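{{- if .Values.cilium.enabled }}
{{/*
Argo CD Application that installs the Cilium CNI into kube-system.
Sync wave -1 so the CNI is applied before workloads that need pod
networking. Chart values are rendered from .Values.cilium.*; the
security-relevant switches (encryption, policy audit mode, agent
capabilities, Hubble redaction) are commented inline in the values block.

Fixes vs. the previous revision:
  - operator.prometheus "serviceMointor" was misspelled, so the operator
    ServiceMonitor was never enabled (unknown keys are silently ignored).
  - the chart key is "upgradeCompatibility"; the misspelled key was ignored.
    The values-file key (.Values.cilium.upgradeCompatability) is unchanged.
  - templated version / path / URL scalars are quoted so a value such as
    1.15 or 1.10 is not re-typed as a float by the YAML parser.
*/}}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cilium
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
spec:
  destination:
    namespace: kube-system
    server: 'https://kubernetes.default.svc'
  sources:
    {{- if .Values.cilium.spire.enabled }}
    # SPIRE server/agent manifests, only when mutual auth via SPIRE is on.
    - repoURL: {{ .Values.cluster_config.manifests | quote }}
      path: {{ printf "%s/cilium-spire" .Values.cluster_config.policies | quote }}
      targetRevision: HEAD
    {{- end }}
    - repoURL: 'https://helm.cilium.io'
      # Quoted: a bare "1.15" would otherwise be parsed as a float.
      targetRevision: {{ .Values.cilium.version | quote }}
      chart: cilium
      helm:
        values: |
          authentication:
            mutual:
              spire:
                enabled: {{ .Values.cilium.spire.enabled }}
          cgroup:
            autoMount:
              enabled: false
            hostRoot: /sys/fs/cgroup
          dashboards:
            enabled: true
            namespace: prometheus
          enableXTSocketFallback: false
          # Transparent pod-to-pod encryption; type is taken from values
          # (e.g. wireguard/ipsec). Disabled means east-west traffic is
          # cleartext on the node network.
          encryption:
            enabled: {{ .Values.cilium.encryption.enabled }}
            type: {{ .Values.cilium.encryption.type }}
          envoy:
            enabled: {{ .Values.cilium.envoy.enabled }}
            prometheus:
              serviceMonitor:
                enabled: {{ .Values.cilium.envoy.enabled }}
          extraConfig:
            enable-envoy-config: "true"
          hubble:
            enabled: true
            tls:
              auto:
                method: cronJob
            metrics:
              dashboards:
                enabled: true
                namespace: prometheus
              enabled:
                - dns:query;ignoreAAAA
                - drop
                - tcp
                - flow
                - icmp
                - policy:sourceContext=app|workload-name|pod|reserved-identity;destinationContext=app|workload-name|pod|dns|reserved-identity;labelsContext=source_namespace,destination_namespace
                - httpV2:exemplars=false;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction
              port: 12304
              serviceMonitor:
                enabled: true
            # Keep enabled: strips sensitive L7 details from exported flows.
            redact:
              enabled: true
            relay:
              enabled: true
              prometheus:
                enabled: true
                serviceMonitor:
                  enabled: true
            ui:
              enabled: {{ .Values.cilium.hubble.ui }}
          ipam:
            mode: kubernetes
          kubeProxyReplacement: {{ .Values.cilium.kubeProxyReplacement }}
          l2announcements:
            enabled: {{ .Values.cilium.l2announcement.enabled }}
          k8sServiceHost: {{ .Values.cilium.k8sServiceHost }}
          k8sServicePort: {{ .Values.cilium.k8sServicePort }}
          nodePort:
            enabled: {{ .Values.cilium.nodePort.enabled }}
          gatewayAPI:
            enabled: {{ .Values.cilium.gatewayAPI.enabled }}
          ingressController:
            enabled: {{ .Values.cilium.ingressController.enabled }}
            default: {{ .Values.cilium.ingressController.defaultClass }}
            loadbalancerMode: {{ .Values.cilium.ingressController.loadbalancerMode }}
          operator:
            dashboards:
              enabled: true
              namespace: prometheus
            prometheus:
              enabled: true
              port: 12301
              serviceMonitor:
                enabled: true
                port: 12302
            rollOutPods: true
          # NOTE(review): in audit mode Cilium reports policy verdicts without
          # enforcing them -- keep this false outside of a policy rollout.
          policyAuditMode: {{ .Values.cilium.policyAuditMode }}
          prometheus:
            enabled: true
            port: 12300
            serviceMonitor:
              enabled: true
          rollOutCiliumPods: true
          # Capability set granted to the agent / cleanup containers; review
          # against the chart's documented defaults on every chart upgrade
          # rather than widening it ad hoc.
          securityContext:
            capabilities:
              ciliumAgent:
                - CHOWN
                - KILL
                - NET_ADMIN
                - NET_RAW
                - IPC_LOCK
                - SYS_ADMIN
                - SYS_RESOURCE
                - DAC_OVERRIDE
                - FOWNER
                - SETGID
                - SETUID
              cleanCiliumState:
                - NET_ADMIN
                - SYS_ADMIN
                - SYS_RESOURCE
          {{- with .Values.cilium.upgradeCompatability }}
          # Quoted: "1.10" must stay a string, not become the float 1.1.
          upgradeCompatibility: {{ . | quote }}
          {{- end }}
  project: sys
  syncPolicy:
    syncOptions:
      - ServerSideApply=true
    {{- if .Values.cilium.autosync }}
    # prune without selfHeal: removed resources are deleted, but manual
    # drift on live objects is not reverted automatically.
    automated:
      prune: true
      # selfHeal: false
    {{- end }}
  # Fields the chart/controllers rewrite at runtime; Argo CD must not treat
  # them as drift. The cilium-ca key material is generated in-cluster, so
  # a CA rotation is intentionally not reverted by sync.
  ignoreDifferences:
    - group: apps
      jqPathExpressions:
        - .spec.volumeClaimTemplates
      kind: StatefulSet
      name: spire-server
    - group: monitoring.coreos.com
      jqPathExpressions:
        - .spec.endpoints[]?.relabelings[]?.action
      kind: ServiceMonitor
    - group: ''
      jsonPointers:
        - /data/ca.crt
      kind: ConfigMap
      name: hubble-ca-cert
    - group: ''
      jsonPointers:
        - /data/ca.crt
        - /data/ca.key
      kind: Secret
      name: cilium-ca
    - group: ''
      jqPathExpressions:
        - .spec.ports[]?.nodePort
      kind: Service
      name: cilium-ingress
{{- end }}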