External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-05-06 08:57:37 -02:30
Code Issues Packages Projects Releases Wiki Activity

Upgrade cilium role (#7521)

Browse Source 
* Upgrade cilium roles

* Del old test result

* Add hubble ui examples

* Refactor hubble metrics

* Markdown fix pipeline errors

* yamllint check and fix

* refactor install from https://github.com/kubernetes-sigs/kubespray/pull/7520

* Docs syntax change (fix)

* Cilium set default 1.8.9

* Update cilium version in Readme
This commit is contained in:
bac-w
2021-04-30 18:09:59 +03:00
committed by GitHub
parent d29ea386d6
commit 2556eb2733
21 changed files with 772 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
roles/network_plugin/cilium/templates/cilium-config.yml.j2
View File

@@ -154,13 +154,26 @@ data:
# Hubble settings
{% if cilium_enable_hubble %}
enable-hubble: "true"
hubble-metrics: "{{ cilium_hubble_metrics }}"
hubble-listen-address: ":4244"
{% if cilium_enable_hubble_metrics %}
hubble-metrics-server: ":9091"
hubble-metrics:
{% for hubble_metrics_cycle in cilium_hubble_metrics %}
{{ hubble_metrics_cycle }}
{% endfor %}
{% endif %}
hubble-listen-address: ":4244"
{% if cilium_enable_hubble and cilium_hubble_install %}
hubble-disable-tls: "false"
hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
{% endif %}
{% endif %}
{% for key, value in cilium_config_extra_vars.items() %}
{{ key }}: "{{ value }}"
{% endfor %}
# IPsec based transparent encryption between nodes
{% if cilium_ipsec_enabled %}
enable-ipsec: "true"

20
roles/network_plugin/cilium/templates/cilium-cr.yml.j2
View File

@@ -58,6 +58,16 @@ rules:
- ciliumnodes/status
- ciliumidentities
- ciliumidentities/status
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.9', '>=') %}
- ciliumnetworkpolicies/finalizers
- ciliumclusterwidenetworkpolicies/finalizers
- ciliumendpoints/finalizers
- ciliumnodes/finalizers
- ciliumidentities/finalizers
- ciliumlocalredirectpolicies
- ciliumlocalredirectpolicies/status
- ciliumlocalredirectpolicies/finalizers
{% endif %}
verbs:
- '*'
@@ -183,6 +193,16 @@ rules:
- ciliumnodes/status
- ciliumidentities
- ciliumidentities/status
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.9', '>=') %}
- ciliumnetworkpolicies/finalizers
- ciliumclusterwidenetworkpolicies/finalizers
- ciliumendpoints/finalizers
- ciliumnodes/finalizers
- ciliumidentities/finalizers
- ciliumlocalredirectpolicies
- ciliumlocalredirectpolicies/status
- ciliumlocalredirectpolicies/finalizers
{% endif %}
verbs:
- '*'

2
roles/network_plugin/cilium/templates/cilium-crb.yml.j2
View File

@@ -24,6 +24,8 @@ subjects:
- kind: ServiceAccount
name: cilium
namespace: kube-system
{% if cilium_version | regex_replace('v') is version('1.9', '<') %}
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:nodes
{% endif %}

28
roles/network_plugin/cilium/templates/cilium-ds.yml.j2
View File

@@ -170,6 +170,11 @@ spec:
- mountPath: /etc/ipsec
name: cilium-ipsec-secrets
readOnly: true
{% endif %}
{% if cilium_hubble_install %}
- mountPath: /var/lib/cilium/tls/hubble
name: hubble-tls
readOnly: true
{% endif %}
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
@@ -196,7 +201,11 @@ spec:
key: wait-bpf-mount
name: cilium-config
optional: true
{% if cilium_version | regex_replace('v') is version('1.9', '<') %}
image: "{{cilium_init_image_repo}}:{{cilium_init_image_tag}}"
{% else %}
image: "{{cilium_image_repo}}:{{cilium_image_tag}}"
{% endif %}
imagePullPolicy: {{ k8s_image_pull_policy }}
name: clean-cilium-state
securityContext:
@@ -289,6 +298,25 @@ spec:
- name: cilium-ipsec-secrets
secret:
secretName: cilium-ipsec-keys
{% endif %}
{% if cilium_hubble_install %}
- name: hubble-tls
projected:
sources:
- secret:
name: hubble-server-certs
items:
- key: tls.crt
path: server.crt
- key: tls.key
path: server.key
optional: true
- configMap:
name: hubble-ca-cert
items:
- key: ca.crt
path: client-ca.crt
optional: true
{% endif %}
updateStrategy:
rollingUpdate:

86
roles/network_plugin/cilium/templates/hubble-config.yml.j2 Normal file
View File

@@ -0,0 +1,86 @@
---
# Source: cilium/templates/hubble-relay-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: hubble-relay-config
namespace: kube-system
data:
config.yaml: |
peer-service: unix:///var/run/cilium/hubble.sock
listen-address: :4245
dial-timeout:
retry-timeout:
sort-buffer-len-max:
sort-buffer-drain-timeout:
tls-client-cert-file: /var/lib/hubble-relay/tls/client.crt
tls-client-key-file: /var/lib/hubble-relay/tls/client.key
tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt
disable-server-tls: true
---
# Source: cilium/templates/hubble-ui-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: hubble-ui-envoy
namespace: kube-system
data:
envoy.yaml: |
static_resources:
listeners:
- name: listener_hubble_ui
address:
socket_address:
address: 0.0.0.0
port_value: 8081
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
config:
codec_type: auto
stat_prefix: ingress_http
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ['*']
routes:
- match:
prefix: '/api/'
route:
cluster: backend
max_grpc_timeout: 0s
prefix_rewrite: '/'
- match:
prefix: '/'
route:
cluster: frontend
cors:
allow_origin_string_match:
- prefix: '*'
allow_methods: GET, PUT, DELETE, POST, OPTIONS
allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
max_age: '1728000'
expose_headers: grpc-status,grpc-message
http_filters:
- name: envoy.filters.http.grpc_web
- name: envoy.filters.http.cors
- name: envoy.filters.http.router
clusters:
- name: frontend
connect_timeout: 0.25s
type: strict_dns
lb_policy: round_robin
hosts:
- socket_address:
address: 127.0.0.1
port_value: 8080
- name: backend
connect_timeout: 0.25s
type: logical_dns
lb_policy: round_robin
http2_protocol_options: {}
hosts:
- socket_address:
address: 127.0.0.1
port_value: 8090

106
roles/network_plugin/cilium/templates/hubble-cr.yml.j2 Normal file
View File

@@ -0,0 +1,106 @@
{% if cilium_hubble_tls_generate %}
---
# Source: cilium/templates/hubble-generate-certs-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: hubble-generate-certs
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- hubble-server-certs
- hubble-relay-client-certs
- hubble-relay-server-certs
verbs:
- update
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- hubble-ca-cert
verbs:
- update
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- hubble-ca-secret
verbs:
- get
{% endif %}
---
# Source: cilium/templates/hubble-relay-clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hubble-relay
rules:
- apiGroups:
- ""
resources:
- componentstatuses
- endpoints
- namespaces
- nodes
- pods
- services
verbs:
- get
- list
- watch
---
# Source: cilium/templates/hubble-ui-clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hubble-ui
rules:
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- componentstatuses
- endpoints
- namespaces
- nodes
- pods
- services
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- cilium.io
resources:
- "*"
verbs:
- get
- list
- watch

44
roles/network_plugin/cilium/templates/hubble-crb.yml.j2 Normal file
View File

@@ -0,0 +1,44 @@
{% if cilium_hubble_tls_generate %}
---
# Source: cilium/templates/hubble-generate-certs-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: hubble-generate-certs
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: hubble-generate-certs
subjects:
- kind: ServiceAccount
name: hubble-generate-certs
namespace: kube-system
{% endif %}
---
# Source: cilium/templates/hubble-relay-clusterrolebinding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hubble-relay
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: hubble-relay
subjects:
- kind: ServiceAccount
namespace: kube-system
name: hubble-relay
---
# Source: cilium/templates/hubble-ui-clusterrolebinding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hubble-ui
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: hubble-ui
subjects:
- kind: ServiceAccount
namespace: kube-system
name: hubble-ui

49
roles/network_plugin/cilium/templates/hubble-cronjob.yml.j2 Normal file
View File

@@ -0,0 +1,49 @@
---
# Source: cilium/templates/hubble-generate-certs-cronjob.yaml
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: hubble-generate-certs
namespace: kube-system
labels:
k8s-app: hubble-generate-certs
spec:
schedule: "0 0 1 */4 *"
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
metadata:
labels:
k8s-app: hubble-generate-certs
spec:
serviceAccount: hubble-generate-certs
serviceAccountName: hubble-generate-certs
containers:
- name: certgen
image: "{{ cilium_hubble_certgen_image_repo }}:{{ cilium_hubble_certgen_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
command:
- "/usr/bin/cilium-certgen"
# Because this is executed as a job, we pass the values as command
# line args instead of via config map. This allows users to inspect
# the values used in past runs by inspecting the completed pod.
args:
- "--cilium-namespace=kube-system"
- "--hubble-ca-reuse-secret=true"
- "--hubble-ca-secret-name=hubble-ca-secret"
- "--hubble-ca-generate=true"
- "--hubble-ca-validity-duration=94608000s"
- "--hubble-ca-config-map-create=true"
- "--hubble-ca-config-map-name=hubble-ca-cert"
- "--hubble-server-cert-generate=true"
- "--hubble-server-cert-common-name=*.default.hubble-grpc.cilium.io"
- "--hubble-server-cert-validity-duration=94608000s"
- "--hubble-server-cert-secret-name=hubble-server-certs"
- "--hubble-relay-client-cert-generate=true"
- "--hubble-relay-client-cert-validity-duration=94608000s"
- "--hubble-relay-client-cert-secret-name=hubble-relay-client-certs"
- "--hubble-relay-server-cert-generate=false"
hostNetwork: true
restartPolicy: OnFailure
ttlSecondsAfterFinished: 1800

161
roles/network_plugin/cilium/templates/hubble-deploy.yml.j2 Normal file
View File

@@ -0,0 +1,161 @@
---
# Source: cilium/templates/hubble-relay-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: hubble-relay
labels:
k8s-app: hubble-relay
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
k8s-app: hubble-relay
strategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
annotations:
labels:
k8s-app: hubble-relay
spec:
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: "k8s-app"
operator: In
values:
- cilium
topologyKey: "kubernetes.io/hostname"
containers:
- name: hubble-relay
image: "{{ cilium_hubble_relay_image_repo }}:{{ cilium_hubble_relay_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
command:
- hubble-relay
args:
- serve
ports:
- name: grpc
containerPort: 4245
readinessProbe:
tcpSocket:
port: grpc
livenessProbe:
tcpSocket:
port: grpc
volumeMounts:
- mountPath: /var/run/cilium
name: hubble-sock-dir
readOnly: true
- mountPath: /etc/hubble-relay
name: config
readOnly: true
- mountPath: /var/lib/hubble-relay/tls
name: tls
readOnly: true
restartPolicy: Always
serviceAccount: hubble-relay
serviceAccountName: hubble-relay
terminationGracePeriodSeconds: 0
volumes:
- configMap:
name: hubble-relay-config
items:
- key: config.yaml
path: config.yaml
name: config
- hostPath:
path: /var/run/cilium
type: Directory
name: hubble-sock-dir
- projected:
sources:
- secret:
name: hubble-relay-client-certs
items:
- key: tls.crt
path: client.crt
- key: tls.key
path: client.key
- configMap:
name: hubble-ca-cert
items:
- key: ca.crt
path: hubble-server-ca.crt
name: tls
---
# Source: cilium/templates/hubble-ui-deployment.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: kube-system
labels:
k8s-app: hubble-ui
name: hubble-ui
spec:
replicas: 1
selector:
matchLabels:
k8s-app: hubble-ui
template:
metadata:
annotations:
labels:
k8s-app: hubble-ui
spec:
securityContext:
runAsUser: 1001
serviceAccount: hubble-ui
serviceAccountName: hubble-ui
containers:
- name: frontend
image: "{{ cilium_hubble_ui_image_repo }}:{{ cilium_hubble_ui_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
ports:
- containerPort: 8080
name: http
resources:
{}
- name: backend
image: "{{ cilium_hubble_ui_backend_image_repo }}:{{ cilium_hubble_ui_backend_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
env:
- name: EVENTS_SERVER_PORT
value: "8090"
- name: FLOWS_API_ADDR
value: "hubble-relay:80"
ports:
- containerPort: 8090
name: grpc
resources:
{}
- name: proxy
image: "{{ cilium_hubble_envoy_image_repo }}:{{ cilium_hubble_envoy_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
ports:
- containerPort: 8081
name: http
resources:
{}
command: ["envoy"]
args:
[
"-c",
"/etc/envoy.yaml",
"-l",
"info"
]
volumeMounts:
- name: hubble-ui-envoy-yaml
mountPath: /etc/envoy.yaml
subPath: envoy.yaml
volumes:
- name: hubble-ui-envoy-yaml
configMap:
name: hubble-ui-envoy

45
roles/network_plugin/cilium/templates/hubble-job.yml.j2 Normal file
View File

@@ -0,0 +1,45 @@
---
# Source: cilium/templates/hubble-generate-certs-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: hubble-generate-certs
namespace: kube-system
labels:
k8s-app: hubble-generate-certs
spec:
template:
metadata:
labels:
k8s-app: hubble-generate-certs
spec:
serviceAccount: hubble-generate-certs
serviceAccountName: hubble-generate-certs
containers:
- name: certgen
image: "{{ cilium_hubble_certgen_image_repo }}:{{ cilium_hubble_certgen_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
command:
- "/usr/bin/cilium-certgen"
# Because this is executed as a job, we pass the values as command
# line args instead of via config map. This allows users to inspect
# the values used in past runs by inspecting the completed pod.
args:
- "--cilium-namespace=kube-system"
- "--hubble-ca-reuse-secret=true"
- "--hubble-ca-secret-name=hubble-ca-secret"
- "--hubble-ca-generate=true"
- "--hubble-ca-validity-duration=94608000s"
- "--hubble-ca-config-map-create=true"
- "--hubble-ca-config-map-name=hubble-ca-cert"
- "--hubble-server-cert-generate=true"
- "--hubble-server-cert-common-name=*.default.hubble-grpc.cilium.io"
- "--hubble-server-cert-validity-duration=94608000s"
- "--hubble-server-cert-secret-name=hubble-server-certs"
- "--hubble-relay-client-cert-generate=true"
- "--hubble-relay-client-cert-validity-duration=94608000s"
- "--hubble-relay-client-cert-secret-name=hubble-relay-client-certs"
- "--hubble-relay-server-cert-generate=false"
hostNetwork: true
restartPolicy: OnFailure
ttlSecondsAfterFinished: 1800

23
roles/network_plugin/cilium/templates/hubble-sa.yml.j2 Normal file
View File

@@ -0,0 +1,23 @@
{% if cilium_hubble_tls_generate %}
---
# Source: cilium/templates/hubble-generate-certs-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: hubble-generate-certs
namespace: kube-system
{% endif %}
---
# Source: cilium/templates/hubble-relay-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: hubble-relay
namespace: kube-system
---
# Source: cilium/templates/hubble-ui-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: hubble-ui
namespace: kube-system

58
roles/network_plugin/cilium/templates/hubble-service.yml.j2 Normal file
View File

@@ -0,0 +1,58 @@
{% if cilium_enable_prometheus or cilium_enable_hubble_metrics %}
---
# Source: cilium/templates/cilium-agent-service.yaml
kind: Service
apiVersion: v1
metadata:
name: hubble-metrics
namespace: kube-system
annotations:
prometheus.io/scrape: 'true'
prometheus.io/port: "9091"
labels:
k8s-app: hubble
spec:
clusterIP: None
type: ClusterIP
ports:
- name: hubble-metrics
port: 9091
protocol: TCP
targetPort: hubble-metrics
selector:
k8s-app: cilium
{% endif %}
---
# Source: cilium/templates/hubble-relay-service.yaml
kind: Service
apiVersion: v1
metadata:
name: hubble-relay
namespace: kube-system
labels:
k8s-app: hubble-relay
spec:
type: ClusterIP
selector:
k8s-app: hubble-relay
ports:
- protocol: TCP
port: 80
targetPort: 4245
---
# Source: cilium/templates/hubble-ui-service.yaml
kind: Service
apiVersion: v1
metadata:
name: hubble-ui
labels:
k8s-app: hubble-ui
namespace: kube-system
spec:
selector:
k8s-app: hubble-ui
ports:
- name: http
port: 80
targetPort: 8081
type: ClusterIP