From c8a186753508a029037c7e72eb1632676cc00b6e Mon Sep 17 00:00:00 2001 From: Lars Ekman Date: Wed, 24 Jan 2024 07:56:27 +0100 Subject: [PATCH] ovl/k8s-cni-cilium: upgrade to v1.14.6 --- ovl/k8s-cni-cilium/README.md | 2 +- .../etc/kubernetes/load/quick-install.yaml | 58 +++++++++++++------ 2 files changed, 42 insertions(+), 18 deletions(-) diff --git a/ovl/k8s-cni-cilium/README.md b/ovl/k8s-cni-cilium/README.md index f0fbcaf8..ea5d3d4b 100644 --- a/ovl/k8s-cni-cilium/README.md +++ b/ovl/k8s-cni-cilium/README.md @@ -10,7 +10,7 @@ SCTP is not supported, issue [#5719](https://github.com/cilium/cilium/issues/571 A manifest (yaml) is generated with `helm` and will be used by default; ``` -ver=v1.14.0 +ver=v1.14.6 rm -rf $GOPATH/src/github.com/cilium/cilium git clone --depth 1 -b $ver https://github.com/cilium/cilium.git \ $GOPATH/src/github.com/cilium/cilium diff --git a/ovl/k8s-cni-cilium/default/etc/kubernetes/load/quick-install.yaml b/ovl/k8s-cni-cilium/default/etc/kubernetes/load/quick-install.yaml index 2ac465ec..3f2043a0 100644 --- a/ovl/k8s-cni-cilium/default/etc/kubernetes/load/quick-install.yaml +++ b/ovl/k8s-cni-cilium/default/etc/kubernetes/load/quick-install.yaml 
@@ -20,8 +20,8 @@ metadata: name: cilium-ca namespace: kube-system data: - ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lRR2ErZWxNTE04TndhZWpySE9QZy80VEFOQmdrcWhraUc5dzBCQVFzRkFEQVUKTVJJd0VBWURWUVFERXdsRGFXeHBkVzBnUTBFd0hoY05Nak13T0RBMk1UQXlOVE14V2hjTk1qWXdPREExTVRBeQpOVE14V2pBVU1SSXdFQVlEVlFRREV3bERhV3hwZFcwZ1EwRXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRRGp0VHpqS2lOUml4YjkwenVkMzhoQXdBZjYvUWoxUFhFdFN1Yi9HL3ZtbE4wY0x1K3kKOGFENERSUW42NTRKUk5Sc2VYVGxNV0hXQkJhUmx0Y2RsbEx2M2hHUVFOSzByOFlybDFRK1doM3hvdzNEN1hXNgpaZExoa25yb01oM3ZXZ1psZ0dZcVgyaVNURVh3WWhOcVR0aWNMNTBrcklQWkpPbnJqWlJWSmVSQy9rRlV3N0hrClBzMjFoeTU0cGJoNTBVczFFMlVpbFpFK3JqQ3krU1VRUVk1TnE1NVhrSVRLUmtRM0x4dWQzTFRraGtpdU5hSU0KVzVWYnZla0R1aHhCeHl4SVZ6Kzc2T0tqS0VzeTE4Qm91cVBwSFdDU0FacWhuMVhadVlFREEyWllXWnRUbGR1NQpMbGZOdlFXNHl5dUo0aDh3eTFSakhSY3dvaGlRdFpYcklFcFhBZ01CQUFHallUQmZNQTRHQTFVZER3RUIvd1FFCkF3SUNwREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXcKQXdFQi96QWRCZ05WSFE0RUZnUVVmMGdhL3Axb1ZMWlFBT3VYV3dMZThtSG1qZVF3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFIb05vQ2I4d3VyL1Y3QW9KVUROYk1PMFVPNEhyamYvYUR6VFZkMjVnbWpWMmVITU5DSksxOEFFCnJVZDM1SlNWRVZHdDI4alJqMVRmVnN1Y0JGZTU1c1J1dWRGSjB6WTBGODlWclFQc1BYMTZGWERzNStTNlZ3elAKcHNlNnNaeDFFVEx3YWFUVXNRT2w4azF0c3dUWnpKRVVaUURXeUNmNHM5bW1EMWl3ZWp2Z2paUWRjeUpieTBWMAo3b3l5MkpEMXpmd0RkQjVMRVBGTndvNEpWOHFiSmdHNkpmTXB1UitkalptZitrZUhHQkFJRzdmMkFON2ZxeWxaClRiVWU3U2FycXEyblUySEp1YkxFK0Z4SHUxSW1DUU1mUzd6cm5ubDN5dHRCTERvWXhyTnNZcmRpZEdEazg3dnEKS1BnMllFOFVOYWtJVlFrV3pGOS9nUUZNMk5leC9xRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= - ca.key: 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBNDdVODR5b2pVWXNXL2RNN25kL0lRTUFIK3YwSTlUMXhMVXJtL3h2NzVwVGRIQzd2CnN2R2crQTBVSit1ZUNVVFViSGwwNVRGaDFnUVdrWmJYSFpaUzc5NFJrRURTdEsvR0s1ZFVQbG9kOGFNTncrMTEKdW1YUzRaSjY2RElkNzFvR1pZQm1LbDlva2t4RjhHSVRhazdZbkMrZEpLeUQyU1RwNjQyVVZTWGtRdjVCVk1PeAo1RDdOdFljdWVLVzRlZEZMTlJObElwV1JQcTR3c3ZrbEVFR09UYXVlVjVDRXlrWkVOeThibmR5MDVJWklyaldpCkRGdVZXNzNwQTdvY1FjY3NTRmMvdStqaW95aExNdGZBYUxxajZSMWdrZ0dhb1o5VjJibUJBd05tV0ZtYlU1WGIKdVM1WHpiMEZ1TXNyaWVJZk1NdFVZeDBYTUtJWWtMV1Y2eUJLVndJREFRQUJBb0lCQUZQZ3RmNER6cURCK0lVbApZMGVEWUZPaHFRN21XSDlsMDZQWWZJQ3FnVDd0eFFrVnJRd2dmNmYvd1ZYM0wrN0FJUE9ZUmR3TE5idk5JN2NiCmRrQWEySkF0SUJFZ0g3MlpKZ2wyby95WDI0SGdDemtKNXB6ejF4dHFoc1d6ZUYxcnJ3R0NxNStlSjNvRWlKckUKdGR3cUVSWnZYNVpieWZHWjdHVHRjUjl3WnNYYUNyZWtlZ0NDaXh0Y2g5OGJkKzBVS2pFUllZQjkzOW5FUEcrOQpQZEF2TXYwMWovODJVbXBaVjk2OURvcVpjQ3lxS0xHTEhqUmhieXczVlVIdUlmaDN0RVlpalEvWE9ZR3lHUCt3CkRlMDZ5bkJTcFcrdUYvcXY0cTdZdEJreGRoUkdOMTFpdktKQWY2Rnh1Mjg1dlg2NXJ2WHh1dUJvekNDZ1VEekcKYzhPNXk3a0NnWUVBOVJpWnUvWHA4MU5EMzhTNU1SUnlkV2l4cTJrYnZPU1BRNjZTVGN0d2dROHVvMzc3Z0VRUwppeG45MDR1OGFjY3JJOUsvbGR2VUpWMC85S2ZiMiswa2JrUnROZFh6aG93NXhmb0taaU4vNlpmbTlocDdSczdZCkxZMkF2NFJsYzI3TWFzaVlISWxBNG5abENFUW1oN2E3RUVQZ2pjaTh3S0FZeWlNVnpmVFdjRzBDZ1lFQTdkYWEKbFRLMmxrTXN2U2F3L3VGUzdHK3NHK3dibGJuNUJoQ2h5T0tBM3NycWZTMFRCYytUZ3BCMmRpRVVHYzJqdExLegpMemlhVVdkN0FHR2t0b3F0MDVqTkpua1BKVmNQZmh2UEs0aXloMklkY2ZYeHdOYXIwM2MxTEJIUGJRdXNXVjBGCksyL0wyQUU3ZjFhZXpNWWc1b2JhZFNPSlljZU94NWUvZTRDdzAxTUNnWUVBalFSaGQ1Yk95M1JONmhLYTV0VTMKNGJ1aDlkaWMzL3ExUHlEVEJyV1ZmbndJdm9NU0cwT1BVNzlabm55WXBGZTJ4MzY3UW5MZnhidTRUNERBNi9HdQpjMDhsY3NNdHdXMHUxR3kvelBLQjV4bkNCamxJVW40eVBVdGNGMVVLdGZhNjRIbVhvMXVKSElNNE1DQmQ5dG01CkdXdWthSTlsb29LNm9KcTlNZW03ODZVQ2dZQS9ERDJzUVdaUGpQMG1JMFNXUEdyOERGcG1pSCtEZ0dvNEpsNk0KM3laa2FRd2lKTG0vTjVpVjZ1L01QdGFTUklZYUY2a1NZb0hlQkgyQnkyQ2JsMFdmS3dsdkluWldZcTdUc2xHSAo2OVBQdWIydWdSRVdHcEl3RzVDMzN2ektubWFReGV6aDU5LzBvZGNBMlpoOUZpU1FsN3ovZ20wZnc0UGcreVFpCmZDbmp5d0tCZ0NXZmtkMXNEekU2MVYvNVRpSzRJUlZ0TkwwN3hp
T0dMeURlMW5oazQ3OCtoM0dGQWV3cXNOeDgKK2Z6TzZGV2gwUDZKa28xMEZzbjNWSFE2dGxZbUNPZWlCeHl5cUxkWW9ZbkhLK2hDVXZsZXN6TTV0MHB2blQ3UQpwZ3FtRXIwa0oxcUI5K0ZqRVdZR2RrS2xKRU55OHBac3BLUmg4YkYyUFpkTTU3dmFzMFpHCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== + ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ5Z0F3SUJBZ0lSQUloWGlqRE5hVlcycmRjVlUxKzBYQ2t3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkwTURFeU5EQTJOVEF5TlZvWERUSTNNREV5TXpBMgpOVEF5TlZvd0ZERVNNQkFHQTFVRUF4TUpRMmxzYVhWdElFTkJNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUF1bHVyOGNyZi9yZ0RKVStyZUh2TjEreHlQSWZETEVPWGE4M2pLU0l4eFlac0k3NmIKZndKNXppemJxa2dnM0hJSy9rdm0zR0FaZ2YrQW5uMndmTFZPSmpzZERRUXhhbENGMGVRVytZSGtaNDZFQUViTQpRaENUMW1RZEZrblRWaTZReHZjWnBDR2FVZDB4dWJ4VWRmdkx6NmJQMDUvUHgwaXd3dEx0cDlldXlmWERJUjlPCldCbFM5VzhoR2h4T3liME5pWUM3SzVqZ0RUenBJaTZUb1N1YU5PZlFBSG1oTjYrYmZmc2RkNUlSdXNmQXNwWTUKbkpkeERoUm5uQlBhdmxCbm5RQTA1WmFESzZENktLSkh2Z3hzTzZ5bDVyTHRuVVY3cnpTVTYyZGxBNzJ3NHZtWAo3cEUrWXNGV0kyR0crMmFXSGlvU2Y2WmdkV0VEb0hYalRZTjNxUUlEQVFBQm8yRXdYekFPQmdOVkhROEJBZjhFCkJBTUNBcVF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdIUVlEVlIwT0JCWUVGRStoR0RyVWdKNE1iU2NlV0VmbCs3Nld1TzRrTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQkxNQkFyRXI1cmM4ZDhoZ2hCTXl2MklYa0RmMmpOUmk5UUxDWkI2amxuZWNHY0g1OXhtbmRPCkNXNWRUaVZCQWN3Z0RVL1E5b2ZleG9rTHJsaXFtQ3BrQ2lYQWE4OGk4RHNaYlE2K2RrdnMwR3pHdnU3TFNzTVEKUnhYTHozdGpyU2pGZHROek02RmpKSHZPcnJjbWJFcVYxa3NsNENkZytqSE0zTzFSQm1zVVZvODhnQ2tZTkpZZAowSTF1TDE1cUk4Uy8xbktzL0wyd2pyRVE2dGdpTkRUQldaQ1lYOUFBa0V1SXRMS2ViSkdzd29xY29lclFOR2taCnRkVk5HcGk0R1ZuQTl1dUlhYnJaaVNxbklHaStBRHJKVFRKZWk5RUQyRmd0RjlCalRqRnEraGFaOU1Sd24xN3kKYlVIWHJIM05IYU8ya0NpNFh2clJpUmg4aFEyZ2pJS2oKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + ca.key: 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBdWx1cjhjcmYvcmdESlUrcmVIdk4xK3h5UElmRExFT1hhODNqS1NJeHhZWnNJNzZiCmZ3SjV6aXpicWtnZzNISUsva3ZtM0dBWmdmK0FubjJ3ZkxWT0pqc2REUVF4YWxDRjBlUVcrWUhrWjQ2RUFFYk0KUWhDVDFtUWRGa25UVmk2UXh2Y1pwQ0dhVWQweHVieFVkZnZMejZiUDA1L1B4MGl3d3RMdHA5ZXV5ZlhESVI5TwpXQmxTOVc4aEdoeE95YjBOaVlDN0s1amdEVHpwSWk2VG9TdWFOT2ZRQUhtaE42K2JmZnNkZDVJUnVzZkFzcFk1Cm5KZHhEaFJubkJQYXZsQm5uUUEwNVphREs2RDZLS0pIdmd4c082eWw1ckx0blVWN3J6U1U2MmRsQTcydzR2bVgKN3BFK1lzRldJMkdHKzJhV0hpb1NmNlpnZFdFRG9IWGpUWU4zcVFJREFRQUJBb0lCQUQwaTdkbTQ4SnNqeXdSbQppcDVRSDB1QzZrY3BVc0ltdW5wSFpRcU5pVDUveHVKREdjZ2xDOGl6dHF5NlZPMTlERlk0bUZnYnZzS0RDN0x6CkVQOFlpN2JIRmRTN1YyckZWK0Z2cm9uVUx4WTZEdHY0WGZJZWRpR1RYbWQ5ZUxPQk8wWEtzc0xCczFxLzhodzQKeUl5Y09sUzVLTjBJUktYZ0Z2MFRMWnd1aWN6L0h5Z0o4S3FuSDA4ampoVUw2Q2tlZHRhMGM1TVdWWDdxUEhEdwpVbjFwWXRXZ0tGbTBiQVd2UTdhLytwaks2WFllbG9HajZuazVTeVdFUFNadktIZitWZ3loVWRMMUNvelZwY3JECmdSTVNnemJOY2FORVdjYVRJVmpsK2FlSVpxQ1lLYWdXVm94UDhJZDdMbmI4VTBHRUdZQTdadmhocmpuZGR6b3AKL0Z1eWZyRUNnWUVBeFpKVU9UaWFHakJsRFg5L3hMaHZqM1kwL09FTWJObXp3YTVlZDBkdXJJQTJzemNRVy8rdQpVdDBWQ1JoY09OM0ZJNlRLVjRIcVhuMWoxL0FJNFc5NHFOM1FwV25pVUF2VU1YbEJBSzRtRHN5dVJxYUNkcFlpCnN3eU9ENFRTNjNoWTJGUThJNmdjL1djS05nK1lHOGxXRCt0Uzd2aXAydkJ1dE1xNWhuYU5MWjhDZ1lFQThYaGwKSm9BS2pzSStLcjV6bk5JZDZhY2tMMTJIaVpKUmlFb3RVMHJoSzZKRmw3MW1XREo5R1lBaWFIaytyZGZSZER2cgpSTWFSWlhPeERhbmxYR0pXT0hMTVVvUWx4amw0RWZyQ2NNRGozSEVJcDRxYnFiZDl3UU81WmlPTEJNdnhzOVZmClQyRXcva055UjZGWjhWZHBtYUI0RlQzU2U1SU1RSTBLaWFNMFJiY0NnWUFEZUVsd1k5VVpCcWFQc1NDT1ZPcm8KcXh2TklTcTFzckVjZ3JKNEI5SWl4M0d1ZmhZVWQ0NFpPSGJKSFJ0cGlFT1JGN0RTRHA4T0g4ZWtJRHdYc1h4KwpBcjlLV0d5NEdTMFYzVnBONThFVlczVG9HcjZKMUtNeFg5UVM0N05NbldWNkR5aXJPNldlc2JPVk5Ycm5hZ2JQCjZzTWZIVkRtWG5palJqZ3g2MTBaWXdLQmdHdjVVdm1oUFpkU1lpd0kxM2VqT1A3MjN5WlM0ejF2OFFkSmEvVVgKd1pJYVVKWW1lZklzT1daQ3RxQVN2eVZMSVB5aG9uVXhlV2h0RUJtMUE3dUl1VmNxZGhUYnhHeGIzRVhsNURZNAorbXJqSEdTV2hUNmhyeGkweXAxU2ZXSmFzNnlmVjZ3T0lMTkJnNE5tTWVyS0ZJMCtoUk95ZmtFRk1IZFkyZ0pyCnVQOEhBb0dBYm95WWxLSlhqeGx5TE1nZ09xYXlVZW1BVXgxZXN4
VmtzWE5CblR5TmJNY2tzYTNBd0Nyb3JYMisKWTRPUDZmRndNYmREYzF2S0tTWWFRRFYwMkt1S1pqbjBmdWg5Nk9ySU52VzVSWmpqZ3VVSTNIQUQrb3RDWEo4awpCMjdSR05aalVnenExdXo3UnhORTNiQ3U2NGVzbDFaUzdTY0hwNXd1REFtQmZvNkRNY0E9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== --- # Source: cilium/templates/hubble/tls-helm/server-secret.yaml apiVersion: v1 
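Review bot: The new `ca.key` value in this hunk is a base64-encoded RSA private key (the encoding starts with the PEM `BEGIN RSA PRIVATE KEY` header) stored under `cilium-ca`, so the CA's signing key is committed to the repository. The `tls.key` replaced in the next hunk (`@@ -31,9 +31,9 @@`, from `hubble/tls-helm/server-secret.yaml`) has the same problem. Anyone who can read the repository can issue certificates that chain to this CA, and every cluster loaded from this manifest shares the same key pair; regenerating the pair on upgrade, as this commit does, does not change that. Consider rendering the manifest without embedded key material and creating the secrets when the cluster starts; the chart's `hubble.tls.auto.method` also offers `cronJob` and `certmanager` as alternatives to `helm`. If the exposure is accepted because the clusters are disposable, say so above each secret, e.g. `# key pair generated by helm at render time and committed with the manifest; for throwaway clusters only`.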
@@ -31,9 +31,9 @@ metadata: namespace: kube-system type: kubernetes.io/tls data: - ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lRR2ErZWxNTE04TndhZWpySE9QZy80VEFOQmdrcWhraUc5dzBCQVFzRkFEQVUKTVJJd0VBWURWUVFERXdsRGFXeHBkVzBnUTBFd0hoY05Nak13T0RBMk1UQXlOVE14V2hjTk1qWXdPREExTVRBeQpOVE14V2pBVU1SSXdFQVlEVlFRREV3bERhV3hwZFcwZ1EwRXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRRGp0VHpqS2lOUml4YjkwenVkMzhoQXdBZjYvUWoxUFhFdFN1Yi9HL3ZtbE4wY0x1K3kKOGFENERSUW42NTRKUk5Sc2VYVGxNV0hXQkJhUmx0Y2RsbEx2M2hHUVFOSzByOFlybDFRK1doM3hvdzNEN1hXNgpaZExoa25yb01oM3ZXZ1psZ0dZcVgyaVNURVh3WWhOcVR0aWNMNTBrcklQWkpPbnJqWlJWSmVSQy9rRlV3N0hrClBzMjFoeTU0cGJoNTBVczFFMlVpbFpFK3JqQ3krU1VRUVk1TnE1NVhrSVRLUmtRM0x4dWQzTFRraGtpdU5hSU0KVzVWYnZla0R1aHhCeHl4SVZ6Kzc2T0tqS0VzeTE4Qm91cVBwSFdDU0FacWhuMVhadVlFREEyWllXWnRUbGR1NQpMbGZOdlFXNHl5dUo0aDh3eTFSakhSY3dvaGlRdFpYcklFcFhBZ01CQUFHallUQmZNQTRHQTFVZER3RUIvd1FFCkF3SUNwREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXcKQXdFQi96QWRCZ05WSFE0RUZnUVVmMGdhL3Axb1ZMWlFBT3VYV3dMZThtSG1qZVF3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFIb05vQ2I4d3VyL1Y3QW9KVUROYk1PMFVPNEhyamYvYUR6VFZkMjVnbWpWMmVITU5DSksxOEFFCnJVZDM1SlNWRVZHdDI4alJqMVRmVnN1Y0JGZTU1c1J1dWRGSjB6WTBGODlWclFQc1BYMTZGWERzNStTNlZ3elAKcHNlNnNaeDFFVEx3YWFUVXNRT2w4azF0c3dUWnpKRVVaUURXeUNmNHM5bW1EMWl3ZWp2Z2paUWRjeUpieTBWMAo3b3l5MkpEMXpmd0RkQjVMRVBGTndvNEpWOHFiSmdHNkpmTXB1UitkalptZitrZUhHQkFJRzdmMkFON2ZxeWxaClRiVWU3U2FycXEyblUySEp1YkxFK0Z4SHUxSW1DUU1mUzd6cm5ubDN5dHRCTERvWXhyTnNZcmRpZEdEazg3dnEKS1BnMllFOFVOYWtJVlFrV3pGOS9nUUZNMk5leC9xRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= - tls.crt: 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURWekNDQWorZ0F3SUJBZ0lSQUlKdUtwcThWMUptK29wVzRBNmF3dVF3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEl6TURnd05qRXdNalV6TVZvWERUSTJNRGd3TlRFdwpNalV6TVZvd0tqRW9NQ1lHQTFVRUF3d2ZLaTVrWldaaGRXeDBMbWgxWW1Kc1pTMW5jbkJqTG1OcGJHbDFiUzVwCmJ6Q0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUsyTGhPczZPTG1HbUxSY1dFSEIKRDZURUFERWtJbk1TOWVvRm01V0oxVmgrMGx5VXpkejV5c2toczZMQnJRbk5rVzJIQXYraTN5a1lTSytWOEx3eAo3eFVSYVBCb0E1SkZLYWh6Q2U1ZVgzMFRVajlWRXRDb3MxYnAyRjZoNTdjNHdJc2Q3OCtQYkNhWDI1SjJsUjFsCmNqYnl6V1dIcXVXdEN1Mkl2SktsazgxcTdzWm5QZmdHQ3VrUGszazhWcHNMZUs5RzlrV1ZnSThZTWVOa2xPNkIKWUxCNGZRcW1EYXJzQkVVTFFUajVQdXYwUDkzYUJoMHZqaUFMblVYLytrZGNpVzhzZkhvaVkyUk56Vk5lKzM0YQpQQXdPT0hKSVJrVVhVY1ZkQWJLL1l5RHREZTc2aUw3UnJKK08wbnk5K0VtcXl5TXNJYkVSVjFwTXoxMmhiYlQ5Cmtha0NBd0VBQWFPQmpUQ0JpakFPQmdOVkhROEJBZjhFQkFNQ0JhQXdIUVlEVlIwbEJCWXdGQVlJS3dZQkJRVUgKQXdFR0NDc0dBUVVGQndNQ01Bd0dBMVVkRXdFQi93UUNNQUF3SHdZRFZSMGpCQmd3Rm9BVWYwZ2EvcDFvVkxaUQpBT3VYV3dMZThtSG1qZVF3S2dZRFZSMFJCQ013SVlJZktpNWtaV1poZFd4MExtaDFZbUpzWlMxbmNuQmpMbU5wCmJHbDFiUzVwYnpBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQVVjNCtYb2lYZDBWdmFPakorR2owNDJkU2hHd3cKb2h0UUZNdGZBc0tvckI5aXBLR2JyUm9wK2NMaTAyMisrNkNjdXZUNkc2cVRQYjZFKzZNSkRZY1RjL0ZCSnBiVgpzZDAzUnFVRUVIRjJnRVlVZ3ZVTEJDaTVXQ1lBa3Fmb0pqVWg1WG9QdUFoaDFhYjdTbXY1aTd0SjNMdmlwcTNiCllMaTkrdnAzTm5YaUN1NUVrZWtJMExvV1NEYmlYWG9YSmMvdytnOXM3S0cwdkhzNnVrRFFacHF2M0ZIekZXZXMKRXQ2Mkx4dTZBV3NwV1I0a1JZTU5BcWxnQVdnV2JqM0dyRnNGQTI2bU1SUXBSdjRwdzFTS04rTzNWb3NWNThvdwpzdllIS2RoZk43eUQvaldhNHcwWWxXc1I3ZjV4cTNPdzJJVm1iSCtXT1pQUEVPejQ1YldXZUsxbk53PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= - tls.key: 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBcll1RTZ6bzR1WWFZdEZ4WVFjRVBwTVFBTVNRaWN4TDE2Z1dibFluVldIN1NYSlROCjNQbkt5U0d6b3NHdENjMlJiWWNDLzZMZktSaElyNVh3dkRIdkZSRm84R2dEa2tVcHFITUo3bDVmZlJOU1AxVVMKMEtpelZ1bllYcUhudHpqQWl4M3Z6NDlzSnBmYmtuYVZIV1Z5TnZMTlpZZXE1YTBLN1lpOGtxV1R6V3J1eG1jOQorQVlLNlErVGVUeFdtd3Q0cjBiMlJaV0FqeGd4NDJTVTdvRmdzSGg5Q3FZTnF1d0VSUXRCT1BrKzYvUS8zZG9HCkhTK09JQXVkUmYvNlIxeUpieXg4ZWlKalpFM05VMTc3ZmhvOERBNDRja2hHUlJkUnhWMEJzcjlqSU8wTjd2cUkKdnRHc240N1NmTDM0U2FyTEl5d2hzUkZYV2t6UFhhRnR0UDJScVFJREFRQUJBb0lCQUh2NGpwcjZuRXJydTJvYwpEVy9yV2lGNVlpbTRobU50eC8zRXc3K3ZGcGlCQUFUaXg2eHpSRWtwcWdrNkVVSlBkdk9tM3AxKzI2dWZqVXpnCjczZUF0Q2w0cGw0VjczY3RzUFNFT1RQdWRvZ0NwVjVZaDNoSEN0V3Jkc1VqSTBQZlpxdjZWclVPMzFNeVo4ZlkKcmV5eDYwVVZiV1I1NWJyc1FrSXN5NGgyZjM3ZEZ3aWJWTlM2VUs0d3RBSXhMLzRXWjNFaVVsRE5YR3lZS0JvVwptREFndWpKR1dPU1I4V2ZwTEttZEgxbFd6L0JnUnJnZE9ndVNlMGY1TGNxeDJ2K0tRelkxOUtLcS9jSHcza3pQCkVucnBXakRmMURqaGhIRWllODk1dHNrN3VjSzFYWXFyUDhYMzlzbjJPRWVsdlRweDE2NS9FTmIzZ2JjVHIwT0sKWkMrTzBZRUNnWUVBM0Jmb1dGVVpOMXgyR2NJQUgrYzlPVk9vUytJdHFnZlh4bnhCZ0ZacXBRa1J2RDFySmRVRgprdnVlSUNjWEtKMFYwc1J6WStWc3FJeElZcnQ3Wk5JZmVVNmNaSVpHbnVoMFBjQi9MUVczblprSjE0Y1YrSStPCk5ONE5abG8vTyt4cVl1T2FkemVKZlVqQlBhdFBWb09GbjN2dW1hMWI0RnJHTnJ1aGFUa0hWV2NDZ1lFQXlkdUsKZGJ3S01hUzlWYjJ1WU1vckloZ3lycWlHa0FzVGdzQTE0Ty80RGZlS1kzbmhCT3FUNmI5UHJ0dXhOMWN0NnNkUAo5aWxZSHFibUd6S3RySFhvNFpSRGtSVEIzaUswSFBqOXU0UjdXZU0ydnV5bkNDT1AzYysrM0pra251YnBDQ0taCmxLdm1DWWhBaUdmdHBKS2VLTm9KTncxSmlsZHMxc3k3Q0RFajVtOENnWUVBMG9XdndlWk1RMjhXckZhcnhkaHEKOEkyN3VqSHpXZU04bXVlNXc2ZGxSTTBqQUxxQzVlSVgvZHJlQ29VNW1xaCsrbWJjdE4zN2pGRDY0QzNTdnNKYQpScTlSMnJteGpVaHQvNjlFTm0xMGo3T1YvV21DTTRvbERSNmxGSlVZVFJvN1BMSFd5MWY5RkRCbVhyV2hJdkNVCi9OTVBqRUdOVTFHZ3JUUFdGZzd0bTlzQ2dZQWx1dzJrZUNPSHAvMWorM0tPMFB0REFqYm5Bc1UwUTMzQUlPRngKVENtWG9yK1JYSVM5QUlQcFcwTXZzZ3pzQlRXbC90OXBhY3o0M2NXQksvWGVtS09SRnIrU2JNallGckNJQWRxYgpwR1hTSlhCa082UDFGNENhdTJ3M204Q0dteTdQd0hmb25FRUJZeUI4M3NCQzFNMFBZY0g3TWxhZXJ6eSs0Y0hNCkJETnJyUUtCZ1FERVVNbnA4cDd3azIzSU0rSzlQTGZ5dngzbnZt
WDFrRkx2eU9hTjJOTmZoN1I3MG9DSjNZeE8KcHVLQUtXWTdrNFZZR2ZqQzhKOE96cmEzYlJlSGZ1SXhCdmoyZXZVN3JFS3RSS2g0czVIL2ZzRjF2a2hTVG1jeApoL2EzMXl1dW1ObWNmZjVMSDZjcTBGZmN3V3Fic3RleVQxNVp4UDJYTkl5YmorS05jd1IvYmc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= + ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ5Z0F3SUJBZ0lSQUloWGlqRE5hVlcycmRjVlUxKzBYQ2t3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkwTURFeU5EQTJOVEF5TlZvWERUSTNNREV5TXpBMgpOVEF5TlZvd0ZERVNNQkFHQTFVRUF4TUpRMmxzYVhWdElFTkJNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUF1bHVyOGNyZi9yZ0RKVStyZUh2TjEreHlQSWZETEVPWGE4M2pLU0l4eFlac0k3NmIKZndKNXppemJxa2dnM0hJSy9rdm0zR0FaZ2YrQW5uMndmTFZPSmpzZERRUXhhbENGMGVRVytZSGtaNDZFQUViTQpRaENUMW1RZEZrblRWaTZReHZjWnBDR2FVZDB4dWJ4VWRmdkx6NmJQMDUvUHgwaXd3dEx0cDlldXlmWERJUjlPCldCbFM5VzhoR2h4T3liME5pWUM3SzVqZ0RUenBJaTZUb1N1YU5PZlFBSG1oTjYrYmZmc2RkNUlSdXNmQXNwWTUKbkpkeERoUm5uQlBhdmxCbm5RQTA1WmFESzZENktLSkh2Z3hzTzZ5bDVyTHRuVVY3cnpTVTYyZGxBNzJ3NHZtWAo3cEUrWXNGV0kyR0crMmFXSGlvU2Y2WmdkV0VEb0hYalRZTjNxUUlEQVFBQm8yRXdYekFPQmdOVkhROEJBZjhFCkJBTUNBcVF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdIUVlEVlIwT0JCWUVGRStoR0RyVWdKNE1iU2NlV0VmbCs3Nld1TzRrTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQkxNQkFyRXI1cmM4ZDhoZ2hCTXl2MklYa0RmMmpOUmk5UUxDWkI2amxuZWNHY0g1OXhtbmRPCkNXNWRUaVZCQWN3Z0RVL1E5b2ZleG9rTHJsaXFtQ3BrQ2lYQWE4OGk4RHNaYlE2K2RrdnMwR3pHdnU3TFNzTVEKUnhYTHozdGpyU2pGZHROek02RmpKSHZPcnJjbWJFcVYxa3NsNENkZytqSE0zTzFSQm1zVVZvODhnQ2tZTkpZZAowSTF1TDE1cUk4Uy8xbktzL0wyd2pyRVE2dGdpTkRUQldaQ1lYOUFBa0V1SXRMS2ViSkdzd29xY29lclFOR2taCnRkVk5HcGk0R1ZuQTl1dUlhYnJaaVNxbklHaStBRHJKVFRKZWk5RUQyRmd0RjlCalRqRnEraGFaOU1Sd24xN3kKYlVIWHJIM05IYU8ya0NpNFh2clJpUmg4aFEyZ2pJS2oKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + tls.crt: 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURWekNDQWorZ0F3SUJBZ0lSQUtKMGc2ZGtIQzBHbE9pdHZqVFR3ZFl3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkwTURFeU5EQTJOVEF5TlZvWERUSTNNREV5TXpBMgpOVEF5TlZvd0tqRW9NQ1lHQTFVRUF3d2ZLaTVrWldaaGRXeDBMbWgxWW1Kc1pTMW5jbkJqTG1OcGJHbDFiUzVwCmJ6Q0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUwxS01vUTFya1BaUFVDeHZ6aXQKMFhVdFMwWFUwTEhFQmhQeHN0M3NmY0hVR0xLTmdvMGtWQWZScGF3Z2xuSWhUMWZ3cmRSV1pPN1A2RnhQV2dHbQpjY3J4M21IRU1oSmtqc3QwWkdEZEdyU3hwbFh5UHhCUVVBYXVlelh3YlpLK21MaXluNC9XS3hDTEc0MUFUTFFZCm9Za1dINEJNSk1SblE1c21Hbkp5MzBub09PaE5xTTBRckVNQmVPNHJNNS82MDl6RmxxQ1dDM1p1Lzh0bjJiaGMKdTJyVFFzaU9qMDk4TG5YeWwzVXpGRHNnNm0xYm1ybVZhSkJuT212Z0I4N1ZpWVppd1ppZnJBR3FhYTA4SG43YwpndGg2Qi9qSkw5Y1o3dU9rdGI2T0puMytJSG44TTFaREEwQmxteCtUV3VESkdQWmRncEtjZ3VWUWVHYnZMaWg2CnltVUNBd0VBQWFPQmpUQ0JpakFPQmdOVkhROEJBZjhFQkFNQ0JhQXdIUVlEVlIwbEJCWXdGQVlJS3dZQkJRVUgKQXdFR0NDc0dBUVVGQndNQ01Bd0dBMVVkRXdFQi93UUNNQUF3SHdZRFZSMGpCQmd3Rm9BVVQ2RVlPdFNBbmd4dApKeDVZUitYN3ZwYTQ3aVF3S2dZRFZSMFJCQ013SVlJZktpNWtaV1poZFd4MExtaDFZbUpzWlMxbmNuQmpMbU5wCmJHbDFiUzVwYnpBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQU9ZRFpWWTBjLzdXTVhJdDgvSUpLSnl5cDdWRUQKejdOQUtYaVprSUorS0tuSHg0QmF5TXUvcnRoNHZSTWVMWVBCNlF3ZUI4cU93dEhYb0YyTm9qNnQ3ZktYVlNGZgpCREl4c3VmelBab3RvQmNBNEVRa2V5SHAzYkV4bTRrd0gyeTF3Y3JGL3NoR01BSEhKU2x1RHhnVVBVa05EYWpDCnl1SzRpejBTOVpHY3UrR283VXpuWXVqN0x4ZXE1WjZDOUxjYnRmbjlMS1pHdjhqbXFRU2NZNlJDNUZOUFhXcksKdnhUZDJ1SnZDK2V1SGlsaDc1MHVUOC9EbTRERzh4ZVIzTFNXWXpPR0sybFIyN21lNXVZcW5xV0U3bHlubVEzdgppTmxPVnQ4WVRGdGxRd1RjV2dkbnUvYVkzYmZRZXZoU3dpODZjb0ZvRHYxTFZyYnFkL0gwT1ZRTlF3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + tls.key: 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBdlVveWhEV3VROWs5UUxHL09LM1JkUzFMUmRUUXNjUUdFL0d5M2V4OXdkUVlzbzJDCmpTUlVCOUdsckNDV2NpRlBWL0N0MUZaazdzL29YRTlhQWFaeHl2SGVZY1F5RW1TT3kzUmtZTjBhdExHbVZmSS8KRUZCUUJxNTdOZkJ0a3I2WXVMS2ZqOVlyRUlzYmpVQk10QmloaVJZZmdFd2t4R2REbXlZYWNuTGZTZWc0NkUybwp6UkNzUXdGNDdpc3puL3JUM01XV29KWUxkbTcveTJmWnVGeTdhdE5DeUk2UFQzd3VkZktYZFRNVU95RHFiVnVhCnVaVm9rR2M2YStBSHp0V0pobUxCbUorc0FhcHByVHdlZnR5QzJIb0grTWt2MXhudTQ2UzF2bzRtZmY0Z2Vmd3oKVmtNRFFHV2JINU5hNE1rWTlsMkNrcHlDNVZCNFp1OHVLSHJLWlFJREFRQUJBb0lCQUVzR3RhOGhkOGo4dWdLQwpjVUNONUkrRlBHaVpTWDZzSzV5TUdGRk9BeXBvWHNHbXhUQWNUaElyVG5kREUxNTVSWEdkdThpRjFjdXlMRzhxCkpJcXk1amVDVnBwNW9UOFpER0FuNmdGYW9kTXM5cmpxSTRUYjBGeFZuQkJ0RTRFdWVtbjZvclBvTjNsL0taUjYKLyt3Q04wU1d1RFdwK0lqQVJWT2hicW9lVGRLRXdpZGFZRWM5SCtxZlQrcUdSZmJPR0tBMDlycTdsc2haR01GUgpHSVAvL203VEhGR0FnM20velplclBWMGhuYm1zNWVMbHNlZHFDVS95QmpUa0FkU2gyUkU0T0krbTlheEpuNlJZCnZCVWlWbzY1a0JOTndmaUFvREgvWmNVZitvdUNMQjMraTFkdW1wemZVQ0krUWpaNFdQdjVITTZSZWE0YUM2ZGsKK0pubFB3RUNnWUVBNU1acDNQZjFqQnoxWk5WdUdDSTY0VGpjcXdhajZ0ZkVEckppQUpJSXREZnVBeFYzVy8vbQphK0I2Q3dZb0QxUERWQ3Flc2ZxRS80cVVWVklsTXJUUDREdUdKaGxnTVNENGNFbjVXWTUybllCWmJqMUNYektuCmFaQy92TUFIUDRGZ3RnekJEUy84RTFBZnFhWjJDQ2t3cVB2bWNOY0FoMmVZV0RDZDlMQ3YyNjBDZ1lFQTA5RGYKMjVXK0dhK2lVNHZkcWhEOGxUcXQ5UHlONTMvWGVnWEVaQzFDNVRyRHRjSnF6WURvWkp3QnJ4N2U2eGNLQk15WQo2TzY1aE9uTlVMc0V6SUJtMFR3dk4xNTBWSnQ2bHA1amZBZjh3MXBWYjcyWkRldDFXaXZmSS85V2F1OFdJR1IwCkQwNG02RUd5c2lYTFhNTW85Yzg5TVFsSkhmTC8ydEVvSmRqeWdKa0NnWUVBcXpqOUhvN096bkVXRU1QVXhHZEsKSGlyS3JZNG92S21FYVdPRkNkeENlMitveWRJVkpWd2Zmdm5oSGNNYjFHemlzbW03b0lWWmFWQzB1QzdrL0ZCcgpqTzIvOTEvaXFLSitqcnd1emFKY2tJRHhiaHFYUkZ6TEE2MThjNjVkUG1COG00UnNNSXlMWTRFQ1VaenVsaWtOCjdFdXNLeVFmbHpnbncwbVB6d1UyZVhrQ2dZRUF4alBrMVdmb2k4YVNnZFVXSmNaaFpBNlZxdklNb3p3NFdHRS8KSlhKSTc1RXVnMDBhZlpRTFllR3RuYjJvWUptZGNXSTJEM2tiTmlsRlN5N0ZUY3MwNnNPRGR5ODJjZGxQTzlPWQpTZjU3WWgyTVp0UW1mU1VBR2RHRnF2eUtVK1BIYzZZc0NBcGNVK2J1SE05SzNWRnRhWjV6cHdnR1dEVURmekZLCmZTZmx1N2tDZ1lFQWx0M2gwMjY5a0VSdUxzREErUldld1BITldm
WW02NHFkME4yZm4zejRGa0VFTzNNVUdCQ2IKeFBIQlYwbE5aZzlrcEZwUlJvS2NEbTFZNjJLWDNKTlI3Y2ZyUWFqdkdUTEdrQjJxY0dYSDFQVnBPUUwvOE4yRwp5MC9QTkg0WkZQNTduL05OVFdjeXA5OTBWVFNpZ2NKQ0Vta1MxYlRnL0VzOWtuTFhtVDh1OGlNPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= --- # Source: cilium/templates/cilium-configmap.yaml apiVersion: v1 @@ -215,6 +215,8 @@ data: set-cilium-node-taints: "true" set-cilium-is-up-condition: "true" unmanaged-pod-watcher-interval: "15" + # default DNS proxy to transparent mode in non-chaining modes + dnsproxy-enable-transparent-mode: "true" tofqdns-dns-reject-response-code: "refused" tofqdns-enable-dns-compression: "true" tofqdns-endpoint-max-ip-per-hostname: "50" @@ -670,7 +672,7 @@ spec: spec: containers: - name: cilium-agent - image: "quay.io/cilium/cilium:v1.14.0" + image: "quay.io/cilium/cilium:v1.14.6" imagePullPolicy: IfNotPresent command: - cilium-agent @@ -732,6 +734,32 @@ spec: - name: KUBERNETES_SERVICE_PORT value: "6443" lifecycle: + postStart: + exec: + command: + - "bash" + - "-c" + - | + set -o errexit + set -o pipefail + set -o nounset + + # When running in AWS ENI mode, it's likely that 'aws-node' has + # had a chance to install SNAT iptables rules. These can result + # in dropped traffic, so we should attempt to remove them. + # We do it using a 'postStart' hook since this may need to run + # for nodes which might have already been init'ed but may still + # have dangling rules. This is safe because there are no + # dependencies on anything that is part of the startup script + # itself, and can be safely run multiple times per node (e.g. in + # case of a restart). + if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; + then + echo 'Deleting iptables rules created by the AWS CNI VPC plugin' + iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore + fi + echo 'Done!' + preStop: exec: command: 
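Review bot: The `postStart` hook added in the `@@ -732,6 +734,32 @@` hunk rewrites the node's whole iptables ruleset with `iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore`, and that sequence is not atomic. A rule that another component (kube-proxy, for instance) writes between the save and the restore can be lost. The hook's own comment ties it to AWS ENI mode, but nothing in the visible lines makes it conditional, so the rendered manifest appears to carry it for every cluster this overlay starts. If the overlay never runs alongside the AWS VPC CNI, drop the hook when generating the manifest; otherwise document it above `postStart:`, e.g. `# AWS-only cleanup from the upstream chart; rewrites the full host iptables ruleset`. The container spec this hook belongs to starts and ends outside the hunk.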
@@ -760,7 +788,7 @@ spec: mountPath: /tmp initContainers: - name: config - image: "quay.io/cilium/cilium:v1.14.0" + image: "quay.io/cilium/cilium:v1.14.6" imagePullPolicy: IfNotPresent command: - cilium @@ -787,7 +815,7 @@ spec: # Required to mount cgroup2 filesystem on the underlying Kubernetes node. # We use nsenter command with host's cgroup and mount namespaces enabled. - name: mount-cgroup - image: "quay.io/cilium/cilium:v1.14.0" + image: "quay.io/cilium/cilium:v1.14.6" imagePullPolicy: IfNotPresent env: - name: CGROUP_ROOT @@ -815,7 +843,7 @@ spec: securityContext: privileged: true - name: apply-sysctl-overwrites - image: "quay.io/cilium/cilium:v1.14.0" + image: "quay.io/cilium/cilium:v1.14.6" imagePullPolicy: IfNotPresent env: - name: BIN_PATH @@ -841,7 +869,7 @@ spec: securityContext: privileged: true - name: clean-cilium-state - image: "quay.io/cilium/cilium:v1.14.0" + image: "quay.io/cilium/cilium:v1.14.6" imagePullPolicy: IfNotPresent command: - /init-container.sh @@ -871,14 +899,10 @@ spec: mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer - name: cilium-run - mountPath: /var/run/cilium - resources: - requests: - cpu: 100m - memory: 100Mi # wait-for-kube-proxy + mountPath: /var/run/cilium # wait-for-kube-proxy # Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent - name: install-cni-binaries - image: "quay.io/cilium/cilium:v1.14.0" + image: "quay.io/cilium/cilium:v1.14.6" imagePullPolicy: IfNotPresent command: - "/install-plugin.sh" @@ -1029,7 +1053,7 @@ spec: spec: containers: - name: cilium-operator - image: "quay.io/cilium/operator-generic:v1.14.0" + image: "quay.io/cilium/operator-generic:v1.14.6" imagePullPolicy: IfNotPresent command: - cilium-operator-generic