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -1630,7 +1701,7 @@ spec: env: - name: BIN_PATH value: /opt/cni/bin - image: quay.io/cilium/cilium:v1.17.8@sha256:6d7ea72ed311eeca4c75a1f17617a3d596fb6038d30d00799090679f82a01636 + image: quay.io/cilium/cilium:v1.18.2@sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: 
@@ -1656,7 +1727,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.17.8@sha256:6d7ea72ed311eeca4c75a1f17617a3d596fb6038d30d00799090679f82a01636 + image: quay.io/cilium/cilium:v1.18.2@sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -1691,7 +1762,7 @@ spec: value: localhost - name: KUBERNETES_SERVICE_PORT value: "7445" - image: quay.io/cilium/cilium:v1.17.8@sha256:6d7ea72ed311eeca4c75a1f17617a3d596fb6038d30d00799090679f82a01636 + image: quay.io/cilium/cilium:v1.18.2@sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -1716,7 +1787,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.17.8@sha256:6d7ea72ed311eeca4c75a1f17617a3d596fb6038d30d00799090679f82a01636 + image: quay.io/cilium/cilium:v1.18.2@sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -1912,7 +1983,7 @@ spec: value: localhost - name: KUBERNETES_SERVICE_PORT value: "7445" - image: quay.io/cilium/cilium-envoy:v1.33.9-1757932127-3c04e8f2f1027d106b96f8ef4a0215e81dbaaece@sha256:06fbc4e55d926dd82ff2a0049919248dcc6be5354609b09012b01bc9c5b0ee28 + image: quay.io/cilium/cilium-envoy:v1.34.7-1757592137-1a52bb680a956879722f48c591a2ca90f7791324@sha256:7932d656b63f6f866b6732099d33355184322123cfe1182e6f05175a3bc2e0e0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 10 @@ -2025,7 +2096,6 @@ apiVersion: cilium.io/v2alpha1 kind: CiliumLoadBalancerIPPool metadata: name: ip-pool - namespase: kube-system spec: blocks: - start: 192.168.0.129 diff --git a/cilium/src/ip-pool.yaml b/cilium/src/ip-pool.yaml index 6286866..150fea2 100644 --- a/cilium/src/ip-pool.yaml +++ b/cilium/src/ip-pool.yaml 
@@ -3,7 +3,6 @@ apiVersion: cilium.io/v2alpha1 kind: CiliumLoadBalancerIPPool metadata: name: ip-pool - namespase: kube-system spec: blocks: - start: 192.168.0.129 diff --git a/cilium/src/kustomization.yaml b/cilium/src/kustomization.yaml index 9456a3e..e0c9c89 100644 --- a/cilium/src/kustomization.yaml +++ b/cilium/src/kustomization.yaml @@ -10,7 +10,7 @@ resources: helmCharts: - name: cilium repo: https://helm.cilium.io - version: 1.17.8 + version: 1.18.2 releaseName: cilium includeCRDs: true namespace: kube-system diff --git a/cilium/src/values.yaml b/cilium/src/values.yaml index 6142cbf..a8c791a 100644 --- a/cilium/src/values.yaml +++ b/cilium/src/values.yaml @@ -20,7 +20,7 @@ commonLabels: {} # Cilium will not change critical values to ensure continued operation # This flag is not required for new installations. # For example: '1.7', '1.8', '1.9' -upgradeCompatibility: 1.17.1 +upgradeCompatibility: 1.17.8 debug: # -- Enable debug logging enabled: false @@ -40,6 +40,14 @@ debug: # - datapath # - policy verbose: ~ + # -- Set the agent-internal metrics sampling frequency. This sets the + # frequency of the internal sampling of the agent metrics. These are + # available via the "cilium-dbg shell -- metrics -s" command and are + # part of the metrics HTML page included in the sysdump. + # @schema + # type: [null, string] + # @schema + metricsSamplingInterval: "5m" rbac: # -- Enable creation of Resource-Based Access Control configuration. create: true 
@@ -52,6 +60,18 @@ iptablesRandomFully: false # -- (string) Kubernetes config path # @default -- `"~/.kube/config"` kubeConfigPath: "" +# -- Configure the Kubernetes service endpoint dynamically using a ConfigMap. Mutually exclusive with `k8sServiceHost`. +k8sServiceHostRef: + # @schema + # type: [string, null] + # @schema + # -- (string) name of the ConfigMap containing the Kubernetes service endpoint + name: + # @schema + # type: [string, null] + # @schema + # -- (string) Key in the ConfigMap containing the Kubernetes service endpoint + key: # -- (string) Kubernetes service host - use "auto" for automatic lookup from the cluster-info ConfigMap k8sServiceHost: localhost # @schema @@ -103,6 +123,14 @@ k8sClientRateLimit: # The rate limiter will allow short bursts with a higher rate. # @default -- 200 burst: +# -- Configure exponential backoff for client-go in Cilium agent. +k8sClientExponentialBackoff: + # -- Enable exponential backoff for client-go in Cilium agent. + enabled: true + # -- Configure base (in seconds) for exponential backoff. + backoffBaseSeconds: 1 + # -- Configure maximum duration (in seconds) for exponential backoff. + backoffMaxDurationSeconds: 120 cluster: # -- Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. # It must respect the following constraints: @@ -180,7 +208,7 @@ serviceAccounts: terminationGracePeriodSeconds: 1 # -- Install the cilium agent resources. agent: true -# -- Agent container name. +# -- Agent daemonset name. name: cilium # -- Roll out cilium agent pods automatically when configmap is updated. rollOutCiliumPods: true 
@@ -191,10 +219,10 @@ image: # @schema override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.17.8" + tag: "v1.18.2" pullPolicy: "IfNotPresent" # cilium-digest - digest: "sha256:6d7ea72ed311eeca4c75a1f17617a3d596fb6038d30d00799090679f82a01636" + digest: "sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667" useDigest: true # -- Scheduling configurations for cilium pods scheduling: @@ -291,6 +319,8 @@ initResources: {} securityContext: # -- User to run the pod with # runAsUser: 0 + # -- disable privilege escalation + allowPrivilegeEscalation: false # -- Run the pod with elevated privileges privileged: false # -- SELinux options for the `cilium-agent` and init containers @@ -418,15 +448,11 @@ bandwidthManager: enabled: false # -- Activate BBR TCP congestion control for Pods bbr: false + # -- Activate BBR TCP congestion control for Pods in the host namespace only. + bbrHostNamespaceOnly: false # -- Configure standalone NAT46/NAT64 gateway nat46x64Gateway: - # -- Enable RFC8215-prefixed translation - enabled: false -# -- EnableHighScaleIPcache enables the special ipcache mode for high scale -# clusters. The ipcache content will be reduced to the strict minimum and -# traffic will be encapsulated to carry security identities. -highScaleIPcache: - # -- Enable the high scale mode for the ipcache. + # -- Enable RFC6052-prefixed translation enabled: false # -- Configure L2 announcements l2announcements: @@ -444,6 +470,8 @@ l2podAnnouncements: enabled: false # -- Interface used for sending Gratuitous ARP pod announcements interface: "eth0" + # -- A regular expression matching interfaces used for sending Gratuitous ARP pod announcements + # interfacePattern: "" # -- This feature set enables virtual BGP routers to be created via # CiliumBGPPeeringPolicy CRDs. bgpControlPlane: 
@@ -461,6 +489,18 @@ bgpControlPlane: # It is recommended to enable status reporting in general, but if you have any issue # such as high API server load, you can disable it by setting this to false. enabled: true + # -- BGP router-id allocation mode + routerIDAllocation: + # -- BGP router-id allocation mode. In default mode, the router-id is derived from the IPv4 address if it is available, or else it is determined by the lower 32 bits of the MAC address. + mode: "default" + # -- IP pool to allocate the BGP router-id from when the mode is ip-pool. + ipPool: "" + # -- Legacy BGP ORIGIN attribute settings (BGPv2 only) + legacyOriginAttribute: + # -- Enable/Disable advertising LoadBalancerIP routes with the legacy + # BGP ORIGIN attribute value INCOMPLETE (2) instead of the default IGP (0). + # Enable for compatibility with the legacy behavior of MetalLB integration. + enabled: false pmtuDiscovery: # -- Enable path MTU discovery to send ICMP fragmentation-needed replies to # the client. @@ -572,6 +612,11 @@ bpf: # type: [null, integer] # @schema policyMapMax: 16384 + # -- Configure the maximum number of entries in global policy stats map. + # @schema + # type: [null, integer] + # @schema + policyStatsMapMax: 65536 # @schema # type: [null, number, string] # @schema @@ -641,7 +686,7 @@ bpf: # supported kernels. # @default -- `true` enableTCX: true - # -- (string) Mode for Pod devices for the core datapath (veth, netkit, netkit-l2, lb-only) + # -- (string) Mode for Pod devices for the core datapath (veth, netkit, netkit-l2) # @default -- `veth` datapathMode: veth # -- Enable BPF clock source probing for more efficient tick retrieval. 
@@ -711,12 +756,15 @@ cni: # readCniConf: /host/etc/cni/net.d/05-sample.conflist.input # -- When defined, configMap will mount the provided value as ConfigMap and - # interpret the cniConf variable as CNI configuration file and write it - # when the agent starts up - # configMap: cni-configuration - + # interpret the 'cni.configMapKey' value as CNI configuration file and write it + # when the agent starts up. + configMap: "" # -- Configure the key in the CNI ConfigMap to read the contents of - # the CNI configuration from. + # the CNI configuration from. For this to be effective, the 'cni.configMap' + # parameter must be specified too. + # Note that the 'cni.configMap' parameter is the name of the ConfigMap, while + # 'cni.configMapKey' is the name of the key in the ConfigMap data containing + # the actual configuration. configMapKey: cni-config # -- Configure the path to where to mount the ConfigMap inside the agent pod. confFileMountPath: /tmp/cni-configuration @@ -730,6 +778,16 @@ cni: memory: 10Mi # -- Enable route MTU for pod netns when CNI chaining is used enableRouteMTUForCNIChaining: false + # -- Enable the removal of iptables rules created by the AWS CNI VPC plugin. + iptablesRemoveAWSRules: true +# @schema +# type: [null, number] +# @schema +# -- (float64) Ratio of the connectivity probe frequency vs resource usage, a float in +# [0, 1]. 0 will give more frequent probing, 1 will give less frequent probing. Probing +# frequency is dynamically adjusted based on the cluster size. +# @default -- `0.5` +connectivityProbeFrequencyRatio: ~ # -- (string) Configure how frequently garbage collection should occur for the datapath # connection tracking table. # @default -- `"0s"` 
@@ -795,13 +853,6 @@ daemon: # a non-local route. This should be used only when autodetection is not suitable. devices: eth+ -# -- Enables experimental support for the detection of new and removed datapath -# devices. When devices change the eBPF datapath is reloaded and services updated. -# If "devices" is set then only those devices, or devices matching a wildcard will -# be considered. -# -# This option has been deprecated and is a no-op. -enableRuntimeDeviceDetection: true # -- Forces the auto-detection of devices, even if specific devices are explicitly listed forceDeviceDetection: false # -- Chains to ignore when installing feeder rules. @@ -816,8 +867,7 @@ forceDeviceDetection: false # -- Enable Kubernetes EndpointSlice feature in Cilium if the cluster supports it. # enableK8sEndpointSlice: true -# -- Enable CiliumEndpointSlice feature (deprecated, please use `ciliumEndpointSlice.enabled` instead). -enableCiliumEndpointSlice: false +# -- CiliumEndpointSlice configuration options. ciliumEndpointSlice: # -- Enable Cilium EndpointSlice feature. enabled: false @@ -833,13 +883,13 @@ ciliumEndpointSlice: - nodes: 100 limit: 50 burst: 100 - # @schema - # enum: ["identity", "fcfs"] - # @schema - # -- The slicing mode to use for CiliumEndpointSlices. - # identity groups together CiliumEndpoints that share the same identity. - # fcfs groups together CiliumEndpoints in a first-come-first-serve basis, filling in the largest non-full slice first. - sliceMode: identity +# @schema +# enum: ["agent", "operator", "both"] +# @schema +# -- Control whether CiliumIdentities are created by the agent ("agent"), the operator ("operator") or both ("both"). +# "Both" should be used only to migrate between "agent" and "operator". +# Operator-managed identities is a beta feature. +identityManagementMode: "agent" envoyConfig: # -- Enable CiliumEnvoyConfig CRD # CiliumEnvoyConfig CRD can also be implicitly enabled by other options. 
@@ -1049,8 +1099,6 @@ endpointLockdownOnMapOverflow: false eni: # -- Enable Elastic Network Interface (ENI) integration. enabled: false - # -- Update ENI Adapter limits from the EC2 API - updateEC2AdapterLimitViaAPI: true # -- Release IPs not used from the ENI awsReleaseExcessIPs: false # -- Enable ENI prefix delegation @@ -1099,9 +1147,6 @@ healthCheckICMPFailureThreshold: 3 hostFirewall: # -- Enables the enforcement of host policies in the eBPF datapath. enabled: false -hostPort: - # -- Enable hostPort service support. - enabled: false # -- Configure socket LB socketLB: # -- Enable socket LB @@ -1125,8 +1170,8 @@ certgen: # @schema override: ~ repository: "quay.io/cilium/certgen" - tag: "v0.2.1" - digest: "sha256:ab6b1928e9c5f424f6b0f51c68065b9fd85e2f8d3e5f21fbd1a3cb27e6fb9321" + tag: "v0.2.4" + digest: "sha256:de7b97b1d19a34b674d0c4bc1da4db999f04ae355923a9a994ac3a81e1a1b5ff" useDigest: true pullPolicy: "IfNotPresent" # -- Seconds after which the completed job pod will be deleted @@ -1146,6 +1191,9 @@ certgen: # -- Node tolerations for pod assignment on nodes with taints # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: [] + # -- Resource limits for certgen + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers + resources: {} # -- Additional certgen volumes. extraVolumes: [] # -- Additional certgen volumeMounts. @@ -1241,11 +1289,17 @@ hubble: jobLabel: "" # -- Interval for scrape metrics. interval: "10s" + # @schema + # type: [null, string] + # @schema + # -- Timeout after which scrape is considered to be failed. + scrapeTimeout: ~ # -- Relabeling configs for the ServiceMonitor hubble relabelings: - sourceLabels: - __meta_kubernetes_pod_node_name targetLabel: node + action: replace replacement: ${1} # @schema # type: [null, array] 
@@ -1285,6 +1339,10 @@ hubble: # excludeFilters: [] # -- Unix domain socket path to listen to when Hubble is enabled. socketPath: /var/run/cilium/hubble.sock + # -- Enables network policy correlation of Hubble flows, i.e. populating `egress_allowed_by`, `ingress_denied_by` fields with policy information. + networkPolicyCorrelation: + # @default -- `true` + enabled: true # -- Enables redacting sensitive information present in Layer 7 flows. redact: enabled: false @@ -1450,9 +1508,9 @@ hubble: # @schema override: ~ repository: "quay.io/cilium/hubble-relay" - tag: "v1.17.8" + tag: "v1.18.2" # hubble-relay-digest - digest: "sha256:2e576bf7a02291c07bffbc1ca0a66a6c70f4c3eb155480e5b3ac027bedd2858b" + digest: "sha256:6079308ee15e44dff476fb522612732f7c5c4407a1017bc3470916242b0405ac" useDigest: true pullPolicy: "IfNotPresent" # -- Specifies the resources for the hubble-relay pods @@ -1504,6 +1562,11 @@ hubble: # @schema # -- Maximum number/percentage of pods that may be made unavailable maxUnavailable: 1 + # @schema + # type: [null, string] + # @schema + # -- How are unhealthy, but running, pods counted for eviction + unhealthyPodEvictionPolicy: null # -- The priority class to use for hubble-relay priorityClassName: "" # -- Configure termination grace period for hubble relay Deployment. @@ -1523,12 +1586,17 @@ hubble: # -- hubble-relay pod security context podSecurityContext: fsGroup: 65532 + seccompProfile: + type: RuntimeDefault # -- hubble-relay container security context securityContext: # readOnlyRootFilesystem: true + allowPrivilegeEscalation: false runAsNonRoot: true runAsUser: 65532 runAsGroup: 65532 + seccompProfile: + type: RuntimeDefault capabilities: drop: - ALL 
@@ -1589,13 +1657,6 @@ hubble: # @schema # type: [null, string] # @schema - # -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). - # - # This option has been deprecated and is a no-op. - dialTimeout: ~ - # @schema - # type: [null, string] - # @schema # -- Backoff duration to retry connecting to the local hubble instance in case of failure (e.g. "30s"). retryTimeout: ~ # @schema @@ -1630,6 +1691,11 @@ hubble: annotations: {} # -- Interval for scrape metrics. interval: "10s" + # @schema + # type: [null, string] + # @schema + # -- Timeout after which scrape is considered to be failed. + scrapeTimeout: ~ # -- Specify the Kubernetes namespace where Prometheus expects to find # service monitors configured. # namespace: "" @@ -1706,7 +1772,8 @@ hubble: useDigest: true pullPolicy: "IfNotPresent" # -- Hubble-ui backend security context. - securityContext: {} + securityContext: + allowPrivilegeEscalation: false # -- Additional hubble-ui backend environment variables. extraEnv: [] # -- Additional hubble-ui backend volumes. @@ -1740,7 +1807,8 @@ hubble: useDigest: true pullPolicy: "IfNotPresent" # -- Hubble-ui frontend security context. - securityContext: {} + securityContext: + allowPrivilegeEscalation: false # -- Additional hubble-ui frontend environment variables. extraEnv: [] # -- Additional hubble-ui frontend volumes. @@ -1785,6 +1853,11 @@ hubble: # @schema # -- Maximum number/percentage of pods that may be made unavailable maxUnavailable: 1 + # @schema + # type: [null, string] + # @schema + # -- How are unhealthy, but running, pods counted for eviction + unhealthyPodEvictionPolicy: null # -- Affinity for hubble-ui affinity: {} # -- Pod topology spread constraints for hubble-ui 
@@ -1819,6 +1892,8 @@ hubble: service: # -- Annotations to be added for the Hubble UI service annotations: {} + # -- Labels to be added for the Hubble UI service + labels: {} # --- The type of service used for Hubble UI access, either ClusterIP or NodePort. type: ClusterIP # --- The port to use when the service type is set to NodePort. @@ -1843,10 +1918,6 @@ hubble: # - chart-example.local # -- Hubble flows export. export: - # --- Defines max file size of output file before it gets rotated. - fileMaxSizeMb: 10 - # --- Defines max number of backup/rotated files. - fileMaxBackups: 5 # --- Static exporter configuration. # Static exporter is bound to agent lifecycle. static: @@ -1862,6 +1933,12 @@ hubble: denyList: [] # - '{"source_pod":["kube-system/"]}' # - '{"destination_pod":["kube-system/"]}' + # --- Defines max file size of output file before it gets rotated. + fileMaxSizeMb: 10 + # --- Defines max number of backup/rotated files. + fileMaxBackups: 5 + # --- Enable compression of rotated files. + fileCompress: false # --- Dynamic exporters configuration. # Dynamic exporters may be reconfigured without a need of agent restarts. dynamic: @@ -1879,6 +1956,9 @@ hubble: includeFilters: [] excludeFilters: [] filePath: "/var/run/cilium/hubble/events.log" + fileMaxSizeMb: 10 + fileMaxBackups: 5 + fileCompress: false # - name: "test002" # filePath: "/var/log/network/flow-log/pa/test002.log" # fieldMask: ["source.namespace", "source.pod_name", "destination.namespace", "destination.pod_name", "verdict"] @@ -1888,6 +1968,9 @@ hubble: # - type: 1 # - destination_pod: ["frontend/nginx-975996d4c-7hhgt"] # excludeFilters: [] + # fileMaxSizeMb: 1 + # fileMaxBackups: 10 + # fileCompress: true # end: "2023-10-09T23:59:59-07:00" # -- Emit v1.Events related to pods on detection of packet drops. # This feature is alpha, please provide feedback at https://github.com/cilium/cilium/issues/33975. 
@@ -2002,14 +2085,17 @@ k8s: # -- requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR # range via the Kubernetes node resource requireIPv6PodCIDR: false + # -- A space separated list of Kubernetes API server URLs to use with the client. + # For example "https://192.168.0.1:6443 https://192.168.0.2:6443" + # apiServerURLs: "" # -- Keep the deprecated selector labels when deploying Cilium DaemonSet. keepDeprecatedLabels: false # -- Keep the deprecated probes when deploying Cilium DaemonSet keepDeprecatedProbes: false startupProbe: # -- failure threshold of startup probe. - # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s) - failureThreshold: 105 + # Allow Cilium to take up to 600s to start up (300 attempts with 2s between attempts). + failureThreshold: 300 # -- interval between checks of the startup probe periodSeconds: 2 livenessProbe: @@ -2037,12 +2123,19 @@ kubeProxyReplacementHealthzBindAddr: "" l2NeighDiscovery: # -- Enable L2 neighbor discovery in the agent enabled: true - # -- Override the agent's default neighbor resolution refresh period. - refreshPeriod: "30s" # -- Enable Layer 7 network policy. l7Proxy: true -# -- Enable Local Redirect Policy. +# -- Enable Local Redirect Policy (deprecated, please use 'localRedirectPolicies.enabled' instead) localRedirectPolicy: false +localRedirectPolicies: + # -- Enable local redirect policies. + enabled: false + # -- Limit the allowed addresses in Address Matcher rule of + # Local Redirect Policies to the given CIDRs. + # @schema@ + # type: [null, array] + # @schema@ + addressMatcherCIDRs: ~ # To include or exclude matched resources from cilium identity evaluation # labels: "" 
@@ -2061,7 +2154,11 @@ maglev: {} # -- hashSeed is the cluster-wide base64 encoded seed for the hashing # hashSeed: -# -- Enables masquerading of IPv4 traffic leaving the node from endpoints. +# @schema +# type: [null, boolean] +# @schema +# -- (bool) Enables masquerading of IPv4 traffic leaving the node from endpoints. +# @default -- `true` unless ipam eni mode is active enableIPv4Masquerade: true # -- Enables masquerading of IPv6 traffic leaving the node from endpoints. enableIPv6Masquerade: true @@ -2142,17 +2239,14 @@ loadBalancer: # path), or best-effort (use native mode XDP acceleration on devices # that support it). acceleration: disabled - # -- dsrDispatch configures whether IP option or IPIP encapsulation is - # used to pass a service IP and port to remote backend + # -- dsrDispatch configures whether IP option (opt), IPIP encapsulation (ipip), + # Geneve Class Option (geneve) used to pass a service IP and port to remote backend # dsrDispatch: opt # -- serviceTopology enables K8s Topology Aware Hints -based service # endpoints filtering # serviceTopology: false - # -- experimental enables support for the experimental load-balancing - # control-plane. - experimental: false # -- L7 LoadBalancer l7: # -- Enable L7 service load balancing via envoy proxy. @@ -2237,6 +2331,11 @@ prometheus: jobLabel: "" # -- Interval for scrape metrics. interval: "10s" + # @schema + # type: [null, string] + # @schema + # -- Timeout after which scrape is considered to be failed. + scrapeTimeout: ~ # -- Specify the Kubernetes namespace where Prometheus expects to find # service monitors configured. # namespace: "" @@ -2245,6 +2344,7 @@ prometheus: - sourceLabels: - __meta_kubernetes_pod_node_name targetLabel: node + action: replace replacement: ${1} # @schema # type: [null, array] 
@@ -2347,6 +2447,9 @@ envoy: # -- Set Envoy upstream HTTP idle connection timeout seconds. # Does not apply to connections with pending requests. Default 60s idleTimeoutDurationSeconds: 60 + # -- Set Envoy the amount of time that the connection manager will allow a stream to exist with no upstream or downstream activity. + # default 5 minutes + streamIdleTimeoutDurationSeconds: 300 # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners. xffNumTrustedHopsL7PolicyIngress: 0 # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners. @@ -2356,6 +2459,8 @@ envoy: # @schema # -- Max duration to wait for endpoint policies to be restored on restart. Default "3m". policyRestoreTimeoutDuration: null + # -- Time in seconds to block Envoy worker thread while an upstream HTTP connection is closing. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background. + httpUpstreamLingerTimeout: null # -- Envoy container image. image: # @schema @@ -2363,9 +2468,9 @@ envoy: # @schema override: ~ repository: "quay.io/cilium/cilium-envoy" - tag: "v1.33.9-1757932127-3c04e8f2f1027d106b96f8ef4a0215e81dbaaece" + tag: "v1.34.7-1757592137-1a52bb680a956879722f48c591a2ca90f7791324" pullPolicy: "IfNotPresent" - digest: "sha256:06fbc4e55d926dd82ff2a0049919248dcc6be5354609b09012b01bc9c5b0ee28" + digest: "sha256:7932d656b63f6f866b6732099d33355184322123cfe1182e6f05175a3bc2e0e0" useDigest: true # -- Additional containers added to the cilium Envoy DaemonSet. extraContainers: [] 
@@ -2432,12 +2537,16 @@ envoy: # memory: 512Mi startupProbe: + # -- Enable startup probe for cilium-envoy + enabled: true # -- failure threshold of startup probe. # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s) failureThreshold: 105 # -- interval between checks of the startup probe periodSeconds: 2 livenessProbe: + # -- Enable liveness probe for cilium-envoy + enabled: true # -- failure threshold of liveness probe failureThreshold: 10 # -- interval between checks of the liveness probe @@ -2550,6 +2659,11 @@ envoy: annotations: {} # -- Interval for scrape metrics. interval: "10s" + # @schema + # type: [null, string] + # @schema + # -- Timeout after which scrape is considered to be failed. + scrapeTimeout: ~ # -- Specify the Kubernetes namespace where Prometheus expects to find # service monitors configured. # namespace: "" @@ -2559,6 +2673,7 @@ envoy: - sourceLabels: - __meta_kubernetes_pod_node_name targetLabel: node + action: replace replacement: ${1} # @schema # type: [null, array] @@ -2570,6 +2685,10 @@ envoy: port: "9964" # -- Enable/Disable use of node label based identity nodeSelectorLabels: false +# To include or exclude matched resources from cilium node identity evaluation +# List of labels just like --labels flag (.Values.labels) +# nodeLabels: "" + # -- Enable resource quotas for priority classes used in the cluster. resourceQuotas: enabled: false @@ -2585,6 +2704,8 @@ resourceQuotas: ################## #sessionAffinity: false +# -- Annotations to be added to all cilium-secret namespaces (resources under templates/cilium-secrets-namespace) +secretsNamespaceAnnotations: {} # -- Do not run Cilium agent when running with clean mode. Useful to completely # uninstall Cilium as it will stop Cilium from starting and create artifacts # in the node. 
@@ -2672,6 +2793,9 @@ tls: # - geneve # @default -- `"vxlan"` tunnelProtocol: "" +# -- IP family for the underlay. +# @default -- `"ipv4"` +underlayProtocol: "" # -- Enable native-routing mode or tunneling mode. # Possible values: # - "" @@ -2720,15 +2844,15 @@ operator: # @schema override: ~ repository: "quay.io/cilium/operator" - tag: "v1.17.8" + tag: "v1.18.2" # operator-generic-digest - genericDigest: "sha256:5468807b9c31997f3a1a14558ec7c20c5b962a2df6db633b7afbe2f45a15da1c" + genericDigest: "sha256:cb4e4ffc5789fd5ff6a534e3b1460623df61cba00f5ea1c7b40153b5efb81805" # operator-azure-digest - azureDigest: "sha256:619f9febf3efef2724a26522b253e4595cd33c274f5f49925e29a795fdc2d2d7" + azureDigest: "sha256:9696e9b8219b9a5c16987e072eda2da378d42a32f9305375e56d7380a0c2ba8e" # operator-aws-digest - awsDigest: "sha256:28012f7d0f4f23e9f6c7d6a5dd931afa326bbac3e8103f3f6f22b9670847dffa" + awsDigest: "sha256:1cb856fbe265dfbcfe816bd6aa4acaf006ecbb22dcc989116a1a81bb269ea328" # operator-alibabacloud-digest - alibabacloudDigest: "sha256:72c25a405ad8e58d2cf03f7ea2b6696ed1edcfb51716b5f85e45c6c4fcaa6056" + alibabacloudDigest: "sha256:612b1d94c179cd8ae239e571e96ebd95662bb5cccb62aacfdf79355aa9cdddc8" useDigest: true pullPolicy: "IfNotPresent" suffix: "" 
@@ -2771,12 +2895,19 @@ operator: kubernetes.io/os: linux # -- Node tolerations for cilium-operator scheduling to nodes with taints # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + # Toleration for agentNotReadyTaintKey taint is always added to cilium-operator pods. + # @schema + # type: [null, array] + # @schema tolerations: - - operator: Exists - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + - key: "node-role.kubernetes.io/control-plane" + operator: Exists + - key: "node-role.kubernetes.io/master" #deprecated + operator: Exists + - key: "node.kubernetes.io/not-ready" + operator: Exists + - key: "node.cloudprovider.kubernetes.io/uninitialized" + operator: Exists # -- Additional cilium-operator container arguments. extraArgs: [] # -- Additional cilium-operator environment variables. @@ -2799,7 +2930,9 @@ operator: # -- HostNetwork setting hostNetwork: true # -- Security context to be added to cilium-operator pods - podSecurityContext: {} + podSecurityContext: + seccompProfile: + type: RuntimeDefault # -- Annotations to be added to cilium-operator pods podAnnotations: {} # -- Labels to be added to cilium-operator pods @@ -2820,6 +2953,11 @@ operator: # @schema # -- Maximum number/percentage of pods that may be made unavailable maxUnavailable: 1 + # @schema + # type: [null, string] + # @schema + # -- How are unhealthy, but running, pods counted for eviction + unhealthyPodEvictionPolicy: null # -- cilium-operator resource limits & requests # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} @@ -2831,7 +2969,11 @@ operator: # memory: 128Mi # -- Security context to be added to cilium-operator pods - securityContext: {} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false # runAsUser: 0 # -- Interval for endpoint garbage collection. 
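Review bot: The `tolerations` list in the first hunk replaces the blanket `- operator: Exists` with four named taints, so cilium-operator will no longer be scheduled onto nodes that carry any other taint, such as a custom dedicated-node taint. Narrowing the list is the safer default, but the taints actually present on the cluster's nodes should be checked before rollout, because an unschedulable operator presumably leaves the CNI control plane degraded. Where a site-specific taint exists, add an explicit entry such as `- key: "<cluster-specific-taint>"` with `operator: Exists` (placeholder key) rather than restoring the catch-all. The `operator:` block starts outside this hunk, so other scheduling settings such as `nodeSelector` or affinity are not fully visible here.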
@@ -2868,6 +3010,11 @@ operator: # -- Interval for scrape metrics. interval: "10s" # @schema + # type: [null, string] + # @schema + # -- Timeout after which scrape is considered to be failed. + scrapeTimeout: ~ + # @schema # type: [null, array] # @schema # -- Relabeling configs for the ServiceMonitor cilium-operator @@ -2921,7 +3068,7 @@ nodeinit: override: ~ repository: "quay.io/cilium/startup-script" tag: "1755531540-60ee83e" - digest: "sha256:5bdca3c2dec2c79f58d45a7a560bf1098c2126350c901379fe850b7f78d3d757" + digest: "sha256:0c91245afb3a4ff78b5cc8c09226806e94a9a10eb0adb74a85e0eeed2a5cae8c" useDigest: true pullPolicy: "IfNotPresent" # -- The priority class to use for the nodeinit pod. @@ -2968,6 +3115,7 @@ nodeinit: memory: 100Mi # -- Security context to be added to nodeinit pods. securityContext: + allowPrivilegeEscalation: false privileged: false seLinuxOptions: level: 's0' @@ -3005,11 +3153,23 @@ preflight: # @schema override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.17.8" + tag: "v1.18.2" # cilium-digest - digest: "sha256:6d7ea72ed311eeca4c75a1f17617a3d596fb6038d30d00799090679f82a01636" + digest: "sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667" useDigest: true pullPolicy: "IfNotPresent" + envoy: + # -- Envoy pre-flight image. + image: + # @schema + # type: [null, string] + # @schema + override: ~ + repository: "quay.io/cilium/cilium-envoy" + tag: "v1.34.7-1757592137-1a52bb680a956879722f48c591a2ca90f7791324" + pullPolicy: "IfNotPresent" + digest: "sha256:7932d656b63f6f866b6732099d33355184322123cfe1182e6f05175a3bc2e0e0" + useDigest: true # -- The priority class to use for the preflight pod. priorityClassName: "" # -- preflight update strategy 
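Review bot: In the nodeinit image hunk the `digest` changes while `tag: "1755531540-60ee83e"` stays the same, and with `useDigest: true` the digest is presumably what ends up in the image reference. A digest that moves under an unchanged tag means either the tag was re-pushed or one of the two values was recorded for a different manifest, so the new value should be compared with the digest shipped in the upstream 1.18.2 chart before merging. The busybox `1.37.0` entry in the later `authentication:` hunk shows the same pattern. A short provenance comment next to each, for example `# digest copied from upstream chart 1.18.2`, would make these changes reviewable without a registry lookup.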
@@ -3065,6 +3225,11 @@ preflight: # @schema # -- Maximum number/percentage of pods that may be made unavailable maxUnavailable: 1 + # @schema + # type: [null, string] + # @schema + # -- How are unhealthy, but running, pods counted for eviction + unhealthyPodEvictionPolicy: null # -- preflight resource limits & requests # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} @@ -3081,7 +3246,8 @@ preflight: # -- interval between checks of the readiness probe periodSeconds: 5 # -- Security context to be added to preflight pods - securityContext: {} + securityContext: + allowPrivilegeEscalation: false # runAsUser: 0 # -- Path to write the `--tofqdns-pre-cache` file to. @@ -3115,6 +3281,8 @@ clustermesh: enableEndpointSliceSynchronization: false # -- Enable Multi-Cluster Services API support enableMCSAPISupport: false + # -- Control whether policy rules assume by default the local cluster if not explicitly selected + policyDefaultLocalCluster: false # -- Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config) annotations: {} # -- Clustermesh explicit configuration. @@ -3154,9 +3322,9 @@ clustermesh: # @schema override: ~ repository: "quay.io/cilium/clustermesh-apiserver" - tag: "v1.17.8" + tag: "v1.18.2" # clustermesh-apiserver-digest - digest: "sha256:3ac210d94d37a77ec010f9ac4c705edc8f15f22afa2b9a6f0e2a7d64d2360586" + digest: "sha256:cd689a07bfc7622e812fef023cb277fdc695b60a960d36f32f93614177a7a0f6" useDigest: true pullPolicy: "IfNotPresent" # -- TCP port for the clustermesh-apiserver health API. 
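Review bot: The preflight `securityContext` in the second hunk gains only `allowPrivilegeEscalation: false`, whereas the operator container in this same commit also receives `capabilities:` / `drop: [ALL]` and a pod-level `seccompProfile` of `type: RuntimeDefault`. If the pre-flight container needs no added capabilities (this cannot be confirmed from the hunk), adding `capabilities:` with `drop:` `- ALL` would keep the two workloads consistently hardened. Otherwise a comment naming the capability it depends on would document why it differs. The `preflight:` block starts outside this hunk.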
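Review bot: `policyDefaultLocalCluster: false` in the clustermesh hunk means, going by its own comment, that policy rules which do not explicitly select a cluster are not assumed to refer to the local one. Once clusters are actually meshed, an allow rule written with plain label selectors would presumably also match same-labelled endpoints in remote clusters, which is broader than most policy authors intend. If ClusterMesh is in use or planned, consider `policyDefaultLocalCluster: true` after auditing existing policies, or extend the comment with `# false: selectors without a cluster label match endpoints in every meshed cluster`. Whether ClusterMesh is enabled is not visible in this hunk.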
@@ -3210,7 +3378,7 @@ clustermesh: storageMedium: Disk kvstoremesh: # -- Enable KVStoreMesh. KVStoreMesh caches the information retrieved - # from the remote clusters in the local etcd instance. + # from the remote clusters in the local etcd instance (deprecated - KVStoreMesh will always be enabled once the option is removed). enabled: true # -- TCP port for the KVStoreMesh health API. healthPort: 9881 @@ -3239,6 +3407,11 @@ clustermesh: - ALL # -- lifecycle setting for the KVStoreMesh container lifecycle: {} + # -- Specify the KVStore mode when running KVStoreMesh + # Supported values: + # - "internal": remote cluster identities are cached in etcd that runs as a sidecar within ``clustermesh-apiserver`` pod. + # - "external": ``clustermesh-apiserver`` will sync remote cluster information to the etcd used as kvstore. This can't be enabled with crd identity allocation mode. + kvstoreMode: "internal" service: # -- The type of service used for apiserver access. type: NodePort @@ -3352,6 +3525,11 @@ clustermesh: # @schema # -- Maximum number/percentage of pods that may be made unavailable maxUnavailable: 1 + # @schema + # type: [null, string] + # @schema + # -- How are unhealthy, but running, pods counted for eviction + unhealthyPodEvictionPolicy: null # -- Resource requests and limits for the clustermesh-apiserver resources: {} # requests: @@ -3518,6 +3696,11 @@ clustermesh: # -- Interval for scrape metrics (apiserver metrics) interval: "10s" # @schema + # type: [null, string] + # @schema + # -- Timeout after which scrape is considered to be failed. + scrapeTimeout: ~ + # @schema # type: [null, array] # @schema # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics) 
@@ -3531,6 +3714,11 @@ clustermesh: # -- Interval for scrape metrics (KVStoreMesh metrics) interval: "10s" # @schema + # type: [null, string] + # @schema + # -- Timeout after which scrape is considered to be failed. + scrapeTimeout: ~ + # @schema # type: [null, array] # @schema # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics) @@ -3544,6 +3732,11 @@ clustermesh: # -- Interval for scrape metrics (etcd metrics) interval: "10s" # @schema + # type: [null, string] + # @schema + # -- Timeout after which scrape is considered to be failed. + scrapeTimeout: ~ + # @schema # type: [null, array] # @schema # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics) @@ -3553,10 +3746,6 @@ clustermesh: # @schema # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics) metricRelabelings: ~ -# -- Configure external workloads support -externalWorkloads: - # -- Enable support for external workloads, such as VMs (false by default). - enabled: false # -- Configure cgroup related configuration cgroup: autoMount: @@ -3581,9 +3770,6 @@ cgroup: sysctlfix: # -- Enable the sysctl override. When enabled, the init container will mount the /proc of the host so that the `sysctlfix` utility can execute. enabled: true -# -- Configure whether to enable auto detect of terminating state for endpoints -# in order to support graceful termination. -enableK8sTerminatingEndpoint: true # -- Configure whether to unload DNS policy rules on graceful shutdown # dnsPolicyUnloadOnShutdown: false 
@@ -3616,6 +3802,9 @@ dnsProxy: proxyResponseMaxDelay: 100ms # -- DNS proxy operation mode (true/false, or unset to use version dependent defaults) # enableTransparentMode: true + # -- Pre-allocate ToFQDN identities. This reduces DNS proxy tail latency, at the potential cost of some + # unnecessary policymap entries. Disable this if you have a large (200+) number of unique ToFQDN selectors. + preAllocateIdentities: true # -- SCTP Configuration Values sctp: # -- Enable SCTP support. NOTE: Currently, SCTP support does not support rewriting ports or multihoming. @@ -3665,7 +3854,7 @@ authentication: override: ~ repository: "docker.io/library/busybox" tag: "1.37.0" - digest: "sha256:d82f458899c9696cb26a7c02d5568f81c8c8223f8661bb2a7988b269c8b9051e" + digest: "sha256:ab33eacc8251e3807b85bb6dba570e4698c3998eca6f0fc2ccb60575a563ea74" useDigest: true pullPolicy: "IfNotPresent" # SPIRE agent configuration @@ -3679,8 +3868,8 @@ authentication: # @schema override: ~ repository: "ghcr.io/spiffe/spire-agent" - tag: "1.9.6" - digest: "sha256:5106ac601272a88684db14daf7f54b9a45f31f77bb16a906bd5e87756ee7b97c" + tag: "1.12.4" + digest: "sha256:163970884fba18860cac93655dc32b6af85a5dcf2ebb7e3e119a10888eff8fcd" useDigest: true pullPolicy: "IfNotPresent" # -- SPIRE agent service account @@ -3734,8 +3923,8 @@ authentication: # @schema override: ~ repository: "ghcr.io/spiffe/spire-server" - tag: "1.9.6" - digest: "sha256:59a0b92b39773515e25e68a46c40d3b931b9c1860bc445a79ceb45a805cab8b4" + tag: "1.12.4" + digest: "sha256:34147f27066ab2be5cc10ca1d4bfd361144196467155d46c45f3519f41596e49" useDigest: true pullPolicy: "IfNotPresent" # -- SPIRE server service account
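Review bot: The spire-agent and spire-server hunks move `tag` from `1.9.6` to `1.12.4`, which skips the 1.10 and 1.11 release lines in a single step. SPIRE's upgrade guidance, as far as I know, only supports moving a server one minor version at a time and keeping agents within one minor of the server. If the bundled SPIRE install is enabled and holds persisted state, a stepped upgrade or a planned re-install is safer than this single bump. Whether it is enabled is not visible in these hunks, so this needs confirming against the `authentication.mutual.spire` settings. A comment such as `# upgraded from 1.9.6; see SPIRE upgrade notes for skipped minors` would record the decision either way.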