From 3ab56fe86c16edde7a5dfd15c603e73a0daba0f5 Mon Sep 17 00:00:00 2001 From: robot Date: Thu, 19 Dec 2024 20:04:46 +0000 Subject: [PATCH] robot: project cni chart upgrades from 1.17.1 to 1.24.2 
Signed-off-by: robot --- charts/cni/cni/Chart.yaml | 10 +- charts/cni/cni/README.md | 43 +++- charts/cni/cni/charts/cni/Chart.yaml | 8 +- charts/cni/cni/charts/cni/README.md | 43 +++- .../cni/charts/cni/files/profile-ambient.yaml | 17 ++ .../profile-compatibility-version-1.21.yaml | 33 +++ .../profile-compatibility-version-1.22.yaml | 26 +++ .../profile-compatibility-version-1.23.yaml | 19 ++ .../cni/charts/cni/files/profile-demo.yaml | 90 ++++++++ .../cni/files/profile-platform-k3d.yaml | 7 + .../cni/files/profile-platform-k3s.yaml | 7 + .../cni/files/profile-platform-microk8s.yaml | 7 + .../cni/files/profile-platform-minikube.yaml | 6 + .../cni/files/profile-platform-openshift.yaml | 19 ++ .../cni/charts/cni/files/profile-preview.yaml | 13 ++ .../cni/charts/cni/files/profile-remote.yaml | 13 ++ .../cni/charts/cni/files/profile-stable.yaml | 8 + charts/cni/cni/charts/cni/templates/NOTES.txt | 4 +- .../cni/cni/charts/cni/templates/_helpers.tpl | 8 + .../cni/charts/cni/templates/clusterrole.yaml | 77 ++++--- .../cni/templates/clusterrolebinding.yaml | 56 ++--- .../charts/cni/templates/configmap-cni.yaml | 64 ++---- .../cni/charts/cni/templates/daemonset.yaml | 213 +++++++++++------- .../network-attachment-definition.yaml | 11 + .../charts/cni/templates/resourcequota.yaml | 9 +- .../charts/cni/templates/serviceaccount.yaml | 6 +- .../cni/templates/zzy_descope_legacy.yaml | 3 + .../cni/charts/cni/templates/zzz_profile.yaml | 74 ++++++ charts/cni/cni/charts/cni/values.yaml | 159 ++++++++----- charts/cni/cni/values.schema.json | 159 +++++++------ charts/cni/cni/values.yaml | 141 +++++++----- charts/cni/config | 2 +- 32 files changed, 970 insertions(+), 385 deletions(-) create mode 100644 charts/cni/cni/charts/cni/files/profile-ambient.yaml create mode 100644 charts/cni/cni/charts/cni/files/profile-compatibility-version-1.21.yaml create mode 100644 charts/cni/cni/charts/cni/files/profile-compatibility-version-1.22.yaml create mode 100644 
charts/cni/cni/charts/cni/files/profile-compatibility-version-1.23.yaml create mode 100644 charts/cni/cni/charts/cni/files/profile-demo.yaml create mode 100644 charts/cni/cni/charts/cni/files/profile-platform-k3d.yaml create mode 100644 charts/cni/cni/charts/cni/files/profile-platform-k3s.yaml create mode 100644 charts/cni/cni/charts/cni/files/profile-platform-microk8s.yaml create mode 100644 charts/cni/cni/charts/cni/files/profile-platform-minikube.yaml create mode 100644 charts/cni/cni/charts/cni/files/profile-platform-openshift.yaml create mode 100644 charts/cni/cni/charts/cni/files/profile-preview.yaml create mode 100644 charts/cni/cni/charts/cni/files/profile-remote.yaml create mode 100644 charts/cni/cni/charts/cni/files/profile-stable.yaml create mode 100644 charts/cni/cni/charts/cni/templates/_helpers.tpl create mode 100644 charts/cni/cni/charts/cni/templates/network-attachment-definition.yaml create mode 100644 charts/cni/cni/charts/cni/templates/zzy_descope_legacy.yaml create mode 100644 charts/cni/cni/charts/cni/templates/zzz_profile.yaml diff --git a/charts/cni/cni/Chart.yaml b/charts/cni/cni/Chart.yaml index e7c2b8a4d..b701ebf54 100644 --- a/charts/cni/cni/Chart.yaml +++ b/charts/cni/cni/Chart.yaml @@ -1,5 +1,5 @@ -apiVersion: v1 -appVersion: 1.17.1 +apiVersion: v2 +appVersion: 1.24.2 description: Helm chart for istio-cni components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -7,9 +7,9 @@ keywords: - istio name: cni sources: - - https://github.com/istio/istio/tree/master/cni -version: 1.17.1 + - https://github.com/istio/istio +version: 1.24.2 dependencies: - name: cni - version: "1.17.1" + version: "1.24.2" repository: "https://istio-release.storage.googleapis.com/charts" diff --git a/charts/cni/cni/README.md b/charts/cni/cni/README.md index b7fbc5d52..a8b78d5bd 100644 --- a/charts/cni/cni/README.md +++ b/charts/cni/cni/README.md 
@@ -21,4 +21,45 @@ helm install istio-cni istio/cni -n kube-system ``` Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) -`priorityClassName` can be used. +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. + +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. 
+
+If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
+it is auto-detected.
diff --git a/charts/cni/cni/charts/cni/Chart.yaml b/charts/cni/cni/charts/cni/Chart.yaml
index 5b366889b..912e92841 100644
--- a/charts/cni/cni/charts/cni/Chart.yaml
+++ b/charts/cni/cni/charts/cni/Chart.yaml
@@ -1,5 +1,5 @@
-apiVersion: v1
-appVersion: 1.17.1
+apiVersion: v2
+appVersion: 1.24.2
 description: Helm chart for istio-cni components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -7,5 +7,5 @@ keywords:
 - istio
 name: cni
 sources:
-- https://github.com/istio/istio/tree/master/cni
-version: 1.17.1
+- https://github.com/istio/istio
+version: 1.24.2
diff --git a/charts/cni/cni/charts/cni/README.md b/charts/cni/cni/charts/cni/README.md
index b7fbc5d52..a8b78d5bd 100644
--- a/charts/cni/cni/charts/cni/README.md
+++ b/charts/cni/cni/charts/cni/README.md
@@ -21,4 +21,45 @@ helm install istio-cni istio/cni -n kube-system ``` Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) -`priorityClassName` can be used. +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. + +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. 
+ +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/charts/cni/cni/charts/cni/files/profile-ambient.yaml b/charts/cni/cni/charts/cni/files/profile-ambient.yaml new file mode 100644 index 000000000..2805fe46b --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.21.yaml b/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.21.yaml new file mode 100644 index 000000000..c8da4d2e1 --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.21.yaml 
@@ -0,0 +1,33 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + # 1.22 behavioral changes + defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 diff --git a/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.22.yaml b/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.22.yaml new file mode 100644 index 000000000..70d8eb40c --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.22.yaml 
@@ -0,0 +1,26 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.22 behavioral changes + ENABLE_DEFERRED_CLUSTER_CREATION: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.23.yaml b/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 000000000..636bb6f15 --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" 
diff --git a/charts/cni/cni/charts/cni/files/profile-demo.yaml b/charts/cni/cni/charts/cni/files/profile-demo.yaml
new file mode 100644
index 000000000..eadbde17c
--- /dev/null
+++ b/charts/cni/cni/charts/cni/files/profile-demo.yaml
@@ -0,0 +1,90 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. 
https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/charts/cni/cni/charts/cni/files/profile-platform-k3d.yaml b/charts/cni/cni/charts/cni/files/profile-platform-k3d.yaml new file mode 100644 index 000000000..cd86d9ec5 --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/charts/cni/cni/charts/cni/files/profile-platform-k3s.yaml b/charts/cni/cni/charts/cni/files/profile-platform-k3s.yaml new file mode 100644 index 000000000..f3f2884aa --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/current/bin/ diff --git a/charts/cni/cni/charts/cni/files/profile-platform-microk8s.yaml b/charts/cni/cni/charts/cni/files/profile-platform-microk8s.yaml new file mode 100644 index 000000000..57d7f5e3c --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-platform-microk8s.yaml 
@@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/charts/cni/cni/charts/cni/files/profile-platform-minikube.yaml b/charts/cni/cni/charts/cni/files/profile-platform-minikube.yaml new file mode 100644 index 000000000..fa9992e20 --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/charts/cni/cni/charts/cni/files/profile-platform-openshift.yaml b/charts/cni/cni/charts/cni/files/profile-platform-openshift.yaml new file mode 100644 index 000000000..8ddc5e165 --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" 
diff --git a/charts/cni/cni/charts/cni/files/profile-preview.yaml b/charts/cni/cni/charts/cni/files/profile-preview.yaml new file mode 100644 index 000000000..181d7bda2 --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/charts/cni/cni/charts/cni/files/profile-remote.yaml b/charts/cni/cni/charts/cni/files/profile-remote.yaml new file mode 100644 index 000000000..d17b9a801 --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/charts/cni/cni/charts/cni/files/profile-stable.yaml b/charts/cni/cni/charts/cni/files/profile-stable.yaml new file mode 100644 index 000000000..358282e69 --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-stable.yaml 
@@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/charts/cni/cni/charts/cni/templates/NOTES.txt b/charts/cni/cni/charts/cni/templates/NOTES.txt index 994628240..fb35525b9 100644 --- a/charts/cni/cni/charts/cni/templates/NOTES.txt +++ b/charts/cni/cni/charts/cni/templates/NOTES.txt @@ -1,5 +1,5 @@ "{{ .Release.Name }}" successfully installed! To learn more about the release, try: - $ helm status {{ .Release.Name }} - $ helm get all {{ .Release.Name }} + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/charts/cni/cni/charts/cni/templates/_helpers.tpl b/charts/cni/cni/charts/cni/templates/_helpers.tpl new file mode 100644 index 000000000..73cc17b2f --- /dev/null +++ b/charts/cni/cni/charts/cni/templates/_helpers.tpl @@ -0,0 +1,8 @@ +{{- define "name" -}} + istio-cni +{{- end }} + + +{{- define "istio-tag" -}} + {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} +{{- end }} diff --git a/charts/cni/cni/charts/cni/templates/clusterrole.yaml b/charts/cni/cni/charts/cni/templates/clusterrole.yaml index 7f7030de3..197e20c65 100644 --- a/charts/cni/cni/charts/cni/templates/clusterrole.yaml +++ b/charts/cni/cni/charts/cni/templates/clusterrole.yaml 
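Review bot: The `istio-tag` helper renders an empty string when neither `.Values.tag` nor `.Values.global.tag` is set, and whatever consumes it (presumably the image reference in daemonset.yaml, which is not visible in this chunk) then gets an unpinned or malformed image tag instead of a render error. Wrapping the lookup in `required`, as in `{{ required "tag or global.tag must be set" (.Values.tag | default .Values.global.tag) }}`, turns that into a hard failure at template time. The chart's values.yaml presumably defaults `global.tag` to 1.24.2, so this only bites when a values override blanks it, but a guard is cheap for a component that installs binaries on every node.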
@@ -1,63 +1,76 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: istio-cni + name: {{ template "name" . }} labels: - app: istio-cni + app: {{ template "name" . }} release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} rules: - apiGroups: [""] - resources: - - pods - - nodes - verbs: - - get + resources: ["pods","nodes","namespaces"] + verbs: ["get", "list", "watch"] +{{- if (eq (coalesce .Values.platform .Values.global.platform) "openshift") }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +{{- end }} --- -{{- if .Values.cni.repair.enabled }} +{{- if .Values.repair.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: istio-cni-repair-role + name: {{ template "name" . }}-repair-role labels: - app: istio-cni + app: {{ template "name" . }} release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . 
| nindent 4 }} rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch", "delete", "patch", "update" ] -- apiGroups: [""] - resources: ["events"] - verbs: ["get", "list", "watch", "delete", "patch", "update", "create" ] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["watch", "get", "list"] +{{- if .Values.repair.repairPods }} +{{- /* No privileges needed*/}} +{{- else if .Values.repair.deletePods }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete"] +{{- else if .Values.repair.labelPods }} + - apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} {{- end }} --- - {{- if .Values.cni.taint.enabled }} +{{- if .Values.ambient.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: istio-cni-taint-role + name: {{ template "name" . }}-ambient labels: - app: istio-cni + app: {{ template "name" . }} release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} rules: - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch", "patch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "create", "update"] - {{- end }} +- apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} 
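Review bot: The repair ClusterRole's mode selection is an if/else-if chain (repairPods, then deletePods, then labelPods), so when more than one of these values is true only the first match receives RBAC, while configmap-cni.yaml in this same patch hands all three flags to the agent unchanged; that precedence is invisible to anyone editing values. A template comment at the top of the chain would close the gap: `{{- /* Modes are checked in priority order repairPods > deletePods > labelPods; only the first enabled mode gets RBAC even though the agent is told about all of them */}}`. The base ClusterRole also widens from `get` on pods/nodes to `get,list,watch` on pods, nodes and namespaces cluster-wide with no note on why; if the 1.24 node agent watches these, say so, e.g. `# list/watch presumably needed by the node agent's watches — confirm against the 1.24 agent`. I cannot see whether the agent treats the repair modes as mutually exclusive, so the first point is a documentation gap rather than a proven bug.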
diff --git a/charts/cni/cni/charts/cni/templates/clusterrolebinding.yaml b/charts/cni/cni/charts/cni/templates/clusterrolebinding.yaml
index deabd5238..032b3e3f2 100644
--- a/charts/cni/cni/charts/cni/templates/clusterrolebinding.yaml
+++ b/charts/cni/cni/charts/cni/templates/clusterrolebinding.yaml
@@ -1,78 +1,66 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: istio-cni + name: {{ template "name" . }} labels: - app: istio-cni + app: {{ template "name" . }} release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: istio-cni + name: {{ template "name" . }} subjects: - kind: ServiceAccount - name: istio-cni + name: {{ template "name" . }} namespace: {{ .Release.Namespace }} --- -{{- if .Values.cni.repair.enabled }} +{{- if .Values.repair.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: istio-cni-repair-rolebinding + name: {{ template "name" . }}-repair-rolebinding labels: - k8s-app: istio-cni-repair + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} subjects: - kind: ServiceAccount - name: istio-cni + name: {{ template "name" . }} namespace: {{ .Release.Namespace}} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: istio-cni-repair-role + name: {{ template "name" . 
}}-repair-role {{- end }} --- -{{- if ne .Values.cni.psp_cluster_role "" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istio-cni-psp - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.cni.psp_cluster_role }} -subjects: -- kind: ServiceAccount - name: istio-cni - namespace: {{ .Release.Namespace }} -{{- end }} ---- -{{- if .Values.cni.taint.enabled }} +{{- if .Values.ambient.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: istio-cni-taint-rolebinding + name: {{ template "name" . }}-ambient labels: - k8s-app: istio-cni-taint + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} subjects: - kind: ServiceAccount - name: istio-cni + name: {{ template "name" . }} namespace: {{ .Release.Namespace}} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: istio-cni-taint-role + name: {{ template "name" . }}-ambient {{- end }} diff --git a/charts/cni/cni/charts/cni/templates/configmap-cni.yaml b/charts/cni/cni/charts/cni/templates/configmap-cni.yaml index b18a30d47..39a09fb69 100644 --- a/charts/cni/cni/charts/cni/templates/configmap-cni.yaml +++ b/charts/cni/cni/charts/cni/templates/configmap-cni.yaml 
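Review bot: The new ambient ClusterRoleBinding carries the label `k8s-app: {{ template "name" . }}-repair`, copied from the repair binding directly above it, so the two bindings are indistinguishable by that label; it should read `k8s-app: {{ template "name" . }}-ambient` to match its name and roleRef. Separately, dropping the PodSecurityPolicy RoleBinding means a `cni.psp_cluster_role` value carried over from a 1.17 values file is now silently ignored rather than rejected; unless values.schema.json (not visible here) forbids the key, a README or NOTES.txt line stating that the PSP binding was removed would save operators a surprise on clusters that still enforce PSP.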
@@ -1,51 +1,35 @@ -{{- $defaultBinDir := - (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} kind: ConfigMap apiVersion: v1 metadata: - name: istio-cni-config + name: {{ template "name" . }}-config namespace: {{ .Release.Namespace }} labels: - app: istio-cni + app: {{ template "name" . }} release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} data: - # The CNI network configuration to add to the plugin chain on each node. The special - # values in this config will be automatically populated. - cni_network_config: |- - { - "cniVersion": "0.3.1", - "name": "istio-cni", - "type": "istio-cni", - "log_level": {{ quote .Values.cni.logLevel }}, - "log_uds_address": "__LOG_UDS_ADDRESS__", - "kubernetes": { - "kubeconfig": "__KUBECONFIG_FILEPATH__", - "cni_bin_dir": {{ .Values.cni.cniBinDir | default $defaultBinDir | quote }}, - "exclude_namespaces": [ {{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ] - } - } ---- - {{- if .Values.cni.taint.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: "istio-cni-taint-configmap" - namespace: {{ .Release.Namespace }} - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -data: - config: | - - name: istio-cni - selector: k8s-app=istio-cni-node - namespace: {{ .Release.Namespace }} + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | default 
"false" | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | default "false" | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDED_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.chained | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} {{- end }} diff --git a/charts/cni/cni/charts/cni/templates/daemonset.yaml b/charts/cni/cni/charts/cni/templates/daemonset.yaml index 7ebd7c239..e30ab0acb 100644 --- a/charts/cni/cni/charts/cni/templates/daemonset.yaml +++ b/charts/cni/cni/charts/cni/templates/daemonset.yaml 
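Review bot: `REPAIR_ENABLED: {{ .Values.chained | quote }}` keys the repair switch off the chained-plugin flag, while the repair ClusterRole and ClusterRoleBinding in this same patch are gated on `.Values.repair.enabled`, so the two can disagree: the OpenShift profile sets `chained: false`, which turns repair off here even with `repair.enabled: true`, and a chained install with `repair.enabled: false` tells the agent repair is on without granting it the delete or pods/status RBAC. Unless this mirrors upstream on purpose it should be `REPAIR_ENABLED: {{ .Values.repair.enabled | quote }}`; if it is deliberate (repair only meaningful for chained installs) a comment saying so belongs on that line. A smaller robustness point: the `{{ $key }}: "{{ $val }}"` loop over `.Values.env` emits invalid YAML for any value containing a double quote, and `{{ $key }}: {{ $val | quote }}` avoids that. I am inferring how the agent reads REPAIR_ENABLED from the variable name, not from code visible here.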
@@ -9,40 +9,60 @@ kind: DaemonSet apiVersion: apps/v1 metadata: - name: istio-cni-node + name: {{ template "name" . }}-node namespace: {{ .Release.Namespace }} labels: - k8s-app: istio-cni-node + k8s-app: {{ template "name" . }}-node release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} spec: selector: matchLabels: - k8s-app: istio-cni-node + k8s-app: {{ template "name" . }}-node updateStrategy: type: RollingUpdate rollingUpdate: - maxUnavailable: 1 + maxUnavailable: {{ .Values.rollingMaxUnavailable }} template: metadata: labels: - k8s-app: istio-cni-node + k8s-app: {{ template "name" . }}-node sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} annotations: sidecar.istio.io/inject: "false" # Add Prometheus Scrape annotations prometheus.io/scrape: 'true' prometheus.io/port: "15014" prometheus.io/path: '/metrics' + # Add AppArmor annotation + # This is required to avoid conflicts with AppArmor profiles which block certain + # privileged pod capabilities. + # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the + # securityContext which is otherwise preferred. 
+ container.apparmor.security.beta.kubernetes.io/install-cni: unconfined # Custom annotations - {{- if .Values.cni.podAnnotations }} -{{ toYaml .Values.cni.podAnnotations | indent 8 }} + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} {{- end }} spec: +{{if .Values.ambient.enabled }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{ end }} nodeSelector: kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} tolerations: # Make sure istio-cni-node gets scheduled on all nodes. - effect: NoSchedule @@ -53,7 +73,7 @@ spec: - effect: NoExecute operator: Exists priorityClassName: system-node-critical - serviceAccountName: istio-cni + serviceAccountName: {{ template "name" . }} # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. terminationGracePeriodSeconds: 5 
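Review bot: The `container.apparmor.security.beta.kubernetes.io/install-cni: unconfined` annotation is emitted unconditionally, so the container drops AppArmor confinement even on sidecar-only installs where neither ambient nor `repairPods` is in use, and there is no value to turn it off on clusters whose admission policy rejects `unconfined`. Gate it behind a boolean value that defaults to the current behaviour, and extend the existing comment with `Cannot be overridden via podAnnotations: a duplicate key there yields a manifest whose outcome depends on the YAML parser.` The comment ties the annotation form to Kubernetes 1.29; once the chart no longer supports that release the `securityContext.appArmorProfile` form it already mentions should replace it, which deserves a TODO on the line. Note also that `hostNetwork: true` is switched on by `ambient.enabled` just below, which together with the capabilities granted later in this file means the DaemonSet's namespace must run at the `privileged` Pod Security level; the README should say so.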
@@ -61,122 +81,153 @@ spec: # This container installs the Istio CNI binaries # and CNI network config file on each node. - name: install-cni -{{- if contains "/" .Values.cni.image }} - image: "{{ .Values.cni.image }}" +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" {{- else }} - image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ .Values.cni.tag | default .Values.global.tag }}{{with (.Values.cni.variant | default .Values.global.variant)}}-{{.}}{{end}}" + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" {{- end }} -{{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} {{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP readinessProbe: httpGet: path: /readyz port: 8000 securityContext: + privileged: false runAsGroup: 0 runAsUser: 0 runAsNonRoot: false - privileged: {{ .Values.cni.privileged }} -{{- if .Values.cni.seccompProfile }} + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair mode to describe the pod's network namespace + # in ambient and repair mode. 
+ - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. + - SYS_ADMIN + # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose + # the typical ability to read/write to folders owned by others. + # This can cause problems if the hostPath mounts we use, which we require write access into, + # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. + - DAC_OVERRIDE +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} seccompProfile: -{{ toYaml .Values.cni.seccompProfile | trim | indent 14 }} +{{ toYaml .Values.seccompProfile | trim | indent 14 }} {{- end }} command: ["install-cni"] args: - {{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} {{- end}} {{- if .Values.global.logAsJson }} - --log_as_json {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config env: -{{- if .Values.cni.cniConfFileName }} - # Name of the CNI config file to create. - - name: CNI_CONF_NAME - value: "{{ .Values.cni.cniConfFileName }}" -{{- end }} - # The CNI network config to install on each node. - - name: CNI_NETWORK_CONFIG - valueFrom: - configMapKeyRef: - name: istio-cni-config - key: cni_network_config - - name: CNI_NET_DIR - value: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} - # Deploy as a standalone CNI plugin or as chained? 
- - name: CHAINED_CNI_PLUGIN - value: "{{ .Values.cni.chained }}" - - name: REPAIR_ENABLED - value: "{{ .Values.cni.repair.enabled }}" - name: REPAIR_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - - name: REPAIR_LABEL_PODS - value: "{{.Values.cni.repair.labelPods}}" - # Set to true to enable pod deletion - - name: REPAIR_DELETE_PODS - value: "{{.Values.cni.repair.deletePods}}" - name: REPAIR_RUN_AS_DAEMON value: "true" - name: REPAIR_SIDECAR_ANNOTATION value: "sidecar.istio.io/status" - - name: REPAIR_INIT_CONTAINER_NAME - value: "{{ .Values.cni.repair.initContainerName }}" - - name: REPAIR_BROKEN_POD_LABEL_KEY - value: "{{.Values.cni.repair.brokenPodLabelKey}}" - - name: REPAIR_BROKEN_POD_LABEL_VALUE - value: "{{.Values.cni.repair.brokenPodLabelValue}}" + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace volumeMounts: - mountPath: /host/opt/cni/bin name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} - mountPath: /host/etc/cni/net.d name: cni-net-dir - mountPath: /var/run/istio-cni - name: cni-log-dir + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} resources: -{{- if .Values.cni.resources }} -{{ toYaml .Values.cni.resources | trim | indent 12 }} +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} {{- else }} {{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} -{{- if 
.Values.cni.taint.enabled }} - - name: taint-controller -{{- if contains "/" .Values.cni.image }} - image: "{{ .Values.cni.image }}" -{{- else }} - image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ .Values.cni.tag | default .Values.global.tag }}{{with (.Values.cni.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - command: ["/opt/local/bin/istio-cni-taint"] - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true -{{- if .Values.cni.seccompProfile }} - seccompProfile: -{{ toYaml .Values.cni.seccompProfile | trim | indent 14 }} -{{- end }} - env: - - name: "TAINT_RUN-AS-DAEMON" - value: "true" - - name: "TAINT_CONFIGMAP-NAME" - value: "istio-cni-taint-configmap" - - name: "TAINT_CONFIGMAP-NAMESPACE" - value: {{ .Release.Namespace | quote }} {{- end }} volumes: # Used to install CNI. 
- name: cni-bin-dir hostPath: - path: {{ .Values.cni.cniBinDir | default $defaultBinDir }} + path: {{ .Values.cniBinDir | default $defaultBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} - name: cni-net-dir hostPath: - path: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} - # Used for UDS log - - name: cni-log-dir + path: {{ default "/etc/cni/net.d" .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir hostPath: path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir | default "/var/run/netns" }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. diff --git a/charts/cni/cni/charts/cni/templates/network-attachment-definition.yaml b/charts/cni/cni/charts/cni/templates/network-attachment-definition.yaml new file mode 100644 index 000000000..86a2eb7c0 --- /dev/null +++ b/charts/cni/cni/charts/cni/templates/network-attachment-definition.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.provider "multus" }} +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "name" . }} + namespace: default + labels: + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +{{- end }} diff --git a/charts/cni/cni/charts/cni/templates/resourcequota.yaml b/charts/cni/cni/charts/cni/templates/resourcequota.yaml index 15946ae72..9a6d61ff9 100644 
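Review bot: The `cni-netns-dir` volume at the bottom of the volumes list is declared unconditionally while its mount under `/host/var/run/netns` is wrapped in `{{- if .Values.ambient.enabled }}`, so with `type: DirectoryOrCreate` the kubelet creates `/var/run/netns` on every node of a sidecar-only install that never uses it; wrap the volume in the same guard already used for `cni-host-procfs` and `cni-ztunnel-sock-dir`. On the security context, the capability comments are useful but should not leave a reader thinking `privileged: false` lowers the trust level: `SYS_ADMIN` plus `SYS_PTRACE` and `DAC_OVERRIDE` as UID 0 with the host's `/proc` mounted is node-root in practice (the `readOnly: true` on that mount presumably does not limit `setns` on a descriptor opened from it, which is exactly the use the comment describes), and with `seccompProfile` defaulting to empty no syscall filter applies at all. Suggest adding to the comment block: `NOTE: this remains a node-admin-equivalent workload; privileged: false only narrows the device/mount surface. Set seccompProfile (type: RuntimeDefault) where the runtime supports it.` The container definition and the DaemonSet spec begin before this hunk.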
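Review bot: The NetworkAttachmentDefinition is created in a hardcoded `default` namespace rather than `{{ .Release.Namespace }}`, unlike every other resource in this chart, and nothing explains why. If that is deliberate (presumably so workloads in any namespace can reference `default/<name>` through Multus), add a comment on the `namespace:` line stating it, and note that an installer whose credentials are scoped to the release namespace will fail on this object; otherwise use the release namespace.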
--- a/charts/cni/cni/charts/cni/templates/resourcequota.yaml +++ b/charts/cni/cni/charts/cni/templates/resourcequota.yaml @@ -1,12 +1,15 @@ -{{- if .Values.cni.resourceQuotas.enabled }} +{{- if .Values.resourceQuotas.enabled }} apiVersion: v1 kind: ResourceQuota metadata: - name: istio-cni-resource-quota + name: {{ template "name" . }}-resource-quota namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} spec: hard: - pods: {{ .Values.cni.resourceQuotas.pods | quote }} + pods: {{ .Values.resourceQuotas.pods | quote }} scopeSelector: matchExpressions: - operator: In diff --git a/charts/cni/cni/charts/cni/templates/serviceaccount.yaml b/charts/cni/cni/charts/cni/templates/serviceaccount.yaml index 4645db63a..41ac7dd83 100644 --- a/charts/cni/cni/charts/cni/templates/serviceaccount.yaml +++ b/charts/cni/cni/charts/cni/templates/serviceaccount.yaml @@ -7,11 +7,13 @@ imagePullSecrets: {{- end }} {{- end }} metadata: - name: istio-cni + name: {{ template "name" . }} namespace: {{ .Release.Namespace }} labels: - app: istio-cni + app: {{ template "name" . }} release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} diff --git a/charts/cni/cni/charts/cni/templates/zzy_descope_legacy.yaml b/charts/cni/cni/charts/cni/templates/zzy_descope_legacy.yaml new file mode 100644 index 000000000..a9584ac29 --- /dev/null +++ b/charts/cni/cni/charts/cni/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file 
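Review bot: zzy_descope_legacy.yaml merges `.Values.cni` over the already profile-merged `.Values` with `mustMergeOverwrite`, so a key set under `cni.*` silently wins over the same key set at the root and over the selected profile, compatibility-version and platform files, and the template comment does not say which side wins. Extend the comment with `Keys under .cni take precedence over the same keys at the root and over profile values, because this runs after zzz_profile.yaml.` The file also lacks a trailing newline, which the diff flags.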
diff --git a/charts/cni/cni/charts/cni/templates/zzz_profile.yaml b/charts/cni/cni/charts/cni/templates/zzz_profile.yaml
new file mode 100644
index 000000000..35623047c
--- /dev/null
+++ b/charts/cni/cni/charts/cni/templates/zzz_profile.yaml
@@ -0,0 +1,74 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with .Values.profile }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" $.Values.profile) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- if ($.Values.global).platform }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }} +{{- $ignore := mustMergeOverwrite $profile (. 
| fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" ($.Values.global).platform) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/charts/cni/cni/charts/cni/values.yaml b/charts/cni/cni/charts/cni/values.yaml index 9c3a6ef5a..1322a8aad 100644 --- a/charts/cni/cni/charts/cni/values.yaml +++ b/charts/cni/cni/charts/cni/values.yaml 
@@ -1,14 +1,15 @@ -cni: +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: hub: "" tag: "" variant: "" image: install-cni pullPolicy: "" - # Configuration log level of istio-cni binary - # by default istio-cni send all logs to UDS server - # if want to see them you need change global.logging.level with cni:debug - logLevel: debug + # Same as `global.logging.level`, but will override it if set + logging: + level: "" # Configuration file to insert istio-cni plugin configuration # by default this will be the first file found in the cni-conf-dir 
@@ -20,34 +21,59 @@ cni: cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin. cniConfDir: /etc/cni/net.d cniConfFileName: "" + # This directory must exist on the node, if it does not, consult your container runtime + # documentation for the appropriate path. + cniNetnsDir: # Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'. + excludeNamespaces: - - istio-system - kube-system + # Allows user to set custom affinity for the DaemonSet + affinity: {} + # Custom annotations on pod level, if you need them podAnnotations: {} - # If this value is set a RoleBinding will be created - # in the same namespace as the istio-cni DaemonSet is created. - # This can be used to bind a preexisting ClusterRole to the istio/cni ServiceAccount - # e.g. if you use PodSecurityPolicies - psp_cluster_role: "" - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case chained: true - # Allow the istio-cni container to run in privileged mode, needed for some platforms (e.g. OpenShift) - privileged: false + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: false + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + repair: enabled: true hub: "" tag: "" - labelPods: true - deletePods: true + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. 
+ # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true initContainerName: "istio-validation" 
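Review bot: `cniNetnsDir:` is written with no value, which YAML reads as null (and the generated values.schema.json in this same commit records it as `"type": "null"`), whereas the sibling `cniBinDir: ""` uses the empty-string convention that the template's `| default "/var/run/netns"` handles either way; write `cniNetnsDir: ""` so the two agree and the schema infers a string. The repair comment says `Note only one may be used` but nothing in the chart enforces it, so either add a `fail` in the template when more than one of `labelPods`/`deletePods`/`repairPods` is true or document what the controller does when several are set. The `labelPods` comment now reads `will label all pods with =.`, apparently having lost its `<brokenPodLabelKey>=<brokenPodLabelValue>` placeholders, and should be restored. Dropping `istio-system` from the default `excludeNamespaces` changes behaviour for users upgrading with defaults (the plugin will now see control-plane pods), which deserves a line in the README even if the plugin decides per pod.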
@@ -57,58 +83,67 @@ cni: # Set to `type: RuntimeDefault` to use the default profile if available. seccompProfile: {} + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + resources: requests: cpu: 100m memory: 100Mi - # Experimental taint controller for further race condition mitigation - taint: - enabled: false - resourceQuotas: enabled: false pods: 5000 -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" - -# For Helm compatibility. -ownerName: "" - -global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - - # Default tag for Istio images. - tag: 1.17.1 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: default:info,cni:info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. 
- imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi + # The number of pods that can be unavailable during rolling update (see + # `updateStrategy.rollingUpdate.maxUnavailable` here: + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + # May be specified as a number of pods or as a percent of the total number + # of pods at the start of the update. + rollingMaxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: docker.io/istio + + # Default tag for Istio images. + tag: 1.24.2 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # A `key: value` mapping of environment variables to add to the pod + env: {} 
diff --git a/charts/cni/cni/values.schema.json b/charts/cni/cni/values.schema.json index 3b68ce69c..cc8b43186 100644 --- a/charts/cni/cni/values.schema.json +++ b/charts/cni/cni/values.schema.json @@ -5,9 +5,29 @@ "cni": { "type": "object", "properties": { - "cni": { + "_internal_defaults_do_not_set": { "type": "object", "properties": { + "affinity": { + "type": "object" + }, + "ambient": { + "type": "object", + "properties": { + "configDir": { + "type": "string" + }, + "dnsCapture": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "ipv6": { + "type": "boolean" + } + } + }, "chained": { "type": "boolean" }, @@ -20,28 +40,86 @@ "cniConfFileName": { "type": "string" }, + "cniNetnsDir": { + "type": "null" + }, + "env": { + "type": "object" + }, "excludeNamespaces": { "type": "array", "items": { "type": "string" } }, + "global": { + "type": "object", + "properties": { + "defaultResources": { + "type": "object", + "properties": { + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + }, + "hub": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "imagePullSecrets": { + "type": "array" + }, + "logAsJson": { + "type": "boolean" + }, + "logging": { + "type": "object", + "properties": { + "level": { + "type": "string" + } + } + }, + "tag": { + "type": "string" + }, + "variant": { + "type": "string" + } + } + }, "hub": { "type": "string" }, "image": { "type": "string" }, - "logLevel": { + "logging": { + "type": "object", + "properties": { + "level": { + "type": "string" + } + } + }, + "ownerName": { "type": "string" }, "podAnnotations": { "type": "object" }, - "privileged": { - "type": "boolean" - }, - "psp_cluster_role": { + "provider": { "type": "string" }, "pullPolicy": { @@ -71,6 +149,9 @@ "labelPods": { "type": "boolean" }, + "repairPods": { + "type": "boolean" + }, "tag": { "type": "string" } 
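Review bot: `"cniNetnsDir": { "type": "null" }` forbids the only useful value of that key, a path such as `/var/run/docker/netns` that the values comment itself suggests; this is an artefact of the generator reading the bare `cniNetnsDir:` default as null. Declare it `"type": ["string", "null"]`, or give the default an empty string so the generator emits `string`. The property sits under `_internal_defaults_do_not_set`, so it may only bite users who set that discouraged path directly, but a schema that rejects a documented setting is still wrong.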
@@ -103,63 +184,17 @@ } } }, - "seccompProfile": { - "type": "object" - }, - "tag": { + "revision": { "type": "string" }, - "taint": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } + "rollingMaxUnavailable": { + "type": "integer" }, - "variant": { - "type": "string" - } - } - }, - "global": { - "type": "object", - "properties": { - "defaultResources": { - "type": "object", - "properties": { - "requests": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - } - } - }, - "hub": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string" - }, - "imagePullSecrets": { - "type": "array" - }, - "logAsJson": { - "type": "boolean" + "seLinuxOptions": { + "type": "object" }, - "logging": { - "type": "object", - "properties": { - "level": { - "type": "string" - } - } + "seccompProfile": { + "type": "object" }, "tag": { "type": "string" @@ -168,12 +203,6 @@ "type": "string" } } - }, - "ownerName": { - "type": "string" - }, - "revision": { - "type": "string" } } } diff --git a/charts/cni/cni/values.yaml b/charts/cni/cni/values.yaml index 4add5a60f..54fbd621c 100644 --- a/charts/cni/cni/values.yaml +++ b/charts/cni/cni/values.yaml 
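Review bot: `rollingMaxUnavailable` is typed `"integer"` while the values.yaml comment for the same key says it may be a percentage of pods; `--set rollingMaxUnavailable=10%` would then be rejected by schema validation even though the DaemonSet's `maxUnavailable` accepts it. Use `"type": ["integer", "string"]`, optionally with `"pattern": "^[0-9]+%$"` on the string form, so the schema and the documentation agree.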
@@ -1,15 +1,16 @@ # child values cni: - cni: + # "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. + # For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. + _internal_defaults_do_not_set: hub: "" tag: "" variant: "" image: install-cni pullPolicy: "" - # Configuration log level of istio-cni binary - # by default istio-cni send all logs to UDS server - # if want to see them you need change global.logging.level with cni:debug - logLevel: debug + # Same as `global.logging.level`, but will override it if set + logging: + level: "" # Configuration file to insert istio-cni plugin configuration # by default this will be the first file found in the cni-conf-dir # Example 
@@ -20,76 +21,112 @@ cni:
 cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin.
 cniConfDir: /etc/cni/net.d
 cniConfFileName: ""
+ # This directory must exist on the node, if it does not, consult your container runtime
+ # documentation for the appropriate path.
+ cniNetnsDir: # Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'.
 excludeNamespaces:
- - istio-system
 - kube-system
+ # Allows user to set custom affinity for the DaemonSet
+ affinity: {}
 # Custom annotations on pod level, if you need them
 podAnnotations: {}
- # If this value is set a RoleBinding will be created
- # in the same namespace as the istio-cni DaemonSet is created.
- # This can be used to bind a preexisting ClusterRole to the istio/cni ServiceAccount
- # e.g. if you use PodSecurityPolicies
- psp_cluster_role: ""
 # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
 # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
 chained: true
- # Allow the istio-cni container to run in privileged mode, needed for some platforms (e.g. OpenShift)
- privileged: false
+ # Custom configuration happens based on the CNI provider.
+ # Possible values: "default", "multus"
+ provider: "default"
+ # Configure ambient settings
+ ambient:
+ # If enabled, ambient redirection will be enabled
+ enabled: false
+ # Set ambient config dir path: defaults to /etc/ambient-config
+ configDir: ""
+ # If enabled, and ambient is enabled, DNS redirection will be enabled
+ dnsCapture: false
+ # If enabled, and ambient is enabled, enables ipv6 support
+ ipv6: true
 repair:
 enabled: true
 hub: ""
 tag: ""
- labelPods: true
- deletePods: true
+ # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+ # This defines the action the controller will take when a pod is detected as broken.
+
+ # labelPods will label all pods with =.
+ # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+ # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
+ labelPods: false
+ # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+ # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
+ deletePods: false
+ # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+ # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+ # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
+ repairPods: true
 initContainerName: "istio-validation"
 brokenPodLabelKey: "cni.istio.io/uninitialized"
 brokenPodLabelValue: "true"
 # Set to `type: RuntimeDefault` to use the default profile if available.
 seccompProfile: {}
+ # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms.
+ seLinuxOptions: {}
 resources:
 requests:
- cpu: 10m
- memory: 100Mi
- limits:
 cpu: 100m
- memory: 200Mi
- # Experimental taint controller for further race condition mitigation
- taint:
- enabled: false
+ memory: 100Mi
 resourceQuotas:
 enabled: false
 pods: 5000
- # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
- revision: ""
- # For Helm compatibility.
- ownerName: ""
+ # The number of pods that can be unavailable during rolling update (see
+ # `updateStrategy.rollingUpdate.maxUnavailable` here:
+ # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+ # May be specified as a number of pods or as a percent of the total number
+ # of pods at the start of the update.
+ rollingMaxUnavailable: 1
+ # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+ revision: ""
+ # For Helm compatibility.
+ ownerName: ""
+ global:
+ # Default hub for Istio images.
+ # Releases are published to docker hub under 'istio' project.
+ # Dev builds from prow are on gcr.io
+ hub: docker.io/istio
+ # Default tag for Istio images.
+ tag: 1.24.2
+ # Variant of the image to use.
+ # Currently supported are: [debug, distroless]
+ variant: ""
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ imagePullPolicy: ""
+ # change cni scope level to control logging out of istio-cni-node DaemonSet
+ logging:
+ level: info
+ logAsJson: false
+ # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+ # to use for pulling any images in pods that reference this ServiceAccount.
+ # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+ # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+ # Must be set for any cluster configured with private docker registry.
+ imagePullSecrets: []
+ # - private-registry-key
+
+ # Default resources allocated
+ defaultResources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ # A `key: value` mapping of environment variables to add to the pod
+ env: {}
 global:
- # Default hub for Istio images.
- # Releases are published to docker hub under 'istio' project.
- # Dev builds from prow are on gcr.io
 hub: docker.m.daocloud.io/istio
- # Default tag for Istio images.
- tag: 1.17.1
- # Variant of the image to use.
- # Currently supported are: [debug, distroless]
- variant: ""
- # Specify image pull policy if default behavior isn't desired.
- # Default behavior: latest images will be Always else IfNotPresent.
- imagePullPolicy: ""
- # change cni scope level to control logging out of istio-cni-node DaemonSet
- logging:
- level: default:info,cni:info
- logAsJson: false
- # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
- # to use for pulling any images in pods that reference this ServiceAccount.
- # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
- # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
- # Must be set for any cluster configured with private docker registry.
- imagePullSecrets: []
- # - private-registry-key
-
- # Default resources allocated
- defaultResources:
+ cni:
+ resources:
 requests:
- cpu: 100m
+ cpu: 10m
 memory: 100Mi
+ limits:
+ cpu: 100m
+ memory: 200Mi
diff --git a/charts/cni/config b/charts/cni/config
index 5514c928b..194d39887 100644
--- a/charts/cni/config
+++ b/charts/cni/config
@@ -4,7 +4,7 @@
 export USE_OPENSOURCE_CHART=false
 export REPO_URL=https://istio-release.storage.googleapis.com/charts
 export REPO_NAME=istio
 export CHART_NAME=cni
-export VERSION=1.17.1
+export VERSION=1.24.2
 # pr, issue, none
 export UPGRADE_METHOD=pr
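Review bot: `repair.repairPods: true` becomes the default while the `privileged: false` knob is removed near the top of the hunk, and the new comment on that key states the mode needs `securityContext.privileged/CAP_SYS_ADMIN`; the overlay `cni:` block at the end of the hunk only overrides `resources`, so this chart now ships the elevated-capability repair mode by default and that deserves an explicit comment next to the overlay's `global.hub` override. The 1.17.1 defaults `labelPods: true` / `deletePods: true` are now both `false`, so clusters that relied on broken pods being labelled or evicted lose that behaviour silently unless the overlay pins `repair.labelPods` / `repair.deletePods`. `seccompProfile: {}` and `seLinuxOptions: {}` stay empty; the comment on `seccompProfile` already points at `type: RuntimeDefault`, so consider setting `seccompProfile: {type: RuntimeDefault}` in the overlay where the platform supports it. `cniNetnsDir:` is written as a bare empty value, which YAML reads as null rather than the '/var/run/netns' its comment documents — acceptable only if the template treats nil as unset, otherwise write `cniNetnsDir: ""`.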