diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
new file mode 100644
index 0000000000000..1972bff2e423c
--- /dev/null
+++ b/.github/workflows/test.yaml
@@ -0,0 +1,69 @@
+name: Image Release Build
+
+on:
+ push:
+ branches:
+ - main
+ - ft/main/**
+
+permissions:
+ # To be able to access the repository with `actions/checkout`
+ contents: read
+ # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
+ id-token: write
+
+jobs:
+ image-digests:
+ name: Display Digests
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Getting image tag
+ id: tag
+ run: |
+ echo tag="v1.16.0-pre.3" >> $GITHUB_OUTPUT
+ - name: Downloading Image Digests
+ shell: bash
+ run: |
+ mkdir -p image-digest/
+
+ - name: Download digests of all images built
+ uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+ with:
+ path: image-digest/
+ repository: cilium/cilium
+ run-id: 9357681504
+
+ - name: Image Digests Output
+ shell: bash
+ run: |
+ cd image-digest/
+ find -type f -regex "image-digest.*" | sort
+ echo "## Docker Manifests" > ../image-digest-output.txt
+ echo "" >> ../image-digest-output.txt
+ find -type f -regex "image-digest.*" | sort | xargs -d '\n' cat >> ../image-digest-output.txt
+
+ - name: Image Makefile Digests
+ shell: bash
+ run: |
+ cd image-digest/
+ echo "# File generated by .github/workflows/build-images-releases.yaml; DO NOT EDIT." > ../Makefile.digests
+ echo "# Copyright "$(date +'%Y')" Authors of Cilium" >> ../Makefile.digests
+ echo "# SPDX-License-Identifier: Apache-2.0" >> ../Makefile.digests
+ echo "" >> ../Makefile.digests
+ find -type f -name "makefile-digest.txt" | sort | xargs -d '\n' awk '{print "export " $0}' >> ../Makefile.digests
+
+ # Upload artifact digests
+ - name: Upload artifact digests
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ with:
+ name: image-digest-output.txt-${{ steps.tag.outputs.tag }}
+ path: image-digest-output.txt
+ retention-days: 10
+
+ # Upload artifact digests
+ - name: Upload artifact digests
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ with:
+ name: Makefile.digests-${{ steps.tag.outputs.tag }}
+ path: Makefile.digests
+ retention-days: 10
diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
index 285de9bcc5dcf..a3de37c8596b0 100644
--- a/Documentation/helm-values.rst
+++ b/Documentation/helm-values.rst
@@ -95,7 +95,7 @@ * - :spelling:ignore:`authentication.mutual.spire.install.agent.image` - SPIRE agent image - object - - ``{"digest":"sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.5","useDigest":true}`` + - ``{"digest":"sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.5","useDigest":true}`` * - :spelling:ignore:`authentication.mutual.spire.install.agent.labels` - SPIRE agent labels - object 
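Review bot: The `permissions` block grants `id-token: write`, yet no step in the `image-digests` job installs cosign or requests an OIDC token, so the job holds a token-minting right it never uses; drop that entry and keep `contents: read`. The `actions/download-artifact` step also sets `repository` and `run-id` without a `github-token` input; as far as I know v4 honours those two inputs only when a token is supplied and otherwise looks in the current run, which would leave `image-digest/` empty. If that holds, add `github-token: ${{ secrets.GITHUB_TOKEN }}` to the step and `actions: read` to `permissions`. Either way the two `find … | xargs` steps should fail when nothing matches, for example with `test -n "$(find . -type f -name 'makefile-digest.txt')"` before the redirect, so an empty `Makefile.digests` is never uploaded.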
@@ -135,7 +135,7 @@ * - :spelling:ignore:`authentication.mutual.spire.install.initImage` - init container image of SPIRE agent and server - object - - ``{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"Always","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}`` + - ``{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}`` * - :spelling:ignore:`authentication.mutual.spire.install.namespace` - SPIRE namespace to install into - string @@ -175,7 +175,7 @@ * - :spelling:ignore:`authentication.mutual.spire.install.server.image` - SPIRE server image - object - - ``{"digest":"sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.5","useDigest":true}`` + - ``{"digest":"sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.5","useDigest":true}`` * - :spelling:ignore:`authentication.mutual.spire.install.server.initContainers` - SPIRE server init containers - list 
@@ -399,7 +399,7 @@ * - :spelling:ignore:`certgen` - Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. - object - - ``{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:bbc5e65e9dc65bc6b58967fe536b7f3b54e12332908aeb0a96a36866b4372b4e","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/certgen","tag":"v0.1.12","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}`` + - ``{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:bbc5e65e9dc65bc6b58967fe536b7f3b54e12332908aeb0a96a36866b4372b4e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.12","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}`` * - :spelling:ignore:`certgen.affinity` - Affinity for certgen - object @@ -523,7 +523,7 @@ * - :spelling:ignore:`clustermesh.apiserver.image` - Clustermesh API server image. - object - - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/clustermesh-apiserver-ci","tag":"latest","useDigest":false}`` + - ``{"digest":"sha256:9348958f91942d81481878e57e6bda75463658240b51fedc9547c2024d848066","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.0-dev","useDigest":true}`` * - :spelling:ignore:`clustermesh.apiserver.kvstoremesh.enabled` - Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. - bool 
@@ -1187,7 +1187,7 @@ * - :spelling:ignore:`envoy.image` - Envoy container image. - object - - ``{"digest":"sha256:7fcc55ed1b73e4333f8a21d82d38ca603ebd0d8d85fe1ad1c95b9af3a5e30ae9","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.4-801c612e442298b3be55f1a1089c44386570880d","useDigest":true}`` + - ``{"digest":"sha256:7fcc55ed1b73e4333f8a21d82d38ca603ebd0d8d85fe1ad1c95b9af3a5e30ae9","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.4-801c612e442298b3be55f1a1089c44386570880d","useDigest":true}`` * - :spelling:ignore:`envoy.livenessProbe.failureThreshold` - failure threshold of liveness probe - int @@ -1383,7 +1383,7 @@ * - :spelling:ignore:`etcd.image` - cilium-etcd-operator image. - object - - ``{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}`` + - ``{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}`` * - :spelling:ignore:`etcd.k8sService` - If etcd is behind a k8s service set this option to true so that Cilium does the service translation automatically without requiring a DNS to be running. - bool 
@@ -1775,7 +1775,7 @@ * - :spelling:ignore:`hubble.relay.image` - Hubble-relay container image. - object - - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-relay-ci","tag":"latest","useDigest":false}`` + - ``{"digest":"sha256:41964978c06687d3db7afd29ed8205a3472c5de1d9c71a7a39b9640c651d4487","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.0-dev","useDigest":true}`` * - :spelling:ignore:`hubble.relay.listenHost` - Host to listen to. Specify an empty string to bind to all the interfaces. - string @@ -2007,7 +2007,7 @@ * - :spelling:ignore:`hubble.ui.backend.image` - Hubble-ui backend image. - object - - ``{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}`` + - ``{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}`` * - :spelling:ignore:`hubble.ui.backend.livenessProbe.enabled` - Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) - bool @@ -2047,7 +2047,7 @@ * - :spelling:ignore:`hubble.ui.frontend.image` - Hubble-ui frontend image. - object - - ``{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}`` + - ``{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}`` * - :spelling:ignore:`hubble.ui.frontend.resources` - Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. - object 
@@ -2155,7 +2155,7 @@ * - :spelling:ignore:`image` - Agent container image. - object - - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}`` + - ``{"digest":"sha256:9918241403727d99cdba7067134dc99024c8f367fc8dbeec7aa5a7c84260d8f6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0-dev","useDigest":true}`` * - :spelling:ignore:`imagePullSecrets` - Configure image pull secrets for pulling container images - list @@ -2543,7 +2543,7 @@ * - :spelling:ignore:`nodeinit.image` - node-init image. - object - - ``{"digest":"sha256:820155cb3b7f00c8d61c1cffa68c44440906cb046bdbad8ff544f5deb1103456","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/startup-script","tag":"19fb149fb3d5c7a37d3edfaf10a2be3ab7386661","useDigest":true}`` + - ``{"digest":"sha256:820155cb3b7f00c8d61c1cffa68c44440906cb046bdbad8ff544f5deb1103456","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"19fb149fb3d5c7a37d3edfaf10a2be3ab7386661","useDigest":true}`` * - :spelling:ignore:`nodeinit.nodeSelector` - Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - object 
@@ -2651,7 +2651,7 @@ * - :spelling:ignore:`operator.image` - cilium-operator image. - object - - ``{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/operator","suffix":"-ci","tag":"latest","useDigest":false}`` + - ``{"alibabacloudDigest":"sha256:0fbbf357ae5e62f1d0777ce34c1fb6d19e1f7b5a25c5100346d34f8cf6ad1730","awsDigest":"sha256:843d6c5094655448e8d1e81b46d334e00444f58bbb9e95575bd042af6871e1f0","azureDigest":"sha256:5682ca7ad8eea47abacad4dae2ff62d98f8f1938dcd7f17a403b673599b8b258","genericDigest":"sha256:565c92df436f801fa5ff3bbb8becac65114818c43e3bcaecf956c0d4c120b5a6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.0-dev","useDigest":true}`` * - :spelling:ignore:`operator.nodeGCInterval` - Interval for cilium node garbage collection. - string @@ -2851,7 +2851,7 @@ * - :spelling:ignore:`preflight.image` - Cilium pre-flight image. - object - - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}`` + - ``{"digest":"sha256:9918241403727d99cdba7067134dc99024c8f367fc8dbeec7aa5a7c84260d8f6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0-dev","useDigest":true}`` * - :spelling:ignore:`preflight.nodeSelector` - Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - object diff --git a/install/kubernetes/Makefile.digests b/install/kubernetes/Makefile.digests index c5944a636e0da..277792618215d 100644 --- a/install/kubernetes/Makefile.digests +++ b/install/kubernetes/Makefile.digests 
@@ -1,13 +1,13 @@ # File generated by .github/workflows/build-images-releases.yaml; DO NOT EDIT. -# Copyright Authors of Cilium +# Copyright 2024 Authors of Cilium # SPDX-License-Identifier: Apache-2.0 -export CILIUM_DIGEST := "" -export CLUSTERMESH_APISERVER_DIGEST := "" -export DOCKER_PLUGIN_DIGEST := "" -export HUBBLE_RELAY_DIGEST := "" -export OPERATOR_AWS_DIGEST := "" -export OPERATOR_AZURE_DIGEST := "" -export OPERATOR_ALIBABACLOUD_DIGEST := "" -export OPERATOR_GENERIC_DIGEST := "" -export OPERATOR_DIGEST := "" +export CILIUM_DIGEST := "sha256:9918241403727d99cdba7067134dc99024c8f367fc8dbeec7aa5a7c84260d8f6" +export CLUSTERMESH_APISERVER_DIGEST := "sha256:9348958f91942d81481878e57e6bda75463658240b51fedc9547c2024d848066" +export DOCKER_PLUGIN_DIGEST := "sha256:446abb18b76590edb4ad35c8c410acae308030d611cb8809b58c53547afc0733" +export HUBBLE_RELAY_DIGEST := "sha256:41964978c06687d3db7afd29ed8205a3472c5de1d9c71a7a39b9640c651d4487" +export OPERATOR_ALIBABACLOUD_DIGEST := "sha256:0fbbf357ae5e62f1d0777ce34c1fb6d19e1f7b5a25c5100346d34f8cf6ad1730" +export OPERATOR_AWS_DIGEST := "sha256:843d6c5094655448e8d1e81b46d334e00444f58bbb9e95575bd042af6871e1f0" +export OPERATOR_AZURE_DIGEST := "sha256:5682ca7ad8eea47abacad4dae2ff62d98f8f1938dcd7f17a403b673599b8b258" +export OPERATOR_GENERIC_DIGEST := "sha256:565c92df436f801fa5ff3bbb8becac65114818c43e3bcaecf956c0d4c120b5a6" +export OPERATOR_DIGEST := "sha256:2f114fc9627a43b435160d587e0128e0fe9256d5c0ff2dde4f703ddd807d9717" diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md index ca7d4e3e6278d..19057814c55a2 100644 --- a/install/kubernetes/cilium/README.md +++ b/install/kubernetes/cilium/README.md 
@@ -73,7 +73,7 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.enabled | bool | `false` | Enable SPIRE integration (beta) | | authentication.mutual.spire.install.agent.affinity | object | `{}` | SPIRE agent affinity configuration | | authentication.mutual.spire.install.agent.annotations | object | `{}` | SPIRE agent annotations | -| authentication.mutual.spire.install.agent.image | object | `{"digest":"sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.5","useDigest":true}` | SPIRE agent image | +| authentication.mutual.spire.install.agent.image | object | `{"digest":"sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.5","useDigest":true}` | SPIRE agent image | | authentication.mutual.spire.install.agent.labels | object | `{}` | SPIRE agent labels | | authentication.mutual.spire.install.agent.nodeSelector | object | `{}` | SPIRE agent nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | authentication.mutual.spire.install.agent.podSecurityContext | object | `{}` | Security context to be added to spire agent pods. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod | 
@@ -83,7 +83,7 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true | | authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. 
| -| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"Always","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server | +| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server | | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into | | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration | | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations | 
@@ -93,7 +93,7 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.install.server.dataStorage.enabled | bool | `true` | Enable SPIRE server data storage | | authentication.mutual.spire.install.server.dataStorage.size | string | `"1Gi"` | Size of the SPIRE server data storage | | authentication.mutual.spire.install.server.dataStorage.storageClass | string | `nil` | StorageClass of the SPIRE server data storage | -| authentication.mutual.spire.install.server.image | object | `{"digest":"sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.5","useDigest":true}` | SPIRE server image | +| authentication.mutual.spire.install.server.image | object | `{"digest":"sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.5","useDigest":true}` | SPIRE server image | | authentication.mutual.spire.install.server.initContainers | list | `[]` | SPIRE server init containers | | authentication.mutual.spire.install.server.labels | object | `{}` | SPIRE server labels | | authentication.mutual.spire.install.server.nodeSelector | object | `{}` | SPIRE server nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -149,7 +149,7 @@ contributors across the globe, there is almost always someone available to help. | bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. | | bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. | | bpfClockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. | -| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:bbc5e65e9dc65bc6b58967fe536b7f3b54e12332908aeb0a96a36866b4372b4e","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/certgen","tag":"v0.1.12","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. | +| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:bbc5e65e9dc65bc6b58967fe536b7f3b54e12332908aeb0a96a36866b4372b4e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.12","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. 
| | certgen.affinity | object | `{}` | Affinity for certgen | | certgen.annotations | object | `{"cronJob":{},"job":{}}` | Annotations to be added to the hubble-certgen initial Job and CronJob | | certgen.extraVolumeMounts | list | `[]` | Additional certgen volumeMounts. | @@ -180,7 +180,7 @@ contributors across the globe, there is almost always someone available to help. | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. | | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. | | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. | -| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/clustermesh-apiserver-ci","tag":"latest","useDigest":false}` | Clustermesh API server image. | +| clustermesh.apiserver.image | object | `{"digest":"sha256:9348958f91942d81481878e57e6bda75463658240b51fedc9547c2024d848066","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.0-dev","useDigest":true}` | Clustermesh API server image. | | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. | | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. | | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. | 
@@ -346,7 +346,7 @@ contributors across the globe, there is almost always someone available to help. | envoy.extraVolumes | list | `[]` | Additional envoy volumes. | | envoy.healthPort | int | `9878` | TCP port for the health API. | | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s | -| envoy.image | object | `{"digest":"sha256:7fcc55ed1b73e4333f8a21d82d38ca603ebd0d8d85fe1ad1c95b9af3a5e30ae9","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.4-801c612e442298b3be55f1a1089c44386570880d","useDigest":true}` | Envoy container image. | +| envoy.image | object | `{"digest":"sha256:7fcc55ed1b73e4333f8a21d82d38ca603ebd0d8d85fe1ad1c95b9af3a5e30ae9","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.4-801c612e442298b3be55f1a1089c44386570880d","useDigest":true}` | Envoy container image. | | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe | | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe | | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. | 
@@ -395,7 +395,7 @@ contributors across the globe, there is almost always someone available to help. | etcd.extraArgs | list | `[]` | Additional cilium-etcd-operator container arguments. | | etcd.extraVolumeMounts | list | `[]` | Additional cilium-etcd-operator volumeMounts. | | etcd.extraVolumes | list | `[]` | Additional cilium-etcd-operator volumes. | -| etcd.image | object | `{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}` | cilium-etcd-operator image. | +| etcd.image | object | `{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}` | cilium-etcd-operator image. | | etcd.k8sService | bool | `false` | If etcd is behind a k8s service set this option to true so that Cilium does the service translation automatically without requiring a DNS to be running. | | etcd.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-etcd-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | etcd.podAnnotations | object | `{}` | Annotations to be added to cilium-etcd-operator pods | 
@@ -493,7 +493,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. | | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay | | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay | -| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-relay-ci","tag":"latest","useDigest":false}` | Hubble-relay container image. | +| hubble.relay.image | object | `{"digest":"sha256:41964978c06687d3db7afd29ed8205a3472c5de1d9c71a7a39b9640c651d4487","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.0-dev","useDigest":true}` | Hubble-relay container image. | | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | | hubble.relay.listenPort | string | `"4245"` | Port to listen to. | | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -551,7 +551,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. | | hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. | | hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. | -| hubble.ui.backend.image | object | `{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}` | Hubble-ui backend image. | +| hubble.ui.backend.image | object | `{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}` | Hubble-ui backend image. | | hubble.ui.backend.livenessProbe.enabled | bool | `false` | Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) | | hubble.ui.backend.readinessProbe.enabled | bool | `false` | Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) | | hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. | 
@@ -561,7 +561,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. | | hubble.ui.frontend.extraVolumeMounts | list | `[]` | Additional hubble-ui frontend volumeMounts. | | hubble.ui.frontend.extraVolumes | list | `[]` | Additional hubble-ui frontend volumes. | -| hubble.ui.frontend.image | object | `{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}` | Hubble-ui frontend image. | +| hubble.ui.frontend.image | object | `{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}` | Hubble-ui frontend image. | | hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. | | hubble.ui.frontend.securityContext | object | `{}` | Hubble-ui frontend security context. | | hubble.ui.frontend.server.ipv6 | object | `{"enabled":true}` | Controls server listener for ipv6 | 
@@ -588,7 +588,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). | | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. | -| image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}` | Agent container image. | +| image | object | `{"digest":"sha256:9918241403727d99cdba7067134dc99024c8f367fc8dbeec7aa5a7c84260d8f6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0-dev","useDigest":true}` | Agent container image. | | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images | | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set | | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. | 
@@ -685,7 +685,7 @@ contributors across the globe, there is almost always someone available to help. | nodeinit.extraEnv | list | `[]` | Additional nodeinit environment variables. | | nodeinit.extraVolumeMounts | list | `[]` | Additional nodeinit volumeMounts. | | nodeinit.extraVolumes | list | `[]` | Additional nodeinit volumes. | -| nodeinit.image | object | `{"digest":"sha256:820155cb3b7f00c8d61c1cffa68c44440906cb046bdbad8ff544f5deb1103456","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/startup-script","tag":"19fb149fb3d5c7a37d3edfaf10a2be3ab7386661","useDigest":true}` | node-init image. | +| nodeinit.image | object | `{"digest":"sha256:820155cb3b7f00c8d61c1cffa68c44440906cb046bdbad8ff544f5deb1103456","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"19fb149fb3d5c7a37d3edfaf10a2be3ab7386661","useDigest":true}` | node-init image. | | nodeinit.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | nodeinit.podAnnotations | object | `{}` | Annotations to be added to node-init pods. | | nodeinit.podLabels | object | `{}` | Labels to be added to node-init pods. | 
@@ -712,7 +712,7 @@ contributors across the globe, there is almost always someone available to help. | operator.hostNetwork | bool | `true` | HostNetwork setting | | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | -| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/operator","suffix":"-ci","tag":"latest","useDigest":false}` | cilium-operator image. | +| operator.image | object | `{"alibabacloudDigest":"sha256:0fbbf357ae5e62f1d0777ce34c1fb6d19e1f7b5a25c5100346d34f8cf6ad1730","awsDigest":"sha256:843d6c5094655448e8d1e81b46d334e00444f58bbb9e95575bd042af6871e1f0","azureDigest":"sha256:5682ca7ad8eea47abacad4dae2ff62d98f8f1938dcd7f17a403b673599b8b258","genericDigest":"sha256:565c92df436f801fa5ff3bbb8becac65114818c43e3bcaecf956c0d4c120b5a6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.0-dev","useDigest":true}` | cilium-operator image. | | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | 
@@ -762,7 +762,7 @@ contributors across the globe, there is almost always someone available to help. | preflight.extraEnv | list | `[]` | Additional preflight environment variables. | | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. | | preflight.extraVolumes | list | `[]` | Additional preflight volumes. | -| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}` | Cilium pre-flight image. | +| preflight.image | object | `{"digest":"sha256:9918241403727d99cdba7067134dc99024c8f367fc8dbeec7aa5a7c84260d8f6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0-dev","useDigest":true}` | Cilium pre-flight image. | | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml index 154e914d1f5b0..03c00e23588a7 100644 --- a/install/kubernetes/cilium/values.yaml +++ b/install/kubernetes/cilium/values.yaml @@ -152,12 +152,12 @@ image: # type: [null, string] # @schema override: ~ - repository: "quay.io/cilium/cilium-ci" - tag: "latest" - pullPolicy: "Always" + repository: "quay.io/cilium/cilium" + tag: "v1.16.0-dev" + pullPolicy: "IfNotPresent" # cilium-digest - digest: "" - useDigest: false + digest: "sha256:9918241403727d99cdba7067134dc99024c8f367fc8dbeec7aa5a7c84260d8f6" + useDigest: true # -- Affinity for cilium-agent. affinity: podAntiAffinity: 
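Review bot: In the values.yaml `image:` hunk (@@ -152,12 +152,12 @@) the new `tag: "v1.16.0-dev"` sits next to a pinned `digest` with `useDigest: true`, and nothing in the block says which of the two selects the image. If the chart renders the reference as `repository:tag@digest` (the template is not visible here, so this is an assumption), the runtime resolves by digest and a user who overrides only `tag` keeps running the old content. I would add a comment above `digest`, for example `# With useDigest: true the digest selects the image; change tag and digest together or set useDigest: false.` The same applies to the hubble-relay, operator, preflight and clustermesh-apiserver hunks further down. The `image:` mapping starts outside this hunk.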
@@ -989,7 +989,7 @@ certgen: tag: "v0.1.12" digest: "sha256:bbc5e65e9dc65bc6b58967fe536b7f3b54e12332908aeb0a96a36866b4372b4e" useDigest: true - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- Seconds after which the completed job pod will be deleted ttlSecondsAfterFinished: 1800 # -- Labels to be added to hubble-certgen pods @@ -1274,12 +1274,12 @@ hubble: # type: [null, string] # @schema override: ~ - repository: "quay.io/cilium/hubble-relay-ci" - tag: "latest" + repository: "quay.io/cilium/hubble-relay" + tag: "v1.16.0-dev" # hubble-relay-digest - digest: "" - useDigest: false - pullPolicy: "Always" + digest: "sha256:41964978c06687d3db7afd29ed8205a3472c5de1d9c71a7a39b9640c651d4487" + useDigest: true + pullPolicy: "IfNotPresent" # -- Specifies the resources for the hubble-relay pods resources: {} # -- Number of replicas run for the hubble-relay deployment. @@ -1511,7 +1511,7 @@ hubble: tag: "v0.13.0" digest: "sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803" useDigest: true - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- Hubble-ui backend security context. securityContext: {} # -- Additional hubble-ui backend environment variables. @@ -1545,7 +1545,7 @@ hubble: tag: "v0.13.0" digest: "sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666" useDigest: true - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- Hubble-ui frontend security context. securityContext: {} # -- Additional hubble-ui frontend environment variables. @@ -2098,7 +2098,7 @@ envoy: override: ~ repository: "quay.io/cilium/cilium-envoy" tag: "v1.29.4-801c612e442298b3be55f1a1089c44386570880d" - pullPolicy: "Always" + pullPolicy: "IfNotPresent" digest: "sha256:7fcc55ed1b73e4333f8a21d82d38ca603ebd0d8d85fe1ad1c95b9af3a5e30ae9" useDigest: true # -- Additional containers added to the cilium Envoy DaemonSet. 
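Review bot: The certgen hunk changes `pullPolicy` to `"IfNotPresent"` without recording that this default is only safe while the image reference stays digest-pinned. With `useDigest: true` a cached image is content-addressed, but once a user sets `useDigest: false` or supplies an `override` with a mutable tag, nodes keep running whatever copy is already cached. The kubelet also stops re-checking registry credentials on each pod start unless the cluster enforces the AlwaysPullImages admission plugin. I would document this next to the key, for example `# IfNotPresent assumes a digest-pinned image; use "Always" when pulling by mutable tag.` The same one-line change appears in the hubble-ui backend and frontend, envoy, etcd, nodeinit and the three SPIRE hunks.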
@@ -2406,7 +2406,7 @@ etcd: tag: "v2.0.7" digest: "sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc" useDigest: true - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- The priority class to use for cilium-etcd-operator priorityClassName: "" # -- Additional cilium-etcd-operator container arguments. @@ -2507,18 +2507,18 @@ operator: # @schema override: ~ repository: "quay.io/cilium/operator" - tag: "latest" + tag: "v1.16.0-dev" # operator-generic-digest - genericDigest: "" + genericDigest: "sha256:565c92df436f801fa5ff3bbb8becac65114818c43e3bcaecf956c0d4c120b5a6" # operator-azure-digest - azureDigest: "" + azureDigest: "sha256:5682ca7ad8eea47abacad4dae2ff62d98f8f1938dcd7f17a403b673599b8b258" # operator-aws-digest - awsDigest: "" + awsDigest: "sha256:843d6c5094655448e8d1e81b46d334e00444f58bbb9e95575bd042af6871e1f0" # operator-alibabacloud-digest - alibabacloudDigest: "" - useDigest: false - pullPolicy: "Always" - suffix: "-ci" + alibabacloudDigest: "sha256:0fbbf357ae5e62f1d0777ce34c1fb6d19e1f7b5a25c5100346d34f8cf6ad1730" + useDigest: true + pullPolicy: "IfNotPresent" + suffix: "" # -- Number of replicas to run for the cilium-operator deployment replicas: 2 # -- The priority class to use for cilium-operator @@ -2709,7 +2709,7 @@ nodeinit: tag: "19fb149fb3d5c7a37d3edfaf10a2be3ab7386661" digest: "sha256:820155cb3b7f00c8d61c1cffa68c44440906cb046bdbad8ff544f5deb1103456" useDigest: true - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- The priority class to use for the nodeinit pod. priorityClassName: "" # -- node-init update strategy 
@@ -2790,12 +2790,12 @@ preflight: # type: [null, string] # @schema override: ~ - repository: "quay.io/cilium/cilium-ci" - tag: "latest" + repository: "quay.io/cilium/cilium" + tag: "v1.16.0-dev" # cilium-digest - digest: "" - useDigest: false - pullPolicy: "Always" + digest: "sha256:9918241403727d99cdba7067134dc99024c8f367fc8dbeec7aa5a7c84260d8f6" + useDigest: true + pullPolicy: "IfNotPresent" # -- The priority class to use for the preflight pod. priorityClassName: "" # -- preflight update strategy @@ -2939,12 +2939,12 @@ clustermesh: # type: [null, string] # @schema override: ~ - repository: "quay.io/cilium/clustermesh-apiserver-ci" - tag: "latest" + repository: "quay.io/cilium/clustermesh-apiserver" + tag: "v1.16.0-dev" # clustermesh-apiserver-digest - digest: "" - useDigest: false - pullPolicy: "Always" + digest: "sha256:9348958f91942d81481878e57e6bda75463658240b51fedc9547c2024d848066" + useDigest: true + pullPolicy: "IfNotPresent" # -- TCP port for the clustermesh-apiserver health API. healthPort: 9880 # -- Configuration for the clustermesh-apiserver readiness probe. @@ -3410,7 +3410,7 @@ authentication: tag: "1.36.1" digest: "sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b" useDigest: true - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # SPIRE agent configuration agent: # -- SPIRE agent image @@ -3423,7 +3423,7 @@ authentication: tag: "1.8.5" digest: "sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b" useDigest: true - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- SPIRE agent service account serviceAccount: create: true @@ -3474,7 +3474,7 @@ authentication: tag: "1.8.5" digest: "sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428" useDigest: true - pullPolicy: "Always" + pullPolicy: "IfNotPresent" # -- SPIRE server service account serviceAccount: create: true