166 lines
4.8 KiB
YAML
166 lines
4.8 KiB
YAML
{{- if .Values.cilium.enabled }}
|
|
apiVersion: argoproj.io/v1alpha1
|
|
kind: Application
|
|
metadata:
|
|
name: cilium
|
|
namespace: argocd
|
|
annotations:
|
|
argocd.argoproj.io/sync-wave: "-1"
|
|
spec:
|
|
destination:
|
|
namespace: kube-system
|
|
server: 'https://kubernetes.default.svc'
|
|
sources:
|
|
{{- if .Values.cilium.spire.enabled }}
|
|
- repoURL: {{ .Values.cluster_config.manifests }}
|
|
path: {{ .Values.cluster_config.policies }}/cilium-spire
|
|
targetRevision: HEAD
|
|
{{- end }}
|
|
- repoURL: 'https://helm.cilium.io'
|
|
targetRevision: {{ .Values.cilium.version }}
|
|
chart: cilium
|
|
helm:
|
|
values: |
|
|
authentication:
|
|
mutual:
|
|
spire:
|
|
enabled: {{ .Values.cilium.spire.enabled }}
|
|
cgroup:
|
|
autoMount:
|
|
enabled: false
|
|
hostRoot: /sys/fs/cgroup
|
|
dashboards:
|
|
enabled: true
|
|
namespace: prometheus
|
|
enableXTSocketFallback: false
|
|
encryption:
|
|
enabled: {{ .Values.cilium.encryption.enabled }}
|
|
type: {{ .Values.cilium.encryption.type}}
|
|
envoy:
|
|
enabled: {{ .Values.cilium.envoy.enabled }}
|
|
prometheus:
|
|
serviceMonitor:
|
|
enabled: {{ .Values.cilium.envoy.enabled }}
|
|
extraConfig:
|
|
enable-envoy-config: "true"
|
|
hubble:
|
|
enabled: true
|
|
tls:
|
|
auto:
|
|
method: cronJob
|
|
metrics:
|
|
dashboards:
|
|
enabled: true
|
|
namespace: prometheus
|
|
enabled:
|
|
- dns:query;ignoreAAAA
|
|
- drop
|
|
- tcp
|
|
- flow
|
|
- icmp
|
|
- policy:sourceContext=app|workload-name|pod|reserved-identity;destinationContext=app|workload-name|pod|dns|reserved-identity;labelsContext=source_namespace,destination_namespace
|
|
- httpV2:exemplars=false;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction
|
|
port: 12304
|
|
serviceMonitor:
|
|
enabled: true
|
|
redact:
|
|
enabled: true
|
|
relay:
|
|
enabled: true
|
|
prometheus:
|
|
enabled: true
|
|
serviceMonitor:
|
|
enabled: true
|
|
ui:
|
|
enabled: {{ .Values.cilium.hubble.ui }}
|
|
ipam:
|
|
mode: kubernetes
|
|
kubeProxyReplacement: {{ .Values.cilium.kubeProxyReplacement }}
|
|
l2announcements:
|
|
enabled: {{ .Values.cilium.l2announcement.enabled }}
|
|
k8sServiceHost: {{ .Values.cilium.k8sServiceHost }}
|
|
k8sServicePort: {{ .Values.cilium.k8sServicePort }}
|
|
nodePort:
|
|
enabled: {{ .Values.cilium.nodePort.enabled }}
|
|
gatewayAPI:
|
|
enabled: {{ .Values.cilium.gatewayAPI.enabled }}
|
|
ingressController:
|
|
enabled: {{ .Values.cilium.ingressController.enabled }}
|
|
default: {{ .Values.cilium.ingressController.defaultClass }}
|
|
loadbalancerMode: {{ .Values.cilium.ingressController.loadbalancerMode }}
|
|
operator:
|
|
dashboards:
|
|
enabled: true
|
|
namespace: prometheus
|
|
prometheus:
|
|
enabled: true
|
|
port: 12301
|
|
serviceMointor:
|
|
enabled: true
|
|
port: 12302
|
|
rollOutPods: true
|
|
policyAuditMode: {{ .Values.cilium.policyAuditMode }}
|
|
prometheus:
|
|
enabled: true
|
|
port: 12300
|
|
serviceMonitor:
|
|
enabled: true
|
|
rollOutCiliumPods: true
|
|
securityContext:
|
|
capabilities:
|
|
ciliumAgent:
|
|
- CHOWN
|
|
- KILL
|
|
- NET_ADMIN
|
|
- NET_RAW
|
|
- IPC_LOCK
|
|
- SYS_ADMIN
|
|
- SYS_RESOURCE
|
|
- DAC_OVERRIDE
|
|
- FOWNER
|
|
- SETGID
|
|
- SETUID
|
|
cleanCiliumState:
|
|
- NET_ADMIN
|
|
- SYS_ADMIN
|
|
- SYS_RESOURCE
|
|
{{- with .Values.cilium.upgradeCompatability}}
|
|
upgradeCompatability: {{ . }}
|
|
{{- end }}
|
|
project: sys
|
|
syncPolicy:
|
|
syncOptions:
|
|
- ServerSideApply=true
|
|
{{- if .Values.cilium.autosync }}
|
|
automated:
|
|
prune: true
|
|
# selfHeal: false
|
|
{{- end }}
|
|
ignoreDifferences:
|
|
- group: apps
|
|
jqPathExpressions:
|
|
- .spec.volumeClaimTemplates
|
|
kind: StatefulSet
|
|
name: spire-server
|
|
- group: monitoring.coreos.com
|
|
jqPathExpressions:
|
|
- .spec.endpoints[]?.relabelings[]?.action
|
|
kind: ServiceMonitor
|
|
- group: ''
|
|
jsonPointers:
|
|
- /data/ca.crt
|
|
kind: ConfigMap
|
|
name: hubble-ca-cert
|
|
- group: ''
|
|
jsonPointers:
|
|
- /data/ca.crt
|
|
- /data/ca.key
|
|
kind: Secret
|
|
name: cilium-ca
|
|
- group: ''
|
|
jqPathExpressions:
|
|
- .spec.ports[]?.nodePort
|
|
kind: Service
|
|
name: cilium-ingress
|
|
{{- end }}
|