Bump v13 (#52)

* cilium-agent * cilium-agent * cilium-nodeinit * cilium-operator * cilium-operator * cilium-preflight * clustermesh-apiserver * etcd-operator * hubble * hubble-relay * hubble-ui * root * Chart.yaml * readme * values * values * values * adjust psp * adjust agent volume mounts * bump to 1.13 rc4 * bump to 1.13 rc4 * bump to 1.13.0 * fix operator image name * Enable metrics port for operator * Enable hubble * Enable hubble metrics * Enable monitoring service even if not using servicemonitor * add metrics to networkpolicy * Add Changelog * Fix certgen image * Revert "Enable metrics port for operator" This reverts commit 8610165. * Revert "Enable hubble" This reverts commit 2b1fd22. * Revert "Enable hubble metrics" This reverts commit 8954178. * Revert "Enable monitoring service even if not using servicemonitor" This reverts commit b4f25ae. * Revert "add metrics to networkpolicy" This reverts commit ad8a1c7. * Revert "Add Changelog" This reverts commit 97a67a2. * Fix changelog --------- Co-authored-by: paurosello <pau@giantswarm.io> Co-authored-by: Pau <paurosello@gmail.com>
giantswarm · Mar 7, 2023 · 19bea1a · 19bea1a
1 parent b04ad3b
commit 19bea1a
Show file tree

Hide file tree

Showing 86 changed files with 3,050 additions and 724 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,12 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Bump all manifests to upstream version 1.13.
+
 ## [0.7.0] - 2023-02-10
 
 ### Changed
 
 - Enable LocalRedirectPolicy for node-local-cache and kiam. 
 
+
 ## [0.6.1] - 2022-11-22
 
 ### Changed

diff --git a/helm/cilium/Chart.yaml b/helm/cilium/Chart.yaml
@@ -3,9 +3,9 @@ name: cilium
 displayName: Cilium
 home: https://cilium.io/
 version: 0.7.0
-appVersion: 1.11.2
+appVersion: 1.13.0
 kubeVersion: ">= 1.16.0-0"
-icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.11.2/Documentation/images/logo-solo.svg
+icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.13/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability
 keywords:
   - BPF
@@ -84,10 +84,44 @@ annotations:
         Cilium Endpoint Slice represents the status of groups of pods or nodes
         in the cluster which are managed by Cilium, including enforcement status,
         IP addressing and whether the networking is succesfully operational.
-    - kind: CiliumEgressNATPolicy
-      version: v2alpha1
-      name: ciliumegressnatpolicies.cilium.io
-      displayName: Cilium Egress NAT Policy
+    - kind: CiliumEgressGatewayPolicy
+      version: v2
+      name: ciliumegressgatewaypolicies.cilium.io
+      displayName: Cilium Egress Gateway Policy
       description: |
-        Cilium Egress NAT Policy provides control over the way that traffic
+        Cilium Egress Gateway Policy provides control over the way that traffic
         leaves the cluster and which source addresses to use for that traffic.
+    - kind: CiliumClusterwideEnvoyConfig
+      version: v2
+      name: ciliumclusterwideenvoyconfigs.cilium.io
+      displayName: Cilium Clusterwide Envoy Config
+      description: |
+        Cilium Clusterwide Envoy Config specifies Envoy resources and K8s service mappings
+        to be provisioned into Cilium host proxy instances in cluster context.
+    - kind: CiliumEnvoyConfig
+      version: v2
+      name: ciliumenvoyconfigs.cilium.io
+      displayName: Cilium Envoy Config
+      description: |
+        Cilium Envoy Config specifies Envoy resources and K8s service mappings
+        to be provisioned into Cilium host proxy instances in namespace context.
+    - kind: CiliumBGPPeeringPolicy
+      version: v2alpha1
+      name: ciliumbgppeeringpolicies.cilium.io
+      displayName: Cilium BGP Peering Policy
+      description: |
+        Cilium BGP Peering Policy instructs Cilium to create specific BGP peering
+        configurations.
+    - kind: CiliumLoadBalancerIPPool
+      version: v2alpha1
+      name: ciliumloadbalancerippools.cilium.io
+      displayName: Cilium Load Balancer IP Pool
+      description: |
+        Defining a Cilium Load Balancer IP Pool instructs Cilium to assign IPs to LoadBalancer Services.
+    - kind: CiliumNodeConfig
+      version: v2alpha1
+      name: ciliumnodeconfigs.cilium.io
+      displayName: Cilium Node Configuration
+      description: |
+        CiliumNodeConfig is a list of configuration key-value pairs. It is applied to
+        nodes indicated by a label selector.
diff --git a/helm/cilium/README.md b/helm/cilium/README.md
diff --git a/helm/cilium/README.md.gotmpl b/helm/cilium/README.md.gotmpl
@@ -39,7 +39,7 @@ $ helm install cilium cilium/cilium --namespace=kube-system
 ```
 
 After Cilium is installed, you can explore the features that Cilium has to
-offer from the [Getting Started Guides page](https://docs.cilium.io/en/latest/gettingstarted/).
+offer from the [Getting Started Guides page](https://docs.cilium.io/en/stable/gettingstarted/).
 
 {{ template "chart.maintainersSection" . }}
 

diff --git a/helm/cilium/files/nodeinit/startup.bash b/helm/cilium/files/nodeinit/startup.bash
@@ -60,6 +60,15 @@ set -euo pipefail
 CNI_CONF_DIR="/etc/cni/net.d"
 CONTAINERD_CONFIG="/etc/containerd/config.toml"
 
+# kubelet version string format is "Kubernetes v1.24-gke.900"
+K8S_VERSION=$(/home/kubernetes/bin/the-kubelet --version)
+
+# Helper to check if a version string, passed as first parameter, is greater than or
+# equal the one passed as second parameter.
+function version_gte() {
+	[[ "$(printf '%s\n' "${2}" "${1}" | sort -V | head -n1)" = "${2}" ]] && return
+}
+
 # Only stop and start containerd if the Cilium CNI configuration does not exist,
 # or if the 'conf_template' property is present in the containerd config file,
 # in order to avoid unnecessarily restarting containerd.
@@ -84,23 +93,48 @@ then
   echo "Fixing containerd configuration"
   sed -Ei 's/^(\s+conf_template)/\#\1/g' "${CONTAINERD_CONFIG}"
 
+  if version_gte "${K8S_VERSION#"Kubernetes "}" "v1.24"; then
+    # Starting from GKE node version 1.24, containerd version used is 1.6.
+    # Since that version containerd no longer allows missing configuration for the CNI,
+    # not even for pods with hostNetwork set to true. Thus, we add a temporary one.
+    # This will be replaced with the real config by cni-install.sh script from the
+    # agent pod.
+    echo -e "{\n\t"cniVersion": "0.3.1",\n\t"name": "cilium",\n\t"type": "cilium-cni"\n}" > /etc/cni/net.d/05-cilium.conf
+  fi
+
   # Start containerd. It won't create it's CNI configuration file anymore.
   echo "Enabling and starting containerd"
   systemctl enable --now containerd
 fi
 
-# Become the real kubelet, and pass it some additionally required flags (and
-# place these last so they have precedence).
-exec /home/kubernetes/bin/the-kubelet "${@}" --network-plugin=cni --cni-bin-dir={{ .Values.cni.binPath }}
+# Become the real kubelet and, for k8s < 1.24, pass it additional dockershim
+# flags (and place these last so they have precedence).
+if version_gte "${K8S_VERSION#"Kubernetes "}" "v1.24"; then
+  exec /home/kubernetes/bin/the-kubelet "${@}"
+else
+  exec /home/kubernetes/bin/the-kubelet "${@}" --network-plugin=cni --cni-bin-dir={{ .Values.cni.binPath }}
+fi
 EOF
   else
     echo "Kubelet wrapper already exists, skipping..."
   fi
 else
-  # (Generic) Alter the kubelet configuration to run in CNI mode
-  echo "Changing kubelet configuration to --network-plugin=cni --cni-bin-dir={{ .Values.cni.binPath }}"
-  mkdir -p {{ .Values.cni.binPath }}
-  sed -i "s:--network-plugin=kubenet:--network-plugin=cni\ --cni-bin-dir={{ .Values.cni.binPath }}:g" "${KUBELET_DEFAULTS_FILE}"
+  # kubelet version string format is "Kubernetes v1.24-gke.900"
+  K8S_VERSION=$(kubelet --version)
+
+  # Helper to check if a version string, passed as first parameter, is greater than or
+  # equal the one passed as second parameter.
+  function version_gte() {
+    [[ "$(printf '%s\n' "${2}" "${1}" | sort -V | head -n1)" = "${2}" ]] && return
+  }
+
+  # Dockershim flags have been removed since k8s 1.24.
+  if ! version_gte "${K8S_VERSION#"Kubernetes "}" "v1.24"; then
+    # (Generic) Alter the kubelet configuration to run in CNI mode
+    echo "Changing kubelet configuration to --network-plugin=cni --cni-bin-dir={{ .Values.cni.binPath }}"
+    mkdir -p {{ .Values.cni.binPath }}
+    sed -i "s:--network-plugin=kubenet:--network-plugin=cni\ --cni-bin-dir={{ .Values.cni.binPath }}:g" "${KUBELET_DEFAULTS_FILE}"
+  fi
 fi
 echo "Restarting the kubelet..."
 systemctl restart kubelet

diff --git a/helm/cilium/templates/_helpers.tpl b/helm/cilium/templates/_helpers.tpl
@@ -90,3 +90,67 @@ Return the appropriate apiVersion for cronjob.
 {{- print "batch/v1beta1" -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Return the appropriate apiVersion for podDisruptionBudget.
+*/}}
+{{- define "podDisruptionBudget.apiVersion" -}}
+{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version -}}
+{{- print "policy/v1" -}}
+{{- else -}}
+{{- print "policy/v1beta1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Generate TLS CA for Cilium
+Note: Always use this template as follows:
+    {{- $_ := include "cilium.ca.setup" . -}}
+
+The assignment to `$_` is required because we store the generated CI in a global `commonCA`
+and `commonCASecretName` variables.
+
+*/}}
+{{- define "cilium.ca.setup" }}
+  {{- if not .commonCA -}}
+    {{- $ca := "" -}}
+    {{- $secretName := "cilium-ca" -}}
+    {{- $crt := .Values.tls.ca.cert -}}
+    {{- $key := .Values.tls.ca.key -}}
+    {{- if and $crt $key }}
+      {{- $ca = buildCustomCert $crt $key -}}
+    {{- else }}
+      {{- with lookup "v1" "Secret" .Release.Namespace $secretName }}
+        {{- $crt := index .data "ca.crt" }}
+        {{- $key := index .data "ca.key" }}
+        {{- $ca = buildCustomCert $crt $key -}}
+      {{- else }}
+        {{- $validity := ( .Values.tls.ca.certValidityDuration | int) -}}
+        {{- $ca = genCA "Cilium CA" $validity -}}
+      {{- end }}
+    {{- end -}}
+    {{- $_ := set (set . "commonCA" $ca) "commonCASecretName" $secretName -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Check if duration is non zero value, return duration, empty when zero.
+*/}}
+{{- define "hasDuration" }}
+{{- $now := now }}
+{{- if ne $now ($now | dateModify (toString .)) }}
+{{- . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Validate duration field, return validated duration, 0s when provided duration is empty.
+*/}}
+{{- define "validateDuration" }}
+{{- if . }}
+{{- $_ := now | mustDateModify (toString .) }}
+{{- . }}
+{{- else -}}
+0s
+{{- end }}
+{{- end }}
diff --git a/helm/cilium/templates/cilium-agent/clusterrole.yaml b/helm/cilium/templates/cilium-agent/clusterrole.yaml
@@ -6,6 +6,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: cilium
+  labels:
+    app.kubernetes.io/part-of: cilium
 rules:
 - apiGroups:
   - networking.k8s.io
@@ -49,12 +51,8 @@ rules:
   resources:
   - customresourcedefinitions
   verbs:
-  # Deprecated for removal in v1.10
-  - create
   - list
   - watch
-  - update
-
   # This is used when validating policies in preflight. This will need to stay
   # until we figure out how to avoid "get" inside the preflight, and then
   # should be removed ideally.
@@ -70,19 +68,59 @@ rules:
 - apiGroups:
   - cilium.io
   resources:
-  - ciliumnetworkpolicies
-  - ciliumnetworkpolicies/status
+  - ciliumloadbalancerippools
+  - ciliumbgppeeringpolicies
+  - ciliumclusterwideenvoyconfigs
   - ciliumclusterwidenetworkpolicies
-  - ciliumclusterwidenetworkpolicies/status
+  - ciliumegressgatewaypolicies
   - ciliumendpoints
-  - ciliumendpoints/status
-  - ciliumnodes
-  - ciliumnodes/status
+  - ciliumendpointslices
+  - ciliumenvoyconfigs
   - ciliumidentities
   - ciliumlocalredirectpolicies
-  - ciliumlocalredirectpolicies/status
-  - ciliumegressnatpolicies
-  - ciliumendpointslices
+  - ciliumnetworkpolicies
+  - ciliumnodes
+  - ciliumnodeconfigs
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumidentities
+  - ciliumendpoints
+  - ciliumnodes
   verbs:
-  - '*'
+  - create
+- apiGroups:
+  - cilium.io
+  # To synchronize garbage collection of such resources
+  resources:
+  - ciliumidentities
+  verbs:
+  - update
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumendpoints
+  verbs:
+  - delete
+  - get
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumnodes
+  - ciliumnodes/status
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumnetworkpolicies/status
+  - ciliumclusterwidenetworkpolicies/status
+  - ciliumendpoints/status
+  - ciliumendpoints
+  verbs:
+  - patch
 {{- end }}
diff --git a/helm/cilium/templates/cilium-agent/clusterrolebinding.yaml b/helm/cilium/templates/cilium-agent/clusterrolebinding.yaml
@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: cilium
+  labels:
+    app.kubernetes.io/part-of: cilium
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole