diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 000000000000..9f6e5470c8e5
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,261 @@
+# Changelog
+
+## v1.16.0-pre.1
+
+Summary of Changes
+------------------
+
+**Major Changes:**
+* Add a readinessProbe to the kvstoremesh container that reports initial synchronization status to support configuring a separate, initial rate-limit to be used while synchronizing. Both clustermesh-apiserver and kvstoremesh now use a high initial rate-limit to decrease start time. (#30361, @thorn3r)
+* bpf: introduce encrypted overlay datapath support (#31073, @ldelossa)
+* multicast: add CLIs to manage multicast BPF maps (#31355, @harsimran-pabla)
+* policy/k8s: Add support for CIDRGroupRef in IngressDeny and EgressDeny (#30933, @pippolo84)
+* This adds a new policy field, EnableDefaultDeny, which permits the creation of network polices that do not drop non-matching traffic. (#30572, @squeed)
+
+**Minor Changes:**
+* Add "node-map-max" to allow configuring nodemap size. (#31407, @tommyp1ckles)
+* Add helm values.schema.json file for validating supplied values for correct type. (#30631, @ubergesundheit)
+* Add line numbers and file names to all metrics in 'cilium-dbg bpf metrics list' (#30972, @ti-mo)
+* Add support for ClusterIP service advertisement with BGP Control Plane (#30963, @chaunceyjiang)
+* Add support for ExternalIP service advertisement with BGP Control Plane (#31245, @chaunceyjiang)
+* agent: add several new flags to control Cilium's datapath events notifications (#30063, @mvisonneau)
+* Allow the Host Firewall and IPv6 BPF masquerading to be used together. (#31511, @qmonnet)
+* Allows for using AWS SGs in the ingress section of rules. (#30708, @Alex-Waring)
+* bgpv1: Add Local internalTrafficPolicy support for ClusterIP advertisements (#31442, @chaunceyjiang)
+* bgpv1: BGP Control Plane metrics (#31469, @YutaroHayakawa)
+* bugtool: Collect hubble metrics (#31533, @chancez)
+* Change Node IPAM to select all nodes if externalTrafficPolicy=Cluster and add `nodeipam.cilium.io/match-node-labels` annotation (#31406, @MrFreezeex)
+* cleanup: Remove deprecated values for KPR (#31286, @sayboras)
+* cni: use default logger with timestamps. (#31014, @tommyp1ckles)
+* envoy: Add support for exposing Envoy Admin API (#30655, @sayboras)
+* feat: Add the http return code to metric api_processed_total (#31227, @vipul-21)
+* Fix Cilium default values for EKS when Cilium clustermesh-apiserver LoadBalancer fails to create NLB with AWS Load Balancer Controller with syntax error. (#31329, @oshangalwaduge)
+* Fixes a bug where ToFQDN IPs may be garbage collected too early, disrupting existing connections. (#31205, @squeed)
+* fqdn: avoid expensive sort/unique of names during GC (#30920, @tklauser)
+* GatewayAPI supports to setting the number of trusted loadbalancer hops (#30662, @chaunceyjiang)
+* helm: Bump minimum k8s version to v1.21+ (#31648, @sayboras)
+* ingress: Allow strict kube-proxy-replacement (#31284, @sayboras)
+* Introduce `cilium-dbg encrypt flush --stale` flag to remove XFRM states and policies with stale node IDs. (#31159, @pchaigno)
+* labelsfilter: Always apply Cluster entity specific identity-relevant label (#31178, @soggiest)
+* Only detach Cilium-owned legacy XDP programs when XDP is disabled (#31654, @ti-mo)
+* pkg/kvstore/allocator: Standardize usage of logfields (#30526, @antonipp)
+* Remove helm option `enable-remote-node-identity` after being deprecated in v1.15. (#31228, @doniacld)
+* Support IPv4 fragmentation for service backends. (#31364, @julianwiedmann)
+* This allows the initialDelaySeconds option to be configured. This allows users running larger clusters to extend the time it takes for preflight to become ready. (#30495, @chaunceyjiang)
+* WG: Improve L7 checks (#31299, @brb)
+
+**Bugfixes:**
+* bpf: use `bpf_htons` instead of using shift (#31247, @chez-shanpu)
+* Cilium allows selecting 'lo' as a device again. (#31200, @bimmlerd)
+* cilium-health: Fix broken retry loop in `cilium-health-ep` controller (#31622, @gandro)
+* cni: Allow text-ts log format value (#31686, @sayboras)
+* cni: Use batch endpoint deletion API in chaining plugin (#31456, @sayboras)
+* envoy: register secret syncer even if only CEC is enabled (#31447, @mhofstetter)
+* Fix a bug in the StateDB library that may have caused stale read after write. This may have potentially affected the L2 announcements feature and the node address selection. (#31164, @joamaki)
+* Fix a bug that could cause local packet delivery to be skipped, leading to lower performance, when IPsec was enabled and `--devices` provided. (#31345, @pchaigno)
+* Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (#31395, @tklauser)
+* Fix the logic of the api-server connectivity check for the kubernetes probe (#31019, @tkna)
+* fix: Delegated ipam not configure ipv6 if ipv6 disabled in agent (#31104, @tamilmani1989)
+* Fixed issue when updated nodes were being reported with unknown connectivity status in health report (#30917, @marseel)
+* Fixed issue with assigning 0 nodeID when corresponding bpf map run out of space. Potentially it could have impacted connectivity in large clusters (>4k nodes) with IPSec or Mutual Auth enabled. Otherwise, it was merely generating unnecessary error log messages. (#31380, @marseel)
+* fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (#31328, @nathanjsweet)
+* gateway-api: Ensure hostname check when set on both the HTTPRoute and the Gateway Listener (#30686, @cjvirtucio87)
+* gateway-api: fixed RequestRedirect picks wrong port with multiple listeners (#31361, @chaunceyjiang)
+* gateway-api: Retrieve LB service from same namespace (#31271, @sayboras)
+* gateway-api: shorten the length of the value of the svc's label. (#31292, @chaunceyjiang)
+* helm: Update pod affinity for cilium-envoy (#31150, @sayboras)
+* hubble/relay: Fix certificate reloading in PeerManager (#31376, @glrf)
+* hubble: fix parsing of invalid HTTP URLs (#31100, @kaworu)
+* Hubble: fix traffic direction and is reply when IPSec is enabled (#31211, @kaworu)
+* ingress/gateway-api: sort virtual hosts in CEC (#31493, @mhofstetter)
+* ingress/gateway-api: stable envoy listener filterchain sort-order (#31572, @mhofstetter)
+* k8s/utils: correctly filter out labels in StripPodSpecialLabels (#31421, @tklauser)
+* metric: Avoid memory leak/increase in cilium-agent (#31714, @sayboras)
+* metrics: Disable prometheus metrics by default (#31144, @joestringer)
+* operator: fix errors/warnings metric. (#31214, @tommyp1ckles)
+* Updated Kernel parsing to handle single and double digit kernel version as well (#30699, @MeherRushi)
+
+**CI Changes:**
+* Additionally test host firewall + KPR disabled in E2E tests (#30914, @giorio94)
+* AKS: avoid overlapping pod and service CIDRs (#31504, @bimmlerd)
+* bgpv1: avoid object tracker vs informer race (#31010, @bimmlerd)
+* bgpv1: fix Test_PodIPPoolAdvert flakiness (#31365, @rastislavs)
+* bgpv2/ci: added watch reactor for bgp cluster config (#31381, @harsimran-pabla)
+* bpf: fix go testdata check in ci (#31419, @mhofstetter)
+* Checkout the target branch, instead of the default one, on pull_request based GHA test workflows (#31198, @giorio94)
+* ci-e2e: Add e2e test with WireGuard + Host Firewall (#31594, @qmonnet)
+* ci-e2e: Add matrix for bpf.tproxy and ingress-controller (#31272, @sayboras)
+* ci/ipsec: Print more info to debug credentials removal check failures (#31652, @qmonnet)
+* ci: Bump lvh-kind ssh-startup-wait-retries (#31387, @YutaroHayakawa)
+* ci: check license of third party Go dependencies (#31129, @rolinh)
+* ci: fail container scans on vulnerability scan results (#31092, @ferozsalam)
+* contrib/scripts: Remove false positives from check-go-testdata.sh (#31089, @dylandreimerink)
+* deflake endpointmanager tests (#31488, @bimmlerd)
+* Drop legacy and superseded test from the Ginkgo suite (#31411, @giorio94)
+* Drop the remaining references to the CILIUM_CLI_MODE environment variable in GHA workflows. (#31199, @giorio94)
+* gateway-api: Enable GRPCRoute conformance tests (#31055, @sayboras)
+* gh/workflows: Add IPsec key rotation action and use it in ci-eks / ci-ipsec-e2e (#29704, @brb)
+* gh: workflows: clarify reference to issue #23283 (#31118, @julianwiedmann)
+* gha: disable fail-fast on integration tests (#31420, @giorio94)
+* gha: fix coredns logs retrieval in conformance-clustermesh (#31509, @giorio94)
+* gha: Remove manual device setting (#31435, @sayboras)
+* gha: retrieve additional coredns-related troubleshooting info (#31384, @giorio94)
+* introduce ARM github workflows (#31196, @aanm)
+* ipam: deepcopy interface resource correctly. (#26998, @tommyp1ckles)
+* k8s_install.sh: specify the CNI version (#31182, @aanm)
+* loader: fix issue where errors cancelled compile cause error logs. (#30988, @tommyp1ckles)
+* Make BPF unit tests reproducible (#31526, @ti-mo)
+* Make testdata build output more stable by reducing header includes (#31644, @ti-mo)
+* renovate: temporarily do not update GoBGP (#31123, @rastislavs)
+* slices: don't modify missed input slice in test (#31119, @bimmlerd)
+* test/verifier: Keep existing environment when running make (#31632, @gentoo-root)
+* test/verifier: Sort BPF program names for stable output (#31617, @gentoo-root)
+* test: Update KPR value in ipsec upgrade jobs (#31649, @sayboras)
+* update azure k8s versions (#31220, @brlbil)
+* workflows: Cover IPsec encrypted overlay mode in end-to-end tests (#31637, @pchaigno)
+* workflows: Debug info for key rotations (#31627, @pchaigno)
+* workflows: ipsec-e2e: add missing key types for some configs (#31636, @julianwiedmann)
+
+**Misc Changes:**
+* Add monitor aggregation for all events related to packets ingressing to the network-facing device. (#31015, @learnitall)
+* Add the documentation for using `serviceAdvertisements` (#31331, @chaunceyjiang)
+* agent: Remove redundant pod spec checks (#31105, @aditighag)
+* agent: Wrap propagating errors from proxy wait group (#31398, @aditighag)
+* all: remove repetitive words (#31566, @deterclosed)
+* api: Upgrade go-swagger version to v0.30.5 (#31647, @sayboras)
+* Avoid depending on sysctl in the kind.sh script for IPv6 determination (#31180, @giorio94)
+* bgpv1: Adjust ConnectionRetryTimeSeconds to 1 in component tests (#31218, @YutaroHayakawa)
+* bgpv1: Disable PodCIDR Reconciler for unsupported IPAM modes (#31181, @YutaroHayakawa)
+* bgpv2: fix operator flaky test cases (#31255, @harsimran-pabla)
+* bgpv2: Introducing pod cidr reconciler for bgpv2. (#30815, @harsimran-pabla)
+* bgpv2: introducing PodIPPool reconciler (#31546, @harsimran-pabla)
+* bgpv2: remove automatic bgp peering policy translation to new BGP CRDs. (#31252, @harsimran-pabla)
+* bpf,config: Add ENABLE_LOCAL_REDIRECT_POLICY macro (#31098, @aditighag)
+* bpf: add node_key to alignchecker (#31393, @julianwiedmann)
+* bpf: Don't skip local delivery for plain-text packets when IPsec is enabled (#31193, @pchaigno)
+* bpf: host: optimize from-host's ICMPv6 path (#31127, @julianwiedmann)
+* bpf: lxc: also set from_tunnel for IPv6 CT entries (#30877, @julianwiedmann)
+* bpf: nodeport: add nodeport_rev_dnat_ingress_ipv4_hook infra (#31244, @jibi)
+* bpf: nodeport: clean up ct_state usage in nodeport_lb*() (#31427, @julianwiedmann)
+* bpf: nodeport: don't forward host id in nodeport_lb4 (#31120, @jibi)
+* bpf: nodeport: simplify CT entry validation in nodeport_lb*() (#31165, @julianwiedmann)
+* bpf: update unreachable-tailcall.o after updating CILIUM_BUILDER_IMAGE (#31412, @mhofstetter)
+* bpf: xdp: remove unused set_encrypt_dip() (#31367, @julianwiedmann)
+* bugtool: Capture memory fragmentation info from /proc (#30966, @pchaigno)
+* cec: move config property 'envoy-config-timeout' into hive config (#31086, @mhofstetter)
+* chore(deps): update all github action dependencies (main) (#31282, @renovate[bot])
+* chore(deps): update all github action dependencies (main) (#31443, @renovate[bot])
+* chore(deps): update all github action dependencies (main) (#31573, @renovate[bot])
+* chore(deps): update all github action dependencies (main) (#31697, @renovate[bot])
+* chore(deps): update all github action dependencies (main) (patch) (#31130, @renovate[bot])
+* chore(deps): update all lvh-images main (main) (patch) (#31131, @renovate[bot])
+* chore(deps): update all lvh-images main (main) (patch) (#31230, @renovate[bot])
+* chore(deps): update all lvh-images main to bpf-next-20240309.012251 (main) (patch) (#31276, @renovate[bot])
+* chore(deps): update all lvh-images main to bpf-next-20240315.012542 (main) (patch) (#31440, @renovate[bot])
+* chore(deps): update all-dependencies (main) (#31275, @renovate[bot])
+* chore(deps): update cilium/cilium-cli action to v0.16.0 (main) (#31281, @renovate[bot])
+* chore(deps): update cilium/little-vm-helper action to v0.0.17 (main) (#31695, @renovate[bot])
+* chore(deps): update dependency cilium/cilium-cli to v0.16.0 (main) (#31171, @renovate[bot])
+* chore(deps): update dependency cilium/cilium-cli to v0.16.3 (main) (#31386, @renovate[bot])
+* chore(deps): update dependency cilium/cilium-cli to v0.16.4 (main) (#31673, @renovate[bot])
+* chore(deps): update docker.io/library/golang:1.22.1 docker digest to 0b55ab8 (main) (#31438, @renovate[bot])
+* chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 55c6361 (main) (#31439, @renovate[bot])
+* chore(deps): update github/codeql-action action to v3.24.8 (main) (#31479, @renovate[bot])
+* chore(deps): update go to v1.22.1 (main) (#31277, @renovate[bot])
+* chore(deps): update golangci/golangci-lint docker tag to v1.57.1 (main) (#31576, @renovate[bot])
+* chore(deps): update golangci/golangci-lint docker tag to v1.57.2 (main) (#31696, @renovate[bot])
+* chore(deps): update hubble cli to v0.13.2 (main) (#31320, @renovate[bot])
+* chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.3 [security] (main) (#31241, @renovate[bot])
+* chore: update json-mock image source in examples (#31373, @loomkoom)
+* cilium, bpf: pkts/byte count conversion for ct (#31087, @borkmann)
+* cilium-dbg: listing load-balancing configurations displays L7LB proxy port (#31503, @mhofstetter)
+* cilium: Enable plain IPIP/IP6IP6 termination (#31213, @borkmann)
+* config: Remove unused `ENCRYPT_IFACE` macro (#31323, @pchaigno)
+* container/bitlpm: Add Lookup Boolean Return Value (#31037, @nathanjsweet)
+* contrib: Add installation script for tools in devcontainer (#31534, @fujitatomoya)
+* controller: Add and use lookup function for controllers (#31236, @christarazi)
+* datapath, bpf: Remove unnecessary IPsec code (#31344, @pchaigno)
+* dev: Enable IPv6 system setting for devcontainer environment. (#31268, @fujitatomoya)
+* doc,bgpv1: Add some failure scenarios (#31249, @YutaroHayakawa)
+* doc,bgpv1: Bootstrapping BGP CPlane failure scenario doc (#31153, @YutaroHayakawa)
+* doc,bgpv1: More failure scenario and wording improvement (#31470, @YutaroHayakawa)
+* doc: Clarified GwAPI KPR prerequisites (#31366, @PhilipSchmid)
+* doc: Document APAC community meeting (#31461, @YutaroHayakawa)
+* docs: aks: avoid overlapping service and pod CIDRs (#31543, @bimmlerd)
+* docs: Correct dynamic hubble exporter sample configs example (#31445, @littlesheng19)
+* docs: Document `No node ID found` drops in case of remote node deletion (#31635, @pchaigno)
+* docs: Fix 'kubectl exec' invocations (quotes, double dash separator) in example script kafka-sw-gen-traffic.sh (#30462, @saintdle)
+* docs: Fix profiling related debugging instructions (#31044, @aditighag)
+* docs: Fix various typos in README.rst (#31072, @payneInTheBrian)
+* docs: ipsec: document native-routing + Egress proxy case (#31478, @julianwiedmann)
+* docs: Suggest using operator logs for troubleshooting (#31500, @simonfelding)
+* docs: Update link to cilium/ebpf's list of eBPF program types (#31699, @haiyuewa)
+* docs: Update link to USERS.md in README from RAW Github to standard Github UI (#30589, @ondrejsika)
+* docs: Warn on key rotations during upgrades (#31437, @pchaigno)
+* Document the process for disabling workflows (#31603, @michi-covalent)
+* Downgrade L2 Neighbor Discovery failure log to Debug (#31179, @YutaroHayakawa)
+* endpointmanager: Improve health reporter messages when stopped (#31231, @christarazi)
+* envoy: Bump golang version to 1.21.8 (#31224, @sayboras)
+* envoy: cleanup istio specifics (#31448, @mhofstetter)
+* envoy: move config values from global config into hive cell (#31351, @mhofstetter)
+* envoy: Remove deprecated runtime key logs (#31108, @sayboras)
+* envoy: support configurable Envoy base id in embedded mode (#31449, @mhofstetter)
+* fix 'mismatch' typos in error messages (#31660, @julianwiedmann)
+* Fix helm template for hubble-relay prometheus annotations (#31253, @glrf)
+* Fix running tests locally in kind. (#31234, @gentoo-root)
+* fix(deps): update all go dependencies main (main) (#31112, @renovate[bot])
+* fix(deps): update all go dependencies main (main) (#31278, @renovate[bot])
+* fix(deps): update all go dependencies main (main) (#31441, @renovate[bot])
+* fix(deps): update all go dependencies main (main) (#31462, @renovate[bot])
+* fix(deps): update google.golang.org/genproto/googleapis/rpc digest to a219d84 (main) (#31305, @renovate[bot])
+* fix(deps): update google.golang.org/genproto/googleapis/rpc digest to c811ad7 (main) (#31322, @renovate[bot])
+* fix(deps): update module github.com/docker/docker to v25.0.5+incompatible [security] (main) (#31531, @renovate[bot])
+* gateway-api: Replace deprecated status (#31111, @sayboras)
+* helm: Remove pipe in value comments to avoid breaking Helm reference (#31588, @qmonnet)
+* helm: update nodeinit image using renovate (#31641, @tklauser)
+* hive/cell/health: don't warn when reporting on stopped reporter. (#31262, @tommyp1ckles)
+* hubble/relay/server: remove unused Server.stop chan (#31560, @tklauser)
+* Ignore kvstore node events for the local node, to avoid unnecessarily increasing the ipcache_errors_total (cannot_overwrite_by_source) metric. (#31399, @giorio94)
+* images/builder: get rid of annoying git ownership warnings (#31538, @ti-mo)
+* images: bump cni plugins to v1.4.1 (#31347, @aanm)
+* Improve compatibility with LLVM 17. (#31403, @gentoo-root)
+* Improve compatibility with LLVM 17. (#31459, @gentoo-root)
+* Improve insertNodeNeighbor behavior to report health (#29415, @derailed)
+* Improve LocalNodeStore.Get() performance and fix possible deadlock (#31013, @giorio94)
+* ingress/gateway-api: stable address order for Ingress hostnetwork listener addresses (#31477, @mhofstetter)
+* ingress: sort all shared ingresses during model generation (#31494, @mhofstetter)
+* ingress: Update docs with network policy example (#31060, @sayboras)
+* IPAM: Refactors Node API Types to Support Separate IP Families (#30684, @danehans)
+* ipam: Remove unused variable (#31401, @christarazi)
+* ipcache: Remove synchronous CIDR identity allocation (#31311, @gandro)
+* iptables: Manage IP sets independently with the stateDB reconciler (#31099, @pippolo84)
+* iptables: Simplify proxy rules removing ingress/egress flag (#31068, @pippolo84)
+* iptables: Unit tests cleanup (#31368, @pippolo84)
+* kind: reset sysctl net.ipv4.ip_unprivileged_port_start to 1024 (#31370, @mhofstetter)
+* lint: Remove temp variable in the 'for' loop (#31523, @sayboras)
+* loader: add message if error is ENOTSUP (#31413, @kkourt)
+* lxcmap: Fix comment about byte-order (#31362, @joestringer)
+* Make it clear USERS.md should be production use cases (#31316, @xmulligan)
+* Makefiles: Allow external input for go build/test/clean flags. (#29646, @wanlin31)
+* Miscellaneous cleanups around node discovery (#31397, @giorio94)
+* modularize node discovery (#31589, @dylandreimerink)
+* multicast: modify list operations from iterator to batch lookup. (#31562, @harsimran-pabla)
+* node: add support for injection of optional ipset filter (#31550, @giorio94)
+* node: Replace ipv[46]MasqAddrs with Table[NodeAddress] (#30457, @joamaki)
+* pkg/ip: Updates PrefixToIps() to Limit the Number of Returned IPs (#30921, @danehans)
+* policy/k8s: Refactor and move `ToServices` translation to policy package (#31062, @gandro)
+* policy: Fix missing labels from SelectorCache selectors (#31358, @christarazi)
+* Prepare for release v1.16.0-pre.0 (#31121, @aanm)
+* proxy: configurable portrange (#31556, @mhofstetter)
+* proxy: remove unused ifaces and code for proxy <-> endpoint interaction (#31547, @mhofstetter)
+* README: Update releases (#31665, @thorn3r)
+* Remove `HAVE_LARGE_INSN_LIMIT` (#31094, @dylandreimerink)
+* Remove Istio ambient compatibility blurb (#31525, @bleggett)
+* Remove old bpf feature probes (#31096, @dylandreimerink)
+* Remove tcx links created by Cilium 1.16 onwards (#31553, @ti-mo)
+* renovate: Drop references to Cilium 1.12 (#31148, @joestringer)
+* renovate: separate major.minor.patch for lvh images (#31126, @aanm)
+* secret-sync: improve logging (#31415, @mhofstetter)
+* signal: remove spare debug logs (#31723, @tklauser)
+* stream: Relocate to cilium/stream (#30846, @joamaki)
+* update readme with 1.16.0-pre.0 (#31128, @aanm)
diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
index d3ea13595376..199402f9d5bb 100644
--- a/Documentation/helm-values.rst
+++ b/Documentation/helm-values.rst
@@ -95,7 +95,7 @@ * - :spelling:ignore:`authentication.mutual.spire.install.agent.image` - SPIRE agent image - object - - ``{"digest":"sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.5","useDigest":true}`` + - ``{"digest":"sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.5","useDigest":true}`` * - :spelling:ignore:`authentication.mutual.spire.install.agent.labels` - SPIRE agent labels - object @@ -135,7 +135,7 @@ * - :spelling:ignore:`authentication.mutual.spire.install.initImage` - init container image of SPIRE agent and server - object - - ``{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"Always","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}`` + - ``{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}`` * - :spelling:ignore:`authentication.mutual.spire.install.namespace` - SPIRE namespace to install into - string @@ -175,7 +175,7 @@ * - :spelling:ignore:`authentication.mutual.spire.install.server.image` - SPIRE server image - object - - ``{"digest":"sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.5","useDigest":true}`` + - ``{"digest":"sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.5","useDigest":true}`` * - :spelling:ignore:`authentication.mutual.spire.install.server.initContainers` - SPIRE server init containers - list 
@@ -395,7 +395,7 @@ * - :spelling:ignore:`certgen` - Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. - object - - ``{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}`` + - ``{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}`` * - :spelling:ignore:`certgen.affinity` - Affinity for certgen - object @@ -511,7 +511,7 @@ * - :spelling:ignore:`clustermesh.apiserver.image` - Clustermesh API server image. - object - - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/clustermesh-apiserver-ci","tag":"latest","useDigest":false}`` + - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.0-pre.1","useDigest":false}`` * - :spelling:ignore:`clustermesh.apiserver.kvstoremesh.enabled` - Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. - bool 
@@ -1171,7 +1171,7 @@ * - :spelling:ignore:`envoy.image` - Envoy container image. - object - - ``{"digest":"sha256:9c45b847f0d6689b537000257dc26a1db3799fd40cb2d430397fd0aec375a562","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-envoy","tag":"v1.28.1-0a4c2d1a90a7e13116bed4b0c1d4aacaf0e49686","useDigest":true}`` + - ``{"digest":"sha256:9c45b847f0d6689b537000257dc26a1db3799fd40cb2d430397fd0aec375a562","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.28.1-0a4c2d1a90a7e13116bed4b0c1d4aacaf0e49686","useDigest":true}`` * - :spelling:ignore:`envoy.livenessProbe.failureThreshold` - failure threshold of liveness probe - int @@ -1351,7 +1351,7 @@ * - :spelling:ignore:`etcd.image` - cilium-etcd-operator image. - object - - ``{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}`` + - ``{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}`` * - :spelling:ignore:`etcd.k8sService` - If etcd is behind a k8s service set this option to true so that Cilium does the service translation automatically without requiring a DNS to be running. - bool @@ -1703,7 +1703,7 @@ * - :spelling:ignore:`hubble.relay.image` - Hubble-relay container image. - object - - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-relay-ci","tag":"latest","useDigest":false}`` + - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.0-pre.1","useDigest":false}`` * - :spelling:ignore:`hubble.relay.listenHost` - Host to listen to. Specify an empty string to bind to all the interfaces. - string 
@@ -1935,7 +1935,7 @@ * - :spelling:ignore:`hubble.ui.backend.image` - Hubble-ui backend image. - object - - ``{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}`` + - ``{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}`` * - :spelling:ignore:`hubble.ui.backend.livenessProbe.enabled` - Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) - bool @@ -1975,7 +1975,7 @@ * - :spelling:ignore:`hubble.ui.frontend.image` - Hubble-ui frontend image. - object - - ``{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}`` + - ``{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}`` * - :spelling:ignore:`hubble.ui.frontend.resources` - Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. - object @@ -2083,7 +2083,7 @@ * - :spelling:ignore:`image` - Agent container image. - object - - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}`` + - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0-pre.1","useDigest":false}`` * - :spelling:ignore:`imagePullSecrets` - Configure image pull secrets for pulling container images - list 
@@ -2471,7 +2471,7 @@ * - :spelling:ignore:`nodeinit.image` - node-init image. - object - - ``{"digest":"sha256:e1d442546e868db1a3289166c14011e0dbd32115b338b963e56f830972bc22a2","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f","useDigest":true}`` + - ``{"digest":"sha256:e1d442546e868db1a3289166c14011e0dbd32115b338b963e56f830972bc22a2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f","useDigest":true}`` * - :spelling:ignore:`nodeinit.nodeSelector` - Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - object @@ -2567,7 +2567,7 @@ * - :spelling:ignore:`operator.image` - cilium-operator image. - object - - ``{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/operator","suffix":"-ci","tag":"latest","useDigest":false}`` + - ``{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.0-pre.1","useDigest":false}`` * - :spelling:ignore:`operator.nodeGCInterval` - Interval for cilium node garbage collection. - string @@ -2763,7 +2763,7 @@ * - :spelling:ignore:`preflight.image` - Cilium pre-flight image. - object - - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}`` + - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0-pre.1","useDigest":false}`` * - :spelling:ignore:`preflight.nodeSelector` - Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - object 
diff --git a/VERSION b/VERSION index 1f0d2f335194..b908fdc9225b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.16.0-dev +1.16.0-pre.1 diff --git a/install/kubernetes/cilium/Chart.yaml b/install/kubernetes/cilium/Chart.yaml index e1f67afebe13..e11a9a9d58d9 100644 --- a/install/kubernetes/cilium/Chart.yaml +++ b/install/kubernetes/cilium/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: cilium displayName: Cilium home: https://cilium.io/ -version: 1.16.0-dev -appVersion: 1.16.0-dev +version: 1.16.0-pre.1 +appVersion: 1.16.0-pre.1 kubeVersion: ">= 1.21.0-0" icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg description: eBPF-based Networking, Security, and Observability diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md index e9b6571af8c6..1e602f25f9cb 100644 --- a/install/kubernetes/cilium/README.md +++ b/install/kubernetes/cilium/README.md @@ -1,6 +1,6 @@ # cilium -![Version: 1.16.0-dev](https://img.shields.io/badge/Version-1.16.0--dev-informational?style=flat-square) ![AppVersion: 1.16.0-dev](https://img.shields.io/badge/AppVersion-1.16.0--dev-informational?style=flat-square) +![Version: 1.16.0-pre.1](https://img.shields.io/badge/Version-1.16.0--pre.1-informational?style=flat-square) ![AppVersion: 1.16.0-pre.1](https://img.shields.io/badge/AppVersion-1.16.0--pre.1-informational?style=flat-square) Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as 
@@ -73,7 +73,7 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.enabled | bool | `false` | Enable SPIRE integration (beta) | | authentication.mutual.spire.install.agent.affinity | object | `{}` | SPIRE agent affinity configuration | | authentication.mutual.spire.install.agent.annotations | object | `{}` | SPIRE agent annotations | -| authentication.mutual.spire.install.agent.image | object | `{"digest":"sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.5","useDigest":true}` | SPIRE agent image | +| authentication.mutual.spire.install.agent.image | object | `{"digest":"sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.5","useDigest":true}` | SPIRE agent image | | authentication.mutual.spire.install.agent.labels | object | `{}` | SPIRE agent labels | | authentication.mutual.spire.install.agent.nodeSelector | object | `{}` | SPIRE agent nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | authentication.mutual.spire.install.agent.podSecurityContext | object | `{}` | Security context to be added to spire agent pods. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod | 
@@ -83,7 +83,7 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true | | authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. 
| -| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"Always","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server | +| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server | | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into | | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration | | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations | 
@@ -93,7 +93,7 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.install.server.dataStorage.enabled | bool | `true` | Enable SPIRE server data storage | | authentication.mutual.spire.install.server.dataStorage.size | string | `"1Gi"` | Size of the SPIRE server data storage | | authentication.mutual.spire.install.server.dataStorage.storageClass | string | `nil` | StorageClass of the SPIRE server data storage | -| authentication.mutual.spire.install.server.image | object | `{"digest":"sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.5","useDigest":true}` | SPIRE server image | +| authentication.mutual.spire.install.server.image | object | `{"digest":"sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.5","useDigest":true}` | SPIRE server image | | authentication.mutual.spire.install.server.initContainers | list | `[]` | SPIRE server init containers | | authentication.mutual.spire.install.server.labels | object | `{}` | SPIRE server labels | | authentication.mutual.spire.install.server.nodeSelector | object | `{}` | SPIRE server nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -148,7 +148,7 @@ contributors across the globe, there is almost always someone available to help. | bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. | | bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. | | bpfClockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. | -| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. | +| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. 
| | certgen.affinity | object | `{}` | Affinity for certgen | | certgen.annotations | object | `{"cronJob":{},"job":{}}` | Annotations to be added to the hubble-certgen initial Job and CronJob | | certgen.extraVolumeMounts | list | `[]` | Additional certgen volumeMounts. | @@ -177,7 +177,7 @@ contributors across the globe, there is almost always someone available to help. | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. | | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. | | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. | -| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/clustermesh-apiserver-ci","tag":"latest","useDigest":false}` | Clustermesh API server image. | +| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.0-pre.1","useDigest":false}` | Clustermesh API server image. | | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. | | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. | | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. | 
@@ -342,7 +342,7 @@ contributors across the globe, there is almost always someone available to help. | envoy.extraVolumes | list | `[]` | Additional envoy volumes. | | envoy.healthPort | int | `9878` | TCP port for the health API. | | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s | -| envoy.image | object | `{"digest":"sha256:9c45b847f0d6689b537000257dc26a1db3799fd40cb2d430397fd0aec375a562","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-envoy","tag":"v1.28.1-0a4c2d1a90a7e13116bed4b0c1d4aacaf0e49686","useDigest":true}` | Envoy container image. | +| envoy.image | object | `{"digest":"sha256:9c45b847f0d6689b537000257dc26a1db3799fd40cb2d430397fd0aec375a562","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.28.1-0a4c2d1a90a7e13116bed4b0c1d4aacaf0e49686","useDigest":true}` | Envoy container image. | | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe | | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe | | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. | 
@@ -387,7 +387,7 @@ contributors across the globe, there is almost always someone available to help. | etcd.extraArgs | list | `[]` | Additional cilium-etcd-operator container arguments. | | etcd.extraVolumeMounts | list | `[]` | Additional cilium-etcd-operator volumeMounts. | | etcd.extraVolumes | list | `[]` | Additional cilium-etcd-operator volumes. | -| etcd.image | object | `{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}` | cilium-etcd-operator image. | +| etcd.image | object | `{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}` | cilium-etcd-operator image. | | etcd.k8sService | bool | `false` | If etcd is behind a k8s service set this option to true so that Cilium does the service translation automatically without requiring a DNS to be running. | | etcd.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-etcd-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | etcd.podAnnotations | object | `{}` | Annotations to be added to cilium-etcd-operator pods | 
@@ -475,7 +475,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. | | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay | | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay | -| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-relay-ci","tag":"latest","useDigest":false}` | Hubble-relay container image. | +| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.0-pre.1","useDigest":false}` | Hubble-relay container image. | | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | | hubble.relay.listenPort | string | `"4245"` | Port to listen to. | | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -533,7 +533,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. | | hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. | | hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. | -| hubble.ui.backend.image | object | `{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}` | Hubble-ui backend image. | +| hubble.ui.backend.image | object | `{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}` | Hubble-ui backend image. | | hubble.ui.backend.livenessProbe.enabled | bool | `false` | Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) | | hubble.ui.backend.readinessProbe.enabled | bool | `false` | Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) | | hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. | 
@@ -543,7 +543,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. | | hubble.ui.frontend.extraVolumeMounts | list | `[]` | Additional hubble-ui frontend volumeMounts. | | hubble.ui.frontend.extraVolumes | list | `[]` | Additional hubble-ui frontend volumes. | -| hubble.ui.frontend.image | object | `{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}` | Hubble-ui frontend image. | +| hubble.ui.frontend.image | object | `{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}` | Hubble-ui frontend image. | | hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. | | hubble.ui.frontend.securityContext | object | `{}` | Hubble-ui frontend security context. | | hubble.ui.frontend.server.ipv6 | object | `{"enabled":true}` | Controls server listener for ipv6 | 
@@ -570,7 +570,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). | | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. | -| image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}` | Agent container image. | +| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0-pre.1","useDigest":false}` | Agent container image. | | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images | | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set | | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. | 
@@ -667,7 +667,7 @@ contributors across the globe, there is almost always someone available to help. | nodeinit.extraEnv | list | `[]` | Additional nodeinit environment variables. | | nodeinit.extraVolumeMounts | list | `[]` | Additional nodeinit volumeMounts. | | nodeinit.extraVolumes | list | `[]` | Additional nodeinit volumes. | -| nodeinit.image | object | `{"digest":"sha256:e1d442546e868db1a3289166c14011e0dbd32115b338b963e56f830972bc22a2","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f","useDigest":true}` | node-init image. | +| nodeinit.image | object | `{"digest":"sha256:e1d442546e868db1a3289166c14011e0dbd32115b338b963e56f830972bc22a2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f","useDigest":true}` | node-init image. | | nodeinit.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | nodeinit.podAnnotations | object | `{}` | Annotations to be added to node-init pods. | | nodeinit.podLabels | object | `{}` | Labels to be added to node-init pods. | 
@@ -691,7 +691,7 @@ contributors across the globe, there is almost always someone available to help. | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. | | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | -| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/operator","suffix":"-ci","tag":"latest","useDigest":false}` | cilium-operator image. | +| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.0-pre.1","useDigest":false}` | cilium-operator image. | | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | 
@@ -740,7 +740,7 @@ contributors across the globe, there is almost always someone available to help. | preflight.extraEnv | list | `[]` | Additional preflight environment variables. | | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. | | preflight.extraVolumes | list | `[]` | Additional preflight volumes. | -| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}` | Cilium pre-flight image. | +| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0-pre.1","useDigest":false}` | Cilium pre-flight image. | | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml index f89f8b671c0d..d75a23845b6b 100644 --- a/install/kubernetes/cilium/values.yaml +++ b/install/kubernetes/cilium/values.yaml @@ -152,9 +152,9 @@ image: # type: [null, string] # @schema override: ~ - repository: "quay.io/cilium/cilium-ci" - tag: "latest" - pullPolicy: "Always" + repository: "quay.io/cilium/cilium" + tag: "v1.16.0-pre.1" + pullPolicy: "IfNotPresent" # cilium-digest digest: "" useDigest: false 
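Review bot: In the `image:` hunk of values.yaml (`@@ -152,9 +152,9 @@`), the agent image now points at the release repository with `tag: "v1.16.0-pre.1"` but keeps `digest: ""` and `useDigest: false`, so the chart default resolves the image by tag alone; the same holds in the `hubble.relay`, `operator`, `preflight` and `clustermesh.apiserver` hunks further down. Together with the new `pullPolicy: "IfNotPresent"`, a node that has already cached that tag never re-resolves it, so nodes can run different content under one tag, and nothing in the chart checks what was actually pulled. The helper and third-party images in this file (certgen, envoy, hubble-ui, SPIRE) are already pinned with `useDigest: true`, so for the release images I would set `digest: "sha256:<release-image-digest>"` (placeholder) and `useDigest: true` once the images are published. The `# cilium-digest`-style marker comments suggest a later release step may fill these in; if so, the commit description should say that. The enclosing mappings start and end outside the hunks.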
@@ -965,7 +965,7 @@ certgen: tag: "v0.1.9" digest: "sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f" useDigest: true - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- Seconds after which the completed job pod will be deleted ttlSecondsAfterFinished: 1800 # -- Labels to be added to hubble-certgen pods @@ -1220,12 +1220,12 @@ hubble: # type: [null, string] # @schema override: ~ - repository: "quay.io/cilium/hubble-relay-ci" - tag: "latest" + repository: "quay.io/cilium/hubble-relay" + tag: "v1.16.0-pre.1" # hubble-relay-digest digest: "" useDigest: false - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- Specifies the resources for the hubble-relay pods resources: {} # -- Number of replicas run for the hubble-relay deployment. @@ -1457,7 +1457,7 @@ hubble: tag: "v0.13.0" digest: "sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803" useDigest: true - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- Hubble-ui backend security context. securityContext: {} # -- Additional hubble-ui backend environment variables. @@ -1491,7 +1491,7 @@ hubble: tag: "v0.13.0" digest: "sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666" useDigest: true - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- Hubble-ui frontend security context. securityContext: {} # -- Additional hubble-ui frontend environment variables. @@ -2031,7 +2031,7 @@ envoy: override: ~ repository: "quay.io/cilium/cilium-envoy" tag: "v1.28.1-0a4c2d1a90a7e13116bed4b0c1d4aacaf0e49686" - pullPolicy: "Always" + pullPolicy: "IfNotPresent" digest: "sha256:9c45b847f0d6689b537000257dc26a1db3799fd40cb2d430397fd0aec375a562" useDigest: true # -- Additional containers added to the cilium Envoy DaemonSet. 
@@ -2328,7 +2328,7 @@ etcd: tag: "v2.0.7" digest: "sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc" useDigest: true - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- The priority class to use for cilium-etcd-operator priorityClassName: "" # -- Additional cilium-etcd-operator container arguments. @@ -2429,7 +2429,7 @@ operator: # @schema override: ~ repository: "quay.io/cilium/operator" - tag: "latest" + tag: "v1.16.0-pre.1" # operator-generic-digest genericDigest: "" # operator-azure-digest @@ -2439,8 +2439,8 @@ operator: # operator-alibabacloud-digest alibabacloudDigest: "" useDigest: false - pullPolicy: "Always" - suffix: "-ci" + pullPolicy: "IfNotPresent" + suffix: "" # -- Number of replicas to run for the cilium-operator deployment replicas: 2 # -- The priority class to use for cilium-operator @@ -2629,7 +2629,7 @@ nodeinit: tag: "62093c5c233ea914bfa26a10ba41f8780d9b737f" digest: "sha256:e1d442546e868db1a3289166c14011e0dbd32115b338b963e56f830972bc22a2" useDigest: true - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- The priority class to use for the nodeinit pod. priorityClassName: "" # -- node-init update strategy @@ -2705,12 +2705,12 @@ preflight: # type: [null, string] # @schema override: ~ - repository: "quay.io/cilium/cilium-ci" - tag: "latest" + repository: "quay.io/cilium/cilium" + tag: "v1.16.0-pre.1" # cilium-digest digest: "" useDigest: false - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- The priority class to use for the preflight pod. priorityClassName: "" # -- preflight update strategy 
@@ -2859,12 +2859,12 @@ clustermesh: # type: [null, string] # @schema override: ~ - repository: "quay.io/cilium/clustermesh-apiserver-ci" - tag: "latest" + repository: "quay.io/cilium/clustermesh-apiserver" + tag: "v1.16.0-pre.1" # clustermesh-apiserver-digest digest: "" useDigest: false - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- TCP port for the clustermesh-apiserver health API. healthPort: 9880 # -- Configuration for the clustermesh-apiserver readiness probe. @@ -3294,7 +3294,7 @@ authentication: tag: "1.36.1" digest: "sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b" useDigest: true - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # SPIRE agent configuration agent: # -- SPIRE agent image @@ -3307,7 +3307,7 @@ authentication: tag: "1.8.5" digest: "sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b" useDigest: true - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- SPIRE agent service account serviceAccount: create: true @@ -3358,7 +3358,7 @@ authentication: tag: "1.8.5" digest: "sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428" useDigest: true - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- SPIRE server service account serviceAccount: create: true