diff --git a/class/cilium.yml b/class/cilium.yml
index be817257..0c4a6bda 100644
--- a/class/cilium.yml
+++ b/class/cilium.yml
@@ -25,6 +25,7 @@ parameters:
 - input_paths:
 - ${_base_directory}/component/aggregated-clusterroles.jsonnet
 - ${_base_directory}/component/egress-gateway-policies.jsonnet
+ - ${_base_directory}/component/l2-announcement-policies.jsonnet
 - ${_base_directory}/component/bgp-control-plane.jsonnet
 - ${_base_directory}/component/ocp-manage-kube-proxy.jsonnet
 input_type: jsonnet
@@ -51,6 +52,7 @@ parameters:
 - input_paths:
 - ${_base_directory}/component/aggregated-clusterroles.jsonnet
 - ${_base_directory}/component/egress-gateway-policies.jsonnet
+ - ${_base_directory}/component/l2-announcement-policies.jsonnet
 - ${_base_directory}/component/bgp-control-plane.jsonnet
 - ${_base_directory}/component/ocp-manage-kube-proxy.jsonnet
 input_type: jsonnet
diff --git a/class/defaults.yml b/class/defaults.yml
index 3fae226f..8a22360a 100644
--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -55,6 +55,8 @@ parameters:
 enabled: ${cilium:egress_gateway:enabled}
 bpf:
 masquerade: true
+ l2announcements:
+ enabled: ${cilium:l2_announcements:enabled}
 l7Proxy: ${cilium:_egressgw_l7proxy:${cilium:egress_gateway:enabled}}
 prometheus:
 enabled: true
@@ -87,6 +89,10 @@ parameters:
 generate_shadow_ranges_configmap: false
 egress_ip_ranges: {}
 
+ l2_announcements:
+ enabled: false
+ policies: {}
+
 bgp:
 enabled: false
 peerings: {}
diff --git a/component/l2-announcement-policies.jsonnet b/component/l2-announcement-policies.jsonnet
new file mode 100644
index 00000000..f0b78729
--- /dev/null
+++ b/component/l2-announcement-policies.jsonnet
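Review bot: The new `l2announcements.enabled` Helm value in the first defaults.yml hunk is wired directly to `${cilium:l2_announcements:enabled}`, but nothing in the defaults sets the prerequisites the component's own documentation in this commit lists for the feature (`kubeProxyReplacement` and a raised `k8sClientRateLimit`), so a user who flips only `l2_announcements.enabled` gets an agent configured for a feature whose requirements are unmet and has to discover that from the agent logs. The file already uses a conditional-lookup pattern on the adjacent context line, `l7Proxy: ${cilium:_egressgw_l7proxy:${cilium:egress_gateway:enabled}}`, so the same approach could derive `kubeProxyReplacement` and the rate-limit values from `l2_announcements.enabled`; alternatively the jsonnet component could assert on the rendered Helm values and fail the compile with a clear message. Whether the agent refuses to start or silently no-ops without kube-proxy replacement is not visible here, so I would at least add a comment next to the new key, `# L2 announcements require kubeProxyReplacement=true and a higher k8sClientRateLimit; see docs l2_announcements section`. The second defaults.yml hunk (`l2_announcements: enabled: false / policies: {}`) matches the documented defaults.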
@@ -0,0 +1,25 @@
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+
+local inv = kap.inventory();
+local params = inv.parameters.cilium;
+
+local CiliumL2AnnouncementPolicy(name) =
+ kube._Object('cilium.io/v2alpha1', 'CiliumL2AnnouncementPolicy', name) {
+ metadata+: {
+ annotations+: {
+ 'argocd.argoproj.io/sync-options': 'SkipDryRunOnMissingResource=true,Prune=false',
+ },
+ },
+ };
+
+local policies = com.generateResources(
+ params.l2_announcements.policies,
+ CiliumL2AnnouncementPolicy
+);
+
+{
+ [if params.l2_announcements.enabled && std.length(params.l2_announcements.policies) > 0 then
+ '40_l2_announcement_policies']: policies,
+}
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
index e1c0c526..3dad81f8 100644
--- a/docs/modules/ROOT/pages/references/parameters.adoc
+++ b/docs/modules/ROOT/pages/references/parameters.adoc
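Review bot: The output gate `[if params.l2_announcements.enabled && std.length(params.l2_announcements.policies) > 0 then ...]` silently drops any `CiliumL2AnnouncementPolicy` entries a user configured while `enabled` is still `false`, with no compile-time signal that the configuration is inconsistent. Combined with the `Prune=false` sync option set on every generated resource, the inverse transition is also silent: once the feature is disabled (or the whole output key disappears), the policies already applied stay in the cluster and keep announcing service IPs on the L2 segment, which is easy to miss during a rollback. A one-line object assertion would catch the first case at compile time, e.g. `assert params.l2_announcements.enabled || std.length(params.l2_announcements.policies) == 0 : 'l2_announcements.policies is set but l2_announcements.enabled is false',` placed inside the returned object. If `Prune=false` is intentional to mirror the sibling egress-gateway/BGP components, a comment on the annotation line saying so and noting that disabling the feature does not remove existing policies would help the next maintainer.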
@@ -542,6 +542,87 @@ spec: <2> The DaemonSet mounts the `eip-shadow-ranges` ConfigMap as a volume. <3> The DaemonSet is scheduled using the same node selector that's used for the `IsovalentEgressGatewayPolicy` resources + +== `l2_announcements` + +This section allows users to configure the [Cilium L2 Announcements / L2 Aware LB] feature. + +[NOTE] +==== +The current implementation (and therefore examples shown here) has only been tested with Cilium EE. +Please refer to the https://docs.cilium.io/en/stable/network/egress-gateway/#example-policy[example policy in the upstream documentation] for Cilium OSS. +==== + +=== `l2_announcements.enabled` + +[horizontal] +type:: boolean +default:: `false` + +This parameter allows users to set all the configurations necessary to enable the l2 announcement policy feature. + +[NOTE] +==== +It is important to adjust the client rate limit when using this feature, due to increased API usage. +See https://docs.cilium.io/en/latest/network/l2-announcements/#sizing-client-rate-limit[Sizing client rate limit] for sizing guidelines. +==== + +[NOTE] +==== +Kube Proxy replacement mode must be enabled. +==== + +==== Example + +[source,yaml] +---- +l2_announcements: + enabled: true +cilium_helm_values: + kubeProxyReplacement: true + k8sServiceHost: api-int.${openshift:baseDomain} + k8sServicePort: "6443" + k8sClientRateLimit: + qps: 35 <1> + burst: 45 <2> +---- +<1> Setting the base QPS rate. +<2> The burst QPS should be slightly higher. + +=== `l2_announcements.policies` + +[horizontal] +type:: object +default:: `{}` + +This parameter allows users to deploy `CiliumL2AnnouncementPolicy` resources. + +Each key-value pair in the parameter is converted to a `CiliumL2AnnouncementPolicy` resource. +Entries can be removed by setting the value to `null`. + +See https://docs.cilium.io/en/latest/network/l2-announcements/#policies[the upstream documentation] for further explanation. 
+ +==== Example + +[source,yaml] +---- +l2_announcements: + policies: + color_blue: + spec: + serviceSelector: + matchLabels: + color: blue + nodeSelector: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + interfaces: + - ^eth[0-9]+ + externalIPs: true + loadBalancerIPs: true +---- + == `bgp` This section allows users to configure the https://docs.cilium.io/en/stable/network/bgp-control-plane/[Cilium BGP control plane]. diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/00_cilium_namespace.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/00_cilium_namespace.yaml new file mode 100644 index 00000000..d933cb0e --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/00_cilium_namespace.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: {} + labels: + name: cilium + name: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml new file mode 100644 index 00000000..dffb639f --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml 
@@ -0,0 +1,118 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium +rules: + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - watch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - namespaces + - services + - pods + - endpoints + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update + - list + - delete + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - get + - apiGroups: + - cilium.io + resources: + - ciliumloadbalancerippools + - ciliumbgppeeringpolicies + - ciliumbgpnodeconfigs + - ciliumbgpadvertisements + - ciliumbgppeerconfigs + - ciliumclusterwideenvoyconfigs + - ciliumclusterwidenetworkpolicies + - ciliumegressgatewaypolicies + - ciliumendpoints + - ciliumendpointslices + - ciliumenvoyconfigs + - ciliumidentities + - ciliumlocalredirectpolicies + - ciliumnetworkpolicies + - ciliumnodes + - ciliumnodeconfigs + - ciliumcidrgroups + - ciliuml2announcementpolicies + - ciliumpodippools + verbs: + - list + - watch + - apiGroups: + - cilium.io + resources: + - ciliumidentities + - ciliumendpoints + - ciliumnodes + verbs: + - create + - apiGroups: + - cilium.io + resources: + - ciliumidentities + verbs: + - update + - apiGroups: + - cilium.io + resources: + - ciliumendpoints + verbs: + - delete + - get + - apiGroups: + - cilium.io + resources: + - ciliumnodes + - ciliumnodes/status + verbs: + - get + - update + - apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies/status + - ciliumendpoints/status + - ciliumendpoints + - ciliuml2announcementpolicies/status + - ciliumbgpnodeconfigs/status + verbs: + - patch 
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrolebinding.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrolebinding.yaml new file mode 100644 index 00000000..b6cf96eb --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium +subjects: + - kind: ServiceAccount + name: cilium + namespace: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml new file mode 100644 index 00000000..f1deebec --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml 
@@ -0,0 +1,426 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app.kubernetes.io/name: cilium-agent + app.kubernetes.io/part-of: cilium + k8s-app: cilium + name: cilium + namespace: cilium +spec: + selector: + matchLabels: + k8s-app: cilium + template: + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined + container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined + container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined + container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined + labels: + app.kubernetes.io/name: cilium-agent + app.kubernetes.io/part-of: cilium + k8s-app: cilium + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true + containers: + - args: + - --config-dir=/tmp/cilium/config-map + command: + - cilium-agent + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_CLUSTERMESH_CONFIG + value: /var/lib/cilium/clustermesh/ + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + divisor: '1' + resource: limits.memory + image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + imagePullPolicy: IfNotPresent + lifecycle: + postStart: + exec: + command: + - bash + - -c + - | + set -o errexit + set -o pipefail + set -o nounset + + # When running in AWS ENI mode, it's likely that 'aws-node' has + # had a chance to install SNAT iptables rules. These can result + # in dropped traffic, so we should attempt to remove them. 
+ # We do it using a 'postStart' hook since this may need to run + # for nodes which might have already been init'ed but may still + # have dangling rules. This is safe because there are no + # dependencies on anything that is part of the startup script + # itself, and can be safely run multiple times per node (e.g. in + # case of a restart). + if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; + then + echo 'Deleting iptables rules created by the AWS CNI VPC plugin' + iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore + fi + echo 'Done!' + preStop: + exec: + command: + - /cni-uninstall.sh + livenessProbe: + failureThreshold: 10 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: 'true' + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: cilium-agent + ports: + - containerPort: 4244 + hostPort: 4244 + name: peer-service + protocol: TCP + - containerPort: 9962 + hostPort: 9962 + name: prometheus + protocol: TCP + - containerPort: 9964 + hostPort: 9964 + name: envoy-metrics + protocol: TCP + - containerPort: 9965 + hostPort: 9965 + name: hubble-metrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: 'true' + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + securityContext: + capabilities: + add: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + startupProbe: + failureThreshold: 105 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: 'true' + path: /healthz + port: 9879 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 2 + successThreshold: 1 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: 
+ - mountPath: /host/proc/sys/net + name: host-proc-sys-net + - mountPath: /host/proc/sys/kernel + name: host-proc-sys-kernel + - mountPath: /sys/fs/bpf + mountPropagation: HostToContainer + name: bpf-maps + - mountPath: /var/run/cilium + name: cilium-run + - mountPath: /host/etc/cni/net.d + name: etc-cni-netd + - mountPath: /var/lib/cilium/clustermesh + name: clustermesh-secrets + readOnly: true + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - mountPath: /tmp + name: tmp + hostNetwork: true + initContainers: + - command: + - cilium-dbg + - build-config + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + imagePullPolicy: IfNotPresent + name: config + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /tmp + name: tmp + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-mount /hostbin/cilium-mount; + nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; + rm /hostbin/cilium-mount + env: + - name: CGROUP_ROOT + value: /run/cilium/cgroupv2 + - name: BIN_PATH + value: /var/lib/cni/bin + image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + imagePullPolicy: IfNotPresent + name: mount-cgroup + securityContext: + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; + nsenter 
--mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; + rm /hostbin/cilium-sysctlfix + env: + - name: BIN_PATH + value: /var/lib/cni/bin + image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + imagePullPolicy: IfNotPresent + name: apply-sysctl-overwrites + securityContext: + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - args: + - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf + command: + - /bin/bash + - -c + - -- + image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + imagePullPolicy: IfNotPresent + name: mount-bpf-fs + securityContext: + privileged: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /sys/fs/bpf + mountPropagation: Bidirectional + name: bpf-maps + - command: + - /init-container.sh + env: + - name: CILIUM_ALL_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-state + name: cilium-config + optional: true + - name: CILIUM_BPF_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-bpf-state + name: cilium-config + optional: true + - name: WRITE_CNI_CONF_WHEN_READY + valueFrom: + configMapKeyRef: + key: write-cni-conf-when-ready + name: cilium-config + optional: true + image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + imagePullPolicy: IfNotPresent + name: clean-cilium-state + securityContext: + capabilities: + add: + - NET_ADMIN + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + - mountPath: /run/cilium/cgroupv2 + 
mountPropagation: HostToContainer + name: cilium-cgroup + - mountPath: /var/run/cilium + name: cilium-run + - command: + - /install-plugin.sh + image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def + imagePullPolicy: IfNotPresent + name: install-cni-binaries + resources: + requests: + cpu: 100m + memory: 10Mi + securityContext: + capabilities: + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-path + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + restartPolicy: Always + serviceAccount: cilium + serviceAccountName: cilium + terminationGracePeriodSeconds: 1 + tolerations: + - operator: Exists + volumes: + - emptyDir: {} + name: tmp + - hostPath: + path: /var/run/cilium + type: DirectoryOrCreate + name: cilium-run + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + - hostPath: + path: /proc + type: Directory + name: hostproc + - hostPath: + path: /run/cilium/cgroupv2 + type: DirectoryOrCreate + name: cilium-cgroup + - hostPath: + path: /var/lib/cni/bin + type: DirectoryOrCreate + name: cni-path + - hostPath: + path: /var/run/multus/cni/net.d + type: DirectoryOrCreate + name: etc-cni-netd + - hostPath: + path: /lib/modules + name: lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + - name: clustermesh-secrets + projected: + defaultMode: 256 + sources: + - secret: + name: cilium-clustermesh + optional: true + - secret: + items: + - key: tls.key + path: common-etcd-client.key + - key: tls.crt + path: common-etcd-client.crt + - key: ca.crt + path: common-etcd-client-ca.crt + name: clustermesh-apiserver-remote-cert + optional: true + - hostPath: + path: /proc/sys/net + type: Directory + name: host-proc-sys-net + - hostPath: + path: /proc/sys/kernel + type: Directory + name: host-proc-sys-kernel 
+ updateStrategy: + rollingUpdate: + maxUnavailable: 2 + type: RollingUpdate diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml new file mode 100644 index 00000000..6469cd59 --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-config-agent + namespace: cilium +rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml new file mode 100644 index 00000000..1d47a92c --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-config-agent + namespace: cilium +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-config-agent +subjects: + - kind: ServiceAccount + name: cilium + namespace: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml new file mode 100644 index 00000000..fc9fa1ab --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: cilium-agent + app.kubernetes.io/part-of: cilium + k8s-app: cilium + name: cilium-agent + namespace: cilium +spec: + clusterIP: None + ports: + - name: metrics + port: 9962 + protocol: TCP + targetPort: prometheus + - name: envoy-metrics + port: 9964 + protocol: TCP + targetPort: envoy-metrics + selector: + k8s-app: cilium + type: ClusterIP diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/serviceaccount.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/serviceaccount.yaml new file mode 100644 index 00000000..cd8696cf --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium + namespace: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml new file mode 100644 index 00000000..c22a3158 --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml @@ -0,0 +1,26 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-agent + namespace: cilium +spec: + endpoints: + - honorLabels: true + interval: 10s + path: /metrics + port: metrics + relabelings: + - replacement: ${1} + sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: node + namespaceSelector: + matchNames: + - cilium + selector: + matchLabels: + k8s-app: cilium + targetLabels: + - k8s-app 
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml new file mode 100644 index 00000000..92eac1dc --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml 
@@ -0,0 +1,124 @@ +apiVersion: v1 +data: + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + arping-refresh-period: 30s + auto-direct-node-routes: 'false' + bpf-lb-acceleration: disabled + bpf-lb-external-clusterip: 'false' + bpf-lb-map-max: '65536' + bpf-lb-sock: 'false' + bpf-map-dynamic-size-ratio: '0.0025' + bpf-policy-map-max: '16384' + bpf-root: /sys/fs/bpf + cgroup-root: /run/cilium/cgroupv2 + cilium-endpoint-gc-interval: 5m0s + cluster-id: '0' + cluster-name: default + cluster-pool-ipv4-cidr: 10.128.0.0/14 + cluster-pool-ipv4-mask-size: '23' + cni-exclusive: 'true' + cni-log-file: /var/run/cilium/cilium-cni.log + controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services + custom-cni-conf: 'false' + debug: 'false' + debug-verbose: '' + dnsproxy-enable-transparent-mode: 'true' + egress-gateway-reconciliation-trigger-interval: 1s + enable-auto-protect-node-port-range: 'true' + enable-bgp-control-plane: 'false' + enable-bpf-clock-probe: 'false' + enable-bpf-masquerade: 'true' + enable-endpoint-health-checking: 'true' + enable-endpoint-routes: 'true' + enable-health-check-loadbalancer-ip: 'false' + enable-health-check-nodeport: 'true' + enable-health-checking: 'true' + enable-hubble: 'true' + enable-hubble-open-metrics: 'false' + enable-ipv4: 'true' + enable-ipv4-big-tcp: 'false' + enable-ipv4-masquerade: 'true' + enable-ipv6: 'false' + enable-ipv6-big-tcp: 'false' + enable-ipv6-masquerade: 'true' + enable-k8s-networkpolicy: 'true' + enable-k8s-terminating-endpoint: 'true' + enable-l2-announcements: 'true' + enable-l2-neigh-discovery: 'true' + enable-l7-proxy: 'true' + enable-local-redirect-policy: 'false' + enable-masquerade-to-route-source: 'false' + enable-policy: default + enable-remote-node-identity: 'true' + enable-sctp: 'false' + enable-svc-source-range-check: 'true' + enable-vtep: 'false' + enable-well-known-identities: 'false' + enable-xt-socket-fallback: 'true' + external-envoy-proxy: 'false' + hubble-disable-tls: 
'true' + hubble-export-file-max-backups: '5' + hubble-export-file-max-size-mb: '10' + hubble-listen-address: :4244 + hubble-metrics: httpV2:sourceContext=workload|namespace|reserved-identity;destinationContext=workload|namespace|reserved-identity + dns:sourceContext=workload|namespace|reserved-identity;destinationContext=workload|namespace|reserved-identity + drop:sourceContext=workload|namespace|reserved-identity;destinationContext=workload|namespace|reserved-identity + hubble-metrics-server: :9965 + hubble-socket-path: /var/run/cilium/hubble.sock + identity-allocation-mode: crd + identity-gc-interval: 15m0s + identity-heartbeat-timeout: 30m0s + install-no-conntrack-iptables-rules: 'false' + ipam: cluster-pool + ipam-cilium-node-update-rate: 15s + k8s-client-burst: '45' + k8s-client-qps: '35' + kube-proxy-replacement: 'true' + kube-proxy-replacement-healthz-bind-address: '' + max-connected-clusters: '255' + mesh-auth-enabled: 'true' + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: '1024' + mesh-auth-rotated-identities-queue-size: '1024' + monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + node-port-bind-protection: 'true' + nodes-gc-interval: 5m0s + operator-api-serve-addr: 127.0.0.1:9234 + policy-cidr-match-mode: '' + preallocate-bpf-maps: 'false' + procfs: /host/proc + prometheus-serve-addr: :9962 + proxy-connect-timeout: '2' + proxy-idle-timeout-seconds: '60' + proxy-max-connection-duration-seconds: '0' + proxy-max-requests-per-connection: '0' + proxy-prometheus-port: '9964' + proxy-xff-num-trusted-hops-egress: '0' + proxy-xff-num-trusted-hops-ingress: '0' + remove-cilium-node-taints: 'true' + routing-mode: tunnel + service-no-backend-response: reject + set-cilium-is-up-condition: 'true' + set-cilium-node-taints: 'true' + sidecar-istio-proxy-image: cilium/istio_proxy + skip-cnp-status-startup-clean: 'false' + synchronize-k8s-nodes: 'true' + tofqdns-dns-reject-response-code: refused + 
tofqdns-enable-dns-compression: 'true' + tofqdns-endpoint-max-ip-per-hostname: '50' + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: '10000' + tofqdns-proxy-response-max-delay: 100ms + tunnel-protocol: vxlan + unmanaged-pod-watcher-interval: '15' + vtep-cidr: '' + vtep-endpoint: '' + vtep-mac: '' + vtep-mask: '' + write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist +kind: ConfigMap +metadata: + name: cilium-config + namespace: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml new file mode 100644 index 00000000..f4db2dea --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml 
@@ -0,0 +1,200 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator +rules: + - apiGroups: + - '' + resources: + - pods + verbs: + - get + - list + - watch + - delete + - apiGroups: + - '' + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - '' + resources: + - nodes + - nodes/status + verbs: + - patch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - services/status + verbs: + - update + - patch + - apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - services + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies + - ciliumclusterwidenetworkpolicies + verbs: + - create + - update + - deletecollection + - patch + - get + - list + - watch + - apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies/status + verbs: + - patch + - update + - apiGroups: + - cilium.io + resources: + - ciliumendpoints + - ciliumidentities + verbs: + - delete + - list + - watch + - apiGroups: + - cilium.io + resources: + - ciliumidentities + verbs: + - update + - apiGroups: + - cilium.io + resources: + - ciliumnodes + verbs: + - create + - update + - get + - list + - watch + - delete + - apiGroups: + - cilium.io + resources: + - ciliumnodes/status + verbs: + - update + - apiGroups: + - cilium.io + resources: + - ciliumendpointslices + - ciliumenvoyconfigs + - ciliumbgppeerconfigs + - ciliumbgpadvertisements + - ciliumbgpnodeconfigs + verbs: + - create + - update + - get + - list + - watch + - delete + - patch + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - get + - list + - watch + - apiGroups: + - apiextensions.k8s.io + resourceNames: + - 
ciliumloadbalancerippools.cilium.io + - ciliumbgppeeringpolicies.cilium.io + - ciliumbgpclusterconfigs.cilium.io + - ciliumbgppeerconfigs.cilium.io + - ciliumbgpadvertisements.cilium.io + - ciliumbgpnodeconfigs.cilium.io + - ciliumbgpnodeconfigoverrides.cilium.io + - ciliumclusterwideenvoyconfigs.cilium.io + - ciliumclusterwidenetworkpolicies.cilium.io + - ciliumegressgatewaypolicies.cilium.io + - ciliumendpoints.cilium.io + - ciliumendpointslices.cilium.io + - ciliumenvoyconfigs.cilium.io + - ciliumexternalworkloads.cilium.io + - ciliumidentities.cilium.io + - ciliumlocalredirectpolicies.cilium.io + - ciliumnetworkpolicies.cilium.io + - ciliumnodes.cilium.io + - ciliumnodeconfigs.cilium.io + - ciliumcidrgroups.cilium.io + - ciliuml2announcementpolicies.cilium.io + - ciliumpodippools.cilium.io + resources: + - customresourcedefinitions + verbs: + - update + - apiGroups: + - cilium.io + resources: + - ciliumloadbalancerippools + - ciliumpodippools + - ciliumbgpclusterconfigs + - ciliumbgpnodeconfigoverrides + verbs: + - get + - list + - watch + - apiGroups: + - cilium.io + resources: + - ciliumpodippools + verbs: + - create + - apiGroups: + - cilium.io + resources: + - ciliumloadbalancerippools/status + verbs: + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrolebinding.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrolebinding.yaml new file mode 100644 index 00000000..fa15a03c --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrolebinding.yaml 
@@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/part-of: cilium + name: cilium-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium-operator +subjects: + - kind: ServiceAccount + name: cilium-operator + namespace: cilium diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml new file mode 100644 index 00000000..c2cbc465 --- /dev/null +++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml 
@@ -0,0 +1,108 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: cilium-operator
+ app.kubernetes.io/part-of: cilium
+ io.cilium/app: operator
+ name: cilium-operator
+ name: cilium-operator
+ namespace: cilium
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ io.cilium/app: operator
+ name: cilium-operator
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 50%
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations: null
+ labels:
+ app.kubernetes.io/name: cilium-operator
+ app.kubernetes.io/part-of: cilium
+ io.cilium/app: operator
+ name: cilium-operator
+ spec:
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ io.cilium/app: operator
+ topologyKey: kubernetes.io/hostname
+ automountServiceAccountToken: true
+ containers:
+ - args:
+ - --config-dir=/tmp/cilium/config-map
+ - --debug=$(CILIUM_DEBUG)
+ command:
+ - cilium-operator-generic
+ env:
+ - name: K8S_NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ - name: CILIUM_K8S_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: CILIUM_DEBUG
+ valueFrom:
+ configMapKeyRef:
+ key: debug
+ name: cilium-config
+ optional: true
+ image: quay.io/cilium/operator-generic:v1.15.6@sha256:5789f0935eef96ad571e4f5565a8800d3a8fbb05265cf6909300cd82fd513c3d
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ httpGet:
+ host: 127.0.0.1
+ path: /healthz
+ port: 9234
+ scheme: HTTP
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ timeoutSeconds: 3
+ name: cilium-operator
+ readinessProbe:
+ failureThreshold: 5
+ httpGet:
+ host: 127.0.0.1
+ path: /healthz
+ port: 9234
+ scheme: HTTP
+ initialDelaySeconds: 0
+ periodSeconds: 5
+ timeoutSeconds: 3
+ resources:
+ limits:
+ cpu: 100m
+ memory: 250Mi
+ requests:
+ cpu: 100m
+ memory: 250Mi
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - mountPath: /tmp/cilium/config-map
+ name: cilium-config-path
+ readOnly: true
+ hostNetwork: true
+ nodeSelector:
+ kubernetes.io/os: linux
+ priorityClassName: system-cluster-critical
+ restartPolicy: Always
+ serviceAccount: cilium-operator
+ serviceAccountName: cilium-operator
+ tolerations:
+ - operator: Exists
+ volumes:
+ - configMap:
+ name: cilium-config
+ name: cilium-config-path
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/serviceaccount.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/serviceaccount.yaml
new file mode 100644
index 00000000..242642c9
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cilium-operator
+ namespace: cilium
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
new file mode 100644
index 00000000..7f549fea
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\
+ \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\
+ \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\
+ disable-server-tls: true\n"
+kind: ConfigMap
+metadata:
+ name: hubble-relay-config
+ namespace: cilium
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml
new file mode 100644
index 00000000..764463f9
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml
@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: hubble-relay
+ app.kubernetes.io/part-of: cilium
+ k8s-app: hubble-relay
+ name: hubble-relay
+ namespace: cilium
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ k8s-app: hubble-relay
+ strategy:
+ rollingUpdate:
+ maxUnavailable: 1
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations: null
+ labels:
+ app.kubernetes.io/name: hubble-relay
+ app.kubernetes.io/part-of: cilium
+ k8s-app: hubble-relay
+ spec:
+ affinity:
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ k8s-app: cilium
+ topologyKey: kubernetes.io/hostname
+ automountServiceAccountToken: false
+ containers:
+ - args:
+ - serve
+ command:
+ - hubble-relay
+ image: quay.io/cilium/hubble-relay:v1.15.6@sha256:a0863dd70d081b273b87b9b7ce7e2d3f99171c2f5e202cd57bc6691e51283e0c
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ grpc:
+ port: 4222
+ timeoutSeconds: 3
+ name: hubble-relay
+ ports:
+ - containerPort: 4245
+ name: grpc
+ readinessProbe:
+ grpc:
+ port: 4222
+ timeoutSeconds: 3
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ startupProbe:
+ failureThreshold: 20
+ grpc:
+ port: 4222
+ periodSeconds: 3
+ timeoutSeconds: 3
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - mountPath: /etc/hubble-relay
+ name: config
+ readOnly: true
+ nodeSelector:
+ kubernetes.io/os: linux
+ priorityClassName: null
+ restartPolicy: Always
+ securityContext:
+ fsGroup: 65532
+ serviceAccount: hubble-relay
+ serviceAccountName: hubble-relay
+ terminationGracePeriodSeconds: 1
+ volumes:
+ - configMap:
+ items:
+ - key: config.yaml
+ path: config.yaml
+ name: hubble-relay-config
+ name: config
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/service.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/service.yaml
new file mode 100644
index 00000000..da8621dc
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: hubble-relay
+ app.kubernetes.io/part-of: cilium
+ k8s-app: hubble-relay
+ name: hubble-relay
+ namespace: cilium
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 4245
+ selector:
+ k8s-app: hubble-relay
+ type: ClusterIP
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/serviceaccount.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/serviceaccount.yaml
new file mode 100644
index 00000000..3d0be37c
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: hubble-relay
+ namespace: cilium
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/metrics-service.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/metrics-service.yaml
new file mode 100644
index 00000000..ebeaf0fd
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/metrics-service.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations: null
+ labels:
+ app.kubernetes.io/name: hubble
+ app.kubernetes.io/part-of: cilium
+ k8s-app: hubble
+ name: hubble-metrics
+ namespace: cilium
+spec:
+ clusterIP: None
+ ports:
+ - name: hubble-metrics
+ port: 9965
+ protocol: TCP
+ targetPort: hubble-metrics
+ selector:
+ k8s-app: cilium
+ type: ClusterIP
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/peer-service.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/peer-service.yaml
new file mode 100644
index 00000000..e492c74f
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/peer-service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: hubble-peer
+ app.kubernetes.io/part-of: cilium
+ k8s-app: cilium
+ name: hubble-peer
+ namespace: cilium
+spec:
+ internalTrafficPolicy: Local
+ ports:
+ - name: peer-service
+ port: 80
+ protocol: TCP
+ targetPort: 4244
+ selector:
+ k8s-app: cilium
diff --git a/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/servicemonitor.yaml b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/servicemonitor.yaml
new file mode 100644
index 00000000..d044764f
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble/servicemonitor.yaml
@@ -0,0 +1,24 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels:
+ app.kubernetes.io/part-of: cilium
+ name: hubble
+ namespace: cilium
+spec:
+ endpoints:
+ - honorLabels: true
+ interval: 10s
+ path: /metrics
+ port: hubble-metrics
+ relabelings:
+ - replacement: ${1}
+ sourceLabels:
+ - __meta_kubernetes_pod_node_name
+ targetLabel: node
+ namespaceSelector:
+ matchNames:
+ - cilium
+ selector:
+ matchLabels:
+ k8s-app: hubble
diff --git a/tests/golden/l2-announcement/cilium/cilium/02_aggregated_clusterroles.yaml b/tests/golden/l2-announcement/cilium/cilium/02_aggregated_clusterroles.yaml
new file mode 100644
index 00000000..652b0ab1
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/02_aggregated_clusterroles.yaml
@@ -0,0 +1,67 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations: {}
+ labels:
+ name: syn-cilium-view
+ rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+ rbac.authorization.k8s.io/aggregate-to-edit: 'true'
+ rbac.authorization.k8s.io/aggregate-to-view: 'true'
+ name: syn-cilium-view
+rules:
+ - apiGroups:
+ - cilium.io
+ resources:
+ - ciliumnetworkpolicies
+ - ciliumendpoints
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations: {}
+ labels:
+ name: syn-cilium-edit
+ rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+ rbac.authorization.k8s.io/aggregate-to-edit: 'true'
+ name: syn-cilium-edit
+rules:
+ - apiGroups:
+ - cilium.io
+ resources:
+ - ciliumnetworkpolicies
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations: {}
+ labels:
+ name: syn-cilium-cluster-reader
+ rbac.authorization.k8s.io/aggregate-to-cluster-reader: 'true'
+ name: syn-cilium-cluster-reader
+rules:
+ - apiGroups:
+ - cilium.io
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - isovalent.com
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/tests/golden/l2-announcement/cilium/cilium/40_l2_announcement_policies.yaml b/tests/golden/l2-announcement/cilium/cilium/40_l2_announcement_policies.yaml
new file mode 100644
index 00000000..4225d823
--- /dev/null
+++ b/tests/golden/l2-announcement/cilium/cilium/40_l2_announcement_policies.yaml
@@ -0,0 +1,20 @@
+apiVersion: cilium.io/v2alpha1
+kind: CiliumL2AnnouncementPolicy
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true,Prune=false
+ labels:
+ name: color-blue
+ name: color-blue
+spec:
+ externalIPs: true
+ interfaces:
+ - ^eth[0-9]+
+ loadBalancerIPs: true
+ nodeSelector:
+ matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: DoesNotExist
+ serviceSelector:
+ matchLabels:
+ color: blue
diff --git a/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-07-cilium-ciliumconfig.yaml b/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-07-cilium-ciliumconfig.yaml
index 9e9c5f67..0032d010 100644
--- a/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-07-cilium-ciliumconfig.yaml
+++ b/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-07-cilium-ciliumconfig.yaml
@@ -38,6 +38,8 @@ spec:
 k8sServiceHost: 172.30.0.1
 k8sServicePort: 443
 kubeProxyReplacement: 'true'
+ l2announcements:
+ enabled: false
 l7Proxy: true
 operator:
 prometheus:
diff --git a/tests/l2-announcement.yml b/tests/l2-announcement.yml
index a4da5b7b..bd34f69f 100644
--- a/tests/l2-announcement.yml
+++ b/tests/l2-announcement.yml
@@ -1,3 +1,23 @@
-# Overwrite parameters here
+parameters:
+ cilium:
+ cilium_helm_values:
+ k8sClientRateLimit:
+ qps: 35
+ burst: 45
-# parameters: {...}
+ l2_announcements:
+ enabled: true
+ policies:
+ color_blue:
+ spec:
+ serviceSelector:
+ matchLabels:
+ color: blue
+ nodeSelector:
+ matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: DoesNotExist
+ interfaces:
+ - ^eth[0-9]+
+ externalIPs: true
+ loadBalancerIPs: true
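Review bot: The `color_blue` policy in tests/l2-announcement.yml sets `externalIPs: true` without any comment on what that grants: every Service matching `color: blue` can then have whatever `spec.externalIPs` its author chose announced on the nodes' L2 segment, and a test inventory like this is what users tend to copy. I would add a YAML comment above that line, e.g. `# externalIPs: true announces user-chosen spec.externalIPs of matching Services; restrict who may set that field (e.g. the DenyServiceExternalIPs admission plugin) before copying this into a real cluster`. The `k8sClientRateLimit` bump under `cilium_helm_values` also deserves a one-line comment saying why it accompanies `l2_announcements.enabled: true`; presumably it is the API-server Lease traffic the feature generates, but the hunk does not say so. Both points apply equally to the rendered policy in 40_l2_announcement_policies.yaml, though that file is generated output and should only change via the source.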