Cilium < 1.20 unconditionally registers a field indexer for TLSRoute
v1alpha2 when the Gateway API controller is enabled, but Gateway API
>= 1.5.0 ships TLSRoute v1alpha2 with served=false in the standard
channel. The result is cilium-operator CrashLoopBackOff with:
no matches for kind "TLSRoute" in version "gateway.networking.k8s.io/v1alpha2"
The fix landed in Cilium 1.20 only and will not be backported.
Add a preflight assert that triggers only when all of the following
hold: cilium_gateway_api_enabled, gateway_api_enabled, cilium_version
< 1.20.0, gateway_api_version >= 1.5.0, and gateway_api_channel ==
"standard". Users hit by this combo get a clear error and two
workarounds (pin gateway_api_version to 1.4.1, or switch
gateway_api_channel to "experimental") instead of debugging a crash
loop after the fact.
Signed-off-by: Kay Yan <kay.yan@daocloud.io>
The cilium_enable_prometheus variable was defined in defaults and
documented in sample inventory but never mapped to the Helm values
template, making it a no-op. Add the prometheus.enabled field to
values.yaml.j2 so that setting cilium_enable_prometheus: true
correctly enables Prometheus metrics on the Cilium agent.
Signed-off-by: Kay Yan <kay.yan@daocloud.io>
`cilium install` is equivalent to `helm install`, it will failed if
cilium relase exist. `cilium version` can know the release exist without
helm binary
Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Give users two options: besides skip Cilium, add
`cilium_remove_old_resources`, default is `false`, when set to `true`,
it will remove the content of the old version, but it will cause the
downtime, need to be careful to use.
Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
This patch fixes the indentation in the `encryption` section.
Previously configuration like this:
```yml
cilium_encryption_enabled: true
cilium_encryption_type: wireguard
```
Would template to a `values.yaml` file with indentation that looks like this:
```yml
encryption:
enabled: True
type: wireguard
nodeEncryption: False
```
instead of this:
```yml
encryption:
enabled: true
type: wireguard
nodeEncryption: false
```
This syntax issue causes an error during Cilium installation.
This patch also makes all boolean values in this template file go through the `to_json` filter.
Since values like `True` and `False` are not compliant with the YAML v1.2 spec,
avoiding them is preferable.
`to_json` may be used for all other values in this template to ensure we end up with
a valid YAML document in all cases (even when various strings include special characters),
but this was left for another (future) patch.
* feat(cilium): add configurable Hubble export log rotation parameters
- Adds support for `cilium_hubble_export_file_max_backups` and `cilium_hubble_export_file_max_size_mb`
- Applies values only if `cilium_hubble_export_file_path` is defined
- Default values are set in role defaults
- Cleans up template logic by removing unnecessary conditionals
* Fix indentation for hubble export settings
* Fix undefined variable issue with ipwrap in kubeconfig override that caused pre-commit errors
* Update main.yml
rollback
- This enables ithe override of the tolerations for the cilium-operator deployment
- default behaviour is to leave the toleration as is unless the var is set
* Add vars for configuring cilium IP load balancer pools and bgp peer policies
* Cilium 1.16+ Support - Add vars for configuring cilium bgpv2 api & handle cilium_kube_proxy_replacement unsupported values
* Update cluster-role for cilium to prevent errors in agent startup
ciliumloadbalancerippools permissions exists in the cilium helm chart for version 1.13.0
https://github.com/cilium/cilium/blob/v1.13.0/install/kubernetes/cilium/templates/cilium-agent/clusterrole.yaml#L71
The agent also needs permissions to read/watch secrets for bgp auth secrets when using CiliumBGPPeeringPolicy with a secret.
* Remove list/watch permissions for secrets
* Remove secrets from list/watch permissions
Testing for group membership with group names makes Kubespray more
tolerant towards the structure of the inventory.
Where 'inventory_hostname in groups["some_group"] would fail if
"some_group" is not defined, '"some_group" in group_names' would not.
