├── .editorconfig ├── .gitignore ├── .terraform.lock.hcl ├── LICENSE ├── README.md ├── Taskfile.dist.yml ├── cmd ├── cp-to-home │ └── main.go ├── kustomize │ └── main.go ├── mac-to-ip │ ├── main.go │ └── scan.go └── nodes-ready │ └── main.go ├── go.mod ├── go.sum ├── mac-to-ip.tf ├── manifests-bootstrap.tf ├── manifests-inline.tf ├── manifests ├── app-root.yaml ├── apps │ ├── argocd.yaml │ ├── cilium.yaml │ ├── kustomization.yaml │ ├── metrics-server.yaml │ └── talos-ccm.yaml ├── argocd │ ├── argocd.yaml │ ├── kustomization.yaml │ ├── kustomize-enable-helm.patch.yaml │ ├── kustomized-helm.yaml │ └── namespace.yaml ├── cilium │ ├── base │ │ ├── charts │ │ │ └── cilium │ │ │ │ ├── .helmignore │ │ │ │ ├── Chart.yaml │ │ │ │ ├── LICENSE │ │ │ │ ├── README.md │ │ │ │ ├── README.md.gotmpl │ │ │ │ ├── files │ │ │ │ ├── agent │ │ │ │ │ └── poststart-eni.bash │ │ │ │ ├── cilium-agent │ │ │ │ │ └── dashboards │ │ │ │ │ │ └── cilium-dashboard.json │ │ │ │ ├── cilium-envoy │ │ │ │ │ └── configmap │ │ │ │ │ │ └── bootstrap-config.json │ │ │ │ ├── cilium-operator │ │ │ │ │ └── dashboards │ │ │ │ │ │ └── cilium-operator-dashboard.json │ │ │ │ ├── hubble │ │ │ │ │ └── dashboards │ │ │ │ │ │ ├── hubble-dashboard.json │ │ │ │ │ │ ├── hubble-dns-namespace.json │ │ │ │ │ │ ├── hubble-l7-http-metrics-by-workload.json │ │ │ │ │ │ └── hubble-network-overview-namespace.json │ │ │ │ ├── nodeinit │ │ │ │ │ ├── prestop.bash │ │ │ │ │ └── startup.bash │ │ │ │ └── spire │ │ │ │ │ ├── init.bash │ │ │ │ │ └── wait-for-spire.bash │ │ │ │ ├── templates │ │ │ │ ├── NOTES.txt │ │ │ │ ├── _helpers.tpl │ │ │ │ ├── cilium-agent │ │ │ │ │ ├── clusterrole.yaml │ │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ │ ├── daemonset.yaml │ │ │ │ │ ├── dashboards-configmap.yaml │ │ │ │ │ ├── role.yaml │ │ │ │ │ ├── rolebinding.yaml │ │ │ │ │ ├── service.yaml │ │ │ │ │ ├── serviceaccount.yaml │ │ │ │ │ └── servicemonitor.yaml │ │ │ │ ├── cilium-ca-bundle-configmap.yaml │ │ │ │ ├── cilium-ca-secret.yaml │ │ │ │ ├── 
cilium-configmap.yaml │ │ │ │ ├── cilium-envoy │ │ │ │ │ ├── configmap.yaml │ │ │ │ │ ├── daemonset.yaml │ │ │ │ │ ├── service.yaml │ │ │ │ │ ├── serviceaccount.yaml │ │ │ │ │ └── servicemonitor.yaml │ │ │ │ ├── cilium-flowlog-configmap.yaml │ │ │ │ ├── cilium-gateway-api-class.yaml │ │ │ │ ├── cilium-ingress-class.yaml │ │ │ │ ├── cilium-ingress-service.yaml │ │ │ │ ├── cilium-nodeinit │ │ │ │ │ ├── daemonset.yaml │ │ │ │ │ └── serviceaccount.yaml │ │ │ │ ├── cilium-operator │ │ │ │ │ ├── _helpers.tpl │ │ │ │ │ ├── clusterrole.yaml │ │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ │ ├── dashboards-configmap.yaml │ │ │ │ │ ├── deployment.yaml │ │ │ │ │ ├── poddisruptionbudget.yaml │ │ │ │ │ ├── role.yaml │ │ │ │ │ ├── rolebinding.yaml │ │ │ │ │ ├── secret.yaml │ │ │ │ │ ├── service.yaml │ │ │ │ │ ├── serviceaccount.yaml │ │ │ │ │ └── servicemonitor.yaml │ │ │ │ ├── cilium-preflight │ │ │ │ │ ├── clusterrole.yaml │ │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ │ ├── daemonset.yaml │ │ │ │ │ ├── deployment.yaml │ │ │ │ │ ├── poddisruptionbudget.yaml │ │ │ │ │ └── serviceaccount.yaml │ │ │ │ ├── cilium-resource-quota.yaml │ │ │ │ ├── cilium-secrets-namespace.yaml │ │ │ │ ├── clustermesh-apiserver │ │ │ │ │ ├── _helpers.tpl │ │ │ │ │ ├── clusterrole.yaml │ │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ │ ├── deployment.yaml │ │ │ │ │ ├── metrics-service.yaml │ │ │ │ │ ├── poddisruptionbudget.yaml │ │ │ │ │ ├── service.yaml │ │ │ │ │ ├── serviceaccount.yaml │ │ │ │ │ ├── servicemonitor.yaml │ │ │ │ │ ├── tls-certmanager │ │ │ │ │ │ ├── admin-secret.yaml │ │ │ │ │ │ ├── client-secret.yaml │ │ │ │ │ │ ├── remote-secret.yaml │ │ │ │ │ │ └── server-secret.yaml │ │ │ │ │ ├── tls-cronjob │ │ │ │ │ │ ├── _job-spec.tpl │ │ │ │ │ │ ├── cronjob.yaml │ │ │ │ │ │ ├── job.yaml │ │ │ │ │ │ ├── role.yaml │ │ │ │ │ │ ├── rolebinding.yaml │ │ │ │ │ │ └── serviceaccount.yaml │ │ │ │ │ ├── tls-helm │ │ │ │ │ │ ├── admin-secret.yaml │ │ │ │ │ │ ├── client-secret.yaml │ │ │ │ │ │ ├── 
remote-secret.yaml │ │ │ │ │ │ └── server-secret.yaml │ │ │ │ │ ├── tls-provided │ │ │ │ │ │ ├── admin-secret.yaml │ │ │ │ │ │ ├── client-secret.yaml │ │ │ │ │ │ ├── remote-secret.yaml │ │ │ │ │ │ └── server-secret.yaml │ │ │ │ │ └── users-configmap.yaml │ │ │ │ ├── clustermesh-config │ │ │ │ │ ├── _helpers.tpl │ │ │ │ │ ├── clustermesh-secret.yaml │ │ │ │ │ └── kvstoremesh-secret.yaml │ │ │ │ ├── etcd-operator │ │ │ │ │ ├── cilium-etcd-operator-clusterrole.yaml │ │ │ │ │ ├── cilium-etcd-operator-clusterrolebinding.yaml │ │ │ │ │ ├── cilium-etcd-operator-deployment.yaml │ │ │ │ │ ├── cilium-etcd-operator-serviceaccount.yaml │ │ │ │ │ ├── etcd-operator-clusterrole.yaml │ │ │ │ │ ├── etcd-operator-clusterrolebinding.yaml │ │ │ │ │ ├── etcd-operator-serviceaccount.yaml │ │ │ │ │ └── poddisruptionbudget.yaml │ │ │ │ ├── hubble-relay │ │ │ │ │ ├── configmap.yaml │ │ │ │ │ ├── deployment.yaml │ │ │ │ │ ├── metrics-service.yaml │ │ │ │ │ ├── poddisruptionbudget.yaml │ │ │ │ │ ├── service.yaml │ │ │ │ │ ├── serviceaccount.yaml │ │ │ │ │ └── servicemonitor.yaml │ │ │ │ ├── hubble-ui │ │ │ │ │ ├── _nginx.tpl │ │ │ │ │ ├── clusterrole.yaml │ │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ │ ├── configmap.yaml │ │ │ │ │ ├── deployment.yaml │ │ │ │ │ ├── ingress.yaml │ │ │ │ │ ├── poddisruptionbudget.yaml │ │ │ │ │ ├── service.yaml │ │ │ │ │ └── serviceaccount.yaml │ │ │ │ ├── hubble │ │ │ │ │ ├── dashboards-configmap.yaml │ │ │ │ │ ├── metrics-service.yaml │ │ │ │ │ ├── peer-service.yaml │ │ │ │ │ ├── servicemonitor.yaml │ │ │ │ │ ├── tls-certmanager │ │ │ │ │ │ ├── relay-client-secret.yaml │ │ │ │ │ │ ├── relay-server-secret.yaml │ │ │ │ │ │ ├── server-secret.yaml │ │ │ │ │ │ └── ui-client-certs.yaml │ │ │ │ │ ├── tls-cronjob │ │ │ │ │ │ ├── _job-spec.tpl │ │ │ │ │ │ ├── clusterrole.yaml │ │ │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ │ │ ├── cronjob.yaml │ │ │ │ │ │ ├── job.yaml │ │ │ │ │ │ └── serviceaccount.yaml │ │ │ │ │ ├── tls-helm │ │ │ │ │ │ ├── _helpers.tpl │ │ │ │ │ │ 
├── relay-client-secret.yaml │ │ │ │ │ │ ├── relay-server-secret.yaml │ │ │ │ │ │ ├── server-secret.yaml │ │ │ │ │ │ └── ui-client-certs.yaml │ │ │ │ │ └── tls-provided │ │ │ │ │ │ ├── relay-client-secret.yaml │ │ │ │ │ │ ├── relay-server-secret.yaml │ │ │ │ │ │ ├── server-secret.yaml │ │ │ │ │ │ └── ui-client-certs.yaml │ │ │ │ ├── spire │ │ │ │ │ ├── agent │ │ │ │ │ │ ├── clusterrole.yaml │ │ │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ │ │ ├── configmap.yaml │ │ │ │ │ │ ├── daemonset.yaml │ │ │ │ │ │ └── serviceaccount.yaml │ │ │ │ │ ├── bundle-configmap.yaml │ │ │ │ │ ├── namespace.yaml │ │ │ │ │ └── server │ │ │ │ │ │ ├── clusterrole.yaml │ │ │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ │ │ ├── configmap.yaml │ │ │ │ │ │ ├── role.yaml │ │ │ │ │ │ ├── rolebinding.yaml │ │ │ │ │ │ ├── service.yaml │ │ │ │ │ │ ├── serviceaccount.yaml │ │ │ │ │ │ └── statefulset.yaml │ │ │ │ └── validate.yaml │ │ │ │ ├── values.yaml │ │ │ │ └── values.yaml.tmpl │ │ ├── kustomization.yaml │ │ ├── kustomization.yaml.tpl │ │ ├── namespace.yaml │ │ └── values.yaml │ ├── bgp-peering-policy.yaml.tpl │ ├── high-priority-scheduling.yaml │ └── kustomization.yaml ├── kustomization.yaml ├── metrics-server │ ├── kustomization.yaml │ └── metrics-server.yaml └── talos-ccm │ ├── kustomization.yaml │ └── talos-ccm.yaml ├── nodes-ready.tf ├── output └── .gitignore ├── providers.tf ├── talos-boot.tf ├── talos-config.tf ├── talos-config ├── control-plane.yaml.tpl ├── default.yaml.tpl ├── node-labels.yaml.tpl ├── worker-node-disk.yaml.tpl └── worker-node.yaml.tpl ├── talos-image └── bare-metal.yaml ├── talos-output.tf ├── vars-cluster.tf ├── vars-harbor.tf ├── vars-iso.tf ├── vars-manifests.tf ├── vars-network.tf ├── vars-proxmox.tf ├── vars-vms.tf ├── versions.tf ├── vm-control-plane.tf └── vm-worker-node.tf /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*] 4 | charset = utf-8 5 | end_of_line = lf 6 | insert_final_newline = 
true 7 | indent_size = 4 8 | indent_style = space 9 | trim_trailing_whitespace = true 10 | 11 | [*.go] 12 | indent_style = tab 13 | 14 | [*.{hcl,tf,tfvars}] 15 | indent_size = 2 16 | 17 | [*.md] 18 | trim_trailing_whitespace = false 19 | 20 | [{Makefile,**.mk}] 21 | # Use tabs for indentation (Makefiles require tabs) 22 | indent_style = tab 23 | 24 | [*.{yml,yaml,yml.tpl,yaml.tpl}] 25 | indent_size = 2 26 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | .development 3 | .terraform 4 | *.tfstate* 5 | *.tfvars 6 | *.tfplan 7 | *.tmp 8 | kubeconfig.y* 9 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2023, Roel Schut. All rights reserved. 2 | 3 | Redistribution and use in source and binary forms, with or without 4 | modification, are permitted provided that the following conditions are met: 5 | 6 | 1. Redistributions of source code must retain the above copyright notice, this 7 | list of conditions and the following disclaimer. 8 | 9 | 2. Redistributions in binary form must reproduce the above copyright notice, 10 | this list of conditions and the following disclaimer in the documentation 11 | and/or other materials provided with the distribution. 12 | 13 | 3. Neither the name of the copyright holder nor the names of its 14 | contributors may be used to endorse or promote products derived from 15 | this software without specific prior written permission. 16 | 17 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 18 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 21 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 24 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 25 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 26 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Talos cluster on Proxmox 2 | ======================== 3 | 4 | This repository contains a [Terraform](https://www.terraform.io/) configuration to create a [Talos](https://www.talos.dev/) Kubernetes cluster on servers running [Proxmox VE](https://www.proxmox.com/). 5 | It includes a basic Kubernetes configuration to run services on the cluster, which includes [Cilium](https://cilium.io/) as CNI, [Talos CCM](https://github.com/siderolabs/talos-cloud-controller-manager) and [Argo CD](https://argoproj.github.io/cd/) to deploy services in a GitOps way. 6 | 7 | 8 | ## Requirements 9 | 10 | - Proxmox server(s) 11 | - terraform 12 | - kubectl 13 | - go 14 | - nmap 15 | 16 | 17 | ## Usage 18 | 19 | - Make sure all tools are installed and are set in your PATH; 20 | - Run `task init` to initialize the Terraform providers; 21 | - Download the correct Talos release image and place it in a folder which Proxmox can access; 22 | - Change the `mac-to-ip_scan_subnets` variable to match to subnets on which Proxmox creates the VMs by default; 23 | - Optionally run `terraform plan` to see what will be created; 24 | - Run `task create` to create the VMs, boot the Talos cluster and run some basic Kubernetes services. 
25 | 26 | 27 | ## How it works 28 | 29 | - Terraform creates VMs in Proxmox using a Talos release image; 30 | - Terraform creates Talos configs and applies it to the VMs running Talos; 31 | - A Talos control plane is bootstrapped and a Talos cluster is formed; 32 | - Terraform generates the inline manifests (containing Cilium and Talos CCM) which Talos installs; 33 | - Terraform waits for the nodes to be ready and installs Argo CD; 34 | - Argo CD installs all specified services and applications; 35 | - Argo CD keeps the services and applications in sync with the [manifests](manifests/) in this repository. 36 | 37 | If everything works as expected, Argo CD should automatically install metrics-server on the recently created Kubernetes cluster. 38 | 39 | 40 | ## License 41 | 42 | Copyright © 2023-2024 [Roel Schut](https://roelschut.nl). All rights reserved. 43 | 44 | This project is governed by a BSD-style license that can be found in the [LICENSE](LICENSE) file. 45 | -------------------------------------------------------------------------------- /Taskfile.dist.yml: -------------------------------------------------------------------------------- 1 | # https://taskfile.dev/installation/ 2 | version: '3' 3 | 4 | tasks: 5 | init: 6 | desc: Initialize the project 7 | cmds: 8 | - terraform init -upgrade 9 | - go mod download 10 | 11 | create: 12 | desc: Create the cluster 13 | cmds: 14 | - terraform apply -auto-approve 15 | 16 | destroy: 17 | desc: Destroy the cluster 18 | cmds: 19 | - terraform destroy -target=null_resource.talos-cluster-up -auto-approve 20 | - terraform destroy -auto-approve 21 | 22 | recreate: 23 | desc: Recreate the cluster 24 | cmds: 25 | - task destroy 26 | - task create 27 | -------------------------------------------------------------------------------- /cmd/cp-to-home/main.go: -------------------------------------------------------------------------------- 1 | // Copyright (c) 2023, Roel Schut. All rights reserved. 
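// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package main

import (
	"github.com/go-pogo/errors"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// linuxHomePrefix is the "~/" shorthand a caller may put in front of the
// destination argument; it stands for the current user's home directory.
const linuxHomePrefix = "~/"

func main() {
	errors.FatalOnErr(run())
}

// run copies the file named by os.Args[1] to a path inside the current user's
// home directory derived from os.Args[2] (see destInHome) and writes an empty
// JSON object ("{}") to stdout on success, which is the shape Terraform's
// external data source reads back.
//
// Returns an error carrying exit code 1 when fewer than two arguments are
// given, and a stack-annotated error when the home directory cannot be
// determined, the destination does not stay inside it, or any file operation
// fails — including closing the destination, so a short write is not lost.
func run() error {
	if len(os.Args) < 3 {
		// The argument names are part of the message so the failure is
		// actionable when it surfaces through Terraform's output.
		return errors.WithExitCode(errors.Errorf("Usage: %s SRC DEST", os.Args[0]), 1)
	}

	srcPath := os.Args[1]
	// Resolve a relative source against the working directory; if that cannot
	// be determined, os.Open below still resolves the relative path itself.
	if !filepath.IsAbs(srcPath) {
		if workdir, err := os.Getwd(); err == nil {
			srcPath = filepath.Clean(filepath.Join(workdir, srcPath))
		}
	}

	home, err := os.UserHomeDir()
	if err != nil {
		return errors.WithStack(err)
	}
	destPath, err := destInHome(home, os.Args[2])
	if err != nil {
		return err
	}

	src, err := os.Open(srcPath)
	if err != nil {
		return errors.WithStack(err)
	}
	defer src.Close()

	dest, err := os.Create(destPath)
	if err != nil {
		return errors.WithStack(err)
	}

	if _, err = io.Copy(dest, src); err != nil {
		_ = dest.Close()
		return errors.WithStack(err)
	}
	// A failed Close can mean buffered data never reached disk; for a copy
	// tool that is a failed copy, so it is reported instead of deferred away.
	if err = dest.Close(); err != nil {
		return errors.WithStack(err)
	}

	_, _ = os.Stdout.WriteString("{}")
	//fmt.Fprintf(os.Stdout, `{"src":"%s","dest":"%s","written":"%d"}\n`, srcPath, destPath, written)

	return nil
}

// destInHome maps dest onto a path inside home: a leading "~/" or "/" is
// dropped, the remainder is joined to home and cleaned. A bare "~" is not
// special-cased (it becomes a file named "~" in home, as before). The result
// is rejected when it does not stay within home, which happens when dest
// carries ".." segments that climb past it; this keeps the tool from writing
// outside the directory its name promises.
func destInHome(home, dest string) (string, error) {
	if strings.HasPrefix(dest, linuxHomePrefix) {
		dest = dest[len(linuxHomePrefix):]
	} else if strings.HasPrefix(dest, "/") {
		dest = dest[1:]
	}

	home = filepath.Clean(home)
	dest = filepath.Clean(filepath.Join(home, dest))
	// Join already collapses "..", so an escaping dest simply no longer has
	// home as a path prefix.
	if dest != home && !strings.HasPrefix(dest, home+string(filepath.Separator)) {
		return "", errors.Errorf("destination %q is outside home directory %q", dest, home)
	}
	return dest, nil
}
--------------------------------------------------------------------------------
/cmd/kustomize/main.go:
--------------------------------------------------------------------------------
// Copyright (c) 2023, Roel Schut. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.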
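
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"github.com/go-pogo/errors"
	"os"
	"os/exec"
	"strings"
)

// result is the JSON object written to stdout for Terraform's external data
// source. Dir is declared but never populated by run, so it is always "".
type result struct {
	Dir       string `json:"dir"`
	Manifests string `json:"manifests"`
}

func main() {
	errors.FatalOnErr(run())
}

// run invokes `kubectl kustomize` with the process arguments (a leading "--"
// is dropped), captures the rendered manifests and prints them to stdout as
// JSON: {"dir":"","manifests":"# kubectl <args>\n\n<yaml>"}.
//
// When the arguments contain "-o <file>", kubectl writes the manifests to that
// file instead of stdout, so the file is read back and used as the output.
// Only the separated "-o <file>" spelling is recognised; "-o=<file>" and
// "--output" are passed through to kubectl but their file is not read back.
//
// Returns an error when no arguments are given, when kubectl fails (its
// stderr text is attached to the error), when "-o" has no file name after it,
// or when the output file cannot be read.
func run() error {
	if len(os.Args) < 2 {
		return errors.New("no arguments")
	}

	args := []string{"kustomize"}
	if os.Args[1] == "--" {
		args = append(args, os.Args[2:]...)
	} else {
		args = append(args, os.Args[1:]...)
	}

	// Stderr is captured separately so kubectl's own message is what the
	// caller sees on failure; with Stderr set, cmd.Output does not collect it.
	var stderr bytes.Buffer
	cmd := exec.Command("kubectl", args...)
	cmd.Stderr = &stderr

	b, err := cmd.Output()
	if err != nil {
		return errors.Wrap(err, stderr.String())
	}

	if i := index(args, "-o"); i > 0 {
		// Guard the lookup: "-o" as the last argument would otherwise index
		// past the end of args.
		if i+1 >= len(args) {
			return errors.New("-o requires a file name")
		}
		b, err = os.ReadFile(args[i+1])
		if err != nil {
			return errors.WithStack(err)
		}
	}

	out, err := json.Marshal(result{
		Manifests: fmt.Sprintf("# kubectl %s\n\n%s", strings.Join(args, " "), string(b)),
	})
	if err != nil {
		return errors.WithStack(err)
	}

	if _, err = os.Stdout.Write(out); err != nil {
		return errors.WithStack(err)
	}
	return nil
}

// index returns the position of the first element of list equal to item, or
// -1 when item is absent.
func index(list []string, item string) int {
	for i, v := range list {
		if v == item {
			return i
		}
	}
	return -1
}
--------------------------------------------------------------------------------
/cmd/mac-to-ip/main.go:
--------------------------------------------------------------------------------
// Copyright (c) 2023, Roel Schut. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.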
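
package main

import (
	"encoding/json"
	"flag"
	"github.com/go-pogo/errors"
	"net"
	"os"
	"strings"
)

// main scans the subnets given with -subnet (comma separated CIDRs) using
// nmap and prints a JSON object mapping each MAC address given as a
// positional argument to the IP address found for it. Without positional
// arguments every discovered host is included. The output shape is what
// Terraform's external data source reads.
//
// Every subnet is validated with net.ParseCIDR before anything is executed,
// so a malformed value is reported here instead of being handed to nmap as an
// argument it may interpret differently.
func main() {
	subnet := "10.0.0.1/24"

	fs := flag.NewFlagSet(os.Args[0], flag.ExitOnError)
	fs.StringVar(&subnet, "subnet", subnet, "subnet(s) (cidr) to scan (comma separated list)")
	errors.FatalOnErr(fs.Parse(os.Args[1:]))

	subnets, err := parseSubnets(subnet)
	errors.FatalOnErr(err)

	res, err := scanSubnet(subnets, fs.Args())
	errors.FatalOnErr(err)

	// TODO: when fewer addresses are found than were asked for, prompt for
	// input? Or look them up with `arp -a | grep <mac>` on the Proxmox host.

	out, err := json.Marshal(res)
	errors.FatalOnErr(err)
	_, _ = os.Stdout.Write(out)
}

// parseSubnets splits a comma separated list of CIDRs, trims whitespace
// around each entry, drops empty entries and validates the rest with
// net.ParseCIDR. Returns an error for the first invalid entry, or when no
// subnet remains.
func parseSubnets(list string) ([]string, error) {
	var subnets []string
	for _, s := range strings.Split(list, ",") {
		s = strings.TrimSpace(s)
		if s == "" {
			continue
		}
		if _, _, err := net.ParseCIDR(s); err != nil {
			return nil, errors.WithStack(err)
		}
		subnets = append(subnets, s)
	}
	if len(subnets) == 0 {
		return nil, errors.New("no subnet to scan")
	}
	return subnets, nil
}
--------------------------------------------------------------------------------
/cmd/mac-to-ip/scan.go:
--------------------------------------------------------------------------------
// Copyright (c) 2023, Roel Schut. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.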
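
package main

import (
	"bufio"
	"bytes"
	"github.com/go-pogo/errors"
	"os/exec"
	"strings"
)

// Prefixes of the two nmap output lines scanSubnet reads: the line that opens
// a host report ("Nmap scan report for <host>") and the MAC line that may
// follow it ("MAC Address: <mac> (<vendor>)").
const (
	foundHost = "Nmap scan report for "
	foundMac  = "MAC Address: "
)

// scanSubnet runs `nmap -sn` (host discovery only) over cidr and returns a
// map of lower-cased MAC address to the IP address nmap reported for that
// host. When targetMacs is non-empty only those addresses are included; the
// comparison is case-insensitive, so targets may be given in either case.
//
// nmap prints a "MAC Address:" line only for hosts it sees at layer 2, i.e.
// on a directly attached network and when it runs with the privileges needed
// for raw sockets; hosts without that line are not reported. A host line that
// is not followed by a MAC line is discarded, and a MAC line with no
// preceding host line is ignored rather than attributed to an earlier host.
//
// Returns an error when nmap cannot be run, exits non-zero, or its output
// cannot be scanned.
func scanSubnet(cidr []string, targetMacs []string) (map[string]string, error) {
	b, err := exec.Command("nmap", append([]string{"-sn"}, cidr...)...).Output()
	if err != nil {
		return nil, errors.WithStack(err)
	}

	// Normalise the targets once so the per-line lookup compares like with
	// like; the scanned MACs are lower-cased below.
	targets := make([]string, len(targetMacs))
	for i, mac := range targetMacs {
		targets[i] = strings.ToLower(mac)
	}
	hasTargets := len(targets) > 0

	result := make(map[string]string)
	scan := bufio.NewScanner(bytes.NewReader(b))
	scan.Split(bufio.ScanLines)

	var host string
	for scan.Scan() {
		line := scan.Text()
		if strings.HasPrefix(line, foundHost) {
			host = hostIP(strings.TrimPrefix(line, foundHost))
			continue
		}
		if !strings.HasPrefix(line, foundMac) {
			continue
		}

		mac := strings.TrimPrefix(line, foundMac)
		mac = strings.SplitN(mac, " ", 2)[0] // drop the "(vendor)" suffix
		mac = strings.ToLower(mac)

		// Consume the host line whether or not this MAC is wanted, so a later
		// MAC line cannot be paired with a stale host.
		ip := host
		host = ""
		if ip == "" || (hasTargets && !contains(targets, mac)) {
			continue
		}
		result[mac] = ip // macaddr => ip
	}

	return result, scan.Err()
}

// hostIP reduces the remainder of an nmap host line to the IP address: nmap
// prints either "<ip>" or "<name> (<ip>)" when reverse DNS resolved the host,
// in which case the address inside the parentheses is returned.
func hostIP(s string) string {
	s = strings.TrimSpace(s)
	if strings.HasSuffix(s, ")") {
		if i := strings.LastIndex(s, "("); i >= 0 {
			return s[i+1 : len(s)-1]
		}
	}
	return s
}

// contains reports whether str is an element of list.
func contains(list []string, str string) bool {
	for _, test := range list {
		if test == str {
			return true
		}
	}
	return false
}
--------------------------------------------------------------------------------
/cmd/nodes-ready/main.go:
--------------------------------------------------------------------------------
// Copyright (c) 2023, Roel Schut. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.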
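
package main

import (
	"context"
	"github.com/go-pogo/errors"
	"os"
	"os/exec"
	"strings"
	"time"
)

// main waits up to five minutes for the nodes named on the command line to
// report Ready, then prints a JSON object for Terraform's external data
// source. Any failure, including the timeout, is handed to errors.FatalOnErr.
func main() {
	ctx, cancelFn := context.WithTimeout(context.Background(), 5*time.Minute)
	defer cancelFn()
	errors.FatalOnErr(run(ctx, os.Args[1:]))
	_, _ = os.Stdout.WriteString(`{"ready":"true","time":"` + time.Now().String() + `"}`)
}

// run polls `kubectl get nodes` every ten seconds until every node in nodes
// has STATUS "Ready", or ctx is done. The first poll happens after the first
// interval, as before, but the wait now observes ctx so cancellation is not
// delayed by a sleep, and kubectl itself is bound to ctx.
//
// kubectl uses the ambient kubeconfig/context; the caller is responsible for
// pointing it at the cluster being waited on.
//
// Returns ctx.Err() when the deadline passes and nil once all nodes are
// Ready. kubectl failures are treated as "not ready yet" and polling goes on.
func run(ctx context.Context, nodes []string) error {
	ticker := time.NewTicker(10 * time.Second)
	defer ticker.Stop()

	for {
		select {
		case <-ctx.Done():
			return ctx.Err()
		case <-ticker.C:
		}

		b, err := exec.CommandContext(ctx, "kubectl", "get", "nodes").Output()
		if err != nil {
			// Expected while the API server is still coming up.
			continue
		}

		if countReady(string(b), nodes) == len(nodes) {
			return nil
		}
	}
}

// countReady parses the table printed by `kubectl get nodes` — a header row
// followed by one row per node whose first two whitespace-separated columns
// are NAME and STATUS — and counts the rows naming a node in nodes whose
// STATUS is exactly "Ready". A status such as "Ready,SchedulingDisabled" is
// not counted, matching the previous column-slicing behaviour. Rows with fewer
// than two columns are skipped instead of panicking on a missing space.
func countReady(table string, nodes []string) int {
	var ready int
	lines := strings.Split(table, "\n")
	for _, line := range lines[1:] {
		fields := strings.Fields(line)
		if len(fields) < 2 || !contains(nodes, fields[0]) {
			continue
		}
		if fields[1] == "Ready" {
			ready++
		}
	}
	return ready
}

// contains reports whether str is an element of list.
func contains(list []string, str string) bool {
	for _, s := range list {
		if s == str {
			return true
		}
	}
	return false
}
--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
module talos-cluster

go 1.22.5

require (
	github.com/go-pogo/errors v0.11.1
	github.com/hashicorp/hcl/v2 v2.21.0
)

require (
	github.com/agext/levenshtein v1.2.1 // indirect
	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
	github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 // indirect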
github.com/zclconf/go-cty v1.13.0 // indirect 16 | golang.org/x/mod v0.8.0 // indirect 17 | golang.org/x/sys v0.5.0 // indirect 18 | golang.org/x/text v0.11.0 // indirect 19 | golang.org/x/tools v0.6.0 // indirect 20 | golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect 21 | ) 22 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tjT8= 2 | github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= 3 | github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= 4 | github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= 5 | github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY= 6 | github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= 7 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 8 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 9 | github.com/go-pogo/errors v0.11.1 h1:q2WYtjRFrANsCT+9WnN4hGgQg1E1hyuuSDbBkM2+RrU= 10 | github.com/go-pogo/errors v0.11.1/go.mod h1:siGu70A3ZN66hrvkQuK+t3O5eB7kquLnaw52L2IBtYg= 11 | github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68= 12 | github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= 13 | github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= 14 | github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 15 | github.com/hashicorp/hcl/v2 v2.21.0 h1:lve4q/o/2rqwYOgUg3y3V2YPyD1/zkCLGjIV74Jit14= 16 | github.com/hashicorp/hcl/v2 v2.21.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA= 17 | 
github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 h1:DpOJ2HYzCv8LZP15IdmG+YdwD2luVPHITV96TkirNBM= 18 | github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= 19 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 20 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 21 | github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= 22 | github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= 23 | github.com/zclconf/go-cty v1.13.0 h1:It5dfKTTZHe9aeppbNOda3mN7Ag7sg6QkBNm6TkyFa0= 24 | github.com/zclconf/go-cty v1.13.0/go.mod h1:YKQzy/7pZ7iq2jNFzy5go57xdxdWoLLpaEp4u238AE0= 25 | github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo= 26 | github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM= 27 | golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8= 28 | golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= 29 | golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= 30 | golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 31 | golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= 32 | golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 33 | golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= 34 | golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= 35 | golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM= 36 | golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= 37 | golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU= 38 | golang.org/x/xerrors 
v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= 39 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 40 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 41 | -------------------------------------------------------------------------------- /mac-to-ip.tf: -------------------------------------------------------------------------------- 1 | # give the vms some time to boot before scanning for ip addresses 2 | resource "time_sleep" "wait_for_vms_to_boot" { 3 | depends_on = [ 4 | proxmox_virtual_environment_vm.talos-control-plane, 5 | proxmox_virtual_environment_vm.talos-worker-node 6 | ] 7 | 8 | create_duration = "15s" 9 | } 10 | 11 | # vms are booted, use nmap to scan the network and match the known mac 12 | # addresses with the found ip addresses 13 | data "external" "mac-to-ip" { 14 | depends_on = [time_sleep.wait_for_vms_to_boot] 15 | 16 | program = concat([ 17 | "go", 18 | "run", 19 | "${path.module}/cmd/mac-to-ip", 20 | "-subnet", 21 | join(",", var.mac-to-ip_scan_subnets), 22 | ], 23 | [for i, cfg in macaddress.talos-control-plane : cfg.address], 24 | [for i, cfg in macaddress.talos-worker-node : cfg.address], 25 | ) 26 | } 27 | 28 | output "mac-to-ip" { 29 | value = data.external.mac-to-ip.result 30 | } 31 | 32 | variable "mac-to-ip_scan_subnets" { 33 | description = "Subnets to scan MAC addresses for IP addresses." 
# (continuation of variable "mac-to-ip_scan_subnets"; its description precedes this)
  type    = list(string)
  default = ["10.0.0.1/24"]
}
--------------------------------------------------------------------------------
/manifests-bootstrap.tf:
--------------------------------------------------------------------------------
# download and kustomize metrics server manifests
# The URL comes from the local in manifests-inline.tf (version substituted into
# the URL template). The resource has only a url and a filename: nothing checks
# a digest of what was downloaded, so the kustomize base is whatever that URL
# serves at the time.
resource "synclocal_url" "metrics_server_manifest" {
  url      = local.metrics_server_manifest_url
  filename = "${path.module}/manifests/metrics-server/metrics-server.yaml"
}

# Renders the kustomization through cmd/kustomize (a wrapper around
# `kubectl kustomize`). As a data source this runs whenever the configuration
# is planned or refreshed, not only on apply.
data "external" "kustomize_metrics-server" {
  depends_on = [synclocal_url.metrics_server_manifest]
  program = [
    "go",
    "run",
    "${path.module}/cmd/kustomize",
    "--",
    "${path.module}/manifests/metrics-server",
  ]
}

# download and kustomize argocd manifests
resource "synclocal_url" "argocd_manifest" {
  url      = local.argocd_manifest_url
  filename = "${path.module}/manifests/argocd/argocd.yaml"
}

# prepare the bootstrap manifests and write them in the output directory
# One render per entry of var.bootstrap_manifests, keyed bootstrap-manifest-<i>.
# "-o" makes kubectl write the rendered YAML under output/; cmd/kustomize reads
# that file back to return it as the data source result, and the null_resource
# below applies the same file.
data "external" "kustomize_bootstrap-manifests" {
  depends_on = [
    data.external.talos-nodes-ready,
    synclocal_url.argocd_manifest,
  ]
  for_each = {
    for i, m in var.bootstrap_manifests: "bootstrap-manifest-${i}" => m
  }

  program = [
    "go",
    "run",
    "${path.module}/cmd/kustomize",
    "--",
    "--enable-helm",
    "-o",
    "${path.module}/output/${each.key}.yaml",
    "${path.module}/${each.value}",
  ]
}

# Applies each rendered bootstrap manifest with server-side apply.
# NOTE(review): this kubectl invocation carries no --kubeconfig/--context, so
# it targets whatever context is current in the environment running terraform;
# confirm the caller points that at the cluster created by this configuration.
resource "null_resource" "apply_bootstrap-manifests" {
  depends_on = [data.external.kustomize_bootstrap-manifests]
  for_each   = data.external.kustomize_bootstrap-manifests
  provisioner "local-exec" {
    command = "kubectl apply --server-side=true -f ${path.module}/output/${each.key}.yaml"
  }
}
--------------------------------------------------------------------------------
/manifests-inline.tf:
--------------------------------------------------------------------------------
# The *_manifest_url variables are URL templates in which "%" stands for the
# version; each local substitutes the matching *_version variable.
locals {
  talos_ccm_manifest_url      = replace(var.talos_ccm_manifest_url, "%", var.talos_ccm_version)
  metrics_server_manifest_url = replace(var.metrics_server_manifest_url, "%", var.metrics_server_version)
  argocd_manifest_url         = replace(var.argocd_manifest_url, "%", var.argocd_version)
}

# download and kustomize talos ccm manifests
resource "synclocal_url" "talos_ccm_manifest" {
  url      = local.talos_ccm_manifest_url
  filename = "${path.module}/manifests/talos-ccm/talos-ccm.yaml"
}

# Renders manifests/talos-ccm through cmd/kustomize (`kubectl kustomize`).
data "external" "kustomize_talos-ccm" {
  depends_on = [synclocal_url.talos_ccm_manifest]
  program = [
    "go",
    "run",
    "${path.module}/cmd/kustomize",
    "--",
    "${path.module}/manifests/talos-ccm",
  ]
}

# kustomize cilium manifests
# The kustomization is generated from its .tpl sibling so the chart version
# follows var.cilium_version; the rendered kustomization.yaml lands next to the
# template in the repository tree.
resource "local_file" "cilium_kustomization" {
  filename = "${path.module}/manifests/cilium/base/kustomization.yaml"
  content = templatefile("${path.module}/manifests/cilium/base/kustomization.yaml.tpl", {
    cilium_version = var.cilium_version
  })
}

# Rendered with --enable-helm because manifests/cilium pulls in a Helm chart.
data "external" "kustomize_cilium" {
  depends_on = [local_file.cilium_kustomization]
  program = [
    "go",
    "run",
    "${path.module}/cmd/kustomize",
    "--",
    "--enable-helm",
    "${path.module}/manifests/cilium",
  ]
}

# Writes the inline manifests handed to Talos to output/ as YAML.
# terraform_data.inline-manifests is defined outside this file — presumably in
# one of the talos-*.tf files; verify there.
resource "local_file" "export_inline-manifests" {
  depends_on = [terraform_data.inline-manifests]
  content    = yamlencode(terraform_data.inline-manifests.output)
  filename   = "${path.module}/output/inline-manifests.yaml"
}
--------------------------------------------------------------------------------
/manifests/app-root.yaml:
--------------------------------------------------------------------------------
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app-root
  namespace: argocd
  finalizers:
# (continuation of app-root.yaml: metadata.finalizers)
    - resources-finalizer.argocd.argoproj.io

spec:
  # NOTE(review): "default" is Argo CD's built-in AppProject; unless it has
  # been restricted elsewhere it typically permits any source repo and any
  # destination. A dedicated project with explicit sourceRepos/destinations
  # would bound what this app-of-apps is allowed to create.
  project: default
  source:
    path: manifests/apps
    repoURL: https://github.com/roeldev/iac-talos-cluster
    # HEAD follows the repository's default branch: whatever is merged there
    # is rolled out by the automated sync below.
    targetRevision: HEAD
  destination:
    name: in-cluster
    namespace: default
  syncPolicy:
    # Automated sync without prune/selfHeal: child Applications removed from
    # git are left in place and manual drift is not reverted (contrast with
    # apps/argocd.yaml and apps/cilium.yaml).
    automated: { }

--------------------------------------------------------------------------------
/manifests/apps/argocd.yaml:
--------------------------------------------------------------------------------
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: argocd
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io

spec:
  project: default
  source:
    repoURL: https://github.com/roeldev/iac-talos-cluster
    targetRevision: HEAD
    path: manifests/argocd
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    # Argo CD manages its own installation here. With prune and selfHeal on,
    # a bad commit under manifests/argocd is applied to the controller itself,
    # so changes to that directory deserve review before they reach HEAD.
    automated:
      selfHeal: true
      prune: true

--------------------------------------------------------------------------------
/manifests/apps/cilium.yaml:
--------------------------------------------------------------------------------
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cilium-system
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io

spec:
  project: default
  source:
    repoURL: https://github.com/roeldev/iac-talos-cluster
    targetRevision: HEAD
    path: manifests/cilium
  destination:
    server: https://kubernetes.default.svc
    # The CNI is reconciled with prune+selfHeal, so removing a resource from
    # manifests/cilium removes it from the cluster on the next sync.
    namespace: cilium-system
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      selfHeal: true
      prune: true

--------------------------------------------------------------------------------
/manifests/apps/kustomization.yaml:
--------------------------------------------------------------------------------
# Child Applications created by app-root; order here does not imply sync order.
resources:
  - talos-ccm.yaml
  - cilium.yaml
  - metrics-server.yaml
  - argocd.yaml

--------------------------------------------------------------------------------
/manifests/apps/metrics-server.yaml:
--------------------------------------------------------------------------------
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: metrics-server
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io

spec:
  project: default
  source:
    path: manifests/metrics-server
    repoURL: https://github.com/roeldev/iac-talos-cluster
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
    namespace: kube-system
  syncPolicy:
    # prune: false (unlike argocd/cilium): resources dropped from git stay in
    # kube-system until removed by hand.
    automated:
      selfHeal: true
      prune: false

--------------------------------------------------------------------------------
/manifests/apps/talos-ccm.yaml:
--------------------------------------------------------------------------------
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: talos-ccm
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io

spec:
  project: default
  source:
    path: manifests/talos-ccm
    repoURL: https://github.com/roeldev/iac-talos-cluster
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
    namespace: kube-system
  syncPolicy:
    # prune: false, same trade-off as metrics-server.yaml.
    automated:
      selfHeal: true
      prune: false

--------------------------------------------------------------------------------
/manifests/argocd/kustomization.yaml:
--------------------------------------------------------------------------------
namespace: argocd
# NOTE(review): kustomized-helm.yaml in this directory is not listed here, so
# it is not part of what the argocd Application applies.
resources:
  - namespace.yaml
  - argocd.yaml

patches:
  - path: kustomize-enable-helm.patch.yaml
    target:
      version: v1
      kind: ConfigMap
      name: argocd-cm
      namespace: argocd

--------------------------------------------------------------------------------
/manifests/argocd/kustomize-enable-helm.patch.yaml:
--------------------------------------------------------------------------------
# https://medium.com/dzerolabs/turbocharge-argocd-with-app-of-apps-pattern-and-kustomized-helm-ea4993190e7c
# Reference: https://dev.to/camptocamp-ops/use-kustomize-to-post-render-helm-charts-in-argocd-2ml6
# https://argo-cd.readthedocs.io/en/stable/operator-manual/config-management-plugins/
# NOTE(review): JSON-patch "replace" requires /data/kustomize.buildOptions to
# already exist in argocd-cm; if the pinned install manifest ships without that
# key the kustomize build fails — "add" would create it instead. Confirm
# against the argocd.yaml that is downloaded for var.argocd_version.
# --enable-helm applies to every kustomize-based Application served by the
# repo-server, not only cilium: any repo it renders may then invoke helm.
- op: replace
  path: /data/kustomize.buildOptions
  value: --enable-helm

--------------------------------------------------------------------------------
/manifests/argocd/kustomized-helm.yaml:
--------------------------------------------------------------------------------
# https://medium.com/dzerolabs/turbocharge-argocd-with-app-of-apps-pattern-and-kustomized-helm-ea4993190e7c
# Reference: https://dev.to/camptocamp-ops/use-kustomize-to-post-render-helm-charts-in-argocd-2ml6
# NOTE(review): not referenced by kustomization.yaml in this directory, so it
# is currently unused. argocd-cm based configManagementPlugins were deprecated
# and later removed upstream in favour of sidecar plugins — confirm against
# var.argocd_version before relying on this file. The plugin commands run
# inside the repo-server via /bin/sh -c against a checked-out repo; the init
# step's "|| true" hides dependency-build failures, and the generate step
# hard-codes ../../helm_base and expands $ARGOCD_APP_NAME unquoted.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  configManagementPlugins: |
    - name: kustomized-helm
      init:
        command: ["/bin/sh", "-c"]
        args: ["helm dependency build || true"]
      generate:
        command: ["/bin/sh", "-c"]
        args: ["helm template ../../helm_base --name-template $ARGOCD_APP_NAME --include-crds > ../../helm_base/all.yml && kustomize build"]

--------------------------------------------------------------------------------
/manifests/argocd/namespace.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: argocd

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/.helmignore:
-------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .github/ 8 | .gitignore 9 | .bzr/ 10 | .bzrignore 11 | .hg/ 12 | .hgignore 13 | .svn/ 14 | # Common backup files 15 | *.swp 16 | *.bak 17 | *.tmp 18 | *.orig 19 | *~ 20 | # Various IDEs 21 | .project 22 | .idea/ 23 | *.tmproj 24 | .vscode/ 25 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | {{ template "chart.header" . }} 2 | 3 | {{ template "chart.deprecationWarning" . }} 4 | 5 | {{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} 6 | 7 | Cilium is open source software for providing and transparently securing 8 | network connectivity and loadbalancing between application workloads such as 9 | application containers or processes. Cilium operates at Layer 3/4 to provide 10 | traditional networking and security services as well as Layer 7 to protect and 11 | secure use of modern application protocols such as HTTP, gRPC and Kafka. 12 | 13 | A new Linux kernel technology called eBPF is at the foundation of Cilium. 14 | It supports dynamic insertion of eBPF bytecode into the Linux kernel at various 15 | integration points such as: network IO, application sockets, and tracepoints 16 | to implement security, networking and visibility logic. eBPF is highly 17 | efficient and flexible. 18 | 19 | ![Cilium feature overview](https://raw.githubusercontent.com/cilium/cilium/main/Documentation/images/cilium_overview.png) 20 | 21 | ## Prerequisites 22 | 23 | * Kubernetes: `{{ template "chart.kubeVersion" . 
}}` 24 | * Helm: `>= 3.0` 25 | 26 | ## Getting Started 27 | 28 | Try Cilium on any Kubernetes distribution in under 15 minutes: 29 | 30 | | Minikube | Self-Managed K8s | Amazon EKS | Google GKE | Microsoft AKS | 31 | |:-:|:-:|:-:|:-:|:-:| 32 | | [![Minikube](https://raw.githubusercontent.com/cilium/charts/master/images/minikube.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Self-Managed Kubernetes](https://raw.githubusercontent.com/cilium/charts/master/images/k8s.png)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Amazon EKS](https://raw.githubusercontent.com/cilium/charts/master/images/aws.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Google GKE](https://raw.githubusercontent.com/cilium/charts/master/images/google-cloud.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Microsoft AKS](https://raw.githubusercontent.com/cilium/charts/master/images/azure.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | 33 | 34 | Or, for a quick install with the default configuration: 35 | 36 | ``` 37 | $ helm repo add cilium https://helm.cilium.io/ 38 | $ helm install cilium cilium/cilium --namespace=kube-system 39 | ``` 40 | 41 | After Cilium is installed, you can explore the features that Cilium has to 42 | offer from the [Getting Started Guides page](https://docs.cilium.io/en/stable/gettingstarted/). 43 | 44 | {{ template "chart.maintainersSection" . }} 45 | 46 | {{ template "chart.sourcesSection" . }} 47 | 48 | ## Getting Help 49 | 50 | The best way to get help if you get stuck is to ask a question on the 51 | [Cilium Slack channel](https://cilium.herokuapp.com/). With Cilium 52 | contributors across the globe, there is almost always someone available to help. 53 | 54 | {{ template "chart.valuesSection" . 
}}

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/files/agent/poststart-eni.bash:
--------------------------------------------------------------------------------
set -o errexit
set -o pipefail
set -o nounset

# When running in AWS ENI mode, it's likely that 'aws-node' has
# had a chance to install SNAT iptables rules. These can result
# in dropped traffic, so we should attempt to remove them.
# We do it using a 'postStart' hook since this may need to run
# for nodes which might have already been init'ed but may still
# have dangling rules. This is safe because there are no
# dependencies on anything that is part of the startup script
# itself, and can be safely run multiple times per node (e.g. in
# case of a restart).
#
# NOTE(review): vendored from the upstream cilium chart. It rewrites the
# node's whole iptables ruleset (save | filter | restore) from the agent's
# postStart hook, which presumably requires node-level network privileges
# and can race with any other process editing iptables at that moment.
if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
then
  echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
  iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
fi
echo 'Done!'

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/files/nodeinit/prestop.bash:
--------------------------------------------------------------------------------
#!/bin/bash

set -o errexit
set -o pipefail
set -o nounset

# NOTE(review): preScript (and postScript at the end of this file) are
# spliced in verbatim from chart values, so whoever controls the values file
# controls shell executed on every node with this hook's privileges. Treat
# values changes touching nodeinit.* as code review, not configuration.
{{ .Values.nodeinit.prestop.preScript }}

# Marker file left by a previous run: de-init is idempotent per node.
if stat /tmp/node-deinit.cilium.io > /dev/null 2>&1; then
  exit 0
fi

echo "Waiting on pods to stop..."
if [ ! -f /etc/crictl.yaml ] || grep -q 'docker' /etc/crictl.yaml; then
  # Works for COS, ubuntu
  while docker ps | grep -v "node-init" | grep -q "POD_cilium"; do sleep 1; done
else
  # COS-beta (with containerd). Some versions of COS have crictl in /home/kubernetes/bin.
# (continued: containerd branch of the pod-wait loop in nodeinit/prestop.bash)
  while PATH="${PATH}:/home/kubernetes/bin" crictl ps | grep -v "node-init" | grep -q "POD_cilium"; do sleep 1; done
fi

if ip link show cilium_host; then
  echo "Deleting cilium_host interface..."
  ip link del cilium_host
fi

{{- if not (eq .Values.nodeinit.bootstrapFile "") }}
rm -f {{ .Values.nodeinit.bootstrapFile | quote }}
{{- end }}

rm -f /tmp/node-init.cilium.io
touch /tmp/node-deinit.cilium.io

{{- if .Values.nodeinit.reconfigureKubelet }}
# Check if we're running on a GKE containerd flavor.
# NOTE(review): this branch edits host files (containerd config, the kubelet
# binary path, /etc/default/kubelet) and restarts kubelet; it is only
# rendered when nodeinit.reconfigureKubelet is set.
GKE_KUBERNETES_BIN_DIR="/home/kubernetes/bin"
if [[ -f "${GKE_KUBERNETES_BIN_DIR}/gke" ]] && command -v containerd &>/dev/null; then
  CONTAINERD_CONFIG="/etc/containerd/config.toml"
  echo "Reverting changes to the containerd configuration"
  sed -Ei "s/^\#(\s+conf_template)/\1/g" "${CONTAINERD_CONFIG}"
  echo "Removing the kubelet wrapper"
  [[ -f "${GKE_KUBERNETES_BIN_DIR}/the-kubelet" ]] && mv "${GKE_KUBERNETES_BIN_DIR}/the-kubelet" "${GKE_KUBERNETES_BIN_DIR}/kubelet"
else
  echo "Changing kubelet configuration to --network-plugin=kubenet"
  sed -i "s:--network-plugin=cni\ --cni-bin-dir={{ .Values.cni.binPath }}:--network-plugin=kubenet:g" /etc/default/kubelet
fi
echo "Restarting the kubelet"
systemctl restart kubelet
{{- end }}

{{- if (and .Values.gke.enabled (or .Values.enableIPv4Masquerade .Values.gke.disableDefaultSnat))}}
# If the IP-MASQ chain exists, add back default jump rule from the GKE instance configure script
if iptables -w -t nat -L IP-MASQ > /dev/null; then
  iptables -w -t nat -A POSTROUTING -m comment --comment "ip-masq: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ
fi
{{- end }}

# Second values-provided hook; see the note on preScript at the top.
{{ .Values.nodeinit.prestop.postScript }}

echo "Node de-initialization complete"

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/files/spire/init.bash:
--------------------------------------------------------------------------------
# shellcheck disable=SC2086
# shellcheck disable=SC2139
# NOTE(review): vendored from the upstream cilium chart. The script reaches the
# spire-server binary and its private admin socket through /proc/<pid>/root,
# so it must share the server's PID namespace and be able to traverse another
# process's root; that access is what lets it register SPIFFE entries.
# `alias` only expands in scripts when the shell is configured for it (the
# SC2139 suppression suggests this is intentional) — confirm the interpreter.
set -e

echo "Waiting for spire process to start"
while ! pgrep spire-server > /dev/null; do sleep 5; done

SPIRE_SERVER_ROOT_PATH="/proc/$(pgrep spire-server)/root"

alias spire_server="${SPIRE_SERVER_ROOT_PATH}/opt/spire/bin/spire-server"
SOCKET_PATH="${SPIRE_SERVER_ROOT_PATH}/tmp/spire-server/private/api.sock"
SOCKET_FLAG="-socketPath ${SOCKET_PATH}"

echo "Checking spire-server status"
while ! spire_server entry show ${SOCKET_FLAG} &> /dev/null; do
  echo "Waiting for spire-server to start..."
  sleep 5
done

echo "Spire Server is up, initializing cilium spire entries..."
# (continued: spire/init.bash — entry definitions and the reconcile loop)

# Each SPIFFE ID is bound to a Kubernetes namespace + service account via the
# selectors, so the strength of these workload identities rests on who can
# create pods under those service accounts.
AGENT_SPIFFE_ID="spiffe://{{ .Values.authentication.mutual.spire.trustDomain }}/ns/{{ .Values.authentication.mutual.spire.install.namespace }}/sa/spire-agent"
AGENT_SELECTORS="-selector k8s_psat:agent_ns:{{ .Values.authentication.mutual.spire.install.namespace }} -selector k8s_psat:agent_sa:spire-agent"
CILIUM_AGENT_SPIFFE_ID="spiffe://{{ .Values.authentication.mutual.spire.trustDomain }}/cilium-agent"
CILIUM_AGENT_SELECTORS="-selector k8s:ns:{{ .Release.Namespace }} -selector k8s:sa:{{ .Values.serviceAccounts.cilium.name }}"
CILIUM_OPERATOR_SPIFFE_ID="spiffe://{{ .Values.authentication.mutual.spire.trustDomain }}/cilium-operator"
CILIUM_OPERATOR_SELECTORS="-selector k8s:ns:{{ .Release.Namespace }} -selector k8s:sa:{{ .Values.serviceAccounts.operator.name }}"

# Re-checks every 30s for as long as the server runs; an entry is created only
# when "entry show" reports none for that ID + selector set.
while pgrep spire-server > /dev/null;
do
  echo "Ensuring agent entry"
  if spire_server entry show ${SOCKET_FLAG} -spiffeID $AGENT_SPIFFE_ID $AGENT_SELECTORS | grep -q "Found 0 entries" &> /dev/null; then
    spire_server entry create ${SOCKET_FLAG} -spiffeID $AGENT_SPIFFE_ID $AGENT_SELECTORS -node
  fi

  echo "Ensuring cilium-agent entry (required for the delegated identity to work)"
  if spire_server entry show ${SOCKET_FLAG} -spiffeID $CILIUM_AGENT_SPIFFE_ID $CILIUM_AGENT_SELECTORS | grep -q "Found 0 entries" &> /dev/null; then
    spire_server entry create ${SOCKET_FLAG} -spiffeID $CILIUM_AGENT_SPIFFE_ID -parentID $AGENT_SPIFFE_ID $CILIUM_AGENT_SELECTORS
  fi

  echo "Ensuring cilium-operator entry (required for creating SPIFFE identities)"
  if spire_server entry show ${SOCKET_FLAG} -spiffeID $CILIUM_OPERATOR_SPIFFE_ID $CILIUM_OPERATOR_SELECTORS | grep -q "Found 0 entries" &> /dev/null; then
    spire_server entry create ${SOCKET_FLAG} -spiffeID $CILIUM_OPERATOR_SPIFFE_ID -parentID $AGENT_SPIFFE_ID $CILIUM_OPERATOR_SELECTORS
  fi

  echo "Cilium Spire entries are initialized successfully or already in-sync"
  sleep 30;
done

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/files/spire/wait-for-spire.bash:
--------------------------------------------------------------------------------
set -e

echo "Waiting for spire server to be reachable to start"

{{- if .Values.authentication.mutual.spire.serverAddress }}
ADDR="{{ .Values.authentication.mutual.spire.serverAddress }}"
{{- else }}
ADDR="spire-server.{{ .Values.authentication.mutual.spire.install.namespace}}.svc:8081"
{{- end }}
CONN_TIMEOUT="3"
TIMEOUT="60"

# Plain TCP connect probe; returns nc's status and discards output. It says
# nothing about the peer's identity — that is left to the SPIRE client
# configuration. ADDR is passed as a single host:port token, which relies on
# the image's nc accepting that form.
call_tcp_endpoint_with_timeout() {
  local addr="$1"
  local timeout="$2"

  nc -z "$addr" -w "$timeout" &> /dev/null
}

# wait for SPIRE server to be reachable till $TIMEOUT is reached
start_time=$(date +%s)
while true; do
  if call_tcp_endpoint_with_timeout "$ADDR" "$CONN_TIMEOUT"; then
    echo "SPIRE server is reachable"
    break
  fi

  if [ $(( $(date +%s) - start_time )) -gt "$TIMEOUT" ]; then
    echo "Timed out waiting for spire server to be reachable"
    exit 1
  fi

  echo "Waiting for spire server to be reachable"
  sleep 1
done

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/templates/NOTES.txt:
--------------------------------------------------------------------------------
{{- if (and (.Values.preflight.enabled) (not (.Values.agent)) (not (.Values.operator.enabled))) }}
You have successfully ran the preflight check.
Now make sure to check the number of READY pods is the same as the number of running cilium pods.
Then make sure the cilium preflight deployment is also marked READY 1/1.
If you have an issues please refer to the CNP Validation section in the upgrade guide.
{{- else if (and (.Values.hubble.enabled) (.Values.hubble.relay.enabled)) }}
{{- if (.Values.hubble.ui.enabled) }}
You have successfully installed {{ title .Chart.Name }} with Hubble Relay and Hubble UI.
{{- else }}
You have successfully installed {{ title .Chart.Name }} with Hubble Relay.
{{- end }}
{{- else if .Values.hubble.enabled }}
You have successfully installed {{ title .Chart.Name }} with Hubble.
{{- else if (and (.Values.hubble.ui.enabled) (.Values.hubble.ui.standalone.enabled)) }}
You have successfully installed {{ title .Chart.Name }} with standalone Hubble UI.
{{- else }}
You have successfully installed {{ title .Chart.Name }}.
{{- end }}

Your release version is {{ .Chart.Version }}.

For any further help, visit https://docs.cilium.io/en/v{{ (semver .Chart.Version).Major }}.{{ (semver .Chart.Version).Minor }}/gettinghelp

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/templates/cilium-agent/clusterrole.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.agent (not .Values.preflight.enabled) }}
{{- /*
Keep file in sync with cilium-preflight/clusterrole.yaml
*/ -}}
{{- /*
Review notes (vendored upstream chart template):
- Cluster-wide grant bound to the cilium-agent ServiceAccount by
  cilium-agent/clusterrolebinding.yaml. It is read-mostly; write verbs are
  limited to cilium.io resources plus, behind feature flags, nodes/status
  (annotateK8sNode) and coordination leases (l2announcements).
- The only core Secret access is the conditional "get" further down, rendered
  when tls.secretsBackend is "k8s"; feature-specific Secret reads are scoped
  per namespace in cilium-agent/role.yaml instead.
*/ -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium
  {{- with .Values.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  - services
  - pods
  - endpoints
  - nodes
  verbs:
  - get
  - list
  - watch
{{- if .Values.annotateK8sNode }}
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  # To annotate the k8s node with Cilium's metadata
  - patch
{{- end }}
{{- if .Values.l2announcements.enabled }}
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - update
  - list
  - delete
{{- end }}
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - list
  - watch
  # This is used when validating policies in preflight. This will need to stay
  # until we figure out how to avoid "get" inside the preflight, and then
  # should be removed ideally.
# (continued: cilium-agent/clusterrole.yaml, customresourcedefinitions verbs)
  - get
{{- if eq "k8s" .Values.tls.secretsBackend }}
# Cluster-wide read of any Secret by name; only rendered when TLS material is
# read directly from the API (tls.secretsBackend=k8s).
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
{{- end }}
- apiGroups:
  - cilium.io
  resources:
  - ciliumloadbalancerippools
  - ciliumbgppeeringpolicies
  - ciliumbgpnodeconfigs
  - ciliumbgpadvertisements
  - ciliumbgppeerconfigs
  - ciliumclusterwideenvoyconfigs
  - ciliumclusterwidenetworkpolicies
  - ciliumegressgatewaypolicies
  - ciliumendpoints
  - ciliumendpointslices
  - ciliumenvoyconfigs
  - ciliumidentities
  - ciliumlocalredirectpolicies
  - ciliumnetworkpolicies
  - ciliumnodes
  - ciliumnodeconfigs
  - ciliumcidrgroups
  - ciliuml2announcementpolicies
  - ciliumpodippools
  verbs:
  - list
  - watch
- apiGroups:
  - cilium.io
  resources:
  - ciliumidentities
  - ciliumendpoints
  - ciliumnodes
  verbs:
  - create
- apiGroups:
  - cilium.io
  # To synchronize garbage collection of such resources
  resources:
  - ciliumidentities
  verbs:
  - update
- apiGroups:
  - cilium.io
  resources:
  - ciliumendpoints
  verbs:
  - delete
  - get
- apiGroups:
  - cilium.io
  resources:
  - ciliumnodes
  - ciliumnodes/status
  verbs:
  - get
  - update
- apiGroups:
  - cilium.io
  resources:
  - ciliumnetworkpolicies/status
  - ciliumclusterwidenetworkpolicies/status
  - ciliumendpoints/status
  - ciliumendpoints
  - ciliuml2announcementpolicies/status
  - ciliumbgpnodeconfigs/status
  verbs:
  - patch
{{- end }}

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create }}
{{- /*
Binds the cluster-wide "cilium" ClusterRole to the agent ServiceAccount.
Only rendered when the chart creates that ServiceAccount; with
serviceAccounts.cilium.create=false the ClusterRole is left unbound here
and the binding must be managed outside the chart.
*/ -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cilium
  {{- with .Values.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    app.kubernetes.io/part-of: cilium
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cilium
subjects:
- kind: ServiceAccount
  name: {{ .Values.serviceAccounts.cilium.name | quote }}
  namespace: {{ .Release.Namespace }}
{{- end }}

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/templates/cilium-agent/dashboards-configmap.yaml:
--------------------------------------------------------------------------------
{{- if .Values.dashboards.enabled }}
{{- /*
One ConfigMap per JSON file under files/cilium-agent/dashboards; the
ConfigMap name is the file's basename without ".json", truncated to 63 chars.
*/ -}}
{{- $files := .Files.Glob "files/cilium-agent/dashboards/*.json" }}
{{- range $path, $fileContents := $files }}
{{- $dashboardName := regexReplaceAll "(^.*/)(.*)\\.json$" $path "${2}" }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ $dashboardName | trunc 63 | trimSuffix "-" }}
  namespace: {{ $.Values.dashboards.namespace | default $.Release.Namespace }}
  labels:
    k8s-app: cilium
    app.kubernetes.io/name: cilium-agent
    app.kubernetes.io/part-of: cilium
    {{- if $.Values.dashboards.label }}
    {{ $.Values.dashboards.label }}: {{ ternary $.Values.dashboards.labelValue "1" (not (empty $.Values.dashboards.labelValue)) | quote }}
    {{- end }}
  {{- if or $.Values.dashboards.annotations $.Values.annotations }}
  annotations:
    {{- with $.Values.dashboards.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with $.Values.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
data:
  {{ $dashboardName }}.json: {{ $.Files.Get $path | toJson }}
{{- end }}
{{- end }}

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/templates/cilium-agent/role.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.agent (not .Values.preflight.enabled) }}
{{- /*
Namespace-scoped grants for the agent: ConfigMap reads in the release
namespace, then (below, each behind its feature flag) Secret reads confined
to the dedicated secretsNamespace of ingress, Gateway API, envoy config and
BGP control plane — rather than a cluster-wide Secret read.
*/ -}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cilium-config-agent
  namespace: {{ .Release.Namespace }}
  {{- with .Values.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch

{{- end }}

{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.ingressController.enabled .Values.ingressController.secretsNamespace.name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cilium-ingress-secrets
  namespace: {{ .Values.ingressController.secretsNamespace.name | quote }}
  {{- with .Values.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
{{- end }}

{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.gatewayAPI.enabled .Values.gatewayAPI.secretsNamespace.name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cilium-gateway-secrets
  namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }}
  {{- with .Values.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
{{- end}}

{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.envoyConfig.enabled .Values.envoyConfig.secretsNamespace.name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cilium-envoy-config-secrets
  namespace: {{ .Values.envoyConfig.secretsNamespace.name | quote }}
  {{- with .Values.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
{{- end}}

{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.bgpControlPlane.enabled .Values.bgpControlPlane.secretsNamespace.name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cilium-bgp-control-plane-secrets
  namespace: {{ .Values.bgpControlPlane.secretsNamespace.name | quote }}
  labels:
    app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
{{- end}}

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/templates/cilium-agent/service.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.agent (not .Values.preflight.enabled) .Values.prometheus.enabled }}
{{- if .Values.prometheus.serviceMonitor.enabled }}
{{- /*
Headless metrics Service for the agent DaemonSet, scraped via ServiceMonitor.
The envoy-metrics port is exposed here only while envoy runs embedded in the
agent (envoy.enabled=false); otherwise cilium-envoy/service.yaml owns it.
*/ -}}
apiVersion: v1
kind: Service
metadata:
  name: cilium-agent
  namespace: {{ .Release.Namespace }}
  {{- with .Values.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    k8s-app: cilium
    app.kubernetes.io/name: cilium-agent
    app.kubernetes.io/part-of: cilium
spec:
  clusterIP: None
  type: ClusterIP
  selector:
    k8s-app: cilium
  ports:
  - name: metrics
    port: {{ .Values.prometheus.port }}
    protocol: TCP
    targetPort: prometheus
  {{- if not .Values.envoy.enabled }}
  - name: envoy-metrics
    port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
    protocol: TCP
    targetPort: envoy-metrics
  {{- end }}
{{- else if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled (not .Values.envoy.enabled) }}
{{- /*
Annotation-based scrape variant (no ServiceMonitor). NOTE(review): unlike the
branch above, chart-wide .Values.annotations are not applied on this Service.
*/ -}}
apiVersion: v1
kind: Service
metadata:
  name: cilium-agent
  namespace: {{ .Release.Namespace }}
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port | quote }}
  labels:
    k8s-app: cilium
    app.kubernetes.io/name: cilium-agent
    app.kubernetes.io/part-of: cilium
spec:
  clusterIP: None
  type: ClusterIP
  selector:
    k8s-app: cilium
  ports:
  - name: envoy-metrics
    port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
    protocol: TCP
    targetPort: envoy-metrics
{{- end }}
{{- end }}

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/templates/cilium-agent/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create }}
{{- /*
The agent's ServiceAccount; chart-wide annotations are merged first, so a
per-ServiceAccount annotation with the same key wins.
*/ -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.serviceAccounts.cilium.name | quote }}
  namespace: {{ .Release.Namespace }}
  {{- if or .Values.serviceAccounts.cilium.annotations .Values.annotations }}
  annotations:
    {{- with .Values.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.serviceAccounts.cilium.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
{{- end }}

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/templates/cilium-agent/servicemonitor.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.agent (not .Values.preflight.enabled) .Values.prometheus.enabled .Values.prometheus.serviceMonitor.enabled }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: cilium-agent
  namespace: {{ .Values.prometheus.serviceMonitor.namespace | default .Release.Namespace }}
  labels:
    app.kubernetes.io/part-of: cilium
    {{- with .Values.prometheus.serviceMonitor.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- if or .Values.prometheus.serviceMonitor.annotations .Values.annotations }}
  annotations:
    {{- with .Values.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.prometheus.serviceMonitor.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
spec:
  selector:
    matchLabels:
      k8s-app: cilium
  namespaceSelector:
    matchNames:
    - {{ .Release.Namespace }}
  endpoints:
  - port: metrics
    interval: {{ .Values.prometheus.serviceMonitor.interval | quote }}
    honorLabels: true
    path: /metrics
    {{- with .Values.prometheus.serviceMonitor.relabelings }}
    relabelings:
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.prometheus.serviceMonitor.metricRelabelings }}
    metricRelabelings:
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- if .Values.envoy.prometheus.serviceMonitor.enabled }}
  - port: envoy-metrics
    interval: {{ .Values.envoy.prometheus.serviceMonitor.interval | quote }}
    honorLabels: true
    path: /metrics
    {{- with .Values.envoy.prometheus.serviceMonitor.relabelings }}
    relabelings:
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.envoy.prometheus.serviceMonitor.metricRelabelings }}
    metricRelabelings:
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
  targetLabels:
  - k8s-app
  {{- if .Values.prometheus.serviceMonitor.jobLabel }}
  jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel | quote }}
  {{- end }}
{{- end }}

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/templates/cilium-ca-bundle-configmap.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.tls.caBundle.enabled .Values.tls.caBundle.content -}}
{{- /*
Distributes a caller-supplied CA bundle (public certificates only) as either
a ConfigMap or, when tls.caBundle.useSecret is set, a Secret via stringData.
*/ -}}
---
apiVersion: v1
kind: {{ .Values.tls.caBundle.useSecret | ternary "Secret" "ConfigMap" }}
metadata:
  name: {{ .Values.tls.caBundle.name }}
  namespace: {{ .Release.Namespace }}
{{ .Values.tls.caBundle.useSecret | ternary "stringData" "data" }}:
  {{ .Values.tls.caBundle.key }}: |
    {{- .Values.tls.caBundle.content | nindent 4 }}
{{- end }}

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/templates/cilium-ca-secret.yaml:
--------------------------------------------------------------------------------
{{- if or
  (and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm"))
  (and (or .Values.agent .Values.hubble.relay.enabled .Values.hubble.ui.enabled) .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm"))
  (and .Values.tls.ca.key .Values.tls.ca.cert)
-}}
{{- /*
NOTE(review): this Secret holds the CA *private key* (ca.key) next to the
certificate. Read access to Secrets in the release namespace — or the
cluster-wide "secrets get" in cilium-agent/clusterrole.yaml when
tls.secretsBackend=k8s — is therefore equivalent to being able to issue
certificates trusted by hubble/clustermesh. With the "helm" auto method the
key is generated at render time, so it also ends up wherever the rendered
output is kept; in this repository that presumably includes the kustomize
data source result, Terraform state and output/inline-manifests.yaml
(manifests-inline.tf) — confirm and protect accordingly.
*/ -}}

{{- $_ := include "cilium.ca.setup" . -}}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ .commonCASecretName }}
  namespace: {{ .Release.Namespace }}
data:
  ca.crt: {{ .commonCA.Cert | b64enc }}
  ca.key: {{ .commonCA.Key | b64enc }}
{{- end }}

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/templates/cilium-envoy/configmap.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.envoy.enabled (not .Values.preflight.enabled) }}
{{- /*
Envoy bootstrap config, rendered through tpl from
files/cilium-envoy/configmap/bootstrap-config.json; values referenced by that
file therefore influence the proxy's startup configuration.
*/ -}}

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-envoy-config
  namespace: {{ .Release.Namespace }}
  {{- with .Values.envoy.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
data:
  {{- (tpl (.Files.Glob "files/cilium-envoy/configmap/bootstrap-config.json").AsConfig .) | nindent 2 }}

{{- end }}

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/templates/cilium-envoy/service.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.envoy.enabled (not .Values.preflight.enabled) .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled }}
{{- /*
Headless metrics Service for the standalone cilium-envoy DaemonSet. The
prometheus.io/* scrape annotations are emitted only when no ServiceMonitor is
used for envoy.
*/ -}}
apiVersion: v1
kind: Service
metadata:
  name: cilium-envoy
  namespace: {{ .Release.Namespace }}
  {{- if or (not .Values.envoy.prometheus.serviceMonitor.enabled) .Values.envoy.annotations }}
  annotations:
    {{- if not .Values.envoy.prometheus.serviceMonitor.enabled }}
    prometheus.io/scrape: "true"
    prometheus.io/port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port | quote }}
    {{- end }}
    {{- with .Values.envoy.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
  labels:
    k8s-app: cilium-envoy
    app.kubernetes.io/name: cilium-envoy
    app.kubernetes.io/part-of: cilium
    io.cilium/app: proxy
spec:
  clusterIP: None
  type: ClusterIP
  selector:
    k8s-app: cilium-envoy
  ports:
  - name: envoy-metrics
    port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
    protocol: TCP
    targetPort: envoy-metrics
{{- end }}

--------------------------------------------------------------------------------
/manifests/cilium/base/charts/cilium/templates/cilium-envoy/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.envoy.enabled (not .Values.preflight.enabled) .Values.serviceAccounts.envoy.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.serviceAccounts.envoy.name | quote }}
  namespace: {{ .Release.Namespace }}
  {{- if or .Values.serviceAccounts.envoy.annotations
.Values.envoy.annotations }} 8 | annotations: 9 | {{- with .Values.envoy.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.envoy.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-envoy/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.envoy.enabled (not .Values.preflight.enabled) .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled .Values.envoy.prometheus.serviceMonitor.enabled }} 2 | --- 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: ServiceMonitor 5 | metadata: 6 | name: cilium-envoy 7 | namespace: {{ .Values.envoy.prometheus.serviceMonitor.namespace | default .Release.Namespace }} 8 | labels: 9 | app.kubernetes.io/part-of: cilium 10 | app.kubernetes.io/name: cilium-envoy 11 | {{- with .Values.envoy.prometheus.serviceMonitor.labels }} 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | {{- if or .Values.envoy.prometheus.serviceMonitor.annotations .Values.envoy.annotations }} 15 | annotations: 16 | {{- with .Values.envoy.annotations }} 17 | {{- toYaml . | nindent 4 }} 18 | {{- end }} 19 | {{- with .Values.envoy.prometheus.serviceMonitor.annotations }} 20 | {{- toYaml . | nindent 4 }} 21 | {{- end }} 22 | {{- end }} 23 | spec: 24 | selector: 25 | matchLabels: 26 | k8s-app: cilium-envoy 27 | namespaceSelector: 28 | matchNames: 29 | - {{ .Release.Namespace }} 30 | endpoints: 31 | - port: envoy-metrics 32 | interval: {{ .Values.envoy.prometheus.serviceMonitor.interval | quote }} 33 | honorLabels: true 34 | path: /metrics 35 | {{- with .Values.envoy.prometheus.serviceMonitor.relabelings }} 36 | relabelings: 37 | {{- toYaml . 
| nindent 4 }} 38 | {{- end }} 39 | {{- with .Values.envoy.prometheus.serviceMonitor.metricRelabelings }} 40 | metricRelabelings: 41 | {{- toYaml . | nindent 4 }} 42 | {{- end }} 43 | targetLabels: 44 | - k8s-app 45 | {{- end }} 46 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-flowlog-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.export.dynamic.enabled .Values.hubble.export.dynamic.config.createConfigMap }} 2 | --- 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: {{ .Values.hubble.export.dynamic.config.configMapName }} 7 | namespace: {{ .Release.Namespace }} 8 | data: 9 | flowlogs.yaml: | 10 | flowLogs: 11 | {{ .Values.hubble.export.dynamic.config.content | toYaml | indent 4 }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-gateway-api-class.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.gatewayAPI.enabled -}} 2 | {{- if .Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1/GatewayClass" }} 3 | apiVersion: gateway.networking.k8s.io/v1 4 | kind: GatewayClass 5 | metadata: 6 | name: cilium 7 | spec: 8 | controllerName: io.cilium/gateway-controller 9 | {{- end}} 10 | {{- end}} 11 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-ingress-class.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingressController.enabled -}} 2 | apiVersion: networking.k8s.io/v1 3 | kind: IngressClass 4 | metadata: 5 | name: cilium 6 | {{- if .Values.ingressController.default }} 7 | annotations: 8 | ingressclass.kubernetes.io/is-default-class: "true" 9 | {{- end}} 10 | spec: 11 | controller: 
cilium.io/ingress-controller 12 | {{- end}} 13 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-ingress-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingressController.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ .Values.ingressController.service.name }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | cilium.io/ingress: "true" 9 | {{- if .Values.ingressController.service.labels }} 10 | {{- toYaml .Values.ingressController.service.labels | nindent 4 }} 11 | {{- end }} 12 | {{- if .Values.ingressController.service.annotations }} 13 | annotations: 14 | {{- toYaml .Values.ingressController.service.annotations | nindent 4 }} 15 | {{- end }} 16 | spec: 17 | ports: 18 | - name: http 19 | port: 80 20 | protocol: TCP 21 | nodePort: {{ .Values.ingressController.service.insecureNodePort }} 22 | - name: https 23 | port: 443 24 | protocol: TCP 25 | nodePort: {{ .Values.ingressController.service.secureNodePort }} 26 | type: {{ .Values.ingressController.service.type }} 27 | {{- if semverCompare ">=1.24-0" .Capabilities.KubeVersion.Version -}} 28 | {{- if .Values.ingressController.service.loadBalancerClass }} 29 | loadBalancerClass: {{ .Values.ingressController.service.loadBalancerClass }} 30 | {{- end }} 31 | {{- if (not (kindIs "invalid" .Values.ingressController.service.allocateLoadBalancerNodePorts)) }} 32 | allocateLoadBalancerNodePorts: {{ .Values.ingressController.service.allocateLoadBalancerNodePorts }} 33 | {{- end }} 34 | {{- end -}} 35 | {{- if .Values.ingressController.service.loadBalancerIP }} 36 | loadBalancerIP: {{ .Values.ingressController.service.loadBalancerIP }} 37 | {{- end }} 38 | --- 39 | apiVersion: v1 40 | kind: Endpoints 41 | metadata: 42 | name: {{ .Values.ingressController.service.name }} 43 | namespace: {{ .Release.Namespace }} 44 | {{- if 
.Values.ingressController.service.labels }} 45 | labels: 46 | {{- toYaml .Values.ingressController.service.labels | nindent 4 }} 47 | {{- end }} 48 | {{- if .Values.ingressController.service.annotations }} 49 | annotations: 50 | {{- toYaml .Values.ingressController.service.annotations | nindent 4 }} 51 | {{- end }} 52 | subsets: 53 | - addresses: 54 | - ip: "192.192.192.192" 55 | ports: 56 | - port: 9999 57 | {{- end }} 58 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-nodeinit/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.nodeinit.enabled .Values.serviceAccounts.nodeinit.enabled .Values.serviceAccounts.nodeinit.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.nodeinit.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.nodeinit.annotations .Values.nodeinit.annotations }} 8 | annotations: 9 | {{- with .Values.nodeinit.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.nodeinit.annotations }} 13 | {{- toYaml . 
| nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-operator/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "cilium.operator.cloud" -}} 2 | {{- $cloud := "generic" -}} 3 | {{- if .Values.eni.enabled -}} 4 | {{- $cloud = "aws" -}} 5 | {{- else if .Values.azure.enabled -}} 6 | {{- $cloud = "azure" -}} 7 | {{- else if .Values.alibabacloud.enabled -}} 8 | {{- $cloud = "alibabacloud" -}} 9 | {{- end -}} 10 | {{- $cloud -}} 11 | {{- end -}} 12 | 13 | {{- define "cilium.operator.imageDigestName" -}} 14 | {{- $imageDigest := (.Values.operator.image.useDigest | default false) | ternary (printf "@%s" .Values.operator.image.genericDigest) "" -}} 15 | {{- if .Values.eni.enabled -}} 16 | {{- $imageDigest = (.Values.operator.image.useDigest | default false) | ternary (printf "@%s" .Values.operator.image.awsDigest) "" -}} 17 | {{- else if .Values.azure.enabled -}} 18 | {{- $imageDigest = (.Values.operator.image.useDigest | default false) | ternary (printf "@%s" .Values.operator.image.azureDigest) "" -}} 19 | {{- else if .Values.alibabacloud.enabled -}} 20 | {{- $imageDigest = (.Values.operator.image.useDigest | default false) | ternary (printf "@%s" .Values.operator.image.alibabacloudDigest) "" -}} 21 | {{- end -}} 22 | {{- $imageDigest -}} 23 | {{- end -}} 24 | 25 | {{/* 26 | Return cilium operator image 27 | */}} 28 | {{- define "cilium.operator.image" -}} 29 | {{- if .Values.operator.image.override -}} 30 | {{- printf "%s" .Values.operator.image.override -}} 31 | {{- else -}} 32 | {{- $cloud := include "cilium.operator.cloud" . }} 33 | {{- $imageDigest := include "cilium.operator.imageDigestName" . 
}} 34 | {{- printf "%s-%s%s:%s%s" .Values.operator.image.repository $cloud .Values.operator.image.suffix .Values.operator.image.tag $imageDigest -}} 35 | {{- end -}} 36 | {{- end -}} 37 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-operator/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: cilium-operator 6 | {{- with .Values.operator.annotations }} 7 | annotations: 8 | {{- toYaml . | nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: cilium-operator 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ .Values.serviceAccounts.operator.name | quote }} 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-operator/dashboards-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.operator.dashboards.enabled }} 2 | {{- $files := .Files.Glob "files/cilium-operator/dashboards/*.json" }} 3 | {{- range $path, $fileContents := $files }} 4 | {{- $dashboardName := regexReplaceAll "(^.*/)(.*)\\.json$" $path "${2}" }} 5 | --- 6 | apiVersion: v1 7 | kind: ConfigMap 8 | metadata: 9 | name: {{ $dashboardName | trunc 63 | trimSuffix "-" }} 10 | namespace: {{ $.Values.operator.dashboards.namespace | default $.Release.Namespace }} 11 | labels: 12 | k8s-app: cilium 13 | app.kubernetes.io/name: cilium-operator 14 | app.kubernetes.io/part-of: cilium 15 | {{- if $.Values.operator.dashboards.label }} 16 | {{ $.Values.operator.dashboards.label }}: 
{{ ternary $.Values.operator.dashboards.labelValue "1" (not (empty $.Values.operator.dashboards.labelValue)) | quote }} 17 | {{- end }} 18 | {{- if or $.Values.operator.dashboards.annotations $.Values.operator.annotations }} 19 | annotations: 20 | {{- with $.Values.operator.dashboards.annotations }} 21 | {{- toYaml . | nindent 4 }} 22 | {{- end }} 23 | {{- with $.Values.operator.annotations }} 24 | {{- toYaml . | nindent 4 }} 25 | {{- end }} 26 | {{- end }} 27 | data: 28 | {{ $dashboardName }}.json: {{ $.Files.Get $path | toJson }} 29 | {{- end }} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.operator.enabled .Values.operator.podDisruptionBudget.enabled }} 2 | {{- $component := .Values.operator.podDisruptionBudget }} 3 | apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: cilium-operator 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.operator.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | io.cilium/app: operator 14 | name: cilium-operator 15 | app.kubernetes.io/name: cilium-operator 16 | app.kubernetes.io/part-of: cilium 17 | spec: 18 | {{- with $component.maxUnavailable }} 19 | maxUnavailable: {{ . }} 20 | {{- end }} 21 | {{- with $component.minAvailable }} 22 | minAvailable: {{ . 
}} 23 | {{- end }} 24 | selector: 25 | matchLabels: 26 | io.cilium/app: operator 27 | name: cilium-operator 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-operator/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create .Values.ingressController.enabled .Values.ingressController.secretsNamespace.sync .Values.ingressController.secretsNamespace.name }} 2 | --- 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: Role 5 | metadata: 6 | name: cilium-operator-ingress-secrets 7 | namespace: {{ .Values.ingressController.secretsNamespace.name | quote }} 8 | {{- with .Values.operator.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | app.kubernetes.io/part-of: cilium 14 | rules: 15 | - apiGroups: 16 | - "" 17 | resources: 18 | - secrets 19 | verbs: 20 | - create 21 | - delete 22 | - update 23 | - patch 24 | {{- end }} 25 | 26 | {{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create .Values.gatewayAPI.enabled .Values.gatewayAPI.secretsNamespace.sync .Values.gatewayAPI.secretsNamespace.name }} 27 | --- 28 | apiVersion: rbac.authorization.k8s.io/v1 29 | kind: Role 30 | metadata: 31 | name: cilium-operator-gateway-secrets 32 | namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }} 33 | {{- with .Values.operator.annotations }} 34 | annotations: 35 | {{- toYaml . 
| nindent 4 }} 36 | {{- end }} 37 | labels: 38 | app.kubernetes.io/part-of: cilium 39 | rules: 40 | - apiGroups: 41 | - "" 42 | resources: 43 | - secrets 44 | verbs: 45 | - create 46 | - delete 47 | - update 48 | - patch 49 | {{- end }} 50 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-operator/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create .Values.ingressController.enabled .Values.ingressController.secretsNamespace.sync .Values.ingressController.secretsNamespace.name }} 2 | --- 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: RoleBinding 5 | metadata: 6 | name: cilium-operator-ingress-secrets 7 | namespace: {{ .Values.ingressController.secretsNamespace.name | quote }} 8 | {{- with .Values.operator.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | app.kubernetes.io/part-of: cilium 14 | roleRef: 15 | apiGroup: rbac.authorization.k8s.io 16 | kind: Role 17 | name: cilium-operator-ingress-secrets 18 | subjects: 19 | - kind: ServiceAccount 20 | name: {{ .Values.serviceAccounts.operator.name | quote }} 21 | namespace: {{ .Release.Namespace }} 22 | {{- end }} 23 | 24 | {{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create .Values.gatewayAPI.enabled .Values.gatewayAPI.secretsNamespace.sync .Values.gatewayAPI.secretsNamespace.name }} 25 | --- 26 | apiVersion: rbac.authorization.k8s.io/v1 27 | kind: RoleBinding 28 | metadata: 29 | name: cilium-operator-gateway-secrets 30 | namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }} 31 | {{- with .Values.operator.annotations }} 32 | annotations: 33 | {{- toYaml . 
| nindent 4 }} 34 | {{- end }} 35 | labels: 36 | app.kubernetes.io/part-of: cilium 37 | roleRef: 38 | apiGroup: rbac.authorization.k8s.io 39 | kind: Role 40 | name: cilium-operator-gateway-secrets 41 | subjects: 42 | - kind: ServiceAccount 43 | name: {{ .Values.serviceAccounts.operator.name | quote }} 44 | namespace: {{ .Release.Namespace }} 45 | {{- end }} 46 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-operator/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.operator.enabled }} 2 | {{- if .Values.azure.enabled }} 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: cilium-azure 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.operator.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | type: Opaque 13 | data: 14 | AZURE_CLIENT_ID: {{ default "" .Values.azure.clientID | b64enc | quote }} 15 | AZURE_CLIENT_SECRET: {{ default "" .Values.azure.clientSecret | b64enc | quote }} 16 | {{- end }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-operator/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.operator.enabled .Values.operator.prometheus.enabled .Values.operator.prometheus.serviceMonitor.enabled }} 2 | kind: Service 3 | apiVersion: v1 4 | metadata: 5 | name: cilium-operator 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.operator.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | labels: 12 | io.cilium/app: operator 13 | name: cilium-operator 14 | app.kubernetes.io/part-of: cilium 15 | app.kubernetes.io/name: cilium-operator 16 | spec: 17 | clusterIP: None 18 | type: ClusterIP 19 | ports: 20 | - name: metrics 21 | port: 9963 22 | protocol: TCP 23 | targetPort: prometheus 24 | selector: 25 | io.cilium/app: operator 26 | name: cilium-operator 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-operator/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create }} 2 | {{- if and .Values.eni.enabled .Values.eni.iamRole }} 3 | {{ $_ := set .Values.serviceAccounts.operator.annotations "eks.amazonaws.com/role-arn" .Values.eni.iamRole }} 4 | {{- end}} 5 | --- 6 | apiVersion: v1 7 | kind: ServiceAccount 8 | metadata: 9 | name: {{ .Values.serviceAccounts.operator.name | quote }} 10 | namespace: {{ .Release.Namespace }} 11 | {{- if or .Values.serviceAccounts.operator.annotations .Values.operator.annotations }} 12 | annotations: 13 | {{- with .Values.operator.annotations }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | {{- with .Values.serviceAccounts.operator.annotations }} 17 | {{- toYaml . 
| nindent 4 }} 18 | {{- end }} 19 | {{- end }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-operator/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.operator.enabled .Values.operator.prometheus.enabled .Values.operator.prometheus.serviceMonitor.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: cilium-operator 6 | namespace: {{ .Values.operator.prometheus.serviceMonitor.namespace | default .Release.Namespace }} 7 | labels: 8 | app.kubernetes.io/part-of: cilium 9 | app.kubernetes.io/name: cilium-operator 10 | {{- with .Values.operator.prometheus.serviceMonitor.labels }} 11 | {{- toYaml . | nindent 4 }} 12 | {{- end }} 13 | {{- if or .Values.operator.prometheus.serviceMonitor.annotations .Values.operator.annotations }} 14 | annotations: 15 | {{- with .Values.operator.annotations }} 16 | {{- toYaml . | nindent 4 }} 17 | {{- end }} 18 | {{- with .Values.operator.prometheus.serviceMonitor.annotations }} 19 | {{- toYaml . | nindent 4 }} 20 | {{- end }} 21 | {{- end }} 22 | spec: 23 | selector: 24 | matchLabels: 25 | io.cilium/app: operator 26 | name: cilium-operator 27 | namespaceSelector: 28 | matchNames: 29 | - {{ .Release.Namespace }} 30 | endpoints: 31 | - port: metrics 32 | interval: {{ .Values.operator.prometheus.serviceMonitor.interval | quote }} 33 | honorLabels: true 34 | path: /metrics 35 | {{- with .Values.operator.prometheus.serviceMonitor.relabelings }} 36 | relabelings: 37 | {{- toYaml . | nindent 4 }} 38 | {{- end }} 39 | {{- with .Values.operator.prometheus.serviceMonitor.metricRelabelings }} 40 | metricRelabelings: 41 | {{- toYaml . 
| nindent 4 }} 42 | {{- end }} 43 | targetLabels: 44 | - io.cilium/app 45 | {{- if .Values.operator.prometheus.serviceMonitor.jobLabel }} 46 | jobLabel: {{ .Values.operator.prometheus.serviceMonitor.jobLabel | quote }} 47 | {{- end }} 48 | {{- end }} 49 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-preflight/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.preflight.enabled }} 2 | {{- /* 3 | Keep file in sync with cilium-agent/clusterrole.yaml 4 | */ -}} 5 | apiVersion: rbac.authorization.k8s.io/v1 6 | kind: ClusterRole 7 | metadata: 8 | name: cilium-pre-flight 9 | {{- with .Values.preflight.annotations }} 10 | annotations: 11 | {{- toYaml . | nindent 4 }} 12 | {{- end }} 13 | labels: 14 | app.kubernetes.io/part-of: cilium 15 | rules: 16 | - apiGroups: 17 | - networking.k8s.io 18 | resources: 19 | - networkpolicies 20 | verbs: 21 | - get 22 | - list 23 | - watch 24 | - apiGroups: 25 | - discovery.k8s.io 26 | resources: 27 | - endpointslices 28 | verbs: 29 | - get 30 | - list 31 | - watch 32 | - apiGroups: 33 | - "" 34 | resources: 35 | - namespaces 36 | - services 37 | - pods 38 | - endpoints 39 | - nodes 40 | verbs: 41 | - get 42 | - list 43 | - watch 44 | {{- if .Values.annotateK8sNode }} 45 | - apiGroups: 46 | - "" 47 | resources: 48 | - nodes/status 49 | verbs: 50 | # To annotate the k8s node with Cilium's metadata 51 | - patch 52 | {{- end }} 53 | {{- if .Values.l2announcements.enabled }} 54 | - apiGroups: 55 | - coordination.k8s.io 56 | resources: 57 | - leases 58 | verbs: 59 | - create 60 | - get 61 | - update 62 | - list 63 | - delete 64 | {{- end }} 65 | - apiGroups: 66 | - apiextensions.k8s.io 67 | resources: 68 | - customresourcedefinitions 69 | verbs: 70 | - list 71 | - watch 72 | # This is used when validating policies in preflight. 
This will need to stay 73 | # until we figure out how to avoid "get" inside the preflight, and then 74 | # should be removed ideally. 75 | - get 76 | {{- if eq "k8s" .Values.tls.secretsBackend }} 77 | - apiGroups: 78 | - "" 79 | resources: 80 | - secrets 81 | verbs: 82 | - get 83 | {{- end }} 84 | - apiGroups: 85 | - cilium.io 86 | resources: 87 | - ciliumloadbalancerippools 88 | - ciliumbgppeeringpolicies 89 | - ciliumbgpnodeconfigs 90 | - ciliumbgpadvertisements 91 | - ciliumbgppeerconfigs 92 | - ciliumclusterwideenvoyconfigs 93 | - ciliumclusterwidenetworkpolicies 94 | - ciliumegressgatewaypolicies 95 | - ciliumendpoints 96 | - ciliumendpointslices 97 | - ciliumenvoyconfigs 98 | - ciliumidentities 99 | - ciliumlocalredirectpolicies 100 | - ciliumnetworkpolicies 101 | - ciliumnodes 102 | - ciliumnodeconfigs 103 | - ciliumcidrgroups 104 | - ciliuml2announcementpolicies 105 | - ciliumpodippools 106 | verbs: 107 | - list 108 | - watch 109 | - apiGroups: 110 | - cilium.io 111 | resources: 112 | - ciliumidentities 113 | - ciliumendpoints 114 | - ciliumnodes 115 | verbs: 116 | - create 117 | - apiGroups: 118 | - cilium.io 119 | # To synchronize garbage collection of such resources 120 | resources: 121 | - ciliumidentities 122 | verbs: 123 | - update 124 | - apiGroups: 125 | - cilium.io 126 | resources: 127 | - ciliumendpoints 128 | verbs: 129 | - delete 130 | - get 131 | - apiGroups: 132 | - cilium.io 133 | resources: 134 | - ciliumnodes 135 | - ciliumnodes/status 136 | verbs: 137 | - get 138 | - update 139 | - apiGroups: 140 | - cilium.io 141 | resources: 142 | - ciliumnetworkpolicies/status 143 | - ciliumclusterwidenetworkpolicies/status 144 | - ciliumendpoints/status 145 | - ciliumendpoints 146 | - ciliuml2announcementpolicies/status 147 | - ciliumbgpnodeconfigs/status 148 | verbs: 149 | - patch 150 | {{- end }} 151 | -------------------------------------------------------------------------------- 
/manifests/cilium/base/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.preflight.enabled .Values.serviceAccounts.preflight.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: cilium-pre-flight 6 | {{- with .Values.preflight.annotations }} 7 | annotations: 8 | {{- toYaml . | nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: cilium-pre-flight 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ .Values.serviceAccounts.preflight.name | quote }} 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.preflight.enabled .Values.preflight.validateCNPs .Values.preflight.podDisruptionBudget.enabled }} 2 | {{- $component := .Values.preflight.podDisruptionBudget }} 3 | apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: cilium-pre-flight-check 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.preflight.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | k8s-app: cilium-pre-flight-check-deployment 14 | app.kubernetes.io/part-of: cilium 15 | app.kubernetes.io/name: cilium-pre-flight-check 16 | kubernetes.io/cluster-service: "true" 17 | spec: 18 | {{- with $component.maxUnavailable }} 19 | maxUnavailable: {{ . }} 20 | {{- end }} 21 | {{- with $component.minAvailable }} 22 | minAvailable: {{ . 
}} 23 | {{- end }} 24 | selector: 25 | matchLabels: 26 | k8s-app: cilium-pre-flight-check-deployment 27 | kubernetes.io/cluster-service: "true" 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-preflight/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.preflight.enabled .Values.serviceAccounts.preflight.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.preflight.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.preflight.annotations .Values.preflight.annotations }} 8 | annotations: 9 | {{- with .Values.preflight.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.preflight.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-resource-quota.yaml: -------------------------------------------------------------------------------- 1 | {{- if or .Values.resourceQuotas.enabled (and (ne .Release.Namespace "kube-system") .Values.gke.enabled) }} 2 | {{- if .Values.agent }} 3 | apiVersion: v1 4 | kind: ResourceQuota 5 | metadata: 6 | name: cilium-resource-quota 7 | namespace: {{ .Release.Namespace }} 8 | spec: 9 | hard: 10 | pods: {{ .Values.resourceQuotas.cilium.hard.pods | quote }} 11 | scopeSelector: 12 | matchExpressions: 13 | - operator: In 14 | scopeName: PriorityClass 15 | values: 16 | - system-node-critical 17 | {{- end }} 18 | {{- if .Values.operator.enabled }} 19 | --- 20 | apiVersion: v1 21 | kind: ResourceQuota 22 | metadata: 23 | name: cilium-operator-resource-quota 24 | namespace: {{ .Release.Namespace }} 25 | spec: 26 | hard: 27 | pods: {{ 
.Values.resourceQuotas.operator.hard.pods | quote }} 28 | scopeSelector: 29 | matchExpressions: 30 | - operator: In 31 | scopeName: PriorityClass 32 | values: 33 | - system-cluster-critical 34 | {{- end }} 35 | {{- end }} 36 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/cilium-secrets-namespace.yaml: -------------------------------------------------------------------------------- 1 | {{- $secretNamespaces := dict -}} 2 | {{- range $cfg := tuple .Values.ingressController .Values.gatewayAPI .Values.envoyConfig .Values.bgpControlPlane -}} 3 | {{- if and $cfg.enabled $cfg.secretsNamespace.create $cfg.secretsNamespace.name -}} 4 | {{- $_ := set $secretNamespaces $cfg.secretsNamespace.name 1 -}} 5 | {{- end -}} 6 | {{- end -}} 7 | 8 | {{- range $name, $_ := $secretNamespaces }} 9 | --- 10 | apiVersion: v1 11 | kind: Namespace 12 | metadata: 13 | name: {{ $name | quote }} 14 | {{- end}} 15 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "clustermesh-apiserver-generate-certs.admin-common-name" -}} 2 | admin-{{ .Values.cluster.name }} 3 | {{- end -}} 4 | 5 | {{- define "clustermesh-apiserver-generate-certs.remote-common-name" -}} 6 | {{- if eq .Values.clustermesh.apiserver.tls.authMode "cluster" -}} 7 | remote-{{ .Values.cluster.name }} 8 | {{- else -}} 9 | remote 10 | {{- end -}} 11 | {{- end -}} 12 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) 
.Values.serviceAccounts.clustermeshApiserver.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: clustermesh-apiserver 6 | labels: 7 | app.kubernetes.io/part-of: cilium 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | rules: 13 | - apiGroups: 14 | - cilium.io 15 | resources: 16 | - ciliumnodes 17 | - ciliumendpoints 18 | - ciliumidentities 19 | verbs: 20 | - create 21 | - apiGroups: 22 | - cilium.io 23 | resources: 24 | - ciliumexternalworkloads/status 25 | - ciliumnodes 26 | - ciliumidentities 27 | verbs: 28 | - update 29 | - apiGroups: 30 | - cilium.io 31 | resources: 32 | - ciliumendpoints 33 | - ciliumendpoints/status 34 | verbs: 35 | - patch 36 | - apiGroups: 37 | - cilium.io 38 | resources: 39 | - ciliumidentities 40 | - ciliumexternalworkloads 41 | - ciliumendpoints 42 | - ciliumnodes 43 | verbs: 44 | - get 45 | - list 46 | - watch 47 | - apiGroups: 48 | - apiextensions.k8s.io 49 | resources: 50 | - customresourcedefinitions 51 | verbs: 52 | - list 53 | - watch 54 | - apiGroups: 55 | - "" 56 | resources: 57 | - endpoints 58 | - namespaces 59 | - services 60 | verbs: 61 | - get 62 | - list 63 | - watch 64 | - apiGroups: 65 | - discovery.k8s.io 66 | resources: 67 | - endpointslices 68 | verbs: 69 | - get 70 | - list 71 | - watch 72 | {{- end }} 73 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.serviceAccounts.clustermeshApiserver.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: clustermesh-apiserver 6 | labels: 7 | app.kubernetes.io/part-of: cilium 8 | {{- with 
.Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: clustermesh-apiserver 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }} 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/metrics-service.yaml: -------------------------------------------------------------------------------- 1 | {{- $kvstoreMetricsEnabled := and .Values.clustermesh.apiserver.kvstoremesh.enabled .Values.clustermesh.apiserver.metrics.kvstoremesh.enabled -}} 2 | {{- if and 3 | (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) 4 | (or .Values.clustermesh.apiserver.metrics.enabled $kvstoreMetricsEnabled .Values.clustermesh.apiserver.metrics.etcd.enabled) }} 5 | apiVersion: v1 6 | kind: Service 7 | metadata: 8 | name: clustermesh-apiserver-metrics 9 | namespace: {{ .Release.Namespace }} 10 | {{- with .Values.clustermesh.annotations }} 11 | annotations: 12 | {{- toYaml . 
| nindent 4 }} 13 | {{- end }} 14 | labels: 15 | k8s-app: clustermesh-apiserver 16 | app.kubernetes.io/part-of: cilium 17 | app.kubernetes.io/name: clustermesh-apiserver 18 | app.kubernetes.io/component: metrics 19 | spec: 20 | clusterIP: None 21 | type: ClusterIP 22 | ports: 23 | {{- if .Values.clustermesh.apiserver.metrics.enabled }} 24 | - name: apiserv-metrics 25 | port: {{ .Values.clustermesh.apiserver.metrics.port }} 26 | protocol: TCP 27 | targetPort: apiserv-metrics 28 | {{- end }} 29 | {{- if $kvstoreMetricsEnabled }} 30 | - name: kvmesh-metrics 31 | port: {{ .Values.clustermesh.apiserver.metrics.kvstoremesh.port }} 32 | protocol: TCP 33 | targetPort: kvmesh-metrics 34 | {{- end }} 35 | {{- if .Values.clustermesh.apiserver.metrics.etcd.enabled }} 36 | - name: etcd-metrics 37 | port: {{ .Values.clustermesh.apiserver.metrics.etcd.port }} 38 | protocol: TCP 39 | targetPort: etcd-metrics 40 | {{- end }} 41 | selector: 42 | k8s-app: clustermesh-apiserver 43 | {{- end }} 44 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.podDisruptionBudget.enabled }} 2 | {{- $component := .Values.clustermesh.apiserver.podDisruptionBudget }} 3 | apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: clustermesh-apiserver 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | k8s-app: clustermesh-apiserver 14 | app.kubernetes.io/part-of: cilium 15 | app.kubernetes.io/name: clustermesh-apiserver 16 | spec: 17 | {{- with $component.maxUnavailable }} 18 | maxUnavailable: {{ . 
}} 19 | {{- end }} 20 | {{- with $component.minAvailable }} 21 | minAvailable: {{ . }} 22 | {{- end }} 23 | selector: 24 | matchLabels: 25 | k8s-app: clustermesh-apiserver 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: clustermesh-apiserver 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | k8s-app: clustermesh-apiserver 9 | app.kubernetes.io/part-of: cilium 10 | app.kubernetes.io/name: clustermesh-apiserver 11 | {{- if or .Values.clustermesh.apiserver.service.annotations .Values.clustermesh.annotations }} 12 | annotations: 13 | {{- with .Values.clustermesh.annotations }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | {{- with .Values.clustermesh.apiserver.service.annotations }} 17 | {{- toYaml . 
| nindent 4 }} 18 | {{- end }} 19 | {{- end }} 20 | spec: 21 | type: {{ .Values.clustermesh.apiserver.service.type }} 22 | selector: 23 | k8s-app: clustermesh-apiserver 24 | ports: 25 | - port: 2379 26 | {{- if and (eq "NodePort" .Values.clustermesh.apiserver.service.type) .Values.clustermesh.apiserver.service.nodePort }} 27 | nodePort: {{ .Values.clustermesh.apiserver.service.nodePort }} 28 | {{- end }} 29 | {{- if and (eq "LoadBalancer" .Values.clustermesh.apiserver.service.type) .Values.clustermesh.apiserver.service.loadBalancerIP }} 30 | loadBalancerIP: {{ .Values.clustermesh.apiserver.service.loadBalancerIP }} 31 | {{- end }} 32 | {{- if .Values.clustermesh.apiserver.service.externalTrafficPolicy }} 33 | externalTrafficPolicy: {{ .Values.clustermesh.apiserver.service.externalTrafficPolicy }} 34 | {{- end }} 35 | {{- if .Values.clustermesh.apiserver.service.internalTrafficPolicy }} 36 | internalTrafficPolicy: {{ .Values.clustermesh.apiserver.service.internalTrafficPolicy }} 37 | {{- end }} 38 | {{- end }} 39 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.serviceAccounts.clustermeshApiserver.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.clustermeshApiserver.annotations .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- with .Values.clustermesh.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.clustermeshApiserver.annotations }} 13 | {{- toYaml . 
| nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- $kvstoreMetricsEnabled := and .Values.clustermesh.apiserver.kvstoremesh.enabled .Values.clustermesh.apiserver.metrics.kvstoremesh.enabled -}} 2 | {{- if and 3 | (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) 4 | (or .Values.clustermesh.apiserver.metrics.enabled $kvstoreMetricsEnabled .Values.clustermesh.apiserver.metrics.etcd.enabled) 5 | .Values.clustermesh.apiserver.metrics.serviceMonitor.enabled }} 6 | --- 7 | apiVersion: monitoring.coreos.com/v1 8 | kind: ServiceMonitor 9 | metadata: 10 | name: clustermesh-apiserver 11 | namespace: {{ .Values.clustermesh.apiserver.metrics.serviceMonitor.namespace | default .Release.Namespace }} 12 | labels: 13 | app.kubernetes.io/part-of: cilium 14 | {{- with .Values.clustermesh.apiserver.metrics.serviceMonitor.labels }} 15 | {{- toYaml . | nindent 4 }} 16 | {{- end }} 17 | {{- if or .Values.clustermesh.apiserver.metrics.serviceMonitor.annotations .Values.clustermesh.annotations }} 18 | annotations: 19 | {{- with .Values.clustermesh.annotations }} 20 | {{- toYaml . | nindent 4 }} 21 | {{- end }} 22 | {{- with .Values.clustermesh.apiserver.metrics.serviceMonitor.annotations }} 23 | {{- toYaml . 
| nindent 4 }} 24 | {{- end }} 25 | {{- end }} 26 | spec: 27 | selector: 28 | matchLabels: 29 | app.kubernetes.io/name: clustermesh-apiserver 30 | app.kubernetes.io/component: metrics 31 | namespaceSelector: 32 | matchNames: 33 | - {{ .Release.Namespace }} 34 | endpoints: 35 | {{- if .Values.clustermesh.apiserver.metrics.enabled }} 36 | - port: apiserv-metrics 37 | interval: {{ .Values.clustermesh.apiserver.metrics.serviceMonitor.interval | quote }} 38 | honorLabels: true 39 | path: /metrics 40 | {{- with .Values.clustermesh.apiserver.metrics.serviceMonitor.relabelings }} 41 | relabelings: 42 | {{- toYaml . | nindent 4 }} 43 | {{- end }} 44 | {{- with .Values.clustermesh.apiserver.metrics.serviceMonitor.metricRelabelings }} 45 | metricRelabelings: 46 | {{- toYaml . | nindent 4 }} 47 | {{- end }} 48 | {{- end }} 49 | {{- if $kvstoreMetricsEnabled }} 50 | - port: kvmesh-metrics 51 | interval: {{ .Values.clustermesh.apiserver.metrics.serviceMonitor.kvstoremesh.interval | quote }} 52 | honorLabels: true 53 | path: /metrics 54 | {{- with .Values.clustermesh.apiserver.metrics.serviceMonitor.kvstoremesh.relabelings }} 55 | relabelings: 56 | {{- toYaml . | nindent 4 }} 57 | {{- end }} 58 | {{- with .Values.clustermesh.apiserver.metrics.serviceMonitor.kvstoremesh.metricRelabelings }} 59 | metricRelabelings: 60 | {{- toYaml . | nindent 4 }} 61 | {{- end }} 62 | {{- end }} 63 | {{- if .Values.clustermesh.apiserver.metrics.etcd.enabled }} 64 | - port: etcd-metrics 65 | interval: {{ .Values.clustermesh.apiserver.metrics.serviceMonitor.etcd.interval | quote }} 66 | honorLabels: true 67 | path: /metrics 68 | {{- with .Values.clustermesh.apiserver.metrics.serviceMonitor.etcd.relabelings }} 69 | relabelings: 70 | {{- toYaml . | nindent 4 }} 71 | {{- end }} 72 | {{- with .Values.clustermesh.apiserver.metrics.serviceMonitor.etcd.metricRelabelings }} 73 | metricRelabelings: 74 | {{- toYaml . 
| nindent 4 }} 75 | {{- end }} 76 | {{- end }} 77 | {{- end }} 78 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }} 2 | --- 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: clustermesh-apiserver-admin-cert 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | spec: 13 | issuerRef: 14 | {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }} 15 | secretName: clustermesh-apiserver-admin-cert 16 | commonName: {{ include "clustermesh-apiserver-generate-certs.admin-common-name" . }} 17 | dnsNames: 18 | - localhost 19 | duration: {{ printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.externalWorkloads.enabled .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }} 2 | --- 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: clustermesh-apiserver-client-cert 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | spec: 13 | issuerRef: 14 | {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }} 15 | secretName: clustermesh-apiserver-client-cert 16 | commonName: externalworkload 17 | duration: {{ printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }} 2 | --- 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: clustermesh-apiserver-remote-cert 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | spec: 13 | issuerRef: 14 | {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }} 15 | secretName: clustermesh-apiserver-remote-cert 16 | commonName: {{ include "clustermesh-apiserver-generate-certs.remote-common-name" . 
}} 17 | duration: {{ printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }} 2 | --- 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: clustermesh-apiserver-server-cert 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | spec: 13 | issuerRef: 14 | {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }} 15 | secretName: clustermesh-apiserver-server-cert 16 | commonName: clustermesh-apiserver.cilium.io 17 | dnsNames: 18 | - clustermesh-apiserver.cilium.io 19 | - "*.mesh.cilium.io" 20 | - "clustermesh-apiserver.{{ .Release.Namespace }}.svc" 21 | {{- range $dns := .Values.clustermesh.apiserver.tls.server.extraDnsNames }} 22 | - {{ $dns | quote }} 23 | {{- end }} 24 | ipAddresses: 25 | - "127.0.0.1" 26 | - "::1" 27 | {{- range $ip := .Values.clustermesh.apiserver.tls.server.extraIpAddresses }} 28 | - {{ $ip | quote }} 29 | {{- end }} 30 | duration: {{ printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }} 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled 
.Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") .Values.clustermesh.apiserver.tls.auto.schedule }} 2 | apiVersion: {{ include "cronjob.apiVersion" . }} 3 | kind: CronJob 4 | metadata: 5 | name: clustermesh-apiserver-generate-certs 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | labels: 12 | k8s-app: clustermesh-apiserver-generate-certs 13 | app.kubernetes.io/part-of: cilium 14 | spec: 15 | schedule: {{ .Values.clustermesh.apiserver.tls.auto.schedule | quote }} 16 | concurrencyPolicy: Forbid 17 | jobTemplate: 18 | {{- include "clustermesh-apiserver-generate-certs.job.spec" . | nindent 4 }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") }} 2 | --- 3 | apiVersion: batch/v1 4 | kind: Job 5 | metadata: 6 | name: clustermesh-apiserver-generate-certs 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | k8s-app: clustermesh-apiserver-generate-certs 10 | app.kubernetes.io/part-of: cilium 11 | annotations: 12 | "helm.sh/hook": post-install,post-upgrade 13 | {{- with .Values.certgen.annotations.job }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | {{- with .Values.clustermesh.annotations }} 17 | {{- toYaml . | nindent 4 }} 18 | {{- end }} 19 | {{ include "clustermesh-apiserver-generate-certs.job.spec" . 
}} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") .Values.serviceAccounts.clustermeshcertgen.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: clustermesh-apiserver-generate-certs 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | labels: 12 | app.kubernetes.io/part-of: cilium 13 | rules: 14 | - apiGroups: 15 | - "" 16 | resources: 17 | - secrets 18 | verbs: 19 | - create 20 | - apiGroups: 21 | - "" 22 | resources: 23 | - secrets 24 | resourceNames: 25 | - cilium-ca 26 | verbs: 27 | - get 28 | - update 29 | - apiGroups: 30 | - "" 31 | resources: 32 | - secrets 33 | resourceNames: 34 | - clustermesh-apiserver-server-cert 35 | - clustermesh-apiserver-admin-cert 36 | - clustermesh-apiserver-remote-cert 37 | - clustermesh-apiserver-client-cert 38 | verbs: 39 | - update 40 | {{- end }} 41 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") .Values.serviceAccounts.clustermeshcertgen.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | name: 
clustermesh-apiserver-generate-certs 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | labels: 12 | app.kubernetes.io/part-of: cilium 13 | roleRef: 14 | apiGroup: rbac.authorization.k8s.io 15 | kind: Role 16 | name: clustermesh-apiserver-generate-certs 17 | subjects: 18 | - kind: ServiceAccount 19 | name: {{ .Values.serviceAccounts.clustermeshcertgen.name | quote }} 20 | namespace: {{ .Release.Namespace }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") .Values.serviceAccounts.clustermeshcertgen.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.clustermeshcertgen.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.clustermeshcertgen.annotations .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- with .Values.serviceAccounts.clustermeshcertgen.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.clustermesh.annotations }} 13 | {{- toYaml . 
| nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} 2 | {{- $_ := include "cilium.ca.setup" . -}} 3 | {{- $cn := include "clustermesh-apiserver-generate-certs.admin-common-name" . -}} 4 | {{- $dns := list "localhost" }} 5 | {{- $cert := genSignedCert $cn nil $dns (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .commonCA -}} 6 | --- 7 | apiVersion: v1 8 | kind: Secret 9 | metadata: 10 | name: clustermesh-apiserver-admin-cert 11 | namespace: {{ .Release.Namespace }} 12 | {{- with .Values.clustermesh.annotations }} 13 | annotations: 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | type: kubernetes.io/tls 17 | data: 18 | ca.crt: {{ .commonCA.Cert | b64enc }} 19 | tls.crt: {{ $cert.Cert | b64enc }} 20 | tls.key: {{ $cert.Key | b64enc }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-helm/client-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.externalWorkloads.enabled .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} 2 | {{- $_ := include "cilium.ca.setup" . 
-}} 3 | {{- $cn := "externalworkload" }} 4 | {{- $cert := genSignedCert $cn nil nil (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .commonCA -}} 5 | --- 6 | apiVersion: v1 7 | kind: Secret 8 | metadata: 9 | name: clustermesh-apiserver-client-cert 10 | namespace: {{ .Release.Namespace }} 11 | {{- with .Values.clustermesh.annotations }} 12 | annotations: 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | type: kubernetes.io/tls 16 | data: 17 | ca.crt: {{ .commonCA.Cert | b64enc }} 18 | tls.crt: {{ $cert.Cert | b64enc }} 19 | tls.key: {{ $cert.Key | b64enc }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} 2 | {{- $_ := include "cilium.ca.setup" . -}} 3 | {{- $cn := include "clustermesh-apiserver-generate-certs.remote-common-name" . -}} 4 | {{- $cert := genSignedCert $cn nil nil (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .commonCA -}} 5 | --- 6 | apiVersion: v1 7 | kind: Secret 8 | metadata: 9 | name: clustermesh-apiserver-remote-cert 10 | namespace: {{ .Release.Namespace }} 11 | {{- with .Values.clustermesh.annotations }} 12 | annotations: 13 | {{- toYaml . 
| nindent 4 }} 14 | {{- end }} 15 | type: kubernetes.io/tls 16 | data: 17 | ca.crt: {{ .commonCA.Cert | b64enc }} 18 | tls.crt: {{ $cert.Cert | b64enc }} 19 | tls.key: {{ $cert.Key | b64enc }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} 2 | {{- $_ := include "cilium.ca.setup" . -}} 3 | {{- $cn := "clustermesh-apiserver.cilium.io" }} 4 | {{- $ip := concat (list "127.0.0.1" "::1") .Values.clustermesh.apiserver.tls.server.extraIpAddresses }} 5 | {{- $dns := concat (list $cn "*.mesh.cilium.io" (printf "clustermesh-apiserver.%s.svc" .Release.Namespace)) .Values.clustermesh.apiserver.tls.server.extraDnsNames }} 6 | {{- $cert := genSignedCert $cn $ip $dns (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .commonCA -}} 7 | --- 8 | apiVersion: v1 9 | kind: Secret 10 | metadata: 11 | name: clustermesh-apiserver-server-cert 12 | namespace: {{ .Release.Namespace }} 13 | {{- with .Values.clustermesh.annotations }} 14 | annotations: 15 | {{- toYaml . 
| nindent 4 }} 16 | {{- end }} 17 | type: kubernetes.io/tls 18 | data: 19 | ca.crt: {{ .commonCA.Cert | b64enc }} 20 | tls.crt: {{ $cert.Cert | b64enc }} 21 | tls.key: {{ $cert.Key | b64enc }} 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) (not .Values.clustermesh.apiserver.tls.auto.enabled) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: clustermesh-apiserver-admin-cert 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | type: kubernetes.io/tls 12 | data: 13 | ca.crt: {{ .Values.tls.ca.cert }} 14 | tls.crt: {{ .Values.clustermesh.apiserver.tls.admin.cert | required "missing clustermesh.apiserver.tls.admin.cert" }} 15 | tls.key: {{ .Values.clustermesh.apiserver.tls.admin.key | required "missing clustermesh.apiserver.tls.admin.key" }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-provided/client-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.externalWorkloads.enabled (not .Values.clustermesh.apiserver.tls.auto.enabled) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: clustermesh-apiserver-client-cert 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | type: kubernetes.io/tls 12 | data: 13 | ca.crt: {{ .Values.tls.ca.cert }} 14 | tls.crt: {{ .Values.clustermesh.apiserver.tls.client.cert | required "missing clustermesh.apiserver.tls.client.cert" }} 15 | tls.key: {{ .Values.clustermesh.apiserver.tls.client.key | required "missing clustermesh.apiserver.tls.client.key" }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.clustermesh.useAPIServer (not .Values.clustermesh.apiserver.tls.auto.enabled) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: clustermesh-apiserver-remote-cert 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | type: kubernetes.io/tls 12 | data: 13 | ca.crt: {{ .Values.tls.ca.cert }} 14 | tls.crt: {{ .Values.clustermesh.apiserver.tls.remote.cert | required "missing clustermesh.apiserver.tls.remote.cert" }} 15 | tls.key: {{ .Values.clustermesh.apiserver.tls.remote.key | required "missing clustermesh.apiserver.tls.remote.key" }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) (not .Values.clustermesh.apiserver.tls.auto.enabled) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: clustermesh-apiserver-server-cert 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.clustermesh.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | type: kubernetes.io/tls 12 | data: 13 | ca.crt: {{ .Values.tls.ca.cert }} 14 | tls.crt: {{ .Values.clustermesh.apiserver.tls.server.cert | required "missing clustermesh.apiserver.tls.server.cert" }} 15 | tls.key: {{ .Values.clustermesh.apiserver.tls.server.key | required "missing clustermesh.apiserver.tls.server.key" }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-apiserver/users-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if ne .Values.clustermesh.apiserver.tls.authMode "legacy" }} 2 | --- 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: clustermesh-remote-users 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | app.kubernetes.io/part-of: cilium 14 | data: 15 | users.yaml: | 16 | users: 17 | {{- if .Values.clustermesh.apiserver.kvstoremesh.enabled }} 18 | - name: remote-{{ .Values.cluster.name }} 19 | role: remote 20 | {{- end }} 21 | {{- range .Values.clustermesh.config.clusters }} 22 | - name: remote-{{ .name }} 23 | role: remote 24 | {{- end }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-config/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "clustermesh-config-generate-etcd-cfg" }} 2 | {{- $cluster := index . 0 -}} 3 | {{- $domain := index . 1 -}} 4 | {{- $override := index . 2 -}} 5 | {{- /* The parenthesis around $cluster.tls are required, since it can be null: https://stackoverflow.com/a/68807258 */}} 6 | {{- $prefix := ternary "common-" (printf "%s." 
$cluster.name) (or (ne $override "") (empty ($cluster.tls).cert) (empty ($cluster.tls).key)) -}} 7 | 8 | endpoints: 9 | {{- if ne $override "" }} 10 | - {{ $override }} 11 | {{- else if $cluster.ips }} 12 | - https://{{ $cluster.name }}.{{ $domain }}:{{ $cluster.port }} 13 | {{- else }} 14 | - https://{{ $cluster.address | required "missing clustermesh.apiserver.config.clusters.address" }}:{{ $cluster.port }} 15 | {{- end }} 16 | {{- if not (empty ($cluster.tls).caCert) }} 17 | {{- /* The custom CA configuration takes effect only if a custom certificate and key are also set */}} 18 | trusted-ca-file: /var/lib/cilium/clustermesh/{{ $prefix }}etcd-client-ca.crt 19 | {{- else }} 20 | trusted-ca-file: /var/lib/cilium/clustermesh/common-etcd-client-ca.crt 21 | {{- end }} 22 | key-file: /var/lib/cilium/clustermesh/{{ $prefix }}etcd-client.key 23 | cert-file: /var/lib/cilium/clustermesh/{{ $prefix }}etcd-client.crt 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.clustermesh.config.enabled }} 2 | --- 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: cilium-clustermesh 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | data: 13 | {{- $kvstoremesh := and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.kvstoremesh.enabled }} 14 | {{- $override := ternary (printf "https://clustermesh-apiserver.%s.svc:2379" .Release.Namespace) "" $kvstoremesh }} 15 | {{- range .Values.clustermesh.config.clusters }} 16 | {{ .name }}: {{ include "clustermesh-config-generate-etcd-cfg" (list . 
$.Values.clustermesh.config.domain $override) | b64enc }} 17 | {{- /* The parenthesis around .tls are required, since it can be null: https://stackoverflow.com/a/68807258 */}} 18 | {{- if and (eq $override "") (.tls).cert (.tls).key }} 19 | {{- if .tls.caCert }} 20 | {{ .name }}.etcd-client-ca.crt: {{ .tls.caCert }} 21 | {{- end }} 22 | {{ .name }}.etcd-client.key: {{ .tls.key }} 23 | {{ .name }}.etcd-client.crt: {{ .tls.cert }} 24 | {{- end }} 25 | {{- end }} 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/clustermesh-config/kvstoremesh-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.config.enabled .Values.clustermesh.apiserver.kvstoremesh.enabled }} 2 | --- 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: cilium-kvstoremesh 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.clustermesh.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | data: 13 | {{- range .Values.clustermesh.config.clusters }} 14 | {{ .name }}: {{ include "clustermesh-config-generate-etcd-cfg" (list . 
$.Values.clustermesh.config.domain "") | b64enc }} 15 | {{- /* The parenthesis around .tls are required, since it can be null: https://stackoverflow.com/a/68807258 */}} 16 | {{- if and (.tls).cert (.tls).key }} 17 | {{- if .tls.caCert }} 18 | {{ .name }}.etcd-client-ca.crt: {{ .tls.caCert }} 19 | {{- end }} 20 | {{ .name }}.etcd-client.key: {{ .tls.key }} 21 | {{ .name }}.etcd-client.crt: {{ .tls.cert }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.etcd.managed }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: cilium-etcd-operator 6 | {{- with .Values.etcd.annotations }} 7 | annotations: 8 | {{- toYaml . | nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | rules: 13 | - apiGroups: 14 | - etcd.database.coreos.com 15 | resources: 16 | - etcdclusters 17 | verbs: 18 | - get 19 | - delete 20 | - create 21 | - update 22 | - apiGroups: 23 | - apiextensions.k8s.io 24 | resources: 25 | - customresourcedefinitions 26 | verbs: 27 | - delete 28 | - get 29 | - create 30 | - apiGroups: 31 | - "" 32 | resources: 33 | - deployments 34 | verbs: 35 | - delete 36 | - create 37 | - get 38 | - update 39 | - apiGroups: 40 | - "" 41 | resources: 42 | - pods 43 | verbs: 44 | - list 45 | - get 46 | - delete 47 | - apiGroups: 48 | - apps 49 | resources: 50 | - deployments 51 | verbs: 52 | - delete 53 | - create 54 | - get 55 | - update 56 | - apiGroups: 57 | - "" 58 | resources: 59 | - componentstatuses 60 | verbs: 61 | - get 62 | - apiGroups: 63 | - extensions 64 | resources: 65 | - deployments 66 | verbs: 67 | - delete 68 | - create 69 | - get 70 | - update 71 | - apiGroups: 72 | - "" 73 | resources: 74 | - secrets 75 | verbs: 
76 | - get 77 | - create 78 | - delete 79 | {{- end }} 80 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.etcd.managed .Values.serviceAccounts.etcd.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: cilium-etcd-operator 6 | {{- with .Values.etcd.annotations }} 7 | annotations: 8 | {{- toYaml . | nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: cilium-etcd-operator 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ .Values.serviceAccounts.etcd.name | quote }} 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/etcd-operator/cilium-etcd-operator-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.etcd.managed .Values.serviceAccounts.etcd.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.etcd.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.etcd.annotations .Values.etcd.annotations }} 8 | annotations: 9 | {{- with .Values.etcd.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.etcd.annotations }} 13 | {{- toYaml . 
| nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/etcd-operator/etcd-operator-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.etcd.managed }} {{- /* NOTE(review): cluster-wide ClusterRole with wildcard verbs on the etcd CRDs, CustomResourceDefinitions, core pods/services/endpoints/persistentvolumeclaims/events and apps deployments, plus get on secrets in every namespace. It is bound to the cilium-etcd-sa service account and rendered only when etcd.managed is true, so that flag is what keeps this privilege out of clusters that do not run the managed etcd operator. The "deployments" entry under the core ("") group is not a core resource and grants nothing; the apps rule is the effective one */}} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: etcd-operator 6 | {{- with .Values.etcd.annotations }} 7 | annotations: 8 | {{- toYaml . | nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | rules: 13 | - apiGroups: 14 | - etcd.database.coreos.com 15 | resources: 16 | - etcdclusters 17 | - etcdbackups 18 | - etcdrestores 19 | verbs: 20 | - '*' 21 | - apiGroups: 22 | - apiextensions.k8s.io 23 | resources: 24 | - customresourcedefinitions 25 | verbs: 26 | - '*' 27 | - apiGroups: 28 | - "" 29 | resources: 30 | - pods 31 | - services 32 | - endpoints 33 | - persistentvolumeclaims 34 | - events 35 | - deployments 36 | verbs: 37 | - '*' 38 | - apiGroups: 39 | - apps 40 | resources: 41 | - deployments 42 | verbs: 43 | - '*' 44 | - apiGroups: 45 | - extensions 46 | resources: 47 | - deployments 48 | verbs: 49 | - create 50 | - get 51 | - list 52 | - patch 53 | - update 54 | - apiGroups: 55 | - "" 56 | resources: 57 | - secrets 58 | verbs: 59 | - get 60 | {{- end }} 61 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/etcd-operator/etcd-operator-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.etcd.managed }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: etcd-operator 6 | {{- with .Values.etcd.annotations }} 7 | annotations: 8 | {{- toYaml . 
| nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: etcd-operator 16 | subjects: 17 | - kind: ServiceAccount 18 | name: cilium-etcd-sa 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/etcd-operator/etcd-operator-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.etcd.managed }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: cilium-etcd-sa 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.etcd.annotations .Values.etcd.annotations }} 8 | annotations: 9 | {{- with .Values.etcd.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.etcd.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/etcd-operator/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.etcd.managed .Values.etcd.podDisruptionBudget.enabled }} 2 | {{- $component := .Values.etcd.podDisruptionBudget }} 3 | apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: cilium-etcd-operator 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.etcd.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | io.cilium/app: etcd-operator 14 | name: cilium-etcd-operator 15 | app.kubernetes.io/name: cilium-etcd-operator 16 | app.kubernetes.io/part-of: cilium 17 | spec: 18 | {{- with $component.maxUnavailable }} 19 | maxUnavailable: {{ . 
}} 20 | {{- end }} 21 | {{- with $component.minAvailable }} 22 | minAvailable: {{ . }} 23 | {{- end }} 24 | selector: 25 | matchLabels: 26 | io.cilium/app: etcd-operator 27 | name: cilium-etcd-operator 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble-relay/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.relay.enabled }} 2 | {{- $peerSvcPort := .Values.hubble.peerService.servicePort -}} 3 | {{- if not .Values.hubble.peerService.servicePort }} 4 | {{- $peerSvcPort = (.Values.hubble.tls.enabled | ternary 443 80) -}} 5 | {{- end }} 6 | --- 7 | apiVersion: v1 8 | kind: ConfigMap 9 | metadata: 10 | name: hubble-relay-config 11 | namespace: {{ .Release.Namespace }} 12 | {{- with .Values.hubble.relay.annotations }} 13 | annotations: 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | data: 17 | config.yaml: | 18 | cluster-name: {{ .Values.cluster.name }} 19 | peer-service: "hubble-peer.{{ .Release.Namespace }}.svc.{{ .Values.hubble.peerService.clusterDomain }}:{{ $peerSvcPort }}" 20 | listen-address: {{ .Values.hubble.relay.listenHost }}:{{ .Values.hubble.relay.listenPort }} 21 | gops: {{ .Values.hubble.relay.gops.enabled }} 22 | gops-port: {{ .Values.hubble.relay.gops.port | quote }} 23 | {{- if .Values.hubble.relay.pprof.enabled }} 24 | pprof: {{ .Values.hubble.relay.pprof.enabled | quote }} 25 | pprof-address: {{ .Values.hubble.relay.pprof.address | quote }} 26 | pprof-port: {{ .Values.hubble.relay.pprof.port | quote }} 27 | {{- end }} 28 | {{- if .Values.hubble.relay.prometheus.enabled }} 29 | metrics-listen-address: ":{{ .Values.hubble.relay.prometheus.port }}" 30 | {{- end }} 31 | dial-timeout: {{ .Values.hubble.relay.dialTimeout }} 32 | retry-timeout: {{ .Values.hubble.relay.retryTimeout }} 33 | sort-buffer-len-max: {{ .Values.hubble.relay.sortBufferLenMax }} 
34 | sort-buffer-drain-timeout: {{ .Values.hubble.relay.sortBufferDrainTimeout }} {{- /* NOTE(review): with hubble.tls.enabled=false the relay dials every hubble peer in plaintext (disable-client-tls). It serves its own clients over TLS only when both hubble.tls.enabled and hubble.relay.tls.server.enabled are set, and a client CA (tls-relay-client-ca-files) is configured only when hubble.relay.tls.server.mtls is additionally true; in every other case disable-server-tls is rendered */}} 35 | {{- if .Values.hubble.tls.enabled }} 36 | tls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt 37 | tls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key 38 | tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt 39 | {{- else }} 40 | disable-client-tls: true 41 | {{- end }} 42 | {{- if and .Values.hubble.tls.enabled .Values.hubble.relay.tls.server.enabled }} 43 | tls-relay-server-cert-file: /var/lib/hubble-relay/tls/server.crt 44 | tls-relay-server-key-file: /var/lib/hubble-relay/tls/server.key 45 | {{- if .Values.hubble.relay.tls.server.mtls }} 46 | tls-relay-client-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt 47 | {{- end }} 48 | {{- else }} 49 | disable-server-tls: true 50 | {{- end }} 51 | {{- end }} 52 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble-relay/metrics-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.relay.enabled .Values.hubble.relay.prometheus.enabled }} 2 | # We use a separate service from hubble-relay which can be exposed externally 3 | kind: Service 4 | apiVersion: v1 5 | metadata: 6 | name: hubble-relay-metrics 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.hubble.relay.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | labels: 13 | k8s-app: hubble-relay 14 | spec: 15 | clusterIP: None 16 | type: ClusterIP 17 | selector: 18 | k8s-app: hubble-relay 19 | ports: 20 | - name: metrics 21 | port: {{ .Values.hubble.relay.prometheus.port }} 22 | protocol: TCP 23 | targetPort: prometheus 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.relay.enabled .Values.hubble.relay.podDisruptionBudget.enabled }} 2 | {{- $component := .Values.hubble.relay.podDisruptionBudget }} 3 | apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: hubble-relay 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.hubble.relay.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | k8s-app: hubble-relay 14 | app.kubernetes.io/name: hubble-relay 15 | app.kubernetes.io/part-of: cilium 16 | spec: 17 | {{- with $component.maxUnavailable }} 18 | maxUnavailable: {{ . }} 19 | {{- end }} 20 | {{- with $component.minAvailable }} 21 | minAvailable: {{ . }} 22 | {{- end }} 23 | selector: 24 | matchLabels: 25 | k8s-app: hubble-relay 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble-relay/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.relay.enabled }} 2 | kind: Service 3 | apiVersion: v1 4 | metadata: 5 | name: hubble-relay 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.hubble.relay.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | labels: 12 | k8s-app: hubble-relay 13 | app.kubernetes.io/name: hubble-relay 14 | app.kubernetes.io/part-of: cilium 15 | spec: 16 | type: {{ .Values.hubble.relay.service.type | quote }} 17 | selector: 18 | k8s-app: hubble-relay 19 | ports: 20 | - protocol: TCP 21 | {{- if .Values.hubble.relay.servicePort }} 22 | port: {{ .Values.hubble.relay.servicePort }} 23 | {{- else }} 24 | port: {{ .Values.hubble.relay.tls.server.enabled | ternary 443 80 }} 25 | {{- end }} 26 | targetPort: {{ .Values.hubble.relay.listenPort }} 27 | {{- if and (eq "NodePort" .Values.hubble.relay.service.type) .Values.hubble.relay.service.nodePort }} 28 | nodePort: {{ .Values.hubble.relay.service.nodePort }} 29 | {{- end }} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble-relay/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.relay.enabled .Values.serviceAccounts.relay.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.relay.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.relay.annotations .Values.hubble.relay.annotations }} 8 | annotations: 9 | {{- with .Values.hubble.relay.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.relay.annotations }} 13 | {{- toYaml . 
| nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble-relay/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.relay.enabled .Values.hubble.relay.prometheus.enabled .Values.hubble.relay.prometheus.serviceMonitor.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: hubble-relay 6 | namespace: {{ .Values.hubble.relay.prometheus.serviceMonitor.namespace | default .Release.Namespace }} 7 | labels: 8 | {{- with .Values.hubble.relay.prometheus.serviceMonitor.labels }} 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | {{- if or .Values.hubble.relay.prometheus.serviceMonitor.annotations .Values.hubble.relay.annotations }} 12 | annotations: 13 | {{- with .Values.hubble.relay.annotations }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | {{- with .Values.hubble.relay.prometheus.serviceMonitor.annotations }} 17 | {{- toYaml . | nindent 4 }} 18 | {{- end }} 19 | {{- end }} 20 | spec: 21 | selector: 22 | matchLabels: 23 | k8s-app: hubble-relay 24 | namespaceSelector: 25 | matchNames: 26 | - {{ .Release.Namespace }} 27 | endpoints: 28 | - port: metrics 29 | interval: {{ .Values.hubble.relay.prometheus.serviceMonitor.interval | quote }} 30 | path: /metrics 31 | {{- with .Values.hubble.relay.prometheus.serviceMonitor.relabelings }} 32 | relabelings: 33 | {{- toYaml . | nindent 4 }} 34 | {{- end }} 35 | {{- with .Values.hubble.relay.prometheus.serviceMonitor.metricRelabelings }} 36 | metricRelabelings: 37 | {{- toYaml . 
| nindent 4 }} 38 | {{- end }} 39 | {{- end }} 40 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble-ui/_nginx.tpl: -------------------------------------------------------------------------------- 1 | {{- define "hubble-ui.nginx.conf" }} 2 | server { 3 | listen 8081; 4 | {{- if .Values.hubble.ui.frontend.server.ipv6.enabled }} 5 | listen [::]:8081; 6 | {{- end }} 7 | server_name localhost; 8 | root /app; 9 | index index.html; 10 | client_max_body_size 1G; 11 | 12 | location / { 13 | proxy_set_header Host $host; 14 | proxy_set_header X-Real-IP $remote_addr; 15 | {{- /* NOTE(review): Access-Control-Allow-Origin "*" combined with the PUT/DELETE methods below lets any web origin call this server, including the nested api location (it declares no add_header of its own, so it inherits these headers, and proxy_hide_header drops whatever the backend sets). That is acceptable for an in-cluster UI; revisit it if hubble-ui is published through the ingress template */}} 16 | # CORS 17 | add_header Access-Control-Allow-Methods "GET, POST, PUT, HEAD, DELETE, OPTIONS"; 18 | add_header Access-Control-Allow-Origin *; 19 | add_header Access-Control-Max-Age 1728000; 20 | add_header Access-Control-Expose-Headers content-length,grpc-status,grpc-message; 21 | add_header Access-Control-Allow-Headers range,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout; 22 | if ($request_method = OPTIONS) { 23 | return 204; 24 | } 25 | # /CORS 26 | {{- /* hubble.ui.baseUrl is spliced into the location prefix and, unescaped, into the rewrite regex; it is presumably a plain path such as "/" or "/hubble/", and a value containing regex metacharacters would change what the rewrite matches — confirm the value is validated upstream */}} 27 | location {{ .Values.hubble.ui.baseUrl }}api { 28 | {{- if not (eq .Values.hubble.ui.baseUrl "/") }} 29 | rewrite ^{{ (trimSuffix "/" .Values.hubble.ui.baseUrl) }}(/.*)$ $1 break; 30 | {{- end }} 31 | proxy_http_version 1.1; 32 | proxy_pass_request_headers on; 33 | proxy_hide_header Access-Control-Allow-Origin; 34 | {{- if eq .Values.hubble.ui.baseUrl "/" }} 35 | proxy_pass http://127.0.0.1:8090; 36 | {{- else }} 37 | proxy_pass http://127.0.0.1:8090/; 38 | {{- end }} 39 | } 40 | 41 | {{- if not (eq .Values.hubble.ui.baseUrl "/") }} 42 | sub_filter_once on; 43 | sub_filter '' ''; 44 | {{- end }} 45 | location {{ .Values.hubble.ui.baseUrl }} { 46 | {{- if not (eq .Values.hubble.ui.baseUrl "/") }} 47 | rewrite ^{{ (trimSuffix "/" 
.Values.hubble.ui.baseUrl) }}(/.*)$ $1 break; 48 | {{- end }} 49 | # double `/index.html` is required here 50 | try_files $uri $uri/ /index.html /index.html; 51 | } 52 | 53 | # Liveness probe 54 | location /healthz { 55 | access_log off; 56 | add_header Content-Type text/plain; 57 | return 200 'ok'; 58 | } 59 | } 60 | } 61 | {{- end }} 62 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble-ui/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.serviceAccounts.ui.create }} 2 | kind: ClusterRole 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: hubble-ui 6 | {{- with .Values.hubble.ui.annotations }} 7 | annotations: 8 | {{- toYaml . | nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | rules: 13 | - apiGroups: 14 | - networking.k8s.io 15 | resources: 16 | - networkpolicies 17 | verbs: 18 | - get 19 | - list 20 | - watch 21 | - apiGroups: 22 | - "" 23 | resources: 24 | - componentstatuses 25 | - endpoints 26 | - namespaces 27 | - nodes 28 | - pods 29 | - services 30 | verbs: 31 | - get 32 | - list 33 | - watch 34 | - apiGroups: 35 | - apiextensions.k8s.io 36 | resources: 37 | - customresourcedefinitions 38 | verbs: 39 | - get 40 | - list 41 | - watch 42 | - apiGroups: 43 | - cilium.io 44 | resources: 45 | - "*" 46 | verbs: 47 | - get 48 | - list 49 | - watch 50 | {{- end }} 51 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble-ui/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.serviceAccounts.ui.create }} 2 | kind: 
ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: hubble-ui 6 | {{- with .Values.hubble.ui.annotations }} 7 | annotations: 8 | {{- toYaml . | nindent 4 }} 9 | {{- end }} 10 | labels: 11 | app.kubernetes.io/part-of: cilium 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: hubble-ui 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ .Values.serviceAccounts.ui.name | quote }} 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble-ui/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled }} 2 | --- 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: hubble-ui-nginx 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.hubble.ui.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | data: 13 | nginx.conf: {{ include "hubble-ui.nginx.conf" . | trim | quote }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble-ui/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.hubble.ui.ingress.enabled }} 2 | {{- $baseUrl := .Values.hubble.ui.baseUrl -}} 3 | apiVersion: {{ template "ingress.apiVersion" . }} 4 | kind: Ingress 5 | metadata: 6 | name: hubble-ui 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | k8s-app: hubble-ui 10 | app.kubernetes.io/name: hubble-ui 11 | app.kubernetes.io/part-of: cilium 12 | {{- with .Values.hubble.ui.ingress.labels }} 13 | {{- toYaml . 
| nindent 4 }} 14 | {{- end }} 15 | {{- if or .Values.hubble.ui.ingress.annotations .Values.hubble.ui.annotations }} 16 | annotations: 17 | {{- with .Values.hubble.ui.annotations }} 18 | {{- toYaml . | nindent 4 }} 19 | {{- end }} 20 | {{- with .Values.hubble.ui.ingress.annotations }} 21 | {{- toYaml . | nindent 4 }} 22 | {{- end }} 23 | {{- end }} 24 | spec: 25 | {{- if .Values.hubble.ui.ingress.className }} 26 | ingressClassName: {{ .Values.hubble.ui.ingress.className }} 27 | {{- end }} 28 | {{- if .Values.hubble.ui.ingress.tls }} 29 | tls: 30 | {{- toYaml .Values.hubble.ui.ingress.tls | nindent 4 }} 31 | {{- end }} 32 | rules: 33 | {{- range .Values.hubble.ui.ingress.hosts }} 34 | - host: {{ . }} 35 | http: 36 | paths: 37 | - path: {{ $baseUrl | quote }} 38 | {{- include "ingress.paths" $ | nindent 12 }} 39 | {{- end }} 40 | {{- end }} 41 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.hubble.ui.podDisruptionBudget.enabled }} 2 | {{- $component := .Values.hubble.ui.podDisruptionBudget }} 3 | apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: hubble-ui 7 | namespace: {{ .Release.Namespace }} 8 | {{- with .Values.hubble.ui.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | k8s-app: hubble-ui 14 | app.kubernetes.io/name: hubble-ui 15 | app.kubernetes.io/part-of: cilium 16 | spec: 17 | {{- with $component.maxUnavailable }} 18 | maxUnavailable: {{ . }} 19 | {{- end }} 20 | {{- with $component.minAvailable }} 21 | minAvailable: {{ . 
}} 22 | {{- end }} 23 | selector: 24 | matchLabels: 25 | k8s-app: hubble-ui 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble-ui/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled }} 2 | kind: Service 3 | apiVersion: v1 4 | metadata: 5 | name: hubble-ui 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.hubble.ui.service.annotations .Values.hubble.ui.annotations }} 8 | annotations: 9 | {{- with .Values.hubble.ui.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.hubble.ui.service.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | labels: 17 | k8s-app: hubble-ui 18 | app.kubernetes.io/name: hubble-ui 19 | app.kubernetes.io/part-of: cilium 20 | spec: 21 | type: {{ .Values.hubble.ui.service.type | quote }} 22 | selector: 23 | k8s-app: hubble-ui 24 | ports: 25 | - name: http 26 | port: 80 27 | targetPort: 8081 28 | {{- if and (eq "NodePort" .Values.hubble.ui.service.type) .Values.hubble.ui.service.nodePort }} 29 | nodePort: {{ .Values.hubble.ui.service.nodePort }} 30 | {{- end }} 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble-ui/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.serviceAccounts.ui.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.serviceAccounts.ui.name | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | {{- if or .Values.serviceAccounts.ui.annotations .Values.hubble.ui.annotations }} 8 | annotations: 9 | {{- 
with .Values.hubble.ui.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccounts.ui.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/dashboards-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.hubble.metrics.dashboards.enabled }} 2 | {{- $files := .Files.Glob "files/hubble/dashboards/*.json" }} 3 | {{- range $path, $fileContents := $files }} 4 | {{- $dashboardName := regexReplaceAll "(^.*/)(.*)\\.json$" $path "${2}" }} 5 | --- 6 | apiVersion: v1 7 | kind: ConfigMap 8 | metadata: 9 | name: {{ $dashboardName | trunc 63 | trimSuffix "-" }} 10 | namespace: {{ $.Values.hubble.metrics.dashboards.namespace | default $.Release.Namespace }} 11 | labels: 12 | k8s-app: hubble 13 | app.kubernetes.io/name: hubble 14 | app.kubernetes.io/part-of: cilium 15 | {{- if $.Values.hubble.metrics.dashboards.label }} 16 | {{ $.Values.hubble.metrics.dashboards.label }}: {{ ternary $.Values.hubble.metrics.dashboards.labelValue "1" (not (empty $.Values.hubble.metrics.dashboards.labelValue)) | quote }} 17 | {{- end }} 18 | {{- if or $.Values.hubble.metrics.dashboards.annotations $.Values.hubble.annotations }} 19 | annotations: 20 | {{- with $.Values.hubble.annotations }} 21 | {{- toYaml . | nindent 4 }} 22 | {{- end }} 23 | {{- with $.Values.hubble.metrics.dashboards.annotations }} 24 | {{- toYaml . 
| nindent 4 }} 25 | {{- end }} 26 | {{- end }} 27 | data: 28 | {{ $dashboardName }}.json: {{ $.Files.Get $path | toJson }} 29 | {{- end }} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/metrics-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hubble.enabled .Values.hubble.metrics.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: hubble-metrics 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | k8s-app: hubble 9 | app.kubernetes.io/name: hubble 10 | app.kubernetes.io/part-of: cilium 11 | annotations: 12 | {{- with .Values.hubble.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- with .Values.hubble.metrics.serviceAnnotations }} 16 | {{- toYaml . | nindent 4 }} 17 | {{- end }} 18 | {{- if not .Values.hubble.metrics.serviceMonitor.enabled }} 19 | prometheus.io/scrape: "true" 20 | prometheus.io/port: {{ .Values.hubble.metrics.port | quote }} 21 | {{- end }} 22 | spec: 23 | clusterIP: None 24 | type: ClusterIP 25 | ports: 26 | - name: hubble-metrics 27 | port: {{ .Values.hubble.metrics.port }} 28 | protocol: TCP 29 | targetPort: hubble-metrics 30 | selector: 31 | k8s-app: cilium 32 | {{- end }} 33 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/peer-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.agent .Values.hubble.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: hubble-peer 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.hubble.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }}
  {{- end }}
  labels:
    k8s-app: cilium
    app.kubernetes.io/part-of: cilium
    app.kubernetes.io/name: hubble-peer
spec:
  selector:
    k8s-app: cilium
  ports:
  - name: peer-service
    # Explicit servicePort wins; otherwise 443 when Hubble TLS is on, 80 when
    # it is off. The port number is only a convention here - whether the
    # peer API actually speaks TLS is decided by the agent config, not by
    # this Service.
    {{- if .Values.hubble.peerService.servicePort }}
    port: {{ .Values.hubble.peerService.servicePort }}
    {{- else }}
    port: {{ .Values.hubble.tls.enabled | ternary 443 80 }}
    {{- end }}
    protocol: TCP
    targetPort: {{ .Values.hubble.peerService.targetPort }}
  # Keep peer traffic on the local node's agent; the field only exists on
  # Kubernetes >= 1.22.
  {{- if semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion }}
  internalTrafficPolicy: Local
  {{- end }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/servicemonitor.yaml: --------------------------------------------------------------------------------
{{- if and .Values.hubble.enabled .Values.hubble.metrics.enabled .Values.hubble.metrics.serviceMonitor.enabled }}
# Prometheus Operator ServiceMonitor for the hubble-metrics Service. It may
# live in a different namespace (prometheus.serviceMonitor.namespace) but only
# selects Services in the release namespace.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: hubble
  namespace: {{ .Values.prometheus.serviceMonitor.namespace | default .Release.Namespace }}
  labels:
    app.kubernetes.io/part-of: cilium
    {{- with .Values.hubble.metrics.serviceMonitor.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- if or .Values.hubble.metrics.serviceMonitor.annotations .Values.hubble.annotations }}
  annotations:
    {{- with .Values.hubble.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.hubble.metrics.serviceMonitor.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
spec:
  selector:
    matchLabels:
      k8s-app: hubble
  namespaceSelector:
    matchNames:
    - {{ .Release.Namespace }}
  endpoints:
  - port: hubble-metrics
    interval: {{ .Values.hubble.metrics.serviceMonitor.interval | quote }}
    # honorLabels: true is Prometheus honor_labels - labels exported by the
    # scraped agent take precedence over the ones Prometheus would attach, so
    # a target can override e.g. "instance"/"job" on its own series.
    honorLabels: true
    path: /metrics
    {{- with .Values.hubble.metrics.serviceMonitor.relabelings }}
    relabelings:
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.hubble.metrics.serviceMonitor.metricRelabelings }}
    metricRelabelings:
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- if .Values.hubble.metrics.serviceMonitor.jobLabel }}
  jobLabel: {{ .Values.hubble.metrics.serviceMonitor.jobLabel | quote }}
  {{- end }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml: --------------------------------------------------------------------------------
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") .Values.hubble.relay.enabled }}
# cert-manager Certificate for the client identity hubble-relay presents to the
# per-node Hubble servers. Only rendered for hubble.tls.auto.method=certmanager.
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hubble-relay-client-certs
  namespace: {{ .Release.Namespace }}
  {{- with .Values.hubble.annotations }}
  annotations:
    {{- toYaml .
| nindent 4 }}
  {{- end }}
spec:
  # Issuer is entirely user-supplied. The CA behind it must be the same one
  # whose certificate the Hubble servers trust (the tls.ca / cilium-ca path is
  # not visible in this file) - otherwise the mTLS handshake fails on the
  # server side.
  issuerRef:
    {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
  secretName: hubble-relay-client-certs
  # NOTE(review): the relay *client* and relay *server* certificates in this
  # directory both carry the wildcard identity "*.hubble-relay.cilium.io"; if
  # the verifying side checks only the name, either leaf satisfies the other
  # role. Confirm whether that is acceptable or whether distinct names/usages
  # should be set.
  commonName: "*.hubble-relay.cilium.io"
  dnsNames:
  - "*.hubble-relay.cilium.io"
  # certValidityDuration is expressed in days; cert-manager wants a Go
  # duration, so it is converted to hours here.
  duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
  privateKey:
    # Fresh private key on every renewal, not only a re-signed CSR.
    rotationPolicy: Always
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml: --------------------------------------------------------------------------------
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }}
# cert-manager Certificate for the TLS server side of hubble-relay (the
# endpoint hubble-ui / CLI clients connect to). Rendered only when relay server
# TLS is explicitly enabled.
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hubble-relay-server-certs
  namespace: {{ .Release.Namespace }}
  {{- with .Values.hubble.annotations }}
  annotations:
    {{- toYaml .
| nindent 4 }}
  {{- end }}
spec:
  issuerRef:
    {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
  secretName: hubble-relay-server-certs
  commonName: "*.hubble-relay.cilium.io"
  # Extra SANs for externally reachable relay endpoints come straight from
  # values; they are quoted but otherwise not validated here.
  dnsNames:
  - "*.hubble-relay.cilium.io"
  {{- range $dns := .Values.hubble.relay.tls.server.extraDnsNames }}
  - {{ $dns | quote }}
  {{- end }}
  {{- if .Values.hubble.relay.tls.server.extraIpAddresses }}
  ipAddresses:
  {{- range $ip := .Values.hubble.relay.tls.server.extraIpAddresses }}
  - {{ $ip | quote }}
  {{- end }}
  {{- end }}
  duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
  privateKey:
    rotationPolicy: Always
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml: --------------------------------------------------------------------------------
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") }}
# Server certificate used by every cilium agent's Hubble gRPC endpoint. The
# identity is "*.<cluster-name>.hubble-grpc.cilium.io" (dots in the cluster
# name replaced by dashes), i.e. one wildcard cert shared by all nodes.
{{- $cn := list "*" (.Values.cluster.name | replace "." "-") "hubble-grpc.cilium.io" | join "." }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hubble-server-certs
  namespace: {{ .Release.Namespace }}
  {{- with .Values.hubble.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  issuerRef:
    {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
  secretName: hubble-server-certs
  commonName: {{ $cn | quote }}
  dnsNames:
  - {{ $cn | quote }}
  {{- range $dns := .Values.hubble.tls.server.extraDnsNames }}
  - {{ $dns | quote }}
  {{- end }}
  {{- if .Values.hubble.tls.server.extraIpAddresses }}
  ipAddresses:
  {{- range $ip := .Values.hubble.tls.server.extraIpAddresses }}
  - {{ $ip | quote }}
  {{- end }}
  {{- end }}
  duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
  privateKey:
    rotationPolicy: Always
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml: --------------------------------------------------------------------------------
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") .Values.hubble.ui.enabled .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }}
# Client certificate hubble-ui presents to hubble-relay; only needed (and only
# rendered) when the relay server side has TLS enabled.
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hubble-ui-client-certs
  namespace: {{ .Release.Namespace }}
  {{- with .Values.hubble.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  issuerRef:
    {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
  secretName: hubble-ui-client-certs
  commonName: "*.hubble-ui.cilium.io"
  dnsNames:
  - "*.hubble-ui.cilium.io"
  duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
  privateKey:
    rotationPolicy: Always
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl: --------------------------------------------------------------------------------
{{/*
Pod/Job spec shared by the one-shot post-install Job and the renewal CronJob
that run cilium-certgen for the "cronJob" TLS method. The container writes the
Hubble server/relay certificates (and, unless a CA is supplied via values, the
CA itself) directly into Kubernetes Secrets using the hubblecertgen
ServiceAccount.
*/}}
{{- define "hubble-generate-certs.job.spec" }}
{{- $certValiditySecondsStr := printf "%ds" (mul .Values.hubble.tls.auto.certValidityDuration 24 60 60) -}}
spec:
  template:
    metadata:
      labels:
        k8s-app: hubble-generate-certs
        {{- with .Values.certgen.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      containers:
        - name: certgen
          image: {{ include "cilium.image" .Values.certgen.image | quote }}
          imagePullPolicy: {{ .Values.certgen.image.pullPolicy }}
          command:
            - "/usr/bin/cilium-certgen"
          # Because this is executed as a job, we pass the values as command
          # line args instead of via config map. This allows users to inspect
          # the values used in past runs by inspecting the completed pod.
          # (Nothing secret is passed this way - only names, durations and
          # flags - so exposing the args via the completed pod is harmless.)
          args:
            - "--cilium-namespace={{ .Release.Namespace }}"
            {{- if .Values.debug.enabled }}
            - "--debug"
            {{- end }}
            # --ca-reuse-secret: keep an existing CA Secret instead of minting a
            # new one on every run, so renewals stay verifiable by the already
            # distributed trust bundle. When tls.ca.cert/key are provided the
            # CA is read from the "cilium-ca" Secret instead.
            - "--ca-generate"
            - "--ca-reuse-secret"
            {{- if and .Values.tls.ca.cert .Values.tls.ca.key }}
            - "--ca-secret-name=cilium-ca"
            {{- end }}
            - "--hubble-server-cert-generate"
            - "--hubble-server-cert-common-name={{ list "*" (.Values.cluster.name | replace "." "-") "hubble-grpc.cilium.io" | join "." }}"
            - "--hubble-server-cert-validity-duration={{ $certValiditySecondsStr }}"
            {{- if .Values.hubble.relay.enabled }}
            - "--hubble-relay-client-cert-generate"
            - "--hubble-relay-client-cert-validity-duration={{ $certValiditySecondsStr }}"
            {{- end }}
            {{- if and .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }}
            - "--hubble-relay-server-cert-generate"
            - "--hubble-relay-server-cert-validity-duration={{ $certValiditySecondsStr }}"
            {{- end }}
          {{- with .Values.certgen.extraVolumeMounts }}
          volumeMounts:
          {{- toYaml . | nindent 10 }}
          {{- end }}
      # NOTE(review): the pod runs on the host network. Presumably this is so
      # it can reach the API server before the CNI (Cilium itself) is ready -
      # confirm; it also means the pod is not subject to Cilium network policy.
      hostNetwork: true
      {{- with .Values.certgen.tolerations }}
      tolerations:
      {{- toYaml . | nindent 8 }}
      {{- end }}
      # The job needs its ServiceAccount token to write Secrets; setting
      # serviceAccounts.hubblecertgen.automount=false without mounting a token
      # another way will make every run fail.
      serviceAccount: {{ .Values.serviceAccounts.hubblecertgen.name | quote }}
      serviceAccountName: {{ .Values.serviceAccounts.hubblecertgen.name | quote }}
      automountServiceAccountToken: {{ .Values.serviceAccounts.hubblecertgen.automount }}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
      {{- toYaml . | nindent 8 }}
      {{- end }}
      restartPolicy: OnFailure
      {{- with .Values.certgen.extraVolumes }}
      volumes:
      {{- toYaml . | nindent 6 }}
      {{- end }}
      affinity:
        {{- with .Values.certgen.affinity }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
  ttlSecondsAfterFinished: {{ .Values.certgen.ttlSecondsAfterFinished }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-cronjob/clusterrole.yaml: --------------------------------------------------------------------------------
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") .Values.serviceAccounts.hubblecertgen.create }}
# RBAC for the certgen job. Note that this is a ClusterRole, so every rule
# below applies in ALL namespaces, not just the release namespace:
#   - "create" on secrets cannot be narrowed by resourceNames in Kubernetes,
#     so the job may create any Secret anywhere in the cluster;
#   - "update" is limited to the three Hubble cert Secret names, but in any
#     namespace that happens to contain a Secret of that name;
#   - "get"+"update" on "cilium-ca" lets the job read the CA private key.
# A namespaced Role would be the least-privilege shape if the job only ever
# touches the release namespace (--cilium-namespace in _job-spec.tpl).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: hubble-generate-certs
  {{- with .Values.hubble.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - hubble-server-certs
  - hubble-relay-client-certs
  - hubble-relay-server-certs
  verbs:
  - update
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - cilium-ca
  verbs:
  - get
  - update
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-cronjob/clusterrolebinding.yaml: --------------------------------------------------------------------------------
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") .Values.serviceAccounts.hubblecertgen.create }}
# Binds the cluster-wide hubble-generate-certs ClusterRole to the certgen
# ServiceAccount in the release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: hubble-generate-certs
  {{- with .Values.hubble.annotations }}
  annotations:
    {{- toYaml .
| nindent 4 }}
  {{- end }}
  labels:
    app.kubernetes.io/part-of: cilium
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: hubble-generate-certs
subjects:
- kind: ServiceAccount
  name: {{ .Values.serviceAccounts.hubblecertgen.name | quote }}
  namespace: {{ .Release.Namespace }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-cronjob/cronjob.yaml: --------------------------------------------------------------------------------
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") .Values.hubble.tls.auto.schedule }}
# Periodic renewal of the Hubble certificates. Only rendered when a schedule
# is set; without one the certificates are generated once by job.yaml and
# never rotated by the chart.
apiVersion: {{ include "cronjob.apiVersion" . }}
kind: CronJob
metadata:
  name: hubble-generate-certs
  namespace: {{ .Release.Namespace }}
  labels:
    k8s-app: hubble-generate-certs
    app.kubernetes.io/name: hubble-generate-certs
    app.kubernetes.io/part-of: cilium
  {{- if or .Values.certgen.annotations.cronJob .Values.hubble.annotations }}
  annotations:
    {{- with .Values.hubble.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.certgen.annotations.cronJob }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
spec:
  schedule: {{ .Values.hubble.tls.auto.schedule | quote }}
  # Never run two certgen pods at once - both would try to update the same
  # Secrets.
  concurrencyPolicy: Forbid
  jobTemplate:
  {{- include "hubble-generate-certs.job.spec" . | nindent 4 }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-cronjob/job.yaml: --------------------------------------------------------------------------------
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") }}
# One-shot certificate generation run as a Helm post-install/post-upgrade hook.
# NOTE(review): in this repository the chart is inflated through kustomize
# (see kustomize-enable-helm.patch.yaml in the argocd manifests) rather than
# installed by Helm, so "helm.sh/hook" is just an annotation on an ordinary
# Job unless the deploying tool maps Helm hooks itself - confirm the Job still
# re-runs on upgrade in that setup.
---
apiVersion: batch/v1
kind: Job
metadata:
  name: hubble-generate-certs
  namespace: {{ .Release.Namespace }}
  labels:
    k8s-app: hubble-generate-certs
    app.kubernetes.io/name: hubble-generate-certs
    app.kubernetes.io/part-of: cilium
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    {{- with .Values.certgen.annotations.job }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.hubble.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
{{ include "hubble-generate-certs.job.spec" . }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-cronjob/serviceaccount.yaml: --------------------------------------------------------------------------------
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") .Values.serviceAccounts.hubblecertgen.create }}
# ServiceAccount the certgen Job/CronJob runs as; it is the subject of the
# hubble-generate-certs ClusterRoleBinding.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.serviceAccounts.hubblecertgen.name | quote }}
  namespace: {{ .Release.Namespace }}
  {{- if or .Values.serviceAccounts.hubblecertgen.annotations .Values.hubble.annotations }}
  annotations:
    {{- with .Values.hubble.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.serviceAccounts.hubblecertgen.annotations }}
    {{- toYaml .
| nindent 4 }}
    {{- end }}
  {{- end }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-helm/_helpers.tpl: --------------------------------------------------------------------------------
{{/*
Generate TLS certificates for Hubble Server and Hubble Relay.

Note: Always use this template as follows:

    {{- $_ := include "hubble-generate-certs.helm.setup-ca" . -}}

The assignment to `$_` is required because we store the generated CA in a global `ca` variable.
Please, don't try to "simplify" this, as without this trick, every generated
certificate would be signed by a different CA.

CA selection order:
  1. tls.ca.cert + tls.ca.key from values (operator-supplied CA);
  2. otherwise the CA Secret already present in the cluster (looked up by the
     name that "cilium.ca.setup" puts in .commonCASecretName);
  3. otherwise whatever "cilium.ca.setup" left in .commonCA.

NOTE(review): `lookup` returns nothing under `helm template`, `--dry-run` and
kustomize/Argo CD chart inflation (no cluster access at render time), so in
those modes branch 3 is always taken. Whether that yields a stable CA or a new
one per render depends on "cilium.ca.setup", which is not in this file -
confirm before relying on the helm method in a GitOps pipeline; a CA that
changes on every sync would invalidate all previously issued Hubble certs.
*/}}
{{- define "hubble-generate-certs.helm.setup-ca" }}
  {{- if not .ca }}
    {{- $ca := "" -}}
    {{- $crt := .Values.tls.ca.cert -}}
    {{- $key := .Values.tls.ca.key -}}
    {{- if and $crt $key }}
      {{- $ca = buildCustomCert $crt $key -}}
    {{- else }}
      {{- $_ := include "cilium.ca.setup" . -}}
      {{- with lookup "v1" "Secret" .Release.Namespace .commonCASecretName }}
        {{- $crt := index .data "ca.crt" }}
        {{- $key := index .data "ca.key" }}
        {{- $ca = buildCustomCert $crt $key -}}
      {{- else }}
        {{- $ca = .commonCA -}}
      {{- end }}
    {{- end }}
    {{- $_ := set . "ca" $ca -}}
  {{- end }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml: --------------------------------------------------------------------------------
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm") .Values.hubble.relay.enabled }}
{{- $_ := include "hubble-generate-certs.helm.setup-ca" .
| nindent 4 }}
  {{- end }}
type: kubernetes.io/tls
data:
  ca.crt: {{ .ca.Cert | b64enc }}
  tls.crt: {{ $cert.Cert | b64enc }}
  tls.key: {{ $cert.Key | b64enc }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-helm/server-secret.yaml: --------------------------------------------------------------------------------
{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm") }}
# Hubble server certificate for the "helm" TLS method: key pair and leaf are
# minted at template-render time with genSignedCert and signed by the CA that
# setup-ca put in .ca. Because genSignedCert runs unconditionally, every render
# (each helm upgrade / GitOps sync) produces a new key and certificate, and the
# private key is part of the rendered manifest - treat the render output and
# the release record as sensitive.
{{- $_ := include "hubble-generate-certs.helm.setup-ca" . -}}
# Same wildcard identity as the certmanager/cronJob methods:
# "*.<cluster-name>.hubble-grpc.cilium.io".
{{- $cn := list "*" (.Values.cluster.name | replace "." "-") "hubble-grpc.cilium.io" | join "." }}
{{- $ip := .Values.hubble.tls.server.extraIpAddresses }}
{{- $dns := prepend .Values.hubble.tls.server.extraDnsNames $cn }}
{{- $cert := genSignedCert $cn $ip $dns (.Values.hubble.tls.auto.certValidityDuration | int) .ca -}}
---
apiVersion: v1
kind: Secret
metadata:
  name: hubble-server-certs
  namespace: {{ .Release.Namespace }}
  {{- with .Values.hubble.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
type: kubernetes.io/tls
data:
  ca.crt: {{ .ca.Cert | b64enc }}
  tls.crt: {{ $cert.Cert | b64enc }}
  tls.key: {{ $cert.Key | b64enc }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-helm/ui-client-certs.yaml: --------------------------------------------------------------------------------
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm") .Values.hubble.ui.enabled .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }}
# hubble-ui client certificate for the "helm" TLS method; see server-secret.yaml
# for the render-time generation caveats.
{{- $_ := include "hubble-generate-certs.helm.setup-ca" . -}}
{{- $cn := "*.hubble-ui.cilium.io" }}
{{- $dns := list $cn }}
{{- $cert := genSignedCert $cn nil $dns (.Values.hubble.tls.auto.certValidityDuration | int) .ca -}}
---
apiVersion: v1
kind: Secret
metadata:
  name: hubble-ui-client-certs
  namespace: {{ .Release.Namespace }}
  {{- with .Values.hubble.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
type: kubernetes.io/tls
data:
  ca.crt: {{ .ca.Cert | b64enc }}
  tls.crt: {{ $cert.Cert | b64enc }}
  tls.key: {{ $cert.Key | b64enc }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml: --------------------------------------------------------------------------------
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled }}
# "Provided" TLS method: the operator supplies CA, certificate and key via
# values and the chart only wraps them into a Secret.
apiVersion: v1
kind: Secret
metadata:
  name: hubble-relay-client-certs
  namespace: {{ .Release.Namespace }}
  {{- with .Values.hubble.annotations }}
  annotations:
    {{- toYaml .
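| nindent 4 }}
  {{- end }}
type: kubernetes.io/tls
data:
  # Fail at render time if the CA is missing. The cert/key already use
  # "required"; without the same guard on the CA an unset tls.ca.cert rendered
  # silently as an empty ca.crt, producing a Secret whose peers cannot be
  # verified.
  ca.crt: {{ .Values.tls.ca.cert | required "missing tls.ca.cert" }}
  tls.crt: {{ .Values.hubble.relay.tls.client.cert | required "missing hubble.relay.tls.client.cert" }}
  tls.key: {{ .Values.hubble.relay.tls.client.key | required "missing hubble.relay.tls.client.key" }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml: --------------------------------------------------------------------------------
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }}
# "Provided" TLS method: operator-supplied server certificate for hubble-relay.
apiVersion: v1
kind: Secret
metadata:
  name: hubble-relay-server-certs
  namespace: {{ .Release.Namespace }}
  {{- with .Values.hubble.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
type: kubernetes.io/tls
data:
  # CA is mandatory here for the same reason as the cert and key.
  ca.crt: {{ .Values.tls.ca.cert | required "missing tls.ca.cert" }}
  tls.crt: {{ .Values.hubble.relay.tls.server.cert | required "missing hubble.relay.tls.server.cert" }}
  tls.key: {{ .Values.hubble.relay.tls.server.key | required "missing hubble.relay.tls.server.key" }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-provided/server-secret.yaml: --------------------------------------------------------------------------------
{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) }}
# "Provided" TLS method: operator-supplied Hubble server certificate used by
# every cilium agent. The CA in ca.crt is what the server uses to check relay
# client certificates, so an empty value here breaks mTLS for the whole
# cluster - hence "required".
apiVersion: v1
kind: Secret
metadata:
  name: hubble-server-certs
  namespace: {{ .Release.Namespace }}
  {{- with .Values.hubble.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
type: kubernetes.io/tls
data:
  ca.crt: {{ .Values.tls.ca.cert | required "missing tls.ca.cert" }}
  tls.crt: {{ .Values.hubble.tls.server.cert | required "missing hubble.tls.server.cert" }}
  tls.key: {{ .Values.hubble.tls.server.key | required "missing hubble.tls.server.key" }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml: --------------------------------------------------------------------------------
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.ui.enabled .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }}
# "Provided" TLS method: operator-supplied hubble-ui client certificate; only
# rendered when the relay server side has TLS enabled.
apiVersion: v1
kind: Secret
metadata:
  name: hubble-ui-client-certs
  namespace: {{ .Release.Namespace }}
  {{- with .Values.hubble.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
type: kubernetes.io/tls
data:
  ca.crt: {{ .Values.tls.ca.cert | required "missing tls.ca.cert" }}
  tls.crt: {{ .Values.hubble.ui.tls.client.cert | required "missing hubble.ui.tls.client.cert" }}
  tls.key: {{ .Values.hubble.ui.tls.client.key | required "missing hubble.ui.tls.client.key" }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/spire/agent/clusterrole.yaml: --------------------------------------------------------------------------------
{{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled .Values.authentication.mutual.spire.install.agent.serviceAccount.create -}}
# RBAC for the SPIRE agent DaemonSet (see agent/configmap.yaml for the
# attestors that need it).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }}
  {{- with .Values.authentication.mutual.spire.annotations }}
  annotations:
    {{- toYaml .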
| nindent 4 }}
  {{- end }}
rules:
  # Required cluster role to allow spire-agent to query k8s API server
  # "nodes/proxy" is the API-server proxy to the kubelet, i.e. this grants the
  # agent read access to the kubelet API of every node, not just its own.
  - apiGroups: [ "" ]
    resources: [ "pods","nodes","nodes/proxy" ]
    verbs: [ "get" ]
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/spire/agent/clusterrolebinding.yaml: --------------------------------------------------------------------------------
{{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled .Values.authentication.mutual.spire.install.agent.serviceAccount.create -}}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }}
  {{- with .Values.authentication.mutual.spire.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
# ClusterRole, binding and subject all derive from the same value, so renaming
# the agent ServiceAccount keeps the three consistent.
roleRef:
  kind: ClusterRole
  name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }}
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }}
  namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/spire/agent/configmap.yaml: --------------------------------------------------------------------------------
{{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: spire-agent
  namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
  {{- with .Values.authentication.mutual.spire.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
# Notes on agent.conf (kept out of the block scalar so the rendered config is
# byte-identical):
# - The agent trusts the server through the bundle mounted at
#   /run/spire/bundle/bundle.crt; the spire-bundle ConfigMap that backs it is
#   created empty by bundle-configmap.yaml.
# - authorized_delegates lets the cilium-agent SPIFFE ID fetch SVIDs on behalf
#   of other workloads over the admin socket; that socket is therefore as
#   sensitive as the agent's own identity.
# - KeyManager "memory": agent keys never touch disk and are lost on restart,
#   after which the agent re-attests with the PSAT token.
# - skip_kubelet_verification is passed straight from values. NOTE(review): if
#   true, the k8s WorkloadAttestor appears to skip verifying the kubelet's TLS
#   certificate - keep it false unless kubelet serving certs are genuinely
#   unverifiable in this cluster; confirm against the SPIRE docs.
# - The health listener binds 0.0.0.0:4251 (liveness/readiness only).
data:
  agent.conf: |
    agent {
      data_dir = "/run/spire"
      log_level = "ERROR"
      server_address = "spire-server"
      server_port = "8081"
      socket_path = {{ .Values.authentication.mutual.spire.agentSocketPath | quote }}
      admin_socket_path = {{ .Values.authentication.mutual.spire.adminSocketPath | quote }}
      trust_bundle_path = "/run/spire/bundle/bundle.crt"
      trust_domain = {{ .Values.authentication.mutual.spire.trustDomain | quote }}
      authorized_delegates = [
        "spiffe://{{ .Values.authentication.mutual.spire.trustDomain }}/cilium-agent",
      ]
    }

    plugins {
      NodeAttestor "k8s_psat" {
        plugin_data {
          cluster = {{ .Values.cluster.name | quote }}
        }
      }

      KeyManager "memory" {
        plugin_data {
        }
      }

      WorkloadAttestor "k8s" {
        plugin_data {
          skip_kubelet_verification = {{ .Values.authentication.mutual.spire.install.agent.skipKubeletVerification }}
        }
      }
    }

    health_checks {
      listener_enabled = true
      bind_address = "0.0.0.0"
      bind_port = "4251"
      live_path = "/live"
      ready_path = "/ready"
    }
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/spire/agent/serviceaccount.yaml: --------------------------------------------------------------------------------
{{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled .Values.authentication.mutual.spire.install.agent.serviceAccount.create -}}
# The agent ServiceAccount. Its projected token is what the k8s_psat node
# attestor presents to the server, and the server's allow list (see
# server/configmap.yaml) admits exactly "<namespace>:<this name>".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }}
  namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
  {{- with .Values.authentication.mutual.spire.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/spire/bundle-configmap.yaml: --------------------------------------------------------------------------------
{{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled -}}
# Intentionally empty: the server's "k8sbundle" Notifier (server/configmap.yaml)
# writes the trust bundle into this ConfigMap at runtime and the agents mount
# it. Anything that can update this ConfigMap can change what the agents trust.
apiVersion: v1
kind: ConfigMap
metadata:
  name: spire-bundle
  namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
  {{- with .Values.authentication.mutual.spire.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/spire/namespace.yaml: --------------------------------------------------------------------------------
{{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled (not .Values.authentication.mutual.spire.install.existingNamespace) -}}
# Namespace for the bundled SPIRE install; skipped when an existing namespace
# is supplied.
apiVersion: v1
kind: Namespace
metadata:
  name: {{ .Values.authentication.mutual.spire.install.namespace }}
  {{- with .Values.authentication.mutual.spire.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/spire/server/clusterrole.yaml: --------------------------------------------------------------------------------
{{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled .Values.authentication.mutual.spire.install.server.serviceAccount.create -}}

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }}
  {{- with .Values.authentication.mutual.spire.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
rules:
  # ClusterRole to allow spire-server node attestor to query Token Review API
  - apiGroups: [ "authentication.k8s.io" ]
    resources: [ "tokenreviews" ]
    verbs: [ "create" ]
  # Required cluster role to allow spire-server to query k8s API server
  # for pods for psat attestation
  - apiGroups: [ "" ]
    resources: [ "pods" ]
    verbs: [ "get" ]
  # Required cluster role to allow spire-server to query k8s API server
  # for nodes for psat attestation
  # ("nodes/proxy" is kubelet API access via the API server, cluster-wide.)
  - apiGroups: [ "" ]
    resources: [ "nodes","nodes/proxy" ]
    verbs: [ "get" ]
{{- end }}
-------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/spire/server/clusterrolebinding.yaml: --------------------------------------------------------------------------------
{{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled .Values.authentication.mutual.spire.install.server.serviceAccount.create -}}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }}
| {{- with .Values.authentication.mutual.spire.annotations }} 7 | annotations: 8 | {{- toYaml . | nindent 4 }} 9 | {{- end }} 10 | roleRef: 11 | kind: ClusterRole 12 | name: spire-server 13 | apiGroup: rbac.authorization.k8s.io 14 | subjects: 15 | - kind: ServiceAccount 16 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} 17 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/spire/server/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled -}} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: spire-server 6 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 7 | {{- with .Values.authentication.mutual.spire.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | data: 12 | server.conf: | 13 | server { 14 | bind_address = "0.0.0.0" 15 | bind_port = "8081" 16 | socket_path = "/tmp/spire-server/private/api.sock" 17 | trust_domain = {{ .Values.authentication.mutual.spire.trustDomain | quote }} 18 | data_dir = "/run/spire/data" 19 | log_level = "INFO" 20 | ca_key_type = {{ .Values.authentication.mutual.spire.install.server.ca.keyType | quote }} 21 | 22 | ca_subject = { 23 | country = [{{ .Values.authentication.mutual.spire.install.server.ca.subject.country | quote }}], 24 | organization = [{{ .Values.authentication.mutual.spire.install.server.ca.subject.organization | quote }}], 25 | common_name = {{ .Values.authentication.mutual.spire.install.server.ca.subject.commonName | quote }}, 26 | } 27 | 28 | admin_ids = [ 29 | "spiffe://{{ .Values.authentication.mutual.spire.trustDomain }}/cilium-operator", 30 | ] 31 | } 32 | 33 | plugins { 34 | DataStore "sql" { 35 | plugin_data { 36 | database_type = "sqlite3" 37 | connection_string = "/run/spire/data/datastore.sqlite3" 38 | } 39 | } 40 | 41 | NodeAttestor "k8s_psat" { 42 | plugin_data { 43 | clusters = { 44 | {{ .Values.cluster.name | quote }} = { 45 | use_token_review_api_validation = true 46 | service_account_allow_list = ["{{ .Values.authentication.mutual.spire.install.namespace}}:{{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }}"] 47 | } 48 | } 49 | } 50 | } 51 | 52 | KeyManager "disk" { 53 | plugin_data { 54 | keys_path = "/run/spire/data/keys.json" 55 | } 56 | } 57 | 58 | Notifier "k8sbundle" { 59 | plugin_data { 60 | namespace = {{ .Values.authentication.mutual.spire.install.namespace | quote }} 61 | } 62 | } 63 | } 64 | 65 | health_checks { 66 | listener_enabled = true 67 | bind_address = "0.0.0.0" 68 | bind_port = "8080" 69 | live_path = "/live" 70 | ready_path = "/ready" 71 | } 72 | {{- end }} 73 | -------------------------------------------------------------------------------- 
/manifests/cilium/base/charts/cilium/templates/spire/server/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled .Values.authentication.mutual.spire.install.server.serviceAccount.create -}} 2 | kind: Role 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} 6 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 7 | {{- with .Values.authentication.mutual.spire.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | rules: 12 | # Role (namespace scoped) to be able to push certificate bundles to a configmap 13 | - apiGroups: [ "" ] 14 | resources: [ "configmaps" ] 15 | verbs: [ "patch", "get", "list" ] 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/spire/server/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled -}} 2 | kind: RoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} 6 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 7 | {{- with .Values.authentication.mutual.spire.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: Role 14 | name: spire-server 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} 18 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 19 | --- 20 | kind: RoleBinding 21 | apiVersion: rbac.authorization.k8s.io/v1 22 | metadata: 23 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }}-pod 24 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 25 | {{- with .Values.authentication.mutual.spire.annotations }} 26 | annotations: 27 | {{- toYaml . | nindent 4 }} 28 | {{- end }} 29 | roleRef: 30 | apiGroup: rbac.authorization.k8s.io 31 | kind: ClusterRole 32 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }}-pod 33 | subjects: 34 | - kind: ServiceAccount 35 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} 36 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 37 | {{- end }} 38 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/spire/server/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: spire-server 6 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 7 | {{- if or .Values.authentication.mutual.spire.install.server.service.annotations .Values.authentication.mutual.spire.annotations }} 8 | annotations: 9 | {{- with .Values.authentication.mutual.spire.annotations }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.authentication.mutual.spire.install.server.service.annotations }} 13 | {{- toYaml . 
| nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- with .Values.authentication.mutual.spire.install.server.service.labels }} 17 | labels: 18 | {{- toYaml . | nindent 8 }} 19 | {{- end }} 20 | spec: 21 | type: {{ .Values.authentication.mutual.spire.install.server.service.type }} 22 | ports: 23 | - name: grpc 24 | port: 8081 25 | targetPort: grpc 26 | protocol: TCP 27 | selector: 28 | app: spire-server 29 | {{- end }} 30 | -------------------------------------------------------------------------------- /manifests/cilium/base/charts/cilium/templates/spire/server/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled .Values.authentication.mutual.spire.install.server.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} 6 | namespace: {{ .Values.authentication.mutual.spire.install.namespace }} 7 | {{- with .Values.authentication.mutual.spire.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /manifests/cilium/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - namespace.yaml 3 | 4 | helmCharts: 5 | - name: cilium 6 | repo: https://helm.cilium.io/ 7 | version: 1.15.6 8 | releaseName: cilium 9 | namespace: cilium-system 10 | includeCRDs: true 11 | valuesFile: values.yaml 12 | -------------------------------------------------------------------------------- /manifests/cilium/base/kustomization.yaml.tpl: -------------------------------------------------------------------------------- 1 | resources: 2 | - namespace.yaml 3 | 4 | helmCharts: 5 | - name: cilium 6 | repo: https://helm.cilium.io/ 7 | version: ${cilium_version} 8 | releaseName: cilium 9 | namespace: cilium-system 10 | includeCRDs: true 11 | valuesFile: values.yaml 12 | -------------------------------------------------------------------------------- /manifests/cilium/base/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: cilium-system 6 | labels: 7 | pod-security.kubernetes.io/audit: privileged 8 | pod-security.kubernetes.io/enforce: privileged 9 | pod-security.kubernetes.io/warn: privileged 10 | -------------------------------------------------------------------------------- /manifests/cilium/base/values.yaml: -------------------------------------------------------------------------------- 1 | # https://www.talos.dev/v1.5/kubernetes-guides/network/deploying-cilium/ 2 | k8sServiceHost: localhost 3 | k8sServicePort: 7445 4 | 5 | priorityClassName: "high-priority" 6 | 7 | securityContext: 8 | capabilities: 9 | ciliumAgent: 10 | - CHOWN 11 | - KILL 12 | - NET_ADMIN 13 | - NET_RAW 14 | - IPC_LOCK 15 | - SYS_ADMIN 16 | - SYS_RESOURCE 17 | - DAC_OVERRIDE 18 | - FOWNER 19 | - SETGID 20 
| - SETUID 21 | cleanCiliumState: 22 | - NET_ADMIN 23 | - SYS_ADMIN 24 | - SYS_RESOURCE 25 | 26 | # https://docs.cilium.io/en/v1.14/network/bgp-control-plane/ 27 | bgpControlPlane: 28 | enabled: true 29 | 30 | hubble: 31 | enabled: true 32 | relay: 33 | enabled: true 34 | ui: 35 | enabled: true 36 | 37 | ipam: 38 | mode: kubernetes 39 | 40 | kubeProxyReplacement: strict 41 | 42 | operator: 43 | replicas: 1 44 | priorityClassName: "high-priority" 45 | 46 | cgroup: 47 | autoMount: 48 | enabled: false 49 | hostRoot: /sys/fs/cgroup 50 | -------------------------------------------------------------------------------- /manifests/cilium/bgp-peering-policy.yaml.tpl: -------------------------------------------------------------------------------- 1 | # https://docs.cilium.io/en/v1.14/network/bgp-control-plane/ 2 | --- 3 | apiVersion: "cilium.io/v2alpha1" 4 | kind: CiliumBGPPeeringPolicy 5 | metadata: 6 | name: default 7 | namespace: cilium-system 8 | spec: 9 | # Nodes which are selected by this label selector will apply the given policy 10 | nodeSelector: 11 | matchLabels: 12 | cilium/bgp-peering-policy: default 13 | virtualRouters: 14 | - localASN: ${cilium_asn} 15 | exportPodCIDR: true 16 | neighbors: 17 | - peerAddress: ${router_ip}/32 18 | peerASN: ${router_asn} 19 | eBGPMultihopTTL: 10 20 | connectRetryTimeSeconds: 120 21 | holdTimeSeconds: 90 22 | keepAliveTimeSeconds: 30 23 | gracefulRestart: 24 | enabled: true 25 | restartTimeSeconds: 120 26 | serviceSelector: 27 | matchExpressions: 28 | - { key: somekey, operator: NotIn, values: [ 'never-used-value' ] } 29 | -------------------------------------------------------------------------------- /manifests/cilium/high-priority-scheduling.yaml: -------------------------------------------------------------------------------- 1 | # https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ 2 | --- 3 | apiVersion: scheduling.k8s.io/v1 4 | kind: PriorityClass 5 | metadata: 6 | name: high-priority 7 | 
value: 1000000 8 | globalDefault: false 9 | description: "Use for critical workloads like Ingress controllers, Cilium CNI and/or Metal LB to ensure they get priority scheduling, especially when mixing stable and preemptible node pools" 10 | -------------------------------------------------------------------------------- /manifests/cilium/kustomization.yaml: -------------------------------------------------------------------------------- 1 | namespace: cilium-system 2 | resources: 3 | - base 4 | - high-priority-scheduling.yaml 5 | -------------------------------------------------------------------------------- /manifests/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - argocd 3 | - app-root.yaml 4 | - apps 5 | -------------------------------------------------------------------------------- /manifests/metrics-server/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - metrics-server.yaml 3 | -------------------------------------------------------------------------------- /manifests/talos-ccm/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - talos-ccm.yaml 3 | -------------------------------------------------------------------------------- /nodes-ready.tf: -------------------------------------------------------------------------------- 1 | # use kubectl to poll the readiness status of the nodes 2 | data "external" "talos-nodes-ready" { 3 | depends_on = [null_resource.talos-cluster-up] 4 | 5 | program = concat([ 6 | "go", 7 | "run", 8 | "${path.module}/cmd/nodes-ready", 9 | ], 10 | [for i, cfg in proxmox_virtual_environment_vm.talos-control-plane : cfg.name], 11 | [for i, cfg in proxmox_virtual_environment_vm.talos-worker-node : cfg.name], 12 | ) 13 | } 14 | -------------------------------------------------------------------------------- /output/.gitignore: 
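--------------------------------------------------------------------------------
# generated cluster credentials written by talos-output.tf; never commit them
talosconfig
kubeconfig
*.yaml
--------------------------------------------------------------------------------
/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    proxmox = {
      # https://registry.terraform.io/providers/bpg/proxmox/latest/docs
      source  = "bpg/proxmox"
      version = ">= 0.56.0"
    }
    talos = {
      # https://registry.terraform.io/providers/siderolabs/talos/latest/docs
      source  = "siderolabs/talos"
      version = ">= 0.5.0"
    }
    synclocal = {
      source  = "justenwalker/synclocal"
      version = ">= 0.0.2"
    }
    macaddress = {
      source  = "ivoronin/macaddress"
      version = "0.3.2"
    }
  }
}

# Whether to skip TLS certificate verification when talking to the Proxmox API.
# The previous configuration hard-coded `insecure = true`; the default keeps that
# behaviour so existing deployments are unaffected, but it should be set to
# false once the Proxmox certificate (or its issuing CA) is trusted by the
# machine running Terraform: with verification disabled, the API token sent in
# every request can be read or replayed by anyone positioned between this
# machine and the endpoint. (Could be moved next to the other proxmox_*
# variables in vars-proxmox.tf.)
variable "proxmox_api_insecure" {
  description = "Skip TLS certificate verification for the Proxmox API. Set to false once the Proxmox certificate is trusted."
  type        = bool
  default     = true
}

provider "proxmox" {
  endpoint = var.proxmox_api_url
  # bpg/proxmox expects the token as "<id>=<secret>"; the secret half is a
  # credential and belongs in a tfvars file or a TF_VAR_ environment variable,
  # never in version control.
  api_token = "${var.proxmox_api_token_id}=${var.proxmox_api_token_secret}"
  insecure  = var.proxmox_api_insecure
}
--------------------------------------------------------------------------------
/talos-config.tf:
--------------------------------------------------------------------------------
locals {
  cluster_endpoint = "https://${var.cluster_domain}:${var.cluster_endpoint_port}"
  storage_mnt      = "/var/mnt/storage"

  # default talos_machine_configuration values; passed to
  # talos-config/default.yaml.tpl through templatefile() further down
  talos_mc_defaults = {
    topology_region     = var.cluster_name,
    talos_version       = var.talos_version,
    network_gateway     = var.network_gateway,
    install_disk_device = var.install_disk_device,
    install_image_url   = replace(var.talos_machine_install_image_url, "%", var.talos_version),

    # harbor_url = var.harbor_url,
    # harbor_domain = split("://", var.harbor_url)[1]
    # harbor_username = var.harbor_username
    # harbor_password = var.harbor_password
  }
}

# Generates the cluster CA material and bootstrap secrets. Like every resource
# attribute, these are kept in the Terraform state in clear text, so the state
# backend needs the same protection as the talosconfig/kubeconfig files written
# under output/.
resource "talos_machine_secrets" "this" {}

data "talos_client_configuration" "this" {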
//noinspection HILUnresolvedReference 24 | client_configuration = talos_machine_secrets.this.client_configuration 25 | cluster_name = var.cluster_name 26 | endpoints = concat([var.cluster_vip], [ 27 | for i in range( 28 | var.control_plane_first_ip, var.control_plane_first_ip + local.vm_control_planes_count 29 | ) : cidrhost(var.network_cidr, i) 30 | ]) 31 | } 32 | 33 | data "talos_machine_configuration" "cp" { 34 | machine_type = "controlplane" 35 | machine_secrets = talos_machine_secrets.this.machine_secrets 36 | cluster_name = var.cluster_name 37 | cluster_endpoint = local.cluster_endpoint 38 | talos_version = "v${var.talos_version}" 39 | kubernetes_version = "v${var.k8s_version}" 40 | docs = false 41 | examples = false 42 | 43 | config_patches = [ 44 | templatefile("${path.module}/talos-config/default.yaml.tpl", local.talos_mc_defaults), 45 | ] 46 | } 47 | 48 | data "talos_machine_configuration" "wn" { 49 | machine_type = "worker" 50 | machine_secrets = talos_machine_secrets.this.machine_secrets 51 | cluster_name = var.cluster_name 52 | cluster_endpoint = local.cluster_endpoint 53 | talos_version = "v${var.talos_version}" 54 | kubernetes_version = "v${var.k8s_version}" 55 | docs = false 56 | examples = false 57 | 58 | config_patches = [ 59 | templatefile("${path.module}/talos-config/default.yaml.tpl", local.talos_mc_defaults), 60 | ] 61 | } 62 | -------------------------------------------------------------------------------- /talos-config/control-plane.yaml.tpl: -------------------------------------------------------------------------------- 1 | machine: 2 | nodeLabels: 3 | topology.kubernetes.io/zone: ${topology_zone} 4 | certSANs: 5 | - ${cluster_domain} 6 | - ${ipv4_vip} 7 | - ${hostname} 8 | - ${ipv4_local} 9 | 10 | network: 11 | hostname: ${hostname} 12 | interfaces: 13 | - interface: ${network_interface} 14 | dhcp: false 15 | addresses: 16 | - ${ipv4_local}/${network_ip_prefix} 17 | routes: 18 | - network: 0.0.0.0/0 19 | gateway: ${network_gateway} 20 | 
# continues machine.network.interfaces[0] of control-plane.yaml.tpl; the list
# item (interface, dhcp, addresses, routes) starts on the previous line
        # Shared virtual IP for the Kubernetes API, held by one control plane at
        # a time; it is also listed in certSANs above so the API server
        # certificate is valid for it.
        vip:
          ip: ${ipv4_vip}

  # Control planes map the cluster domain to loopback (worker-node.yaml.tpl
  # maps it to the VIP instead).
  extraHostEntries:
    - ip: 127.0.0.1
      aliases:
        - ${cluster_domain}

  # https://github.com/siderolabs/talos-cloud-controller-manager#node-certificate-approval
  # Lets workloads in the listed namespaces obtain Talos API access with the
  # listed roles (needed by talos-ccm for node certificate approval, per the
  # link above). os:reader is read-only, but the namespace list is the only
  # scope control here, so keep kube-system limited to trusted workloads.
  features:
    kubernetesTalosAPIAccess:
      enabled: true
      allowedRoles:
        - os:reader
      allowedKubernetesNamespaces:
        - kube-system

cluster:
  # supplied by the Terraform caller through templatefile(); expected to render
  # as a YAML list of inline manifests — confirm against the caller
  inlineManifests: ${inline_manifests}
--------------------------------------------------------------------------------
/talos-config/default.yaml.tpl:
--------------------------------------------------------------------------------
# Machine config patch applied to every node (control plane and worker); see
# local.talos_mc_defaults in talos-config.tf for the values passed in.
machine:
  nodeLabels:
    topology.kubernetes.io/region: ${topology_region}
    # matched by the nodeSelector of the CiliumBGPPeeringPolicy in
    # manifests/cilium/bgp-peering-policy.yaml.tpl
    cilium/bgp-peering-policy: default

  kubelet:
    extraConfig:
      # kubelet requests its serving certificate from the cluster CA via a CSR
      # instead of self-signing; approval is handled as described at the link
      # below
      serverTLSBootstrap: true
    extraArgs:
      # https://github.com/siderolabs/talos-cloud-controller-manager#node-certificate-approval
      cloud-provider: external
      rotate-server-certificates: true

  network:
    nameservers:
      - ${network_gateway}

  time:
    servers:
      - ${network_gateway}
      - 0.ubnt.pool.ntp.org

  install:
    disk: ${install_disk_device}
    # versions.tf defaults this to a factory.talos.dev installer addressed by
    # its image id, so the installer and its system extensions are fixed by
    # that id rather than by a mutable tag
    image: ${install_image_url}
    bootloader: true
    wipe: false

  # Both the ephemeral and state partitions are LUKS2-encrypted with the
  # `nodeID` key type (a key derived from the node's identity, no passphrase).
  # NOTE(review): this covers a disk image that is separated from its VM; it
  # does not cover a disk copied together with the VM definition the identity
  # is derived from — confirm which threat model this is meant to address.
  systemDiskEncryption:
    ephemeral:
      provider: luks2
      keys:
        - nodeID: { }
          slot: 0
    state:
      provider: luks2
      keys:
        - nodeID: { }
          slot: 0

  kernel:
    modules:
      - name: br_netfilter
        parameters:
          - nf_conntrack_max=131072

  sysctls:
    net.bridge.bridge-nf-call-ip6tables: "1"
    net.bridge.bridge-nf-call-iptables: "1"
    net.ipv4.ip_forward: "1"

  files:
    # Drop-in for the CRI config enabling its metrics endpoint.
    # NOTE(review): 0.0.0.0 binds on every node interface and the endpoint
    # carries no authentication, so it is reachable from anything on the node
    # network; bind it to the node address or loopback, or restrict it with a
    # host firewall, if the metrics are only scraped locally.
    - path: /var/cri/conf.d/metrics.toml
      op: create
      content: |
        [metrics]
        address = "0.0.0.0:11234"

  features:
    # KubePrism: node-local API server endpoint; port 7445 matches
    # k8sServicePort in manifests/cilium/base/values.yaml
    kubePrism:
      enabled: true
      port: 7445

# https://www.talos.dev/v1.5/kubernetes-guides/network/deploying-cilium/
cluster:
66 | network: 67 | cni: 68 | name: none 69 | proxy: 70 | disabled: true 71 | -------------------------------------------------------------------------------- /talos-config/node-labels.yaml.tpl: -------------------------------------------------------------------------------- 1 | machine: 2 | nodeLabels: ${node_labels} 3 | -------------------------------------------------------------------------------- /talos-config/worker-node-disk.yaml.tpl: -------------------------------------------------------------------------------- 1 | machine: 2 | kubelet: 3 | extraMounts: 4 | - destination: ${mount_point} 5 | type: bind 6 | source: ${mount_point} 7 | options: 8 | - bind 9 | - rshared 10 | - rw 11 | 12 | disks: 13 | - device: ${disk_device} 14 | partitions: 15 | - mountpoint: ${mount_point} 16 | -------------------------------------------------------------------------------- /talos-config/worker-node.yaml.tpl: -------------------------------------------------------------------------------- 1 | machine: 2 | nodeLabels: 3 | topology.kubernetes.io/zone: ${topology_zone} 4 | certSANs: 5 | - ${hostname} 6 | - ${ipv4_local} 7 | 8 | network: 9 | hostname: ${hostname} 10 | interfaces: 11 | - interface: ${network_interface} 12 | dhcp: false 13 | addresses: 14 | - ${ipv4_local}/${network_ip_prefix} 15 | routes: 16 | - network: 0.0.0.0/0 17 | gateway: ${network_gateway} 18 | 19 | extraHostEntries: 20 | - ip: ${ipv4_vip} 21 | aliases: 22 | - ${cluster_domain} 23 | -------------------------------------------------------------------------------- /talos-image/bare-metal.yaml: -------------------------------------------------------------------------------- 1 | # https://www.talos.dev/v1.7/talos-guides/install/boot-assets/ 2 | customization: 3 | systemExtensions: 4 | # https://github.com/siderolabs/extensions 5 | officialExtensions: 6 | - siderolabs/qemu-guest-agent 7 | - siderolabs/iscsi-tools 8 | - siderolabs/util-linux-tools 9 | 
--------------------------------------------------------------------------------
/talos-output.tf:
--------------------------------------------------------------------------------
# Retrieves the admin kubeconfig from the first control plane once the cluster
# has been bootstrapped. The credential is recorded in the Terraform state;
# `sensitive = true` on the outputs below only redacts CLI output.
data "talos_cluster_kubeconfig" "this" {
  depends_on = [talos_machine_bootstrap.this]

  client_configuration = data.talos_client_configuration.this.client_configuration
  node                 = cidrhost(var.network_cidr, var.control_plane_first_ip)
}

# Writes the talosconfig under output/, which is git-ignored (output/.gitignore).
# file_permission is left at the provider default — confirm it is owner-only on
# the machine running Terraform.
resource "local_sensitive_file" "export_talosconfig" {
  depends_on = [data.talos_client_configuration.this]
  content    = data.talos_client_configuration.this.talos_config
  filename   = "${path.module}/output/talosconfig"
}

# Same for the kubeconfig.
resource "local_sensitive_file" "export_kubeconfig" {
  depends_on = [data.talos_cluster_kubeconfig.this]
  content    = data.talos_cluster_kubeconfig.this.kubeconfig_raw
  filename   = "${path.module}/output/kubeconfig"
}

# Copies the exported talosconfig into the user's home directory.
# NOTE(review): as a data source this program runs during every plan/refresh,
# not only on apply, and — assuming cmd/cp-to-home copies the file as its name
# suggests — it replaces ~/.talos/config rather than merging into an existing
# one. Confirm against cmd/cp-to-home before relying on a pre-existing config.
data "external" "copy_talosconfig" {
  depends_on = [local_sensitive_file.export_talosconfig]

  program = [
    "go",
    "run",
    "${path.module}/cmd/cp-to-home",
    "${path.module}/output/talosconfig",
    "~/.talos/config",
  ]
}

# Same for the kubeconfig; the same plan-time / overwrite caveat applies to
# ~/.kube/config.
data "external" "copy_kubeconfig" {
  depends_on = [local_sensitive_file.export_kubeconfig]

  program = [
    "go",
    "run",
    "${path.module}/cmd/cp-to-home",
    "${path.module}/output/kubeconfig",
    "~/.kube/config",
  ]
}

# Synchronisation point: "the cluster is up and the local configs are in
# place". nodes-ready.tf depends on it before polling node readiness.
resource "null_resource" "talos-cluster-up" {
  depends_on = [
    data.external.copy_talosconfig,
    data.external.copy_kubeconfig,
  ]
}

# Whole data-source objects are exported; marked sensitive so `terraform
# output` does not print the embedded credentials.
output "talos_client_configuration" {
  value     = data.talos_client_configuration.this
  sensitive = true
}

output "talos_cluster_kubeconfig" {
  value     = data.talos_cluster_kubeconfig.this
  sensitive = true
}
--------------------------------------------------------------------------------
/vars-cluster.tf:
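--------------------------------------------------------------------------------
variable "cluster_name" {
  description = "Name of the Talos Kubernetes cluster"
  type        = string
  default     = "talos-cluster"
}

variable "cluster_vip" {
  description = "Virtual IP of the Talos Kubernetes cluster"
  type        = string
}

variable "cluster_domain" {
  description = "Domain name of the Talos Kubernetes cluster"
  type        = string
  default     = "talos-cluster.local"
}

variable "cluster_endpoint_port" {
  description = "Port of the Kubernetes API endpoint"
  type        = number
  default     = 6443
}

variable "control_plane_first_ip" {
  # host number within network_cidr of the first control plane (see
  # cidrhost() in talos-config.tf / vm-control-plane.tf); following control
  # planes use consecutive host numbers
  description = "First ip of a control-plane"
  type        = number
  default     = 111
}

variable "worker_node_first_ip" {
  # host number within network_cidr of the first worker node, presumably
  # allocated the same way as the control planes
  description = "First ip of a worker node"
  type        = number
  default     = 121
}

variable "install_disk_device" {
  description = "Disk to install Talos on"
  type        = string
  default     = "/dev/vda"
}
--------------------------------------------------------------------------------
/vars-harbor.tf:
--------------------------------------------------------------------------------
# Harbor registry settings. They are currently not consumed: the references in
# local.talos_mc_defaults (talos-config.tf) are commented out, so the defaults
# below are placeholders only.

variable "harbor_url" {
  description = "URL of the Harbor registry, scheme included. A plain http URL sends the credentials below in clear text."
  type        = string
  default     = "http://harbor.lan"
}

variable "harbor_username" {
  description = "Username for the Harbor registry"
  type        = string
  default     = "admin"
}

variable "harbor_password" {
  description = "Password for the Harbor registry. Override the placeholder default via a tfvars file or TF_VAR_harbor_password; never commit a real value."
  type        = string
  default     = "5eCr3t"
  # Redacts the value from plan/apply output and marks anything derived from
  # it as sensitive. The value is still written to the Terraform state.
  sensitive   = true
}
--------------------------------------------------------------------------------
/vars-iso.tf:
--------------------------------------------------------------------------------
variable "talos_iso_download_url" {
  # The download is pinned to a release tag only; nothing on this side verifies
  # the ISO checksum, so the image is trusted as served by the release page.
  description = "Location to download the Talos iso image from"
  type        = string
  # % is replaced by talos_version
  default     = "https://github.com/siderolabs/talos/releases/download/v%/metal-amd64.iso"
}

variable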
"talos_iso_destination_filename" { 9 | description = "Filename of the Talos iso image to store" 10 | type = string 11 | # % is replaced by talos_version 12 | default = "talos-%-metal-amd64.iso" 13 | } 14 | 15 | variable "talos_iso_destination_server" { 16 | description = "Proxmox server to store the Talos iso image on" 17 | type = string 18 | default = "" 19 | } 20 | 21 | variable "talos_iso_destination_storage_pool" { 22 | description = "Proxmox storage to store the Talos iso image on" 23 | type = string 24 | default = "local" 25 | } 26 | -------------------------------------------------------------------------------- /vars-manifests.tf: -------------------------------------------------------------------------------- 1 | variable "bootstrap_manifests" { 2 | description = "Bootstrap manifests from directories using Kustomize" 3 | type = list(string) 4 | default = ["manifests/apps"] 5 | } 6 | 7 | variable "talos_ccm_manifest_url" { 8 | description = "Talos Cloud Controller Manager manifest to use" 9 | type = string 10 | # % is replaced by talos_ccm_version 11 | default = "https://raw.githubusercontent.com/siderolabs/talos-cloud-controller-manager/v%/docs/deploy/cloud-controller-manager.yml" 12 | } 13 | 14 | variable "argocd_manifest_url" { 15 | description = "ArgoCD manifest to use" 16 | type = string 17 | # % is replaced by metrics_server_version 18 | default = "https://raw.githubusercontent.com/argoproj/argo-cd/v%/manifests/ha/install.yaml" 19 | } 20 | 21 | variable "metrics_server_manifest_url" { 22 | description = "Kubernetes Metrics Server manifest to use" 23 | type = string 24 | # % is replaced by metrics_server_version 25 | default = "https://github.com/kubernetes-sigs/metrics-server/releases/download/v%/components.yaml" 26 | } 27 | -------------------------------------------------------------------------------- /vars-network.tf: -------------------------------------------------------------------------------- 1 | variable "network_ip_prefix" { 2 | description 
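= "Network IP network prefix"
  type        = number
  default     = 24
}

variable "network_cidr" {
  # NOTE(review): the default carries a host address (10.0.0.1) rather than
  # the network address; cidrhost() appears to tolerate that, but keep the
  # prefix length consistent with network_ip_prefix — vm-control-plane.tf
  # derives the VM prefix from this value while the Talos templates use
  # network_ip_prefix.
  description = "Network address in CIDR notation"
  type        = string
  default     = "10.0.0.1/24"
}

variable "network_gateway" {
  # also used as DNS and NTP server in talos-config/default.yaml.tpl
  description = "Gateway of the network"
  type        = string
  default     = "10.0.0.1"
}

variable "router_ip" {
  description = "IP address of the router, uses network_gateway as default value"
  type        = string
  default     = ""
}

variable "router_asn" {
  description = "Router ASN for use with Cilium BGP"
  type        = number
  default     = 64501
}

variable "cilium_asn" {
  description = "Local ASN used by the Cilium BGP control plane (manifests/cilium/bgp-peering-policy.yaml.tpl)"
  type        = number
  default     = 64500
}
--------------------------------------------------------------------------------
/vars-proxmox.tf:
--------------------------------------------------------------------------------
variable "proxmox_api_token_id" {
  description = "The ID of the API token used for authentication with the Proxmox API."
  type        = string
}

variable "proxmox_api_token_secret" {
  description = "The secret value of the token used for authentication with the Proxmox API."
  type        = string
  # Redacts the secret from plan/apply output and marks the provider's
  # api_token (built from it in providers.tf) as sensitive. Supply it via a
  # tfvars file or TF_VAR_proxmox_api_token_secret rather than on the command
  # line; it is still recorded in the Terraform state.
  sensitive   = true
}

variable "proxmox_api_url" {
  description = "The URL for the Proxmox API."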
13 | type = string 14 | } 15 | 16 | variable "proxmox_servers" { 17 | description = "Proxmox servers on which the talos cluster will be deployed" 18 | type = map(object({ 19 | # Number of control plane nodes to deploy on the server 20 | control_planes_count = optional(number, 1) 21 | # The name of the storage pool where virtual hard disks will be stored 22 | disk_storage_pool = string 23 | # The name of the network bridge on the Proxmox host 24 | network_bridge = optional(string, "vmbr0") 25 | # Additional kubernetes node labels to add to the nodes deployed on this server 26 | node_labels = optional(map(string), {}) 27 | })) 28 | } 29 | -------------------------------------------------------------------------------- /vars-vms.tf: -------------------------------------------------------------------------------- 1 | variable "worker_nodes" { 2 | type = list(object({ 3 | # Name of Proxmox target server on which the worker node(s) will be deployed 4 | target_server = string 5 | # Additional kubernetes node labels to add to the worker node(s) 6 | node_labels = optional(map(string), {}) 7 | # Number of worker nodes to deploy on the target server 8 | count = optional(number, 1) 9 | 10 | # The amount of CPU cores to give the worker node(s) 11 | cpu_cores = optional(number, 0) 12 | # The amount of memory in GiB to give the worker node(s) 13 | memory = optional(number, 0) 14 | # The size of the boot disk in GiB to give the worker node(s) 15 | disk_size = optional(number, 0) 16 | 17 | data_disks = optional(list(object({ 18 | device_name = string 19 | mount_point = string 20 | # The size of the data disk in GiB per worker node 21 | size = number 22 | # The name of the storage pool where the disk be stored 23 | storage_pool = optional(string, "") 24 | })), []) 25 | })) 26 | } 27 | 28 | variable "control_plane_name_prefix" { 29 | description = "Name prefix used in both VM name and hostname, for a control-plane" 30 | type = string 31 | default = "talos-control-plane" 32 | } 33 | 
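variable "worker_node_name_prefix" {
  description = "Name prefix used in both VM name and hostname, for a worker node"
  type        = string
  default     = "talos-worker-node"
}

# Proxmox VM ids are allocated as first_id + list index (see the vm_id attributes
# below); the control-plane and worker ranges must stay disjoint for the node counts
# actually deployed, or Proxmox rejects the duplicate id.
variable "control_plane_first_id" {
  description = "First id of a control-plane"
  type        = number
  default     = 8101
}

variable "worker_node_first_id" {
  description = "First id of a worker node"
  type        = number
  default     = 8201
}

variable "control_plane_cpu_cores" {
  description = "The default amount of CPU cores to give the control plane nodes"
  type        = number
  default     = 2
}

variable "worker_node_cpu_cores" {
  description = "The default amount of CPU cores to give the worker nodes"
  type        = number
  default     = 4
}

variable "control_plane_memory" {
  description = "The default amount of memory (GiB) to give the control plane nodes"
  type        = number
  default     = 4
}

variable "worker_node_memory" {
  description = "The default amount of memory (GiB) to give the worker nodes"
  type        = number
  default     = 16
}

variable "control_plane_disk_size" {
  description = "The size of the boot disk (GiB) to give the control plane nodes"
  type        = number
  default     = 8
}

variable "worker_node_disk_size" {
  description = "The default size of the boot disk (GiB) to give the worker nodes"
  type        = number
  default     = 16
}

--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
variable "talos_version" {
  # https://github.com/siderolabs/talos/releases
  description = "Talos version to use"
  type        = string
  default     = "1.7.5"
}

variable "talos_machine_install_image_url" {
  # https://www.talos.dev/v1.7/talos-guides/install/boot-assets/
  description = "The URL of the Talos machine install image"
  type        = string
  # "%" is replaced by talos_version wherever this value is consumed.
  # The default is an Image Factory installer reference; the long hex path component is
  # presumably the schematic id that fixes the set of system extensions baked into the
  # image, so the default pins one exact image build. Changing the id changes what gets
  # installed on every node — re-derive it from the boot-assets page above rather than
  # editing it by hand.
  default = "factory.talos.dev/installer/88d1f7a5c4f1d3aba7df787c448c1d3d008ed29cfb34af53fa0df4336a56040b:v%"
  # default = "ghcr.io/siderolabs/installer:v%" // = default, when not using system extensions
}

variable "k8s_version" {
  # https://www.talos.dev/v1.7/introduction/support-matrix/
  description = "Kubernetes version to use"
  type        = string
  default     = "1.30.0"
}

variable "talos_ccm_version" {
  # https://github.com/siderolabs/talos-cloud-controller-manager/releases
  description = "Talos Cloud Controller Manager version to use"
  type        = string
  default     = "1.6.0"
}

variable "cilium_version" {
  # https://helm.cilium.io/
  description = "Cilium Helm version to use"
  type        = string
  default     = "1.15.6"
}

variable "argocd_version" {
  # https://github.com/argoproj/argo-cd/releases
  description = "ArgoCD version to use"
  type        = string
  default     = "2.11.4"
}

variable "metrics_server_version" {
  # https://github.com/kubernetes-sigs/metrics-server/releases
  description = "Kubernetes Metrics Server version to use"
  type        = string
  default     = "0.7.1"
}

--------------------------------------------------------------------------------
/vm-control-plane.tf:
--------------------------------------------------------------------------------
locals {
  # Proxmox file id ("<pool>:iso/<file>") of the Talos ISO, with "%" in the configured
  # filename replaced by the Talos version.
  talos_iso_image_location = "${var.talos_iso_destination_storage_pool}:iso/${replace(var.talos_iso_destination_filename, "%", var.talos_version)}"

  //noinspection HILUnresolvedReference
  # One list element per control-plane VM, holding the name of the Proxmox server that
  # hosts it (a server with control_planes_count = 2 contributes its name twice).
  vm_control_planes = flatten([
    for name, host in var.proxmox_servers : [
      for i in range(host.control_planes_count) : name
    ]
  ])
  vm_control_planes_count = length(local.vm_control_planes)
}

# Uploading the ISO through the provider is disabled: with overwrite = false the apply
# reportedly fails whenever the file already exists on the datastore, so the ISO is
# expected to already be present at local.talos_iso_image_location.
#
# resource "proxmox_virtual_environment_file" "talos-iso" {
#   content_type = "iso"
#   datastore_id = var.talos_iso_destination_storage_pool
#   node_name    = var.talos_iso_destination_server != "" ? var.talos_iso_destination_server : keys(var.proxmox_servers)[0]
#   overwrite    = false
#
#   source_file {
#     path      = replace(var.talos_iso_download_url, "%", var.talos_version)
#     file_name = replace(var.talos_iso_destination_filename, "%", var.talos_version)
#   }
# }

# One generated MAC address per control-plane VM (indexed like local.vm_control_planes).
resource "macaddress" "talos-control-plane" {
  count = length(local.vm_control_planes)
}

resource "proxmox_virtual_environment_vm" "talos-control-plane" {
  depends_on = [
    # proxmox_virtual_environment_file.talos-iso,
    macaddress.talos-control-plane
  ]
  # Keyed by list index: each.key is the index (as a string), each.value the server name.
  for_each = {
    for i, x in local.vm_control_planes : i => x
  }

  # each.key is coerced to a number for the additions below, giving "<prefix>-1", "-2", ...
  name          = "${var.control_plane_name_prefix}-${each.key + 1}"
  vm_id         = each.key + var.control_plane_first_id
  node_name     = each.value
  on_boot       = true
  scsi_hardware = "virtio-scsi-pci"

  # QEMU guest agent integration; only useful if the Talos image ships the agent
  # (presumably via the Image Factory schematic) — confirm against the installed image.
  agent {
    enabled = true
  }

  # Static address: network_cidr host number first_ip + index, with the CIDR's prefix
  # length; the control-plane and worker address ranges must not overlap.
  initialization {
    ip_config {
      ipv4 {
        address = "${cidrhost(var.network_cidr, each.key + var.control_plane_first_ip)}/${split("/", var.network_cidr)[1]}"
        gateway = var.network_gateway
      }
    }
  }

  cdrom {
    enabled = true
    # local.talos_iso_image_location already substitutes the version into the filename;
    # this second replace only matters if the pool name itself contains "%".
    file_id = replace(local.talos_iso_image_location, "%", var.talos_version)
  }

  cpu {
    # Host CPU model passed through to the guest.
    type    = "host"
    sockets = 1
    cores   = var.control_plane_cpu_cores
  }

  memory {
    # The variable is declared in GiB; Proxmox expects MiB.
    dedicated = var.control_plane_memory*1024
  }

  network_device {
    enabled     = true
    model       = "virtio"
    bridge      = var.proxmox_servers[each.value].network_bridge
    mac_address = macaddress.talos-control-plane[each.key].address
    # Proxmox's per-NIC firewall is off: nothing at the hypervisor filters node traffic,
    # so filtering is left to the network and to policy inside the cluster.
    firewall    = false
  }

  operating_system {
    type = "l26" # Linux kernel type
  }

  disk {
    interface    = "virtio0"
    size         = var.control_plane_disk_size
    datastore_id = var.proxmox_servers[each.value].disk_storage_pool
    file_format  = "raw"
    cache        = "writethrough"
    iothread     = true
    # Excluded from Proxmox backup jobs; node state is expected to be reproducible.
    backup       = false
  }
}

output "talos_control_plane_mac_addrs" {
  value = macaddress.talos-control-plane
}

--------------------------------------------------------------------------------
/vm-worker-node.tf:
--------------------------------------------------------------------------------
locals {
  # Expands var.worker_nodes into one entry per worker VM. `index` is the position of
  # the originating entry in var.worker_nodes (used below to look up its data disks);
  # sizing falls back to the worker_node_* defaults where the entry left a value at 0.
  vm_worker_nodes = flatten([
    for i, worker in var.worker_nodes : [
      for j in range(worker.count) : {
        index         = i
        target_server = worker.target_server
        # Server-level labels first, so labels on the worker entry win on conflict.
        node_labels   = merge(var.proxmox_servers[worker.target_server].node_labels, worker.node_labels)
        cpu_cores     = worker.cpu_cores > 0 ? worker.cpu_cores : var.worker_node_cpu_cores
        memory        = worker.memory > 0 ? worker.memory : var.worker_node_memory
        disk_size     = worker.disk_size > 0 ? worker.disk_size : var.worker_node_disk_size
        data_disks    = worker.data_disks
      }
    ]
  ])
}

# One generated MAC address per worker VM (indexed like local.vm_worker_nodes).
resource "macaddress" "talos-worker-node" {
  count = length(local.vm_worker_nodes)
}

resource "proxmox_virtual_environment_vm" "talos-worker-node" {
  depends_on = [
    # proxmox_virtual_environment_file.talos-iso,
    macaddress.talos-worker-node
  ]
  # Keyed by list index: each.key is the index (as a string), each.value the VM spec.
  for_each = {
    for i, x in local.vm_worker_nodes : i => x
  }

  name          = "${var.worker_node_name_prefix}-${each.key + 1}"
  vm_id         = each.key + var.worker_node_first_id
  node_name     = each.value.target_server
  on_boot       = true
  scsi_hardware = "virtio-scsi-pci"

  # QEMU guest agent integration; only useful if the Talos image ships the agent.
  agent {
    enabled = true
  }

  # Static address: network_cidr host number worker_node_first_ip + index.
  initialization {
    ip_config {
      ipv4 {
        address = "${cidrhost(var.network_cidr, each.key + var.worker_node_first_ip)}/${split("/", var.network_cidr)[1]}"
        gateway = var.network_gateway
      }
    }
  }

  cdrom {
    enabled = true
    # The local already carries the version; this replace is a no-op unless the pool
    # name contains "%".
    file_id = replace(local.talos_iso_image_location, "%", var.talos_version)
  }

  cpu {
    type    = "host"
    sockets = 1
    cores   = each.value.cpu_cores
  }

  memory {
    # GiB (per the variable declarations) -> MiB as Proxmox expects.
    dedicated = each.value.memory*1024
  }

  network_device {
    enabled     = true
    model       = "virtio"
    bridge      = var.proxmox_servers[each.value.target_server].network_bridge
    mac_address = macaddress.talos-worker-node[each.key].address
    # Proxmox's per-NIC firewall is off; see the control-plane resource for the same choice.
    firewall    = false
  }

  operating_system {
    type = "l26" # Linux kernel type
  }

  # Boot disk, always virtio0.
  disk {
    interface    = "virtio0"
    size         = each.value.disk_size
    datastore_id = var.proxmox_servers[each.value.target_server].disk_storage_pool
    file_format  = "raw"
    cache        = "writethrough"
    iothread     = true
    backup       = false
  }

  # One extra disk per data_disks entry of the originating worker_nodes element.
  dynamic "disk" {
    for_each = var.worker_nodes[each.value.index].data_disks

    content {
      # Data disks follow the boot disk as virtio1, virtio2, ... by their position in
      # data_disks. Deriving this from the worker-group index (each.value.index) instead
      # would give every data disk of the same VM one and the same interface name.
      interface    = "virtio${disk.key + 1}"
      size         = disk.value.size
      # Falls back to the server's default pool when the disk does not name one.
      datastore_id = disk.value.storage_pool != "" ? disk.value.storage_pool : var.proxmox_servers[each.value.target_server].disk_storage_pool
      file_format  = "raw"
      cache        = "none"
      iothread     = true
      # Not covered by Proxmox backup jobs.
      backup       = false
    }
  }
}

output "talos_worker_node_mac_addrs" {
  value = macaddress.talos-worker-node
}
--------------------------------------------------------------------------------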