chore: bundled more helm charts
diff --git a/charts/cilium/values.yaml b/charts/cilium/values.yaml
new file mode 100644
index 0000000..ff1e3b9
--- /dev/null
+++ b/charts/cilium/values.yaml
@@ -0,0 +1,1697 @@
+# upgradeCompatibility helps users upgrading to ensure that the configMap for
+# Cilium will not change critical values to ensure continued operation
+# This is flag is not required for new installations.
+# For example: 1.7, 1.8, 1.9
+# upgradeCompatibility: '1.8'
+
+debug:
+ # -- Enable debug logging
+ enabled: false
+ # verbose:
+
+rbac:
+ # -- Enable creation of Resource-Based Access Control configuration.
+ create: true
+
+# -- Configure image pull secrets for pulling container images
+imagePullSecrets:
+# - name: "image-pull-secret"
+
+# kubeConfigPath: ~/.kube/config
+# k8sServiceHost:
+# k8sServicePort:
+
+cluster:
+ # -- Name of the cluster. Only required for Cluster Mesh.
+ name: default
+ # -- (int) Unique ID of the cluster. Must be unique across all connected
+ # clusters and in the range of 1 to 255. Only required for Cluster Mesh.
+ id:
+
+# -- Define serviceAccount names for components.
+# @default -- Component's fully qualified name.
+serviceAccounts:
+ cilium:
+ create: true
+ name: cilium
+ annotations: {}
+ etcd:
+ create: true
+ name: cilium-etcd-operator
+ annotations: {}
+ operator:
+ create: true
+ name: cilium-operator
+ annotations: {}
+ preflight:
+ create: true
+ name: cilium-pre-flight
+ annotations: {}
+ relay:
+ create: true
+ name: hubble-relay
+ annotations: {}
+ ui:
+ create: true
+ name: hubble-ui
+ annotations: {}
+ clustermeshApiserver:
+ create: true
+ name: clustermesh-apiserver
+ annotations: {}
+ # -- Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob
+ clustermeshcertgen:
+ create: true
+ name: clustermesh-apiserver-generate-certs
+ annotations: {}
+ # -- Hubblecertgen is used if hubble.tls.auto.method=cronJob
+ hubblecertgen:
+ create: true
+ name: hubble-generate-certs
+ annotations: {}
+
+# -- Install the cilium agent resources.
+agent: true
+
+# -- Agent container name.
+name: cilium
+
+# -- Roll out cilium agent pods automatically when configmap is updated.
+rollOutCiliumPods: false
+
+# -- Agent container image.
+image:
+ repository: quay.io/cilium/cilium
+ tag: v1.10.7
+ pullPolicy: IfNotPresent
+ # cilium-digest
+ digest: "sha256:e23f55e80e1988db083397987a89967aa204ad6fc32da243b9160fbcea29b0ca"
+ useDigest: true
+
+# -- Pod affinity for cilium-agent.
+affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ # Compatible with Kubernetes 1.12.x and 1.13.x
+ - matchExpressions:
+ - key: beta.kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: k8s-app
+ operator: In
+ values:
+ - cilium
+ topologyKey: kubernetes.io/hostname
+
+# -- The priority class to use for cilium-agent.
+priorityClassName: ""
+
+# -- Additional agent container arguments.
+extraArgs: []
+
+# -- Additional agent container environment variables.
+extraEnv: {}
+
+# -- Additional InitContainers to initialize the pod.
+extraInitContainers: []
+
+# -- Additional agent hostPath mounts.
+extraHostPathMounts: []
+ # - name: host-mnt-data
+ # mountPath: /host/mnt/data
+ # hostPath: /mnt/data
+ # hostPathType: Directory
+ # readOnly: true
+ # mountPropagation: HostToContainer
+
+# -- Additional agent ConfigMap mounts.
+extraConfigmapMounts: []
+ # - name: certs-configmap
+ # mountPath: /certs
+ # configMap: certs-configmap
+ # readOnly: true
+
+# -- extraConfig allows you to specify additional configuration parameters to be
+# included in the cilium-config configmap.
+extraConfig: {}
+# my-config-a: "1234"
+# my-config-b: |-
+# test 1
+# test 2
+# test 3
+
+# -- Node tolerations for agent scheduling to nodes with taints
+# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+tolerations:
+- operator: Exists
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+# -- Annotations to be added to agent pods
+podAnnotations: {}
+
+# -- Labels to be added to agent pods
+podLabels: {}
+
+# -- PodDisruptionBudget settings
+# ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+podDisruptionBudget:
+ enabled: true
+ maxUnavailable: 2
+
+# -- Agent resource limits & requests
+# ref: https://kubernetes.io/docs/user-guide/compute-resources/
+resources: {}
+ # limits:
+ # cpu: 4000m
+ # memory: 4Gi
+ # requests:
+ # cpu: 100m
+ # memory: 512Mi
+
+# -- Security context to be added to agent pods
+securityContext: {}
+ # runAsUser: 0
+
+# -- Cilium agent update strategy
+updateStrategy:
+ rollingUpdate:
+ maxUnavailable: 2
+ type: RollingUpdate
+
+# Configuration Values for cilium-agent
+
+# -- Enable installation of PodCIDR routes between worker
+# nodes if worker nodes share a common L2 network segment.
+autoDirectNodeRoutes: false
+
+azure:
+ # -- Enable Azure integration
+ enabled: false
+ # resourceGroup: group1
+ # subscriptionID: 00000000-0000-0000-0000-000000000000
+ # tenantID: 00000000-0000-0000-0000-000000000000
+ # clientID: 00000000-0000-0000-0000-000000000000
+ # clientSecret: 00000000-0000-0000-0000-000000000000
+ # userAssignedIdentityID: 00000000-0000-0000-0000-000000000000
+
+alibabacloud:
+ # -- Enable AlibabaCloud ENI integration
+ enabled: false
+
+# -- Optimize TCP and UDP workloads and enable rate-limiting traffic from
+# individual Pods with EDT (Earliest Departure Time)
+# through the "kubernetes.io/egress-bandwidth" Pod annotation.
+bandwidthManager: false
+
+# -- Configure BGP
+bgp:
+ # -- Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside
+ # cilium-agent and cilium-operator
+ enabled: false
+ announce:
+ # -- Enable allocation and announcement of service LoadBalancer IPs
+ loadbalancerIP: false
+
+bpf:
+ # -- Enable BPF clock source probing for more efficient tick retrieval.
+ clockProbe: false
+
+ # -- Enables pre-allocation of eBPF map values. This increases
+ # memory usage but can reduce latency.
+ preallocateMaps: false
+
+ # -- Configure the maximum number of entries in the TCP connection tracking
+ # table.
+ # ctTcpMax: '524288'
+
+ # -- Configure the maximum number of entries for the non-TCP connection
+ # tracking table.
+ # ctAnyMax: '262144'
+
+ # -- Configure the maximum number of service entries in the
+ # load balancer maps.
+ lbMapMax: 65536
+
+ # -- Configure the maximum number of entries for the NAT table.
+ # natMax: 524288
+
+ # -- Configure the maximum number of entries for the neighbor table.
+ # neighMax: 524288
+
+ # -- Configure the maximum number of entries in endpoint policy map (per endpoint).
+ policyMapMax: 16384
+
+ # -- Configure auto-sizing for all BPF maps based on available memory.
+ # ref: https://docs.cilium.io/en/stable/concepts/ebpf/maps/#ebpf-maps
+ #mapDynamicSizeRatio: 0.0025
+
+ # -- Configure the level of aggregation for monitor notifications.
+ # Valid options are none, low, medium, maximum.
+ monitorAggregation: medium
+
+ # -- Configure the typical time between monitor notifications for
+ # active connections.
+ monitorInterval: "5s"
+
+ # -- Configure which TCP flags trigger notifications when seen for the
+ # first time in a connection.
+ monitorFlags: "all"
+
+ # -- Allow cluster external access to ClusterIP services.
+ lbExternalClusterIP: false
+
+ # -- Enable native IP masquerade support in eBPF
+ #masquerade: false
+
+ # -- Configure whether direct routing mode should route traffic via
+ # host stack (true) or directly and more efficiently out of BPF (false) if
+ # the kernel supports it. The latter has the implication that it will also
+ # bypass netfilter in the host namespace.
+ #hostRouting: true
+
+ # -- Configure the eBPF-based TPROXY to reduce reliance on iptables rules
+ # for implementing Layer 7 policy.
+ # tproxy: true
+
+ # -- Configure the FIB lookup bypass optimization for nodeport reverse
+ # NAT handling.
+ # lbBypassFIBLookup: true
+
+# -- Clean all eBPF datapath state from the initContainer of the cilium-agent
+# DaemonSet.
+#
+# WARNING: Use with care!
+cleanBpfState: false
+
+# -- Clean all local Cilium state from the initContainer of the cilium-agent
+# DaemonSet. Implies cleanBpfState: true.
+#
+# WARNING: Use with care!
+cleanState: false
+
+cni:
+ # -- Install the CNI configuration and binary files into the filesystem.
+ install: true
+
+ # -- Configure chaining on top of other CNI plugins. Possible values:
+ # - none
+ # - generic-veth
+ # - aws-cni
+ # - portmap
+ chainingMode: none
+
+ # -- Make Cilium take ownership over the `/etc/cni/net.d` directory on the
+ # node, renaming all non-Cilium CNI configurations to `*.cilium_bak`.
+ # This ensures no Pods can be scheduled using other CNI plugins during Cilium
+ # agent downtime.
+ exclusive: true
+
+ # -- Skip writing of the CNI configuration. This can be used if
+ # writing of the CNI configuration is performed by external automation.
+ customConf: false
+
+ # -- Configure the path to the CNI configuration directory on the host.
+ confPath: /etc/cni/net.d
+
+ # -- Configure the path to the CNI binary directory on the host.
+ binPath: /opt/cni/bin
+
+ # -- Specify the path to a CNI config to read from on agent start.
+ # This can be useful if you want to manage your CNI
+ # configuration outside of a Kubernetes environment. This parameter is
+ # mutually exclusive with the 'cni.configMap' parameter.
+ # readCniConf: /host/etc/cni/net.d/05-cilium.conf
+
+ # -- When defined, configMap will mount the provided value as ConfigMap and
+ # interpret the cniConf variable as CNI configuration file and write it
+ # when the agent starts up
+ # configMap: cni-configuration
+
+ # -- Configure the key in the CNI ConfigMap to read the contents of
+ # the CNI configuration from.
+ configMapKey: cni-config
+
+ # -- Configure the path to where to mount the ConfigMap inside the agent pod.
+ confFileMountPath: /tmp/cni-configuration
+
+ # -- Configure the path to where the CNI configuration directory is mounted
+ # inside the agent pod.
+ hostConfDirMountPath: /host/etc/cni/net.d
+
+# -- Configure how frequently garbage collection should occur for the datapath
+# connection tracking table.
+# conntrackGCInterval: "0s"
+
+# -- Configure container runtime specific integration.
+containerRuntime:
+ # -- Enables specific integrations for container runtimes.
+ # Supported values:
+ # - containerd
+ # - crio
+ # - docker
+ # - none
+ # - auto (automatically detect the container runtime)
+ integration: none
+ # -- Configure the path to the container runtime control socket.
+ # socketPath: /path/to/runtime.sock
+
+# crdWaitTimeout: ""
+
+# -- Tail call hooks for custom eBPF programs.
+customCalls:
+ # -- Enable tail call hooks for custom eBPF programs.
+ enabled: false
+
+# -- Configure which datapath mode should be used for configuring container
+# connectivity. Valid options are "veth" or "ipvlan".
+datapathMode: veth
+
+daemon:
+ # -- Configure where Cilium runtime state should be stored.
+ runPath: "/var/run/cilium"
+
+# -- Specify which network interfaces can run the eBPF datapath. This means
+# that a packet sent from a pod to a destination outside the cluster will be
+# masqueraded (to an output device IPv4 address), if the output device runs the
+# program. When not specified, probing will automatically detect devices.
+# devices: ""
+
+# -- Chains to ignore when installing feeder rules.
+# disableIptablesFeederRules: ""
+
+# -- Limit egress masquerading to interface selector.
+# egressMasqueradeInterfaces: ""
+
+# -- Whether to enable CNP status updates.
+enableCnpStatusUpdates: false
+
+# -- Configures the use of the KVStore to optimize Kubernetes event handling by
+# mirroring it into the KVstore for reduced overhead in large clusters.
+enableK8sEventHandover: false
+
+# TODO: Add documentation
+# enableIdentityMark: false
+
+# enableK8sEndpointSlice: false
+
+# -- Enables the fallback compatibility solution for when the xt_socket kernel
+# module is missing and it is needed for the datapath L7 redirection to work
+# properly. See documentation for details on when this can be disabled:
+# http://docs.cilium.io/en/stable/install/system_requirements/#admin-kernel-version.
+enableXTSocketFallback: true
+
+encryption:
+ # -- Enable transparent network encryption.
+ enabled: false
+
+ # -- Encryption method. Can be either ipsec or wireguard.
+ type: ipsec
+
+ # -- Enable encryption for pure node to node traffic.
+ # This option is only effective when encryption.type is set to ipsec.
+ nodeEncryption: false
+
+ ipsec:
+ # -- Name of the key file inside the Kubernetes secret configured via secretName.
+ keyFile: ""
+
+ # -- Path to mount the secret inside the Cilium pod.
+ mountPath: ""
+
+ # -- Name of the Kubernetes secret containing the encryption keys.
+ secretName: ""
+
+ # -- The interface to use for encrypted traffic.
+ interface: ""
+
+ # -- Deprecated in favor of encryption.ipsec.keyFile.
+ # Name of the key file inside the Kubernetes secret configured via secretName.
+ # This option is only effective when encryption.type is set to ipsec.
+ keyFile: keys
+
+ # -- Deprecated in favor of encryption.ipsec.mountPath.
+ # Path to mount the secret inside the Cilium pod.
+ # This option is only effective when encryption.type is set to ipsec.
+ mountPath: /etc/ipsec
+
+ # -- Deprecated in favor of encryption.ipsec.secretName.
+ # Name of the Kubernetes secret containing the encryption keys.
+ # This option is only effective when encryption.type is set to ipsec.
+ secretName: cilium-ipsec-keys
+
+ # -- Deprecated in favor of encryption.ipsec.interface.
+ # The interface to use for encrypted traffic.
+ # This option is only effective when encryption.type is set to ipsec.
+ interface: ""
+
+endpointHealthChecking:
+ # -- Enable connectivity health checking between virtual endpoints.
+ enabled: true
+
+# -- Enable endpoint status.
+# Status can be: policy, health, controllers, logs and / or state. For 2 or more options use a comma.
+endpointStatus:
+ enabled: false
+ status: ""
+
+endpointRoutes:
+ # -- Enable use of per endpoint routes instead of routing via
+ # the cilium_host interface.
+ enabled: false
+
+eni:
+ # -- Enable Elastic Network Interface (ENI) integration.
+ enabled: false
+ # -- Update ENI Adapter limits from the EC2 API
+ updateEC2AdapterLimitViaAPI: false
+ # -- Release IPs not used from the ENI
+ awsReleaseExcessIPs: false
+ # -- EC2 API endpoint to use
+ ec2APIEndpoint: ""
+ # -- Tags to apply to the newly created ENIs
+ eniTags: {}
+ # -- If using IAM role for Service Accounts will not try to
+ # inject identity values from cilium-aws kubernetes secret.
+ # Adds annotation to service account if managed by Helm.
+ # See https://github.com/aws/amazon-eks-pod-identity-webhook
+ iamRole: ""
+ # -- Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs
+ subnetIDsFilter: ""
+ # -- Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs
+ subnetTagsFilter: ""
+
+externalIPs:
+ # -- Enable ExternalIPs service support.
+ enabled: false
+
+# fragmentTracking enables IPv4 fragment tracking support in the datapath.
+# fragmentTracking: true
+
+gke:
+ # -- Enable Google Kubernetes Engine integration
+ enabled: false
+
+# -- Enable connectivity health checking.
+healthChecking: true
+
+# -- TCP port for the agent health API. This is not the port for cilium-health.
+healthPort: 9876
+
+# -- Enables the enforcement of host policies in the eBPF datapath.
+hostFirewall: false
+
+hostPort:
+ # -- Enable hostPort service support.
+ enabled: false
+
+# -- Configure ClusterIP service handling in the host namespace (the node).
+hostServices:
+ # -- Enable host reachable services.
+ enabled: false
+
+ # -- Supported list of protocols to apply ClusterIP translation to.
+ protocols: tcp,udp
+
+ # -- Disable socket lb for non-root ns. This is used to enable Istio routing rules.
+ # hostNamespaceOnly: false
+
+# -- Configure certificate generation for Hubble integration.
+# If hubble.tls.auto.method=cronJob, these values are used
+# for the Kubernetes CronJob which will be scheduled regularly to
+# (re)generate any certificates not provided manually.
+certgen:
+ image:
+ repository: quay.io/cilium/certgen
+ tag: v0.1.5
+ pullPolicy: IfNotPresent
+ # -- Seconds after which the completed job pod will be deleted
+ ttlSecondsAfterFinished: 1800
+ # -- Labels to be added to hubble-certgen pods
+ podLabels: {}
+
+hubble:
+ # -- Enable Hubble (true by default).
+ enabled: true
+
+ # -- Buffer size of the channel Hubble uses to receive monitor events. If this
+ # value is not set, the queue size is set to the default monitor queue size.
+ # eventQueueSize: ""
+
+ # -- Number of recent flows for Hubble to cache. Defaults to 4095.
+ # Possible values are:
+ # 1, 3, 7, 15, 31, 63, 127, 255, 511, 1023,
+ # 2047, 4095, 8191, 16383, 32767, 65535
+ # eventBufferCapacity: "4095"
+
+ # -- Hubble metrics configuration.
+ # See https://docs.cilium.io/en/stable/configuration/metrics/#hubble-metrics
+ # for more comprehensive documentation about Hubble metrics.
+ metrics:
+ # -- Configures the list of metrics to collect. If empty or null, metrics
+ # are disabled.
+ # Example:
+ #
+ # enabled:
+ # - dns:query;ignoreAAAA
+ # - drop
+ # - tcp
+ # - flow
+ # - icmp
+ # - http
+ #
+ # You can specify the list of metrics from the helm CLI:
+ #
+ # --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}"
+ #
+ enabled: ~
+ # -- Configure the port the hubble metric server listens on.
+ port: 9091
+ serviceMonitor:
+ # -- Create ServiceMonitor resources for Prometheus Operator.
+ # This requires the prometheus CRDs to be available.
+ # ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
+ enabled: false
+ # -- Labels to add to ServiceMonitor hubble
+ labels: {}
+
+ # -- Unix domain socket path to listen to when Hubble is enabled.
+ socketPath: /var/run/cilium/hubble.sock
+
+ # -- An additional address for Hubble to listen to.
+ # Set this field ":4244" if you are enabling Hubble Relay, as it assumes that
+ # Hubble is listening on port 4244.
+ listenAddress: ":4244"
+
+ # -- TLS configuration for Hubble
+ tls:
+ # -- Enable mutual TLS for listenAddress. Setting this value to false is
+ # highly discouraged as the Hubble API provides access to potentially
+ # sensitive network flow metadata and is exposed on the host network.
+ enabled: true
+ # -- Configure automatic TLS certificates generation.
+ auto:
+ # -- Auto-generate certificates.
+ # When set to true, automatically generate a CA and certificates to
+ # enable mTLS between Hubble server and Hubble Relay instances. If set to
+ # false, the certs for Hubble server need to be provided by setting
+ # appropriate values below.
+ enabled: true
+ # -- Set the method to auto-generate certificates. Supported values:
+ # - helm: This method uses Helm to generate all certificates.
+ # - cronJob: This method uses a Kubernetes CronJob the generate any
+ # certificates not provided by the user at installation
+ # time.
+ method: helm
+ # -- Generated certificates validity duration in days.
+ certValidityDuration: 1095
+ # -- Schedule for certificates regeneration (regardless of their expiration date).
+ # Only used if method is "cronJob". If nil, then no recurring job will be created.
+ # Instead, only the one-shot job is deployed to generate the certificates at
+ # installation time.
+ #
+ # Defaults to midnight of the first day of every fourth month. For syntax, see
+ # https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule
+ schedule: "0 0 1 */4 *"
+ # -- base64 encoded PEM values for the Hubble CA certificate and private key.
+ ca:
+ cert: ""
+ # -- The CA private key (optional). If it is provided, then it will be
+ # used by hubble.tls.auto.method=cronJob to generate all other certificates.
+ # Otherwise, a ephemeral CA is generated if hubble.tls.auto.enabled=true.
+ key: ""
+ # -- base64 encoded PEM values for the Hubble server certificate and private key
+ server:
+ cert: ""
+ key: ""
+
+ relay:
+ # -- Enable Hubble Relay (requires hubble.enabled=true)
+ enabled: false
+
+ # -- Roll out Hubble Relay pods automatically when configmap is updated.
+ rollOutPods: false
+
+ # -- Hubble-relay container image.
+ image:
+ repository: quay.io/cilium/hubble-relay
+ tag: v1.10.7
+ # hubble-relay-digest
+ digest: "sha256:385fcc4fa315eb6b66626c3e5f607b6b6514c8c3a863c47c2b2dbc97790acb47"
+ useDigest: true
+ pullPolicy: IfNotPresent
+
+ # -- Specifies the resources for the hubble-relay pods
+ resources: {}
+
+ # -- Number of replicas run for the hubble-relay deployment.
+ replicas: 1
+
+ # -- Node labels for pod assignment
+ # ref: https://kubernetes.io/docs/user-guide/node-selection/
+ nodeSelector: {}
+
+ # -- Annotations to be added to hubble-relay pods
+ podAnnotations: {}
+
+ # -- Labels to be added to hubble-relay pods
+ podLabels: {}
+
+ # -- Node tolerations for pod assignment on nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ #
+ tolerations: []
+
+ # -- hubble-relay update strategy
+ updateStrategy:
+ rollingUpdate:
+ maxUnavailable: 1
+ type: RollingUpdate
+
+ # -- Host to listen to. Specify an empty string to bind to all the interfaces.
+ listenHost: ""
+
+ # -- Port to listen to.
+ listenPort: "4245"
+
+ # -- TLS configuration for Hubble Relay
+ tls:
+ # -- base64 encoded PEM values for the hubble-relay client certificate and private key
+ # This keypair is presented to Hubble server instances for mTLS
+ # authentication and is required when hubble.tls.enabled is true.
+ # These values need to be set manually if hubble.tls.auto.enabled is false.
+ client:
+ cert: ""
+ key: ""
+ # -- base64 encoded PEM values for the hubble-relay server certificate and private key
+ server:
+ # When set to true, enable TLS on for Hubble Relay server
+ # (ie: for clients connecting to the Hubble Relay API).
+ enabled: false
+ # These values need to be set manually if hubble.tls.auto.enabled is false.
+ cert: ""
+ key: ""
+
+ # -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s").
+ dialTimeout: ~
+
+ # -- Backoff duration to retry connecting to the local hubble instance in case of failure (e.g. "30s").
+ retryTimeout: ~
+
+ # -- Max number of flows that can be buffered for sorting before being sent to the
+ # client (per request) (e.g. 100).
+ sortBufferLenMax: ~
+
+ # -- When the per-request flows sort buffer is not full, a flow is drained every
+ # time this timeout is reached (only affects requests in follow-mode) (e.g. "1s").
+ sortBufferDrainTimeout: ~
+
+ # -- Port to use for the k8s service backed by hubble-relay pods.
+ # If not set, it is dynamically assigned to port 443 if TLS is enabled and to
+ # port 80 if not.
+ # servicePort: 80
+
+ ui:
+ # -- Whether to enable the Hubble UI.
+ enabled: false
+
+ # -- Roll out Hubble-ui pods automatically when configmap is updated.
+ rollOutPods: false
+
+ backend:
+ # -- Hubble-ui backend image.
+ image:
+ repository: quay.io/cilium/hubble-ui-backend
+ tag: v0.8.5@sha256:2bce50cf6c32719d072706f7ceccad654bfa907b2745a496da99610776fe31ed
+ pullPolicy: IfNotPresent
+ # [Example]
+ # resources:
+ # limits:
+ # cpu: 1000m
+ # memory: 1024M
+ # requests:
+ # cpu: 100m
+ # memory: 64Mi
+ # -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment.
+ resources: {}
+
+ frontend:
+ # -- Hubble-ui frontend image.
+ image:
+ repository: quay.io/cilium/hubble-ui
+ tag: v0.8.5@sha256:4eaca1ec1741043cfba6066a165b3bf251590cf4ac66371c4f63fbed2224ebb4
+ pullPolicy: IfNotPresent
+ # [Example]
+ # resources:
+ # limits:
+ # cpu: 1000m
+ # memory: 1024M
+ # requests:
+ # cpu: 100m
+ # memory: 64Mi
+ # -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment.
+ resources: {}
+
+ proxy:
+ # -- Hubble-ui ingress proxy image.
+ image:
+ repository: docker.io/envoyproxy/envoy
+ tag: v1.18.4@sha256:e5c2bb2870d0e59ce917a5100311813b4ede96ce4eb0c6bfa879e3fbe3e83935
+ pullPolicy: IfNotPresent
+ # [Example]
+ # resources:
+ # limits:
+ # cpu: 1000m
+ # memory: 1024M
+ # requests:
+ # cpu: 100m
+ # memory: 64Mi
+ # -- Resource requests and limits for the 'proxy' container of the 'hubble-ui' deployment.
+ resources: {}
+
+ # -- The number of replicas of Hubble UI to deploy.
+ replicas: 1
+
+ # -- Annotations to be added to hubble-ui pods
+ podAnnotations: {}
+
+ # -- Labels to be added to hubble-ui pods
+ podLabels: {}
+
+ # -- Node labels for pod assignment
+ # ref: https://kubernetes.io/docs/user-guide/node-selection/
+ nodeSelector: {}
+
+ # -- Node tolerations for pod assignment on nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ #
+ tolerations: []
+
+ # -- hubble-ui update strategy.
+ updateStrategy:
+ rollingUpdate:
+ maxUnavailable: 1
+ type: RollingUpdate
+
+ securityContext:
+ # -- Whether to set the security context on the Hubble UI pods.
+ enabled: true
+
+ # -- hubble-ui ingress configuration.
+ ingress:
+ enabled: false
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - chart-example.local
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+
+# -- Method to use for identity allocation (`crd` or `kvstore`).
+identityAllocationMode: "crd"
+
+# TODO: Add documentation
+# identityChangeGracePeriod: "5s"
+
+# TODO: Add documentation
+# identityGCInterval:
+
+# TODO: Add documentation
+# identityHeartbeatTimeout: ""
+
+
+# -- Configure whether to install iptables rules to allow for TPROXY
+# (L7 proxy injection), iptables-based masquerading and compatibility
+# with kube-proxy.
+installIptablesRules: true
+
+# -- Install Iptables rules to skip netfilter connection tracking on all pod
+# traffic. This option is only effective when Cilium is running in direct
+# routing and full KPR mode. Moreover, this option cannot be enabled when Cilium
+# is running in a managed Kubernetes environment or in a chained CNI setup.
+installNoConntrackIptablesRules: false
+
+ipam:
+ # -- Configure IP Address Management mode.
+ # ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/
+ mode: "cluster-pool"
+ operator:
+ # -- IPv4 CIDR range to delegate to individual nodes for IPAM.
+ clusterPoolIPv4PodCIDR: "10.0.0.0/8"
+ # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM.
+ clusterPoolIPv4MaskSize: 24
+ # -- IPv6 CIDR range to delegate to individual nodes for IPAM.
+ clusterPoolIPv6PodCIDR: "fd00::/104"
+ # -- IPv6 CIDR mask size to delegate to individual nodes for IPAM.
+ clusterPoolIPv6MaskSize: 120
+
+# -- Configure the eBPF-based ip-masq-agent
+ipMasqAgent:
+ enabled: false
+
+# iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium.
+# iptablesLockTimeout: "5s"
+
+ipv4:
+ # -- Enable IPv4 support.
+ enabled: true
+
+ipv6:
+ # -- Enable IPv6 support.
+ enabled: false
+
+ipvlan:
+ # -- Enable the IPVLAN datapath
+ enabled: false
+
+ # -- masterDevice is the name of the device to use to attach secondary IPVLAN
+ # devices
+ # masterDevice: eth0
+
+# -- Configure Kubernetes specific configuration
+k8s: {}
+ # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
+ # range via the Kubernetes node resource
+ # requireIPv4PodCIDR: false
+
+ # -- requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR
+ # range via the Kubernetes node resource
+ # requireIPv6PodCIDR: false
+
+# -- Keep the deprecated selector labels when deploying Cilium DaemonSet.
+keepDeprecatedLabels: false
+
+# -- Keep the deprecated probes when deploying Cilium DaemonSet
+keepDeprecatedProbes: false
+
+startupProbe:
+ # -- failure threshold of startup probe.
+ # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s)
+ failureThreshold: 105
+ # -- interval between checks of the startup probe
+ periodSeconds: 2
+livenessProbe:
+ # -- failure threshold of liveness probe
+ failureThreshold: 10
+ # -- interval between checks of the liveness probe
+ periodSeconds: 30
+readinessProbe:
+ # -- failure threshold of readiness probe
+ failureThreshold: 3
+ # -- interval between checks of the readiness probe
+ periodSeconds: 30
+
+# -- Configure the kube-proxy replacement in Cilium BPF datapath
+# Valid options are "disabled", "probe", "partial", "strict".
+# ref: https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free/
+#kubeProxyReplacement: "disabled"
+
+# -- healthz server bind address for the kube-proxy replacement.
+# To enable set the value to '0.0.0.0:10256' for all ipv4
+# addresses and this '[::]:10256' for all ipv6 addresses.
+# By default it is disabled.
+kubeProxyReplacementHealthzBindAddr: ""
+
+l2NeighDiscovery:
+ # -- Enable L2 neighbour discovery in the agent
+ enabled: true
+ # -- Set period for arping
+ arping-refresh-period: "5m"
+
+# -- Enable Layer 7 network policy.
+l7Proxy: true
+
+# -- Enable Local Redirect Policy.
+localRedirectPolicy: false
+
+# To include or exclude matched resources from cilium identity evaluation
+# labels: ""
+
+# logOptions allows you to define logging options. eg:
+# logOptions:
+# format: json
+
+# -- Enables periodic logging of system load
+logSystemLoad: false
+
+
+# -- Configure maglev consistent hashing
+maglev: {}
+ # -- tableSize is the size (parameter M) for the backend table of one
+ # service entry
+ # tableSize:
+
+ # -- hashSeed is the cluster-wide base64 encoded seed for the hashing
+ # hashSeed:
+
+# -- Enables masquerading of IPv4 traffic leaving the node from endpoints.
+enableIPv4Masquerade: true
+
+# -- Enables masquerading of IPv6 traffic leaving the node from endpoints.
+enableIPv6Masquerade: true
+
+# -- Enables egress gateway (beta) to redirect and SNAT the traffic that
+# leaves the cluster.
+egressGateway:
+ enabled: false
+
+# -- Specify the CIDR for native routing (ie to avoid IP masquerade for).
+# This value corresponds to the configured cluster-cidr.
+# nativeRoutingCIDR:
+
+monitor:
+ # -- Enable the cilium-monitor sidecar.
+ enabled: false
+
+# -- Configure service load balancing
+# loadBalancer:
+ # -- standalone enables the standalone L4LB which does not connect to
+ # kube-apiserver.
+ # standalone: false
+
+ # -- algorithm is the name of the load balancing algorithm for backend
+ # selection e.g. random or maglev
+ # algorithm: random
+
+ # -- mode is the operation mode of load balancing for remote backends
+ # e.g. snat, dsr, hybrid
+ # mode: snat
+
+ # -- acceleration is the option to accelerate service handling via XDP
+ # e.g. native, disabled
+ # acceleration: disabled
+
+ # -- dsrDispatch configures whether IP option or IPIP encapsulation is
+ # used to pass a service IP and port to remote backend
+ # dsrDispatch: opt
+
+# -- Configure N-S k8s service loadbalancing
+nodePort:
+ # -- Enable the Cilium NodePort service implementation.
+ enabled: false
+
+ # -- Port range to use for NodePort services.
+ # range: "30000,32767"
+
+ # -- Set to true to prevent applications binding to service ports.
+ bindProtection: true
+
+ # -- Append NodePort range to ip_local_reserved_ports if clash with ephemeral
+ # ports is detected.
+ autoProtectPortRange: true
+
+ # -- Enable healthcheck nodePort server for NodePort services
+ enableHealthCheck: true
+
+# policyAuditMode: false
+
+# -- The agent can be put into one of the three policy enforcement modes:
+# default, always and never.
+# ref: https://docs.cilium.io/en/stable/policy/intro/#policy-enforcement-modes
+policyEnforcementMode: "default"
+
+pprof:
+ # -- Enable Go pprof debugging
+ enabled: false
+
+# -- Configure prometheus metrics on the configured port at /metrics
+prometheus:
+ enabled: false
+ port: 9090
+ serviceMonitor:
+ # -- Enable service monitors.
+ # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
+ #
+ enabled: false
+ # -- Labels to add to ServiceMonitor cilium-agent
+ labels: {}
+ # -- Specify the Kubernetes namespace where Prometheus expects to find
+ # service monitors configured.
+ # namespace: ""
+ # -- Metrics that should be enabled or disabled from the default metric
+ # list. (+metric_foo to enable metric_foo , -metric_bar to disable
+ # metric_bar).
+ # ref: https://docs.cilium.io/en/stable/operations/metrics/#exported-metrics
+ metrics: ~
+
+# -- Configure Istio proxy options.
+proxy:
+ prometheus:
+ enabled: true
+ port: "9095"
+ # -- Regular expression matching compatible Istio sidecar istio-proxy
+ # container image names
+ sidecarImageRegex: "cilium/istio_proxy"
+
+# -- Enable use of the remote node identity.
+# ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity
+remoteNodeIdentity: true
+
+# -- Enable resource quotas for priority classes used in the cluster.
+resourceQuotas:
+ enabled: false
+ cilium:
+ hard:
+ # 5k nodes * 2 DaemonSets (Cilium and cilium node init)
+ pods: "10k"
+ operator:
+ hard:
+ # 15 "clusterwide" Cilium Operator pods for HA
+ pods: "15"
+
+# Need to document default
+##################
+#sessionAffinity: false
+
+# -- Do not run Cilium agent when running with clean mode. Useful to completely
+# uninstall Cilium as it will stop Cilium from starting and create artifacts
+# in the node.
+sleepAfterInit: false
+
+# -- Configure BPF socket operations configuration
+sockops:
+ # enabled enables installation of socket options acceleration.
+ enabled: false
+
+# TODO: Add documentation, default value
+# svcSourceRangeCheck:
+
+# synchronizeK8sNodes: true
+
+# -- Configure TLS configuration in the agent.
+tls:
+ enabled: true
+ secretsBackend: local
+
+# -- Configure the encapsulation configuration for communication between nodes.
+# Possible values:
+# - disabled
+# - vxlan (default)
+# - geneve
+tunnel: "vxlan"
+
+wellKnownIdentities:
+ # -- Enable the use of well-known identities.
+ enabled: false
+
+
+etcd:
+ # -- Enable etcd mode for the agent.
+ enabled: false
+
+ # -- cilium-etcd-operator image.
+ image:
+ repository: quay.io/cilium/cilium-etcd-operator
+ tag: v2.0.7
+ pullPolicy: IfNotPresent
+
+ # -- cilium-etcd-operator priorityClassName
+ priorityClassName: ""
+
+ # -- Additional cilium-etcd-operator container arguments.
+ extraArgs: []
+
+ # -- Additional InitContainers to initialize the pod.
+ extraInitContainers: []
+
+ # -- Additional cilium-etcd-operator hostPath mounts.
+ extraHostPathMounts: []
+ # - name: textfile-dir
+ # mountPath: /srv/txt_collector
+ # hostPath: /var/lib/cilium-etcd-operator
+ # readOnly: true
+ # mountPropagation: HostToContainer
+
+ # -- Additional cilium-etcd-operator ConfigMap mounts.
+ extraConfigmapMounts: []
+ # - name: certs-configmap
+ # mountPath: /certs
+ # configMap: certs-configmap
+ # readOnly: true
+
+ # -- Node tolerations for cilium-etcd-operator scheduling to nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ tolerations:
+ - operator: Exists
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ # -- Node labels for cilium-etcd-operator pod assignment
+ # ref: https://kubernetes.io/docs/user-guide/node-selection/
+ nodeSelector: {}
+
+ # -- Annotations to be added to cilium-etcd-operator pods
+ podAnnotations: {}
+
+ # -- Labels to be added to cilium-etcd-operator pods
+ podLabels: {}
+
+ # -- PodDisruptionBudget settings
+ # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ #
+ podDisruptionBudget:
+ enabled: true
+ maxUnavailable: 2
+
+ # -- cilium-etcd-operator resource limits & requests
+ # ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ #
+ resources: {}
+ # limits:
+ # cpu: 4000m
+ # memory: 4Gi
+ # requests:
+ # cpu: 100m
+ # memory: 512Mi
+
+ # -- Security context to be added to cilium-etcd-operator pods
+ #
+ securityContext: {}
+ # runAsUser: 0
+
+ # -- cilium-etcd-operator update strategy
+ updateStrategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 1
+ type: RollingUpdate
+
+ # -- If etcd is behind a k8s service set this option to true so that Cilium
+ # does the service translation automatically without requiring a DNS to be
+ # running.
+ k8sService: false
+
+ # -- Cluster domain for cilium-etcd-operator.
+ clusterDomain: cluster.local
+
+ # -- List of etcd endpoints (not needed when using managed=true).
+ endpoints:
+ - https://CHANGE-ME:2379
+
+ # -- Enable use of TLS/SSL for connectivity to etcd. (auto-enabled if
+ # managed=true)
+ ssl: false
+
+operator:
+ # -- Enable the cilium-operator component (required).
+ enabled: true
+
+ # -- Roll out cilium-operator pods automatically when configmap is updated.
+ rollOutPods: false
+
+ # -- cilium-operator image.
+ image:
+ repository: quay.io/cilium/operator
+ tag: v1.10.7
+ # operator-generic-digest
+ genericDigest: "sha256:d0b491d8d8cb45862ed7f0410f65e7c141832f0f95262643fa5ff1edfcddcafe"
+ # operator-azure-digest
+ azureDigest: "sha256:556d692b2f08822101c159d9d6f731efe6c437d2b80f0ef96813e8745203c852"
+ # operator-aws-digest
+ awsDigest: "sha256:97b378e0e3b6b5ade6ae1706024c7a25fe6fc48e00102b65a6b7ac51d6327f40"
+ # operator-alibabacloud-digest
+ alibabacloudDigest: "sha256:7a6ccc99195ae6a8216d2a1e1e0cc05d49c2d263b194895da264899fe9d0f45a"
+ useDigest: true
+ pullPolicy: IfNotPresent
+ suffix: ""
+
+ # -- Number of replicas to run for the cilium-operator deployment
+ replicas: 2
+
+ # -- For using with an existing serviceAccount.
+ serviceAccountName: cilium-operator
+
+ # -- cilium-operator priorityClassName
+ priorityClassName: ""
+
+ # -- cilium-operator update strategy
+ updateStrategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 1
+ type: RollingUpdate
+
+ # -- cilium-operator affinity
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: io.cilium/app
+ operator: In
+ values:
+ - operator
+ topologyKey: kubernetes.io/hostname
+
+
+ # -- Additional cilium-operator container arguments.
+ extraArgs: []
+
+ # -- Additional cilium-operator environment variables.
+ extraEnv: {}
+
+ # -- Additional InitContainers to initialize the pod.
+ extraInitContainers: []
+
+ # -- Additional cilium-operator hostPath mounts.
+ extraHostPathMounts: []
+ # - name: host-mnt-data
+ # mountPath: /host/mnt/data
+ # hostPath: /mnt/data
+ # hostPathType: Directory
+ # readOnly: true
+ # mountPropagation: HostToContainer
+
+ # -- Additional cilium-operator ConfigMap mounts.
+ extraConfigmapMounts: []
+ # - name: certs-configmap
+ # mountPath: /certs
+ # configMap: certs-configmap
+ # readOnly: true
+
+ # -- Node tolerations for cilium-operator scheduling to nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ tolerations:
+ - operator: Exists
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ # -- Node labels for cilium-operator pod assignment
+ # ref: https://kubernetes.io/docs/user-guide/node-selection/
+ #
+ nodeSelector: {}
+
+ # -- Annotations to be added to cilium-operator pods
+ podAnnotations: {}
+
+ # -- Labels to be added to cilium-operator pods
+ podLabels: {}
+
+ # -- PodDisruptionBudget settings
+ # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ #
+ podDisruptionBudget:
+ enabled: false
+ maxUnavailable: 1
+
+ # -- cilium-operator resource limits & requests
+ # ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ #
+ resources: {}
+ # limits:
+ # cpu: 1000m
+ # memory: 1Gi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+ # -- Security context to be added to cilium-operator pods
+ #
+ securityContext: {}
+ # runAsUser: 0
+
+ # -- Interval for endpoint garbage collection.
+ endpointGCInterval: "5m0s"
+
+ # -- Interval for identity garbage collection.
+ identityGCInterval: "15m0s"
+
+ # -- Timeout for identity heartbeats.
+ identityHeartbeatTimeout: "30m0s"
+
+ # -- Enable prometheus metrics for cilium-operator on the configured port at
+ # /metrics
+ prometheus:
+ enabled: false
+ port: 6942
+ serviceMonitor:
+ # -- Enable service monitors.
+ # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
+ ##
+ enabled: false
+ # -- Labels to add to ServiceMonitor cilium-operator
+ labels: {}
+
+ # -- Skip CRDs creation for cilium-operator
+ skipCRDCreation: false
+
+
+nodeinit:
+ # -- Enable the node initialization DaemonSet
+ enabled: false
+
+ # -- node-init image.
+ image:
+ repository: quay.io/cilium/startup-script
+ tag: 62bfbe88c17778aad7bef9fa57ff9e2d4a9ba0d8
+ pullPolicy: IfNotPresent
+
+ # -- The priority class to use for the nodeinit pod.
+ priorityClassName: ""
+
+ # -- node-init update strategy
+ updateStrategy:
+ type: RollingUpdate
+
+ # -- Additional nodeinit environment variables.
+ extraEnv: {}
+
+ # -- Additional nodeinit init containers.
+ extraInitContainers: []
+
+ # -- Additional nodeinit host path mounts.
+ extraHostPathMounts: []
+ # - name: textfile-dir
+ # mountPath: /srv/txt_collector
+ # hostPath: /var/lib/nodeinit
+ # readOnly: true
+ # mountPropagation: HostToContainer
+
+ # -- Additional nodeinit ConfigMap mounts.
+ extraConfigmapMounts: []
+ # - name: certs-configmap
+ # mountPath: /certs
+ # configMap: certs-configmap
+ # readOnly: true
+
+ # -- Node tolerations for nodeinit scheduling to nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ #
+ tolerations:
+ - operator: Exists
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ # -- Node labels for nodeinit pod assignment
+ # ref: https://kubernetes.io/docs/user-guide/node-selection/
+ #
+ nodeSelector: {}
+
+ # -- Annotations to be added to node-init pods.
+ podAnnotations: {}
+
+ # -- Labels to be added to node-init pods.
+ podLabels: {}
+
+ # -- PodDisruptionBudget settings
+ # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ #
+ podDisruptionBudget:
+ enabled: true
+ maxUnavailable: 2
+
+ # -- nodeinit resource limits & requests
+ # ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ #
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+
+ # -- Security context to be added to nodeinit pods.
+ #
+ securityContext: {}
+ # runAsUser: 0
+
+ # -- bootstrapFile is the location of the file where the bootstrap timestamp is
+ # written by the node-init DaemonSet
+ bootstrapFile: "/tmp/cilium-bootstrap-time"
+
+preflight:
+ # -- Enable Cilium pre-flight resources (required for upgrade)
+ enabled: false
+
+ # -- Cilium pre-flight image.
+ image:
+ repository: quay.io/cilium/cilium
+ tag: v1.10.7
+ # cilium-digest
+ digest: "sha256:e23f55e80e1988db083397987a89967aa204ad6fc32da243b9160fbcea29b0ca"
+ useDigest: true
+ pullPolicy: IfNotPresent
+
+ # -- The priority class to use for the preflight pod.
+ priorityClassName: ""
+
+ # -- preflight update strategy
+ updateStrategy:
+ type: RollingUpdate
+
+ # -- Additional preflight environment variables.
+ extraEnv: {}
+
+ # -- Additional preflight init containers.
+ extraInitContainers: []
+
+ # -- Additional preflight host path mounts.
+ extraHostPathMounts: []
+ # - name: textfile-dir
+ # mountPath: /srv/txt_collector
+ # hostPath: /var/lib/preflight
+ # readOnly: true
+ # mountPropagation: HostToContainer
+
+ # -- Additional preflight ConfigMap mounts.
+ extraConfigmapMounts: []
+ # - name: certs-configmap
+ # mountPath: /certs
+ # configMap: certs-configmap
+ # readOnly: true
+
+ # -- Node tolerations for preflight scheduling to nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ #
+ tolerations:
+ - effect: NoSchedule
+ key: node.kubernetes.io/not-ready
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ - effect: NoSchedule
+ key: node.cloudprovider.kubernetes.io/uninitialized
+ value: "true"
+ - key: CriticalAddonsOnly
+ operator: "Exists"
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ # -- Node labels for preflight pod assignment
+ # ref: https://kubernetes.io/docs/user-guide/node-selection/
+ #
+ nodeSelector: {}
+
+ # -- Annotations to be added to preflight pods
+ podAnnotations: {}
+
+ # -- Labels to be added to the preflight pod.
+ podLabels: {}
+
+ # -- PodDisruptionBudget settings
+ # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ #
+ podDisruptionBudget:
+ enabled: true
+ maxUnavailable: 2
+
+ # -- preflight resource limits & requests
+ # ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ #
+ resources: {}
+ # limits:
+ # cpu: 4000m
+ # memory: 4Gi
+ # requests:
+ # cpu: 100m
+ # memory: 512Mi
+
+ # -- Security context to be added to preflight pods
+ #
+ securityContext: {}
+ # runAsUser: 0
+
+ # -- Path to write the `--tofqdns-pre-cache` file to.
+ tofqdnsPreCache: ""
+ # -- By default we should always validate the installed CNPs before upgrading
+ # Cilium. This will make sure the user will have the policies deployed in the
+ # cluster with the right schema.
+ validateCNPs: true
+
+# -- Explicitly enable or disable priority class.
+# .Capabilities.KubeVersion is unsettable in `helm template` calls,
+# it depends on k8s libraries version that Helm was compiled against.
+# This option allows to explicitly disable setting the priority class, which
+# is useful for rendering charts for gke clusters in advance.
+enableCriticalPriorityClass: true
+
+# disableEnvoyVersionCheck removes the check for Envoy, which can be useful
+# on AArch64 as the images do not currently ship a version of Envoy.
+#disableEnvoyVersionCheck: false
+
+clustermesh:
+ # -- Deploy clustermesh-apiserver for clustermesh
+ useAPIServer: false
+
+ apiserver:
+ # -- Clustermesh API server image.
+ image:
+ repository: quay.io/cilium/clustermesh-apiserver
+ tag: v1.10.7
+ # clustermesh-apiserver-digest
+ digest: "sha256:9afb0a15afffdf84812c8174df9de86e35239fb87a6ffd9539877a9e643d8132"
+ useDigest: true
+ pullPolicy: IfNotPresent
+
+ etcd:
+ # -- Clustermesh API server etcd image.
+ image:
+ repository: quay.io/coreos/etcd
+ tag: v3.4.13
+ pullPolicy: IfNotPresent
+
+ service:
+ # -- The type of service used for apiserver access.
+ type: NodePort
+ # -- Optional port to use as the node port for apiserver access.
+ nodePort: 32379
+ # -- Optional loadBalancer IP address to use with type LoadBalancer.
+ # loadBalancerIP:
+
+ # -- Annotations for the clustermesh-apiserver
+ # For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal"
+ # For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
+ annotations: {}
+
+ # -- Number of replicas run for the clustermesh-apiserver deployment.
+ replicas: 1
+
+ # -- Node labels for pod assignment
+ # ref: https://kubernetes.io/docs/user-guide/node-selection/
+ nodeSelector: {}
+
+ # -- Annotations to be added to clustermesh-apiserver pods
+ podAnnotations: {}
+
+ # -- Labels to be added to clustermesh-apiserver pods
+ podLabels: {}
+
+ # -- Resource requests and limits for the clustermesh-apiserver container of the clustermesh-apiserver deployment, such as
+ # resources:
+ # limits:
+ # cpu: 1000m
+ # memory: 1024M
+ # requests:
+ # cpu: 100m
+ # memory: 64Mi
+ resources: {}
+
+ # -- Node tolerations for pod assignment on nodes with taints
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ tolerations: []
+
+ # -- clustermesh-apiserver update strategy
+ updateStrategy:
+ rollingUpdate:
+ maxUnavailable: 1
+ type: RollingUpdate
+
+ tls:
+ # -- Configure automatic TLS certificates generation.
+ # A Kubernetes CronJob is used the generate any
+ # certificates not provided by the user at installation
+ # time.
+ auto:
+ # -- When set to true, automatically generate a CA and certificates to
+ # enable mTLS between clustermesh-apiserver and external workload instances.
+ # If set to false, the certs to be provided by setting appropriate values below.
+ enabled: true
+ # Sets the method to auto-generate certificates. Supported values:
+ # - helm: This method uses Helm to generate all certificates.
+ # - cronJob: This method uses a Kubernetes CronJob the generate any
+ # certificates not provided by the user at installation
+ # time.
+ method: helm
+ # -- Generated certificates validity duration in days.
+ certValidityDuration: 1095
+ # -- Schedule for certificates regeneration (regardless of their expiration date).
+ # Only used if method is "cronJob". If nil, then no recurring job will be created.
+ # Instead, only the one-shot job is deployed to generate the certificates at
+ # installation time.
+ #
+ # Due to the out-of-band distribution of client certs to external workloads the
+ # CA is (re)regenerated only if it is not provided as a helm value and the k8s
+ # secret is manually deleted.
+ #
+ # Defaults to none. Commented syntax gives midnight of the first day of every
+ # fourth month. For syntax, see
+ # https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule
+ # schedule: "0 0 1 */4 *"
+ # -- base64 encoded PEM values for the ExternalWorkload CA certificate and private key.
+ ca:
+ # -- Optional CA cert. If it is provided, it will be used by the 'cronJob' method to
+ # generate all other certificates. Otherwise, an ephemeral CA is generated.
+ cert: ""
+ # -- Optional CA private key. If it is provided, it will be used by the 'cronJob' method to
+ # generate all other certificates. Otherwise, an ephemeral CA is generated.
+ key: ""
+ # -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key.
+ # Used if 'auto' is not enabled.
+ server:
+ cert: ""
+ key: ""
+ # -- base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key.
+ # Used if 'auto' is not enabled.
+ admin:
+ cert: ""
+ key: ""
+ # -- base64 encoded PEM values for the clustermesh-apiserver client certificate and private key.
+ # Used if 'auto' is not enabled.
+ client:
+ cert: ""
+ key: ""
+ # -- base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key.
+ # Used if 'auto' is not enabled.
+ remote:
+ cert: ""
+ key: ""
+
+# -- Configure external workloads support
+externalWorkloads:
+ # -- Enable support for external workloads, such as VMs (false by default).
+ enabled: false
+
+# -- Configure cgroup related configuration
+cgroup:
+ autoMount:
+ # -- Enable auto mount of cgroup2 filesystem.
+ # When `autoMount` is enabled, cgroup2 filesystem is mounted at
+ # `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod.
+ # If users disable `autoMount`, it's expected that users have mounted
+ # cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the
+ # volume will be mounted inside the cilium agent pod at the same path.
+ enabled: true
+ # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`)
+ hostRoot: /run/cilium/cgroupv2