Overhaul Cilium manifests to match the newer versions (#8717)

* [cilium] Separate templates for cilium, cilium-operator, and hubble installations

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* [cilium] Update cilium-operator templates

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* [cilium] Allow using custom args and mounting extra volumes for the Cilium Operator

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* [cilium] Update the cilium configmap to filter out the deprecated variables, and add the new variables

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* [cilium] Add an option to use Wireguard encryption on Cilium 1.10 and up

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* [cilium] Update cilium-agent templates

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* [cilium] Bump Cilium version to 1.11.3

Signed-off-by: necatican <necaticanyildirim@gmail.com>
Necatican Yıldırım 2022-05-11 16:23:04 +03:00 committed by GitHub
parent e70c00a0fe
commit 13443b05a6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
25 changed files with 606 additions and 192 deletions


@ -12,10 +12,51 @@ the external loadbalancer (even from a node in the control plane)
and if there is no external load balancer It will ignore any local load and if there is no external load balancer It will ignore any local load
balancer deployed by Kubespray and **only contacts the first master**. balancer deployed by Kubespray and **only contacts the first master**.
## Cilium Operator
Unlike some operators, Cilium Operator does not exist for installation purposes.
> The Cilium Operator is responsible for managing duties in the cluster which should logically be handled once for the entire cluster, rather than once for each node in the cluster.
### Adding custom flags to the Cilium Operator
You can set additional cilium-operator container arguments using `cilium_operator_custom_args`.
This is an advanced option, and you should only use it if you know what you are doing.
Accepts an array or a string.
```yml
cilium_operator_custom_args: ["--foo=bar", "--baz=qux"]
```
or
```yml
cilium_operator_custom_args: "--foo=bar"
```
You do not need to add a custom flag to enable debugging. Instead, feel free to use the `CILIUM_DEBUG` variable.
### Adding extra volumes and mounting them
You can use `cilium_operator_extra_volumes` to add extra volumes to the Cilium Operator, and use `cilium_operator_extra_volume_mounts` to mount those volumes.
This is an advanced option, and you should only use it if you know what you are doing.
```yml
cilium_operator_extra_volumes:
- configMap:
name: foo
name: foo-mount-path
cilium_operator_extra_volume_mounts:
- mountPath: /tmp/foo/bar
name: foo-mount-path
readOnly: true
```
## Choose Cilium version ## Choose Cilium version
```yml ```yml
cilium_version: v1.11.0 cilium_version: v1.11.3
``` ```
## Add variable to config ## Add variable to config
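Review bot: the new "Adding custom flags" section should state that the string form of `cilium_operator_custom_args` is rendered as exactly one container argument, not split on whitespace (the operator template in this commit emits `- {{ cilium_operator_custom_args }}` as a single list item when the value is a string), so `"--foo=bar --baz=qux"` in one string would reach cilium-operator as a single unrecognised flag; either say the string form holds one flag only or recommend the list form throughout.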
@ -39,6 +80,47 @@ Cilium currently supports two different identity allocation modes:
- These can be queried with `kubectl get ciliumid` - These can be queried with `kubectl get ciliumid`
- "kvstore" stores identities in an etcd kvstore. - "kvstore" stores identities in an etcd kvstore.
## Enable Transparent Encryption
Cilium supports the transparent encryption of Cilium-managed host traffic and
traffic between Cilium-managed endpoints either using IPsec or Wireguard.
Wireguard option is only available in Cilium 1.10.0 and newer.
### IPsec Encryption
For further information, make sure to check the official [Cilium documentation.](https://docs.cilium.io/en/stable/gettingstarted/encryption-ipsec/)
To enable IPsec encryption, you just need to set three variables.
```yml
cilium_encryption_enabled: true
cilium_encryption_type: "ipsec"
```
The third variable is `cilium_ipsec_key.` You need to create a secret key string for this variable.
Kubespray does not automate this process.
Cilium documentation currently recommends creating a key using the following command:
```shell
echo "3 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128"
```
Note that Kubespray handles secret creation. So you only need to pass the key as the `cilium_ipsec_key` variable.
### Wireguard Encryption
For further information, make sure to check the official [Cilium documentation.](https://docs.cilium.io/en/stable/gettingstarted/encryption-wireguard/)
To enable Wireguard encryption, you just need to set two variables.
```yml
cilium_encryption_enabled: true
cilium_encryption_type: "wireguard"
```
Kubespray currently supports Linux distributions with Wireguard Kernel mode on Linux 5.6 and newer.
## Install Cilium Hubble ## Install Cilium Hubble
k8s-net-cilium.yml: k8s-net-cilium.yml:
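Review bot: `cilium_ipsec_key` is long-lived key material and the new section only says to pass it as a variable; add a sentence recommending it be stored with Ansible Vault rather than in plain-text group_vars, since the value ends up both in the inventory and in the rendered Secret manifest under `kube_config_dir`. The section also says IPsec needs "three variables" but the block lists two and the third is introduced afterwards, and the two tunables this commit adds to the defaults, `cilium_ipsec_node_encryption` and `cilium_wireguard_userspace_fallback`, are not mentioned here at all.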
@ -68,6 +150,6 @@ cilium_hubble_metrics:
- flow - flow
- icmp - icmp
- http - http
``` ```
[More](https://docs.cilium.io/en/v1.9/operations/metrics/#hubble-exported-metrics) [More](https://docs.cilium.io/en/v1.9/operations/metrics/#hubble-exported-metrics)


@ -1,4 +1,47 @@
# see roles/network_plugin/cilium/defaults/main.yml # see roles/network_plugin/cilium/defaults/main.yml
# cilium_version: "v1.11.0" # cilium_version: "v1.11.3"
# cilium_identity_allocation_mode: kvstore # kvstore or crd # cilium_identity_allocation_mode: kvstore # kvstore or crd
# For adding and mounting extra volumes to the cilium operator
# cilium_operator_extra_volumes: []
# cilium_operator_extra_volume_mounts: []
# Name of the cluster. Only relevant when building a mesh of clusters.
# cilium_cluster_name: default
# Unique ID of the cluster. Must be unique across all conneted clusters and
# in the range of 1 and 255. Only relevant when building a mesh of clusters.
# This value is not defined by default
# cluster-id:
# Allows to explicitly specify the IPv4 CIDR for native routing.
# When specified, Cilium assumes networking for this CIDR is preconfigured and
# hands traffic destined for that range to the Linux network stack without
# applying any SNAT.
# Generally speaking, specifying a native routing CIDR implies that Cilium can
# depend on the underlying networking stack to route packets to their
# destination. To offer a concrete example, if Cilium is configured to use
# direct routing and the Kubernetes CIDR is included in the native routing CIDR,
# the user must configure the routes to reach pods, either manually or by
# setting the auto-direct-node-routes flag.
# cilium_native_routing_cidr: ""
# Allows to explicitly specify the IPv6 CIDR for native routing.
# cilium_native_routing_cidr_ipv6: ""
# Encryption
# Enable transparent network encryption.
# cilium_encryption_enabled: false
# Encryption method. Can be either ipsec or wireguard.
# Only effective when `cilium_encryption_enabled` is set to true.
# cilium_encryption_type: "ipsec"
# Enable encryption for pure node to node traffic.
# This option is only effective when `cilium_encryption_type` is set to `ipsec`.
# cilium_ipsec_node_encryption: "false"
# Enables the fallback to the user-space implementation.
# This option is only effective when `cilium_encryption_type` is set to `wireguard`.
# cilium_wireguard_userspace_fallback: "false"
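Review bot: `# cluster-id:` in the sample inventory is not the variable name the role consumes; the checks and the config template in this commit read `cilium_cluster_id`, so this line should be `# cilium_cluster_id:` with the same "1 to 255" note. Also "conneted" should read "connected" in the comment above it.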


@ -110,7 +110,7 @@ flannel_cni_version: "v1.0.1"
cni_version: "v1.0.1" cni_version: "v1.0.1"
weave_version: 2.8.1 weave_version: 2.8.1
pod_infra_version: "3.3" pod_infra_version: "3.3"
cilium_version: "v1.11.1" cilium_version: "v1.11.3"
kube_ovn_version: "v1.8.1" kube_ovn_version: "v1.8.1"
kube_router_version: "v1.4.0" kube_router_version: "v1.4.0"
multus_version: "v3.8" multus_version: "v3.8"


@ -48,7 +48,11 @@ cilium_kube_proxy_replacement: probe
# to prevent service disruptions. See also: # to prevent service disruptions. See also:
# http://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action # http://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action
cilium_preallocate_bpf_maps: false cilium_preallocate_bpf_maps: false
# `cilium_tofqdns_enable_poller` is deprecated in 1.8, removed in 1.9
cilium_tofqdns_enable_poller: false cilium_tofqdns_enable_poller: false
# `cilium_enable_legacy_services` is deprecated in 1.6, removed in 1.9
cilium_enable_legacy_services: false cilium_enable_legacy_services: false
# Deploy cilium even if kube_network_plugin is not cilium. # Deploy cilium even if kube_network_plugin is not cilium.
@ -62,10 +66,38 @@ cilium_deploy_additionally: false
# make this work. Please refer to the cilium documentation for more # make this work. Please refer to the cilium documentation for more
# information about this kind of setups. # information about this kind of setups.
cilium_auto_direct_node_routes: false cilium_auto_direct_node_routes: false
# Allows to explicitly specify the IPv4 CIDR for native routing.
# When specified, Cilium assumes networking for this CIDR is preconfigured and
# hands traffic destined for that range to the Linux network stack without
# applying any SNAT.
# Generally speaking, specifying a native routing CIDR implies that Cilium can
# depend on the underlying networking stack to route packets to their
# destination. To offer a concrete example, if Cilium is configured to use
# direct routing and the Kubernetes CIDR is included in the native routing CIDR,
# the user must configure the routes to reach pods, either manually or by
# setting the auto-direct-node-routes flag.
cilium_native_routing_cidr: "" cilium_native_routing_cidr: ""
# IPsec based transparent encryption between nodes # Allows to explicitly specify the IPv6 CIDR for native routing.
cilium_ipsec_enabled: false cilium_native_routing_cidr_ipv6: ""
# Enable transparent network encryption.
cilium_encryption_enabled: false
# Encryption method. Can be either ipsec or wireguard.
# Only effective when `cilium_encryption_enabled` is set to true.
cilium_encryption_type: "ipsec"
# Enable encryption for pure node to node traffic.
# This option is only effective when `cilium_encryption_type` is set to `ipsec`.
cilium_ipsec_node_encryption: "false"
# If your kernel or distribution does not support WireGuard, Cilium agent can be configured to fall back on the user-space implementation.
# When this flag is enabled and Cilium detects that the kernel has no native support for WireGuard,
# it will fallback on the wireguard-go user-space implementation of WireGuard.
# This option is only effective when `cilium_encryption_type` is set to `wireguard`.
cilium_wireguard_userspace_fallback: "false"
# Hubble # Hubble
### Enable Hubble without install ### Enable Hubble without install
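Review bot: the `cilium_ipsec_enabled: false` default is removed without a comment pointing to its replacement; since check.yml keeps a backward-compatibility path for `cilium_ipsec_enabled`, leave a one-line comment here that it is deprecated in favour of `cilium_encryption_enabled` plus `cilium_encryption_type: ipsec`, so users grepping the defaults find the migration. Minor: `cilium_ipsec_node_encryption` and `cilium_wireguard_userspace_fallback` are quoted strings while `cilium_encryption_enabled` is a bare boolean; a comment that the string form is intentional (they are rendered verbatim into the ConfigMap, whereas the boolean is used in `when:` conditions) would prevent a later "fix".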
@ -89,6 +121,15 @@ cilium_hubble_tls_generate: false
# https://docs.cilium.io/en/v1.9/concepts/networking/ipam/ # https://docs.cilium.io/en/v1.9/concepts/networking/ipam/
cilium_ipam_mode: kubernetes cilium_ipam_mode: kubernetes
# Extra arguments for the Cilium agent
cilium_agent_custom_args: []
# For adding and mounting extra volumes to the cilium agent
cilium_agent_extra_volumes: []
cilium_agent_extra_volume_mounts: []
cilium_agent_extra_env_vars: []
# The address at which the cillium operator bind health check api # The address at which the cillium operator bind health check api
cilium_operator_api_serve_addr: "127.0.0.1:9234" cilium_operator_api_serve_addr: "127.0.0.1:9234"
@ -97,3 +138,23 @@ cilium_operator_api_serve_addr: "127.0.0.1:9234"
## var1: "value1" ## var1: "value1"
## var2: "value2" ## var2: "value2"
cilium_config_extra_vars: {} cilium_config_extra_vars: {}
# For adding and mounting extra volumes to the cilium operator
cilium_operator_extra_volumes: []
cilium_operator_extra_volume_mounts: []
# Extra arguments for the Cilium Operator
cilium_operator_custom_args: []
# Name of the cluster. Only relevant when building a mesh of clusters.
cilium_cluster_name: default
# Make Cilium take ownership over the `/etc/cni/net.d` directory on the node, renaming all non-Cilium CNI configurations to `*.cilium_bak`.
# This ensures no Pods can be scheduled using other CNI plugins during Cilium agent downtime.
# Available for Cilium v1.10 and up.
cilium_cni_exclusive: "true"
# Configure the log file for CNI logging with retention policy of 7 days.
# Disable CNI file logging by setting this field to empty explicitly.
# Available for Cilium v1.12 and up.
cilium_cni_log_file: "/var/run/cilium/cilium-cni.log"


@ -5,7 +5,7 @@
namespace: "kube-system" namespace: "kube-system"
kubectl: "{{ bin_dir }}/kubectl" kubectl: "{{ bin_dir }}/kubectl"
resource: "{{ item.item.type }}" resource: "{{ item.item.type }}"
filename: "{{ kube_config_dir }}/{{ item.item.file }}" filename: "{{ kube_config_dir }}/{{ item.item.name }}-{{ item.item.file }}"
state: "latest" state: "latest"
loop: "{{ cilium_node_manifests.results }}" loop: "{{ cilium_node_manifests.results }}"
when: inventory_hostname == groups['kube_control_plane'][0] and not item is skipped when: inventory_hostname == groups['kube_control_plane'][0] and not item is skipped
@ -25,7 +25,7 @@
namespace: "kube-system" namespace: "kube-system"
kubectl: "{{ bin_dir }}/kubectl" kubectl: "{{ bin_dir }}/kubectl"
resource: "{{ item.item.type }}" resource: "{{ item.item.type }}"
filename: "{{ kube_config_dir }}/addons/hubble/{{ item.item.file }}" filename: "{{ kube_config_dir }}/addons/hubble/{{ item.item.name }}-{{ item.item.file }}"
state: "latest" state: "latest"
loop: "{{ cilium_hubble_manifests.results }}" loop: "{{ cilium_hubble_manifests.results }}"
when: when:


@ -1,14 +1,66 @@
--- ---
- name: Cilium | Check cilium_ipsec_enabled variables - name: Cilium | Check Cilium encryption `cilium_ipsec_key` for ipsec
assert: assert:
that: that:
- "cilium_ipsec_key is defined" - "cilium_ipsec_key is defined"
msg: "cilium_ipsec_key should be defined to use cilium_ipsec_enabled" msg: "cilium_ipsec_key should be defined to enable encryption using ipsec"
when: when:
- cilium_ipsec_enabled - cilium_encryption_enabled
- cilium_encryption_type == "ipsec"
- cilium_tunnel_mode in ['vxlan'] - cilium_tunnel_mode in ['vxlan']
# TODO: Clean this task up when we drop backward compatibility support for `cilium_ipsec_enabled`
- name: Stop if `cilium_ipsec_enabled` is defined and `cilium_encryption_type` is not `ipsec`
assert:
that: cilium_encryption_type == 'ipsec'
msg: >
It is not possible to use `cilium_ipsec_enabled` when `cilium_encryption_type` is set to {{ cilium_encryption_type }}.
when:
- cilium_ipsec_enabled is defined
- cilium_ipsec_enabled
- kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool
- name: Stop if kernel version is too low for Cilium Wireguard encryption
assert:
that: ansible_kernel.split('-')[0] is version('5.6.0', '>=')
when:
- kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool
- cilium_encryption_enabled
- cilium_encryption_type == "wireguard"
- not ignore_assert_errors
- name: Stop if bad Cilium identity allocation mode - name: Stop if bad Cilium identity allocation mode
assert: assert:
that: cilium_identity_allocation_mode in ['crd', 'kvstore'] that: cilium_identity_allocation_mode in ['crd', 'kvstore']
msg: "cilium_identity_allocation_mode must be either 'crd' or 'kvstore'" msg: "cilium_identity_allocation_mode must be either 'crd' or 'kvstore'"
- name: Stop if bad Cilium Cluster ID
assert:
that:
- cilium_cluster_id <= 255
- cilium_cluster_id >= 0
msg: "'cilium_cluster_id' must be between 1 and 255"
when: cilium_cluster_id is defined
- name: Stop if bad encryption type
assert:
that: cilium_encryption_type in ['ipsec', 'wireguard']
msg: "cilium_encryption_type must be either 'ipsec' or 'wireguard'"
when: cilium_encryption_enabled
- name: Stop if `cilium_encryption_type` is set to "wireguard" and cilium_version is < v1.10.0
assert:
that: cilium_version | regex_replace('v') is version('1.10', '>')
msg: "cilium_encryption_type is set to 'wireguard' but cilium_version is < v1.10.0"
when:
- cilium_encryption_enabled
- cilium_encryption_type == "wireguard"
# TODO: Clean this task up when we drop backward compatibility support for `cilium_ipsec_enabled`
- name: Set `cilium_encryption_type` to "ipsec" and if `cilium_ipsec_enabled` is true
set_fact:
cilium_encryption_type: ipsec
cilium_encryption_enabled: true
when:
- cilium_ipsec_enabled is defined
- cilium_ipsec_enabled
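Review bot: task ordering defeats the `cilium_ipsec_key` assertion for legacy inventories: the `set_fact` that maps `cilium_ipsec_enabled: true` onto `cilium_encryption_enabled: true` / `cilium_encryption_type: ipsec` is the last task in the file, while the key check at the top is conditioned on `cilium_encryption_enabled`, so an inventory that only sets `cilium_ipsec_enabled: true` skips the check and the missing key is not caught here. Move the compatibility `set_fact` to the top of the file. Further: the cluster ID assertion accepts `cilium_cluster_id >= 0` while its message and the config comment say 1 to 255, so use `>= 1`; the Wireguard kernel assertion (`>= 5.6.0`) ignores `cilium_wireguard_userspace_fallback`, so the fallback this commit adds can never be reached (add `- not cilium_wireguard_userspace_fallback | bool` to its `when`, and give the assert a `msg`); and the Wireguard version gate uses `is version('1.10', '>')` where the templates use `'>='`, which rejects a bare `v1.10` even though the message says `< v1.10.0`.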


@ -43,17 +43,20 @@
- name: Cilium | Create Cilium node manifests - name: Cilium | Create Cilium node manifests
template: template:
src: "{{ item.file }}.j2" src: "{{ item.name }}/{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}" dest: "{{ kube_config_dir }}/{{ item.name }}-{{ item.file }}"
mode: 0644 mode: 0644
loop: loop:
- {name: cilium, file: cilium-config.yml, type: cm} - {name: cilium, file: config.yml, type: cm}
- {name: cilium, file: cilium-crb.yml, type: clusterrolebinding} - {name: cilium-operator, file: crb.yml, type: clusterrolebinding}
- {name: cilium, file: cilium-cr.yml, type: clusterrole} - {name: cilium-operator, file: cr.yml, type: clusterrole}
- {name: cilium, file: cilium-secret.yml, type: secret, when: "{{ cilium_ipsec_enabled }}"} - {name: cilium, file: crb.yml, type: clusterrolebinding}
- {name: cilium, file: cilium-ds.yml, type: ds} - {name: cilium, file: cr.yml, type: clusterrole}
- {name: cilium, file: cilium-deploy.yml, type: deploy} - {name: cilium, file: secret.yml, type: secret, when: "{{ cilium_encryption_enabled and cilium_encryption_type == 'ipsec' }}"}
- {name: cilium, file: cilium-sa.yml, type: sa} - {name: cilium, file: ds.yml, type: ds}
- {name: cilium-operator, file: deploy.yml, type: deploy}
- {name: cilium-operator, file: sa.yml, type: sa}
- {name: cilium, file: sa.yml, type: sa}
register: cilium_node_manifests register: cilium_node_manifests
when: when:
- inventory_hostname in groups['kube_control_plane'] - inventory_hostname in groups['kube_control_plane']
@ -61,18 +64,18 @@
- name: Cilium | Create Cilium Hubble manifests - name: Cilium | Create Cilium Hubble manifests
template: template:
src: "{{ item.file }}.j2" src: "{{ item.name }}/{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/hubble/{{ item.file }}" dest: "{{ kube_config_dir }}/addons/hubble/{{ item.name }}-{{ item.file }}"
mode: 0644 mode: 0644
loop: loop:
- {name: hubble, file: hubble-config.yml, type: cm} - {name: hubble, file: config.yml, type: cm}
- {name: hubble, file: hubble-crb.yml, type: clusterrolebinding} - {name: hubble, file: crb.yml, type: clusterrolebinding}
- {name: hubble, file: hubble-cr.yml, type: clusterrole} - {name: hubble, file: cr.yml, type: clusterrole}
- {name: hubble, file: hubble-cronjob.yml, type: cronjob, when: "{{ cilium_hubble_tls_generate }}"} - {name: hubble, file: cronjob.yml, type: cronjob, when: "{{ cilium_hubble_tls_generate }}"}
- {name: hubble, file: hubble-deploy.yml, type: deploy} - {name: hubble, file: deploy.yml, type: deploy}
- {name: hubble, file: hubble-job.yml, type: job, when: "{{ cilium_hubble_tls_generate }}"} - {name: hubble, file: job.yml, type: job, when: "{{ cilium_hubble_tls_generate }}"}
- {name: hubble, file: hubble-sa.yml, type: sa} - {name: hubble, file: sa.yml, type: sa}
- {name: hubble, file: hubble-service.yml, type: service} - {name: hubble, file: service.yml, type: service}
register: cilium_hubble_manifests register: cilium_hubble_manifests
when: when:
- inventory_hostname == groups['kube_control_plane'][0] - inventory_hostname == groups['kube_control_plane'][0]


@ -23,6 +23,15 @@ rules:
- get - get
- list - list
- watch - watch
{% if cilium_version | regex_replace('v') is version('1.10', '>=') %}
- apiGroups:
- ""
resources:
# to perform LB IP allocation for BGP
- services/status
verbs:
- update
{% endif %}
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
@ -68,9 +77,22 @@ rules:
- ciliumlocalredirectpolicies - ciliumlocalredirectpolicies
- ciliumlocalredirectpolicies/status - ciliumlocalredirectpolicies/status
- ciliumlocalredirectpolicies/finalizers - ciliumlocalredirectpolicies/finalizers
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.11', '>=') %}
- ciliumendpointslices
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.12', '>=') %}
- ciliumbgploadbalancerippools
- ciliumbgppeeringpolicies
- ciliumenvoyconfigs
{% endif %} {% endif %}
verbs: verbs:
- '*' - get
- list
- watch
- create
- update
- delete
- apiGroups: - apiGroups:
- apiextensions.k8s.io - apiextensions.k8s.io
resources: resources:
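Review bot: replacing `'*'` with an explicit verb list on the `cilium.io` resources is a welcome least-privilege change, but it is not mentioned in the commit message, and any verb missing from the list (for instance `patch` or `deletecollection`, if the operator needs them for the newly added `ciliumendpointslices`) will only surface at runtime as `forbidden` errors in the cilium-operator log; please confirm the list against the upstream 1.11.3 operator ClusterRole and record the change in the commit message so a regression can be traced back to it.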
@ -100,109 +122,3 @@ rules:
- get - get
- update - update
{% endif %} {% endif %}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cilium
rules:
- apiGroups:
- networking.k8s.io
resources:
{% if cilium_version | regex_replace('v') is version('1.7', '<') %}
- ingresses
{% endif %}
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
- services
- nodes
- endpoints
{% if cilium_version | regex_replace('v') is version('1.7', '<') %}
- componentstatuses
{% endif %}
verbs:
- get
- list
- watch
{% if cilium_version | regex_replace('v') is version('1.7', '<') %}
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- create
- get
- list
- watch
{% endif %}
- apiGroups:
- ""
resources:
- pods
- nodes
verbs:
- get
- list
- watch
- update
- apiGroups:
- ""
resources:
- nodes
- nodes/status
verbs:
- patch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- get
- list
- watch
- update
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies
- ciliumnetworkpolicies/status
{% if cilium_version | regex_replace('v') is version('1.7', '>=') %}
- ciliumclusterwidenetworkpolicies
- ciliumclusterwidenetworkpolicies/status
{% endif %}
- ciliumendpoints
- ciliumendpoints/status
{% if cilium_version | regex_replace('v') is version('1.6', '>=') %}
- ciliumnodes
- ciliumnodes/status
- ciliumidentities
- ciliumidentities/status
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.9', '>=') %}
- ciliumnetworkpolicies/finalizers
- ciliumclusterwidenetworkpolicies/finalizers
- ciliumendpoints/finalizers
- ciliumnodes/finalizers
- ciliumidentities/finalizers
- ciliumlocalredirectpolicies
- ciliumlocalredirectpolicies/status
- ciliumlocalredirectpolicies/finalizers
{% endif %}
verbs:
- '*'


@ -0,0 +1,13 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cilium-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cilium-operator
subjects:
- kind: ServiceAccount
name: cilium-operator
namespace: kube-system


@ -45,6 +45,13 @@ spec:
- args: - args:
- --debug=$(CILIUM_DEBUG) - --debug=$(CILIUM_DEBUG)
- --config-dir=/tmp/cilium/config-map - --config-dir=/tmp/cilium/config-map
{% if cilium_operator_custom_args is string %}
- {{ cilium_operator_custom_args }}
{% else %}
{% for flag in cilium_operator_custom_args %}
- {{ flag }}
{% endfor %}
{% endif %}
command: command:
- cilium-operator - cilium-operator
env: env:
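Review bot: the custom-argument entries are emitted unquoted (`- {{ flag }}` and `- {{ cilium_operator_custom_args }}`), so a flag value containing YAML-significant characters such as `: `, ` #` or a leading `*` yields an invalid manifest rather than a clear error; rendering them as `- {{ flag | to_json }}` (and the same in the string branch) keeps arbitrary values safe. Note also that the `is string` branch passes the whole string as one argv element, which the documentation should state explicitly.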
@ -69,6 +76,9 @@ spec:
key: debug key: debug
name: cilium-config name: cilium-config
optional: true optional: true
# We are already mounting the whole ConfigMap as a directory.
# https://github.com/cilium/cilium/pull/10347
{% if cilium_version | regex_replace('v') is version('1.8', '<') %}
- name: CILIUM_CLUSTER_NAME - name: CILIUM_CLUSTER_NAME
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
@ -87,6 +97,7 @@ spec:
key: disable-endpoint-crd key: disable-endpoint-crd
name: cilium-config name: cilium-config
optional: true optional: true
{% endif %}
- name: AWS_ACCESS_KEY_ID - name: AWS_ACCESS_KEY_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
@ -146,6 +157,9 @@ spec:
- mountPath: /tmp/cilium/config-map - mountPath: /tmp/cilium/config-map
name: cilium-config-path name: cilium-config-path
readOnly: true readOnly: true
{% for volume_mount in cilium_operator_extra_volume_mounts %}
- {{ volume_mount | to_nice_yaml(indent=2) | indent(14) }}
{% endfor %}
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
priorityClassName: system-node-critical priorityClassName: system-node-critical
restartPolicy: Always restartPolicy: Always
@ -172,3 +186,6 @@ spec:
- configMap: - configMap:
name: cilium-config name: cilium-config
name: cilium-config-path name: cilium-config-path
{% for volume in cilium_operator_extra_volumes %}
- {{ volume | to_nice_yaml(indent=2) | indent(10) }}
{% endfor %}


@ -4,9 +4,3 @@ kind: ServiceAccount
metadata: metadata:
name: cilium-operator name: cilium-operator
namespace: kube-system namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cilium
namespace: kube-system


@ -118,12 +118,18 @@ data:
tunnel: "{{ cilium_tunnel_mode }}" tunnel: "{{ cilium_tunnel_mode }}"
# Name of the cluster. Only relevant when building a mesh of clusters. # Name of the cluster. Only relevant when building a mesh of clusters.
cluster-name: default cluster-name: "{{ cilium_cluster_name }}"
# Unique ID of the cluster. Must be unique across all conneted clusters and # Unique ID of the cluster. Must be unique across all conneted clusters and
# in the range of 1 and 255. Only relevant when building a mesh of clusters. # in the range of 1 and 255. Only relevant when building a mesh of clusters.
#cluster-id: 1 #cluster-id: 1
{% if cilium_cluster_id is defined %}
cluster-id: "{{ cilium_cluster_id }}"
{% endif %}
# `tofqdns-enable-poller` is deprecated in 1.8, removed in 1.9
# https://github.com/cilium/cilium/issues/8604
{% if cilium_version | regex_replace('v') is version('1.9', '<') %}
# DNS Polling periodically issues a DNS lookup for each `matchName` from # DNS Polling periodically issues a DNS lookup for each `matchName` from
# cilium-agent. The result is used to regenerate endpoint policy. # cilium-agent. The result is used to regenerate endpoint policy.
# DNS lookups are repeated with an interval of 5 seconds, and are made for # DNS lookups are repeated with an interval of 5 seconds, and are made for
@ -144,17 +150,39 @@ data:
# [0] http://docs.cilium.io/en/stable/policy/language/#dns-based # [0] http://docs.cilium.io/en/stable/policy/language/#dns-based
# [1] http://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action # [1] http://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action
tofqdns-enable-poller: "{{cilium_tofqdns_enable_poller}}" tofqdns-enable-poller: "{{cilium_tofqdns_enable_poller}}"
{% endif %}
# `wait-bpf-mount` is removed after v1.10.4
# https://github.com/cilium/cilium/commit/d2217045cb3726a7f823174e086913b69b8090da
{% if cilium_version | regex_replace('v') is version('1.10.4', '<') %}
# wait-bpf-mount makes init container wait until bpf filesystem is mounted # wait-bpf-mount makes init container wait until bpf filesystem is mounted
wait-bpf-mount: "false" wait-bpf-mount: "false"
{% endif %}
# `enable-legacy-services` is deprecated in 1.6, removed in 1.9
# https://github.com/cilium/cilium/pull/10255
{% if cilium_version | regex_replace('v') is version('1.9', '<') %}
# Enable legacy services (prior v1.5) to prevent from terminating existing # Enable legacy services (prior v1.5) to prevent from terminating existing
# connections with services when upgrading Cilium from < v1.5 to v1.5. # connections with services when upgrading Cilium from < v1.5 to v1.5.
enable-legacy-services: "{{cilium_enable_legacy_services}}" enable-legacy-services: "{{cilium_enable_legacy_services}}"
{% endif %}
kube-proxy-replacement: "{{ cilium_kube_proxy_replacement }}" kube-proxy-replacement: "{{ cilium_kube_proxy_replacement }}"
# `native-routing-cidr` is deprecated in 1.10, removed in 1.12.
# Replaced by `ipv4-native-routing-cidr`
# https://github.com/cilium/cilium/pull/16695
{% if cilium_version | regex_replace('v') is version('1.12', '<') %}
native-routing-cidr: "{{ cilium_native_routing_cidr }}" native-routing-cidr: "{{ cilium_native_routing_cidr }}"
{% else %}
{% if cilium_native_routing_cidr | length %}
ipv4-native-routing-cidr: "{{ cilium_native_routing_cidr }}"
{% endif %}
{% if cilium_native_routing_cidr_ipv6 | length %}
ipv6-native-routing-cidr: "{{ cilium_native_routing_cidr_ipv6 }}"
{% endif %}
{% endif %}
auto-direct-node-routes: "{{ cilium_auto_direct_node_routes }}" auto-direct-node-routes: "{{ cilium_auto_direct_node_routes }}"
operator-api-serve-addr: "{{ cilium_operator_api_serve_addr }}" operator-api-serve-addr: "{{ cilium_operator_api_serve_addr }}"
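Review bot: for `cilium_version` below 1.12 the new `cilium_native_routing_cidr_ipv6` is silently ignored (only `native-routing-cidr` is rendered), while the defaults and sample inventory present it without a version qualifier; either add a version note to the variable's comment or add an assertion in check.yml so a non-empty value on an older release fails early rather than quietly having no effect. Also, the `wait-bpf-mount` gate is `< 1.10.4` although the comment says the key was removed after v1.10.4; one of the two should be adjusted so that 1.10.4 itself is handled as intended.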
@ -182,11 +210,18 @@ data:
{{ key }}: "{{ value }}" {{ key }}: "{{ value }}"
{% endfor %} {% endfor %}
# IPsec based transparent encryption between nodes # Enable transparent network encryption
{% if cilium_ipsec_enabled %} {% if cilium_encryption_enabled %}
{% if cilium_encryption_type == "ipsec" %}
enable-ipsec: "true" enable-ipsec: "true"
ipsec-key-file: /etc/ipsec/keys ipsec-key-file: /etc/ipsec/keys
encrypt-node: "false" encrypt-node: "{{ cilium_ipsec_node_encryption }}"
{% endif %}
{% if cilium_encryption_type == "wireguard" %}
enable-wireguard: "true"
enable-wireguard-userspace-fallback: "{{ cilium_wireguard_userspace_fallback }}"
{% endif %}
{% endif %} {% endif %}
# IPAM settings # IPAM settings


@ -0,0 +1,134 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cilium
rules:
- apiGroups:
- networking.k8s.io
resources:
{% if cilium_version | regex_replace('v') is version('1.7', '<') %}
- ingresses
{% endif %}
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
- services
- nodes
- endpoints
{% if cilium_version | regex_replace('v') is version('1.7', '<') %}
- componentstatuses
{% endif %}
verbs:
- get
- list
- watch
{% if cilium_version | regex_replace('v') is version('1.7', '<') %}
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- create
- get
- list
- watch
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.7', '>') %}
- apiGroups:
- ""
resources:
- pods/finalizers
verbs:
- update
{% endif %}
- apiGroups:
- ""
resources:
- pods
- nodes
verbs:
- get
- list
- watch
- update
- apiGroups:
- ""
resources:
- nodes
- nodes/status
verbs:
- patch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- get
- list
- watch
- update
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies
- ciliumnetworkpolicies/status
{% if cilium_version | regex_replace('v') is version('1.7', '>=') %}
- ciliumclusterwidenetworkpolicies
- ciliumclusterwidenetworkpolicies/status
{% endif %}
- ciliumendpoints
- ciliumendpoints/status
{% if cilium_version | regex_replace('v') is version('1.6', '>=') %}
- ciliumnodes
- ciliumnodes/status
- ciliumidentities
- ciliumidentities/status
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.9', '>=') %}
- ciliumnetworkpolicies/finalizers
- ciliumclusterwidenetworkpolicies/finalizers
- ciliumendpoints/finalizers
- ciliumnodes/finalizers
- ciliumidentities/finalizers
- ciliumlocalredirectpolicies
- ciliumlocalredirectpolicies/status
- ciliumlocalredirectpolicies/finalizers
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.10', '>=') %}
- ciliumegressnatpolicies
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.11', '>=') %}
- ciliumendpointslices
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.12', '>=') %}
- ciliumbgploadbalancerippools
- ciliumbgppeeringpolicies
{% endif %}
verbs:
- '*'
{% if cilium_version | regex_replace('v') is version('1.12', '>=') %}
- apiGroups:
- cilium.io
resources:
- ciliumclusterwideenvoyconfigs
- ciliumenvoyconfigs
verbs:
- list
- watch
{% endif %}
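Review bot: the `pods/finalizers` rule is gated with `is version('1.7', '>')` while every other gate in this file uses `'>='` or `'<'`; a strictly-greater comparison excludes a plain `v1.7`, so use `'>='` for consistency. Separately, this agent ClusterRole keeps `verbs: ['*']` on the `cilium.io` resources even though the operator ClusterRole in the same commit narrows its verbs to an explicit list; if the agent genuinely needs the wildcard, a comment saying so would stop the next reviewer from "fixing" it, otherwise apply the same narrowing here.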


@ -1,19 +1,6 @@
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata:
name: cilium-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cilium-operator
subjects:
- kind: ServiceAccount
name: cilium-operator
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: metadata:
name: cilium name: cilium
roleRef: roleRef:
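Review bot: the `cilium-operator` ClusterRoleBinding removed from the top of this file (subject `ServiceAccount cilium-operator` in `kube-system`, bound to ClusterRole `cilium-operator`) must be recreated in the new cilium-operator template, otherwise the operator's ServiceAccount loses its ClusterRole after the upgrade and the operator can no longer manage CiliumNodes or identities; a pointer in the commit message to where it moved would help reviewers. The binding that remains keeps `name: cilium` for both the ClusterRole and the subject, which matches the new ServiceAccount manifest.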

View file

@ -1,3 +1,4 @@
---
apiVersion: apps/v1 apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
@ -35,6 +36,13 @@ spec:
- --config-dir=/tmp/cilium/config-map - --config-dir=/tmp/cilium/config-map
{% if cilium_mtu != "" %} {% if cilium_mtu != "" %}
- --mtu={{ cilium_mtu }} - --mtu={{ cilium_mtu }}
{% endif %}
{% if cilium_agent_custom_args is string %}
- {{ cilium_agent_custom_args }}
{% else %}
{% for flag in cilium_agent_custom_args %}
- {{ flag }}
{% endfor %}
{% endif %} {% endif %}
command: command:
- cilium-agent - cilium-agent
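Review bot: the `cilium_agent_custom_args is string` branch renders `- {{ cilium_agent_custom_args }}` unconditionally, so a default of `""` produces an empty list item (a YAML null in `args`), which either fails validation or reaches cilium-agent as an empty argument; guard it with something like `{% if cilium_agent_custom_args is string and cilium_agent_custom_args | length %}`. Also, a single string containing several flags becomes one argv entry, and an unquoted flag containing `:` or `#` breaks the YAML; emitting `- "{{ flag }}"` in both branches avoids the second problem.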
@ -57,6 +65,9 @@ spec:
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "{{ kube_apiserver_global_endpoint | urlsplit('port') }}" value: "{{ kube_apiserver_global_endpoint | urlsplit('port') }}"
{% endif %} {% endif %}
{% for env_var in cilium_agent_extra_env_vars %}
- {{ env_var | to_nice_yaml(indent=2) | indent(10) }}
{% endfor %}
image: "{{cilium_image_repo}}:{{cilium_image_tag}}" image: "{{cilium_image_repo}}:{{cilium_image_tag}}"
imagePullPolicy: {{ k8s_image_pull_policy }} imagePullPolicy: {{ k8s_image_pull_policy }}
resources: resources:
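Review bot: `{{ env_var | to_nice_yaml(indent=2) | indent(10) }}` depends on the `env:` list items sitting at exactly 8 spaces (the `- ` plus a 10-space continuation); Jinja's `indent` leaves the first line alone, so the layout is correct, but `to_nice_yaml` ends with a newline which, together with the template's own line break, leaves a blank line inside the list. It parses, but the rendered DaemonSet is harder to diff; `| trim` before `indent(10)` removes it. No default for `cilium_agent_extra_env_vars` is visible in this diff; the `for` loop needs an empty list, not an undefined variable, or rendering fails.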
@ -70,11 +81,29 @@ spec:
postStart: postStart:
exec: exec:
command: command:
- /cni-install.sh - "/cni-install.sh"
{% if cilium_version | regex_replace('v') is version('1.10', '>=') %}
- "--cni-exclusive={{ cilium_cni_exclusive }}"
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.12', '>=') %}
- "--log-file={{ cilium_cni_log_file }}"
{% endif %}
preStop: preStop:
exec: exec:
command: command:
- /cni-uninstall.sh - /cni-uninstall.sh
startupProbe:
httpGet:
host: '127.0.0.1'
path: /healthz
port: 9876
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
failureThreshold: 105
periodSeconds: 2
successThreshold: 1
livenessProbe: livenessProbe:
httpGet: httpGet:
host: '127.0.0.1' host: '127.0.0.1'
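Review bot: the new `startupProbe` gives the agent up to 105 x 2 s = 210 s to come up before the liveness and readiness probes start, which is the right way to handle a slow bootstrap, but the field is only recognised by Kubernetes 1.18 and later (GA in 1.20); on an older API server it is silently dropped or rejected under strict validation, so check it against the supported-version floor. The version gates on `/cni-install.sh` look right; note that `--cni-exclusive` controls whether Cilium disables other CNI configurations in `/etc/cni/net.d`, so `cilium_cni_exclusive` deserves a documented default and a mention in the upgrade notes.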
@ -85,13 +114,23 @@ spec:
- name: "brief" - name: "brief"
value: "true" value: "true"
failureThreshold: 10 failureThreshold: 10
# The initial delay for the liveness probe is intentionally large to
# avoid an endless kill & restart cycle if in the event that the initial
# bootstrapping takes longer than expected.
initialDelaySeconds: 120
periodSeconds: 30 periodSeconds: 30
successThreshold: 1 successThreshold: 1
timeoutSeconds: 5 timeoutSeconds: 5
readinessProbe:
httpGet:
host: 127.0.0.1
path: /healthz
port: 9876
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
initialDelaySeconds: 5
periodSeconds: 30
successThreshold: 1
failureThreshold: 3
timeoutSeconds: 5
name: cilium-agent name: cilium-agent
{% if cilium_enable_prometheus or cilium_enable_hubble_metrics %} {% if cilium_enable_prometheus or cilium_enable_hubble_metrics %}
ports: ports:
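Review bot: `initialDelaySeconds: 120` on the liveness probe is redundant now that the `startupProbe` added in the previous hunk gates it: the kubelet does not run liveness or readiness probes until the startup probe succeeds, so the 120 s delay only slows down detection of a hang after a successful start. Either drop it or update the comment, which describes a restart loop the startup probe now prevents. The readinessProbe moved up here is identical to the one removed from further down, so that part is a pure reorder.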
@ -108,35 +147,21 @@ spec:
name: hubble-metrics name: hubble-metrics
protocol: TCP protocol: TCP
{% endif %} {% endif %}
readinessProbe:
httpGet:
host: '127.0.0.1'
path: /healthz
port: 9876
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
securityContext: securityContext:
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
privileged: true privileged: true
volumeMounts: volumeMounts:
- mountPath: /sys/fs/bpf - mountPath: /sys/fs/bpf
name: bpf-maps name: bpf-maps
mountPropagation: Bidirectional
- mountPath: /var/run/cilium - mountPath: /var/run/cilium
name: cilium-run name: cilium-run
- mountPath: /host/opt/cni/bin - mountPath: /host/opt/cni/bin
name: cni-path name: cni-path
- mountPath: /host/etc/cni/net.d - mountPath: /host/etc/cni/net.d
name: etc-cni-netd name: etc-cni-netd
# pkg/workloads was depreca, removed in 1.7
# https://github.com/cilium/cilium/pull/9447
{% if cilium_version | regex_replace('v') is version('1.7', '<') %}
{% if container_manager == 'docker' %} {% if container_manager == 'docker' %}
- mountPath: /var/run/docker.sock - mountPath: /var/run/docker.sock
name: docker-socket name: docker-socket
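Review bot: typo in the new comment `# pkg/workloads was depreca, removed in 1.7`; the same guard in the volumes hunk later reads `deprecated in 1.6, removed in 1.7`, so copy that wording. Dropping `capabilities.add: [NET_ADMIN, SYS_MODULE]` is a no-op because `privileged: true` already grants every capability, and `mountPropagation: Bidirectional` on `/sys/fs/bpf` requires a privileged container, which this is; if the agent is ever de-privileged both will need revisiting together.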
@ -146,6 +171,7 @@ spec:
mountPath: {{ cri_socket }} mountPath: {{ cri_socket }}
readOnly: true readOnly: true
{% endif %} {% endif %}
{% endif %}
{% if cilium_identity_allocation_mode == "kvstore" %} {% if cilium_identity_allocation_mode == "kvstore" %}
- mountPath: /var/lib/etcd-config - mountPath: /var/lib/etcd-config
name: etcd-config-path name: etcd-config-path
@ -166,7 +192,7 @@ spec:
readOnly: true readOnly: true
- mountPath: /run/xtables.lock - mountPath: /run/xtables.lock
name: xtables-lock name: xtables-lock
{% if cilium_ipsec_enabled %} {% if cilium_encryption_enabled and cilium_encryption_type == "ipsec" %}
- mountPath: /etc/ipsec - mountPath: /etc/ipsec
name: cilium-ipsec-secrets name: cilium-ipsec-secrets
readOnly: true readOnly: true
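Review bot: replacing `cilium_ipsec_enabled` with `cilium_encryption_enabled and cilium_encryption_type == "ipsec"` is a breaking change for existing inventories: a cluster with `cilium_ipsec_enabled: true` would silently lose the `/etc/ipsec` mount, and with it pod-to-pod encryption, on the next run. Add a compatibility shim (for example, treat a defined `cilium_ipsec_enabled: true` as setting both new variables, with a deprecation warning) or at least call it out in the docs and release notes.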
@ -176,9 +202,14 @@ spec:
name: hubble-tls name: hubble-tls
readOnly: true readOnly: true
{% endif %} {% endif %}
{% for volume_mount in cilium_agent_extra_volume_mounts %}
- {{ volume_mount | to_nice_yaml(indent=2) | indent(10) }}
{% endfor %}
# In managed etcd mode, Cilium must be able to resolve the DNS name of the etcd service
{% if cilium_identity_allocation_mode == "kvstore" %}
dnsPolicy: ClusterFirstWithHostNet dnsPolicy: ClusterFirstWithHostNet
{% endif %}
hostNetwork: true hostNetwork: true
hostPID: false
initContainers: initContainers:
- command: - command:
- /init-container.sh - /init-container.sh
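Review bot: `dnsPolicy: ClusterFirstWithHostNet` is now emitted only when `cilium_identity_allocation_mode == "kvstore"`; in CRD mode the pod falls back to the default `ClusterFirst`, which for a `hostNetwork: true` pod means the node's resolver, so the agent can no longer resolve cluster-internal names (clustermesh or Hubble endpoints addressed by service name, for instance). If that is intended, say so in the comment; otherwise keep the policy unconditional. The `cilium_agent_extra_volume_mounts` loop has the same `to_nice_yaml | indent(10)` shape and the same undefined-default concern as the env var loop.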
@ -189,18 +220,30 @@ spec:
key: clean-cilium-state key: clean-cilium-state
name: cilium-config name: cilium-config
optional: true optional: true
- name: CLEAN_CILIUM_BPF_STATE # CLEAN_CILIUM_BPF_STATE is deprecated in 1.6.
# https://github.com/cilium/cilium/pull/7478
- name: "{{ cilium_version | regex_replace('v') is version('1.6', '<')| ternary('CLEAN_CILIUM_BPF_STATE','CILIUM_BPF_STATE') }}"
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: clean-cilium-bpf-state key: clean-cilium-bpf-state
name: cilium-config name: cilium-config
optional: true optional: true
# Removed in 1.11 and up.
# https://github.com/cilium/cilium/commit/f7a3f59fd74983c600bfce9cac364b76d20849d9
{% if cilium_version | regex_replace('v') is version('1.11', '<') %}
- name: CILIUM_WAIT_BPF_MOUNT - name: CILIUM_WAIT_BPF_MOUNT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: wait-bpf-mount key: wait-bpf-mount
name: cilium-config name: cilium-config
optional: true optional: true
{% endif %}
{% if cilium_kube_proxy_replacement == 'strict' %}
- name: KUBERNETES_SERVICE_HOST
value: "{{ kube_apiserver_global_endpoint | urlsplit('hostname') }}"
- name: KUBERNETES_SERVICE_PORT
value: "{{ kube_apiserver_global_endpoint | urlsplit('port') }}"
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.9', '<') %} {% if cilium_version | regex_replace('v') is version('1.9', '<') %}
image: "{{cilium_init_image_repo}}:{{cilium_init_image_tag}}" image: "{{cilium_init_image_repo}}:{{cilium_init_image_tag}}"
{% else %} {% else %}
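Review bot: the ternary in `- name: "{{ cilium_version | regex_replace('v') is version('1.6', '<')| ternary('CLEAN_CILIUM_BPF_STATE','CILIUM_BPF_STATE') }}"` is missing a space before the second `|` and is hard to read inside a quoted YAML scalar; a `{% set %}` at the top of the init container, or a variable in the role defaults, would be clearer. The `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` pair added under `cilium_kube_proxy_replacement == 'strict'` duplicates the guarded pair the agent container already has (the `{% endif %}` after its `KUBERNETES_SERVICE_PORT` above); make sure both use the same condition so they cannot drift.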
@ -209,13 +252,16 @@ spec:
imagePullPolicy: {{ k8s_image_pull_policy }} imagePullPolicy: {{ k8s_image_pull_policy }}
name: clean-cilium-state name: clean-cilium-state
securityContext: securityContext:
capabilities:
add:
- NET_ADMIN
privileged: true privileged: true
volumeMounts: volumeMounts:
- mountPath: /sys/fs/bpf - mountPath: /sys/fs/bpf
name: bpf-maps name: bpf-maps
{% if cilium_version | regex_replace('v') is version('1.11', '>=') %}
# Required to mount cgroup filesystem from the host to cilium agent pod
- name: cilium-cgroup
mountPath: /run/cilium/cgroupv2
mountPropagation: HostToContainer
{% endif %}
- mountPath: /var/run/cilium - mountPath: /var/run/cilium
name: cilium-run name: cilium-run
resources: resources:
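Review bot: the `cilium-cgroup` mount in the `clean-cilium-state` init container uses `mountPropagation: HostToContainer`, which only does something if a cgroup2 filesystem is mounted at `/run/cilium/cgroupv2` on the host first; nothing in this diff performs that mount (the `hostproc` volume added further down is not mounted by any container shown here), so confirm that the cgroup-mount init container or an equivalent exists, or Cilium 1.11 will start without the cgroup root it expects for socket-level load balancing. Removing `NET_ADMIN` from `capabilities.add` is a no-op under `privileged: true`.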
@ -227,6 +273,11 @@ spec:
serviceAccount: cilium serviceAccount: cilium
serviceAccountName: cilium serviceAccountName: cilium
terminationGracePeriodSeconds: 1 terminationGracePeriodSeconds: 1
hostNetwork: true
# In managed etcd mode, Cilium must be able to resolve the DNS name of the etcd service
{% if cilium_identity_allocation_mode == "kvstore" %}
dnsPolicy: ClusterFirstWithHostNet
{% endif %}
tolerations: tolerations:
- operator: Exists - operator: Exists
volumes: volumes:
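Review bot: `hostNetwork: true` and the `dnsPolicy` block are now emitted twice in the same pod spec, once just before `initContainers:` in the earlier hunk and again here after `terminationGracePeriodSeconds`. Duplicate mapping keys are invalid in YAML 1.2; PyYAML keeps the last value silently, but stricter parsers and server-side validation can reject the manifest. Keep one copy (this one, next to the other pod-level fields, reads better) and delete the other.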
@ -240,6 +291,9 @@ spec:
path: /sys/fs/bpf path: /sys/fs/bpf
type: DirectoryOrCreate type: DirectoryOrCreate
name: bpf-maps name: bpf-maps
# pkg/workloads was deprecated in 1.6, removed in 1.7
# https://github.com/cilium/cilium/pull/9447
{% if cilium_version | regex_replace('v') is version('1.7', '<') %}
{% if container_manager == 'docker' %} {% if container_manager == 'docker' %}
# To read docker events from the node # To read docker events from the node
- hostPath: - hostPath:
@ -252,6 +306,19 @@ spec:
path: {{ cri_socket }} path: {{ cri_socket }}
type: Socket type: Socket
name: {{ container_manager }}-socket name: {{ container_manager }}-socket
{% endif %}
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.11', '>=') %}
# To mount cgroup2 filesystem on the host
- name: hostproc
hostPath:
path: /proc
type: Directory
# To keep state between restarts / upgrades for cgroup2 filesystem
- name: cilium-cgroup
hostPath:
path: /run/cilium/cgroupv2
type: DirectoryOrCreate
{% endif %} {% endif %}
# To install cilium cni plugin in the host # To install cilium cni plugin in the host
- hostPath: - hostPath:
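Review bot: the `hostproc` volume (`path: /proc`, `type: Directory`) is added but no container in this diff mounts it, so it is either used by a hunk not shown or dead configuration. A hostPath on `/proc` in a privileged pod exposes the whole host process tree, so keep it only if the cgroup-mount init container really needs it, and check whether that mount can be `readOnly: true`.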
@ -275,7 +342,8 @@ spec:
{% if cilium_identity_allocation_mode == "kvstore" %} {% if cilium_identity_allocation_mode == "kvstore" %}
# To read the etcd config stored in config maps # To read the etcd config stored in config maps
- configMap: - configMap:
defaultMode: 420 # note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
items: items:
- key: etcd-config - key: etcd-config
path: etcd.config path: etcd.config
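Review bot: `defaultMode: 0400` (octal, 256 decimal, replacing 420 = 0644) makes the etcd config readable only by its owner; that is fine while the agent runs as root, which the `privileged: true` security context implies, but if a `runAsUser` or `fsGroup` is ever added these files become unreadable. The `leading zero` comment is worth keeping, since the same value must be written as `256` in JSON or `kubectl patch` form.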
@ -289,14 +357,15 @@ spec:
# To read the clustermesh configuration # To read the clustermesh configuration
- name: clustermesh-secrets - name: clustermesh-secrets
secret: secret:
defaultMode: 420 # note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
optional: true optional: true
secretName: cilium-clustermesh secretName: cilium-clustermesh
# To read the configuration from the config map # To read the configuration from the config map
- configMap: - configMap:
name: cilium-config name: cilium-config
name: cilium-config-path name: cilium-config-path
{% if cilium_ipsec_enabled %} {% if cilium_encryption_enabled and cilium_encryption_type == "ipsec" %}
- name: cilium-ipsec-secrets - name: cilium-ipsec-secrets
secret: secret:
secretName: cilium-ipsec-keys secretName: cilium-ipsec-keys
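Review bot: same `defaultMode: 0400` change as for the etcd config above, with the same root-only caveat. The `cilium_ipsec_enabled` condition here must stay in step with the `/etc/ipsec` mount condition in the container, so a single compatibility shim for the old variable would cover both places.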
@ -304,6 +373,8 @@ spec:
{% if cilium_hubble_install %} {% if cilium_hubble_install %}
- name: hubble-tls - name: hubble-tls
projected: projected:
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
sources: sources:
- secret: - secret:
name: hubble-server-certs name: hubble-server-certs

View file

@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cilium
namespace: kube-system
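Review bot: this ServiceAccount matches the subject kept in the ClusterRoleBinding (`name: cilium`, `namespace: kube-system`) and the DaemonSet's `serviceAccountName: cilium`; since it now lives in its own file, check that the role applies it before the DaemonSet, otherwise the first apply fails on the missing account.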