From 73ccf570d9d8a1fa0cb7f15630f241aa98f3b652 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Sun, 11 May 2025 10:19:11 +0200
Subject: [PATCH] wip: move cilium values to external dir
---
 apps/templates/cilium.yaml | 114 +++----------------------------------
 values/cilium/values.yaml | 106 ++++++++++++++++++++++++++++++++++
 2 files changed, 113 insertions(+), 107 deletions(-)
 create mode 100644 values/cilium/values.yaml
diff --git a/apps/templates/cilium.yaml b/apps/templates/cilium.yaml
index 46a7e6cf..580ed9be 100644
--- a/apps/templates/cilium.yaml
+++ b/apps/templates/cilium.yaml
@@ -11,6 +11,9 @@ spec:
 namespace: kube-system
 server: 'https://kubernetes.default.svc'
 sources:
+ - repoURL: {{ .Values.cluster_config.manifests }}
+ targetRevision: HEAD
+ ref: manifests
 {{- if .Values.cilium.spire.enabled }}
 - repoURL: {{ .Values.cluster_config.manifests }}
 path: {{ .Values.cluster_config.policies }}/cilium-spire
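Review bot: The new `ref: manifests` source is pinned to `targetRevision: HEAD`, so the Cilium values that this commit moves out of the template (the securityContext capability lists, Hubble redaction, policyAuditMode) will be taken from whatever the manifests repo's default branch holds at sync time, while the chart itself is pinned through `.Values.cilium.version` in the next hunk. A CNI's configuration is worth the same reproducibility as the chart: expose the revision as a value instead of the literal, e.g. `targetRevision: {{ .Values.cluster_config.manifests_revision }}` (value name illustrative), and set it to a tag or commit per cluster. Whether the existing spire source below pins HEAD as well is not visible here, and the `sources:` list continues past the end of the hunk.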
@@ -20,113 +23,10 @@ spec:
 targetRevision: {{ .Values.cilium.version }}
 chart: cilium
 helm:
- values: |
- authentication:
- mutual:
- spire:
- enabled: {{ .Values.cilium.spire.enabled }}
- cgroup:
- autoMount:
- enabled: false
- hostRoot: /sys/fs/cgroup
- dashboards:
- enabled: true
- namespace: prometheus
- enableXTSocketFallback: false
- encryption:
- enabled: {{ .Values.cilium.encryption.enabled }}
- type: {{ .Values.cilium.encryption.type}}
- envoy:
- enabled: {{ .Values.cilium.envoy.enabled }}
- prometheus:
- serviceMonitor:
- enabled: {{ .Values.cilium.envoy.enabled }}
- extraConfig:
- enable-envoy-config: "true"
- hubble:
- enabled: true
- tls:
- auto:
- method: cronJob
- metrics:
- dashboards:
- enabled: true
- namespace: prometheus
- enabled:
- - dns:query;ignoreAAAA
- - drop
- - tcp
- - flow
- - icmp
- - policy:sourceContext=app|workload-name|pod|reserved-identity;destinationContext=app|workload-name|pod|dns|reserved-identity;labelsContext=source_namespace,destination_namespace
- - httpV2:exemplars=false;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction
- port: 12304
- serviceMonitor:
- enabled: true
- redact:
- enabled: true
- relay:
- enabled: true
- prometheus:
- enabled: true
- serviceMonitor:
- enabled: true
- ui:
- enabled: {{ .Values.cilium.hubble.ui }}
- ipam:
- mode: kubernetes
- kubeProxyReplacement: {{ .Values.cilium.kubeProxyReplacement }}
- l2announcements:
- enabled: {{ .Values.cilium.l2announcement.enabled }}
- k8sServiceHost: {{ .Values.cilium.k8sServiceHost }}
- k8sServicePort: {{ .Values.cilium.k8sServicePort }}
- nodePort:
- enabled: {{ .Values.cilium.nodePort.enabled }}
- gatewayAPI:
- enabled: {{ .Values.cilium.gatewayAPI.enabled }}
- ingressController:
- enabled: {{ .Values.cilium.ingressController.enabled }}
- default: {{ .Values.cilium.ingressController.defaultClass }}
- loadbalancerMode: {{ .Values.cilium.ingressController.loadbalancerMode }}
- operator:
- dashboards:
- enabled: true
- namespace: prometheus
- prometheus:
- enabled: true
- port: 12301
- serviceMointor:
- enabled: true
- port: 12302
- rollOutPods: true
- policyAuditMode: {{ .Values.cilium.policyAuditMode }}
- prometheus:
- enabled: true
- port: 12300
- serviceMonitor:
- enabled: true
- rollOutCiliumPods: true
- securityContext:
- capabilities:
- ciliumAgent:
- - CHOWN
- - KILL
- - NET_ADMIN
- - NET_RAW
- - IPC_LOCK
- - SYS_ADMIN
- - SYS_RESOURCE
- - DAC_OVERRIDE
- - FOWNER
- - SETGID
- - SETUID
- cleanCiliumState:
- - NET_ADMIN
- - SYS_ADMIN
- - SYS_RESOURCE
- {{- with .Values.cilium.upgradeCompatability}}
- upgradeCompatability: {{ . }}
- {{- end }}
+ valuesFiles:
+ - $manifests/values/cilium/values.yaml
+ - $manifests/values/cilium/values-{{ .Values.cluster_config.name }}.yaml
+ ignoreMissingValueFiles: true
 project: sys
 syncPolicy:
 syncOptions:
diff --git a/values/cilium/values.yaml b/values/cilium/values.yaml
new file mode 100644
index 00000000..61d3d62f
--- /dev/null
+++ b/values/cilium/values.yaml
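Review bot: The added key `valuesFiles:` is not the Argo CD Helm source field; the field is `valueFiles` (singular "value"), so as written the Application would most likely have its unknown key pruned and render the Cilium chart with no values files at all, and `ignoreMissingValueFiles: true` would not help because nothing is being looked up. That means the chart deploys with upstream defaults instead of the capability lists, Hubble redaction and policyAuditMode setting this commit just moved out of the template; change the line to `valueFiles:`. Separately, `ignoreMissingValueFiles: true` is needed for the optional per-cluster `values-<name>.yaml`, but it equally silences a missing or mistyped base `values/cilium/values.yaml` on the `manifests` ref, with the same fall-back-to-defaults effect. Add `# ignoreMissingValueFiles is for the optional per-cluster override only; the base values.yaml must exist on the manifests ref` above it and consider a CI check that the base file is present.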
@@ -0,0 +1,106 @@
+authentication:
+ mutual:
+ spire:
+ enabled: {{ .Values.cilium.spire.enabled }}
+cgroup:
+ autoMount:
+ enabled: false
+ hostRoot: /sys/fs/cgroup
+dashboards:
+ enabled: true
+ namespace: prometheus
+enableXTSocketFallback: false
+encryption:
+ enabled: {{ .Values.cilium.encryption.enabled }}
+ type: {{ .Values.cilium.encryption.type}}
+envoy:
+ enabled: {{ .Values.cilium.envoy.enabled }}
+ prometheus:
+ serviceMonitor:
+ enabled: {{ .Values.cilium.envoy.enabled }}
+extraConfig:
+ enable-envoy-config: "true"
+hubble:
+ enabled: true
+ tls:
+ auto:
+ method: cronJob
+ metrics:
+ dashboards:
+ enabled: true
+ namespace: prometheus
+ enabled:
+ - dns:query;ignoreAAAA
+ - drop
+ - tcp
+ - flow
+ - icmp
+ - policy:sourceContext=app|workload-name|pod|reserved-identity;destinationContext=app|workload-name|pod|dns|reserved-identity;labelsContext=source_namespace,destination_namespace
+ - httpV2:exemplars=false;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction
+ port: 12304
+ serviceMonitor:
+ enabled: true
+ redact:
+ enabled: true
+ relay:
+ enabled: true
+ prometheus:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ ui:
+ enabled: {{ .Values.cilium.hubble.ui }}
+ipam:
+ mode: kubernetes
+kubeProxyReplacement: {{ .Values.cilium.kubeProxyReplacement }}
+l2announcements:
+ enabled: {{ .Values.cilium.l2announcement.enabled }}
+k8sServiceHost: {{ .Values.cilium.k8sServiceHost }}
+k8sServicePort: {{ .Values.cilium.k8sServicePort }}
+nodePort:
+ enabled: {{ .Values.cilium.nodePort.enabled }}
+gatewayAPI:
+ enabled: {{ .Values.cilium.gatewayAPI.enabled }}
+ingressController:
+ enabled: {{ .Values.cilium.ingressController.enabled }}
+ default: {{ .Values.cilium.ingressController.defaultClass }}
+ loadbalancerMode: {{ .Values.cilium.ingressController.loadbalancerMode }}
+operator:
+ dashboards:
+ enabled: true
+ namespace: prometheus
+ prometheus:
+ enabled: true
+ port: 12301
+ serviceMointor:
+ enabled: true
+ port: 12302
+ rollOutPods: true
+policyAuditMode: {{ .Values.cilium.policyAuditMode }}
+prometheus:
+ enabled: true
+ port: 12300
+ serviceMonitor:
+ enabled: true
+rollOutCiliumPods: true
+securityContext:
+ capabilities:
+ ciliumAgent:
+ - CHOWN
+ - KILL
+ - NET_ADMIN
+ - NET_RAW
+ - IPC_LOCK
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ - DAC_OVERRIDE
+ - FOWNER
+ - SETGID
+ - SETUID
+ cleanCiliumState:
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_RESOURCE
+{{- with .Values.cilium.upgradeCompatability}}
+upgradeCompatability: {{ . }}
+{{- end }}
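Review bot: The new `values/cilium/values.yaml` still carries Go-template expressions (`enabled: {{ .Values.cilium.spire.enabled }}`, `policyAuditMode: {{ .Values.cilium.policyAuditMode }}`, the `{{- with .Values.cilium.upgradeCompatability}}` block), but a file handed to Helm as a values file is read as plain YAML and is not rendered, so unless some pre-render step not shown here processes it, those values will be parsed as YAML flow mappings or rejected and the `{{- with` line will likely be a syntax error — the chart will not render at all. Either keep the templated settings in the Application's `helm.values` block, or replace them with concrete values here and put the per-cluster differences in the `values-<cluster>.yaml` override, which cannot template them either. Two typos carried over from the old block also bypass the chart silently, since Helm ignores unknown keys: `serviceMointor:` under `operator.prometheus` should be `serviceMonitor:`, and `upgradeCompatability:` should be `upgradeCompatibility:`, so today neither the operator ServiceMonitor nor the upgrade-compatibility pin is actually applied. Because `policyAuditMode` (policies logged instead of enforced when true) and the `securityContext.capabilities` lists are security-relevant, a header comment stating that this file is consumed verbatim by Helm and that its defaults are the enforced baseline for every cluster would help the next editor.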