MAINTENANCE.values.yaml
# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
---
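# -- cilium-agent container image.
# Nesting restored: with every key at column 0 the image fields collide with
# the other top-level keys of the file.
image:
  override: ~
  repository: "registry.sighup.io/fury/cilium/cilium"
  tag: "v1.16.3"
  # The image is resolved by tag only. A tag is a mutable reference, so what
  # actually runs depends on what the registry serves for "v1.16.3" at pull
  # time. Where an immutable reference is required, set the chart's `digest`
  # value and switch useDigest to true.
  useDigest: false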
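# -- Affinity for cilium-agent.
# The required anti-affinity on kubernetes.io/hostname keeps two pods labelled
# k8s-app=cilium from being scheduled onto the same node.
affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - topologyKey: kubernetes.io/hostname
        labelSelector:
          matchLabels:
            k8s-app: cilium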
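# Hubble observability stack: server TLS, flow metrics, Relay and UI.
# Nesting restored; in the flattened form the repeated `enabled`, `image`,
# `prometheus` and `serviceMonitor` keys would all be top-level duplicates.
hubble:
  # -- Enable Hubble (true by default).
  enabled: true
  tls:
    # -- Enable mutual TLS for listenAddress. Setting this value to false is
    # highly discouraged as the Hubble API provides access to potentially
    # sensitive network flow metadata and is exposed on the host network.
    enabled: true
    # -- Configure automatic TLS certificates generation.
    auto:
      # -- Auto-generate certificates.
      # When set to true, automatically generate a CA and certificates to
      # enable mTLS between Hubble server and Hubble Relay instances. If set to
      # false, the certs for Hubble server need to be provided by setting
      # appropriate values below.
      enabled: true
      # -- Set the method to auto-generate certificates. Supported values:
      # - helm:         This method uses Helm to generate all certificates.
      # - cronJob:      This method uses a Kubernetes CronJob to generate any
      #                 certificates not provided by the user at installation
      #                 time.
      # - certmanager:  This method uses cert-manager to generate & rotate certificates.
      method: certmanager
      # -- Generated certificates validity duration in days.
      # 1095 days is roughly three years. A leaked private key stays usable for
      # as long as its certificate is valid, and since cert-manager handles
      # renewal here a shorter lifetime costs little operationally.
      # NOTE(review): confirm three years is intentional.
      certValidityDuration: 1095
      # -- certmanager issuer used when hubble.tls.auto.method=certmanager.
      # If not specified, a CA issuer will be created.
      # This file only references the Issuer "hubble-issuer"; it does not
      # define it. Presumably it is created elsewhere in the module — verify
      # that it exists and which CA key backs it, since that CA anchors the
      # Hubble mTLS trust.
      certManagerIssuerRef:
        group: cert-manager.io
        kind: Issuer
        name: hubble-issuer
  metrics:
    enableOpenMetrics: true
    serviceMonitor:
      enabled: true
    # The httpV2 entry's labelsContext attaches source/destination IP,
    # namespace and workload labels to the HTTP metrics. Anyone who can query
    # these metrics can therefore see which workloads talk to each other, and
    # per-IP labels raise series cardinality; restrict access to the metrics
    # backend accordingly.
    enabled:
      - dns
      - drop
      - tcp
      - flow
      - port-distribution
      - icmp
      - httpV2:exemplars=true;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction
  relay:
    # -- Enable Hubble Relay (requires hubble.enabled=true)
    enabled: true
    # -- Roll out Hubble Relay pods automatically when configmap is updated.
    rollOutPods: false
    # -- Hubble-relay container image.
    image:
      override: ~
      repository: "registry.sighup.io/fury/cilium/hubble-relay"
      tag: "v1.16.3"
      # Resolved by tag only (mutable reference); see `digest` in the chart to
      # pin an immutable image.
      useDigest: false
      pullPolicy: "IfNotPresent"
    # -- Enable prometheus metrics for hubble-relay on the configured port at
    # /metrics
    prometheus:
      enabled: true
      port: 9966
      serviceMonitor:
        # -- Enable service monitors.
        # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
        enabled: true
        # -- Labels to add to ServiceMonitor hubble-relay
        labels: {}
        # -- Annotations to add to ServiceMonitor hubble-relay
        annotations: {}
        # -- Interval for scrape metrics.
        interval: "10s"
        # -- Specify the Kubernetes namespace where Prometheus expects to find
        # service monitors configured.
        # namespace: ""
        # -- Relabeling configs for the ServiceMonitor hubble-relay
        relabelings: ~
        # -- Metrics relabeling configs for the ServiceMonitor hubble-relay
        metricRelabelings: ~
  ui:
    # -- Whether to enable the Hubble UI.
    # The UI presents the same flow metadata the TLS comment above calls
    # sensitive, and nothing in this file places authentication in front of
    # it. NOTE(review): confirm it is reachable only through an authenticated
    # path.
    enabled: true
    standalone:
      # -- When true, it will allow installing the Hubble UI only, without checking dependencies.
      # It is useful if a cluster already has cilium and Hubble relay installed and you just
      # want Hubble UI to be deployed.
      # When installed via helm, installing UI should be done via `helm upgrade` and when installed via the cilium cli, then `cilium hubble enable --ui`
      enabled: false
    backend:
      # -- Hubble-ui backend image.
      image:
        override: ~
        repository: "registry.sighup.io/fury/cilium/hubble-ui-backend"
        tag: "v0.13.1"
        # Resolved by tag only (mutable reference).
        useDigest: false
        pullPolicy: "IfNotPresent"
      # No requests or limits are set for the backend container; the
      # commented values below are an example, not the effective setting.
      resources: {}
      #   limits:
      #     cpu: 1000m
      #     memory: 1024M
      #   requests:
      #     cpu: 100m
      #     memory: 64Mi
    frontend:
      # -- Hubble-ui frontend image.
      image:
        override: ~
        repository: "registry.sighup.io/fury/cilium/hubble-ui"
        tag: "v0.13.1"
        # Resolved by tag only (mutable reference).
        useDigest: false
        pullPolicy: "IfNotPresent"
      # -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment.
      resources: {}
      #   limits:
      #     cpu: 1000m
      #     memory: 1024M
      #   requests:
      #     cpu: 100m
      #     memory: 64Mi
      server:
        # -- Controls server listener for ipv6
        ipv6:
          enabled: true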
# -- Method to use for identity allocation (`crd` or `kvstore`).
# Set to "crd" here.
identityAllocationMode: "crd"
# -- (string) Time to wait before using new identity on endpoint identity change.
# The empty string leaves the decision to the chart; the annotation below
# documents the default as "5s".
# @default -- `"5s"`
identityChangeGracePeriod: ""
# -- Install Iptables rules to skip netfilter connection tracking on all pod
# traffic. This option is only effective when Cilium is running in direct
# routing and full KPR mode. Moreover, this option cannot be enabled when Cilium
# is running in a managed Kubernetes environment or in a chained CNI setup.
# Disabled here, so pod traffic is not exempted from netfilter connection
# tracking by this option.
installNoConntrackIptablesRules: false
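# -- Configure the eBPF-based ip-masq-agent
# Nesting restored so that `enabled` belongs to ipMasqAgent instead of being a
# stray top-level key.
ipMasqAgent:
  enabled: false
# the config of nonMasqueradeCIDRs
# config:
#   nonMasqueradeCIDRs: []
#   masqLinkLocal: false
# iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium.
# iptablesLockTimeout: "5s"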
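# Address families handled by the datapath: IPv4 on, IPv6 off.
# Nesting restored so each `enabled` flag sits under its own family.
ipv4:
  # -- Enable IPv4 support.
  enabled: true
ipv6:
  # -- Enable IPv6 support.
  enabled: false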
# -- Configure Kubernetes specific configuration
# Left as an empty mapping; the two keys below are commented-out examples.
k8s: {}
  # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
  # range via the Kubernetes node resource
  # requireIPv4PodCIDR: false
  # -- requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR
  # range via the Kubernetes node resource
  # requireIPv6PodCIDR: false
# -- Enable Layer 7 network policy.
# NOTE(review): envoy.enabled is false at the end of this file, so presumably
# L7 proxying runs inside the cilium-agent pod rather than in a dedicated
# Envoy DaemonSet — confirm against the chart.
l7Proxy: true
# -- Enable Local Redirect Policy.
localRedirectPolicy: false
# To include or exclude matched resources from cilium identity evaluation
# labels: ""
# logOptions allows you to define logging options. eg:
# logOptions:
#   format: json
# -- Enables periodic logging of system load
logSystemLoad: false
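# -- Configure prometheus metrics on the configured port at /metrics
# Nesting restored: agent metrics are served on port 9962 and scraped through
# a ServiceMonitor every 10s.
prometheus:
  enabled: true
  port: 9962
  serviceMonitor:
    # -- Enable service monitors.
    # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
    enabled: true
    # -- Labels to add to ServiceMonitor cilium-agent
    labels: {}
    # -- Annotations to add to ServiceMonitor cilium-agent
    annotations: {}
    # -- Interval for scrape metrics.
    interval: "10s"
    # -- Specify the Kubernetes namespace where Prometheus expects to find
    # service monitors configured.
    # namespace: ""
    # -- Relabeling configs for the ServiceMonitor cilium-agent
    # Copies the pod's node name into a `node` label on every scraped series.
    relabelings:
      - sourceLabels:
          - __meta_kubernetes_pod_node_name
        targetLabel: node
        replacement: ${1}
    # -- Metrics relabeling configs for the ServiceMonitor cilium-agent
    metricRelabelings: ~
  # -- Metrics that should be enabled or disabled from the default metric
  # list. (+metric_foo to enable metric_foo , -metric_bar to disable
  # metric_bar).
  # ref: https://docs.cilium.io/en/stable/operations/metrics/#exported-metrics
  metrics: ~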
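# cilium-operator deployment settings. Nesting restored so the image and
# prometheus sub-keys belong to the operator rather than to the agent.
operator:
  # -- Enable the cilium-operator component (required).
  enabled: true
  # -- Roll out cilium-operator pods automatically when configmap is updated.
  rollOutPods: false
  # -- cilium-operator image.
  image:
    override: ~
    repository: "registry.sighup.io/fury/cilium/operator"
    tag: "v1.16.3"
    # Resolved by tag only. A tag is a mutable reference; set the chart's
    # `digest` value and useDigest: true where an immutable image is required.
    useDigest: false
    pullPolicy: "IfNotPresent"
    suffix: ""
  # -- Enable prometheus metrics for cilium-operator on the configured port at
  # /metrics
  prometheus:
    enabled: true
    port: 9963
    serviceMonitor:
      # -- Enable service monitors.
      # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
      enabled: true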
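# Optional components, all switched off. Nesting restored so each `enabled`
# flag is scoped to its component.
nodeinit:
  # -- Enable the node initialization DaemonSet
  enabled: false
preflight:
  # -- Enable Cilium pre-flight resources (required for upgrade)
  enabled: false
envoy:
  # NOTE(review): l7Proxy is true earlier in this file while this flag is
  # false; presumably the L7 proxy then runs inside the cilium-agent pod
  # instead of a separate Envoy DaemonSet — confirm against the chart.
  enabled: false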