From 3d1dedcf2b4e1ef16cea6698125cf8e89918fbbd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Caama=C3=B1o=20Ruiz?= <jcaamano@suse.com>
Date: Fri, 5 Feb 2021 13:24:14 +0100
Subject: [PATCH] Add cilium chart
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The chart is organized in subcharts to clearly delimit supported vs
non-supported customization options, as follows:

- The main rke2-cilium chart which only supplies supported customization
  options through its values.yaml.
- Cilium upstream chart is pulled in as a subchart dependency and is
  patched to support a system default registry as a global variable.
- A rke2-cilium-hard-defaults subchart which supplies cilium options
  that change from upstream defaults for which we don't intend to
  support any customization.

All cilium options are scoped & accessible, for example:
`helm install rke2-cilium --set cilium.preflight.enabled=true`

Signed-off-by: Jaime Caamaño Ruiz <jcaamano@suse.com>
---
 ...piserver-generate-certs-job-spec.tpl.patch |  12 +
 .../patch/templates/_helpers.tpl.patch        |  15 ++
 .../_hubble-generate-certs-job-spec.tpl.patch |  12 +
 .../cilium-agent-daemonset.yaml.patch         |  39 +++
 ...cilium-etcd-operator-deployment.yaml.patch |  12 +
 .../cilium-nodeinit-daemonset.yaml.patch      |  12 +
 .../cilium-operator-deployment.yaml.patch     |  18 ++
 .../cilium-preflight-daemonset.yaml.patch     |  29 +++
 .../cilium-preflight-deployment.yaml.patch    |  12 +
 ...lustermesh-apiserver-deployment.yaml.patch |  30 +++
 .../hubble-relay-deployment.yaml.patch        |  12 +
 .../templates/hubble-ui-deployment.yaml.patch |  29 +++
 packages/cilium/package.yaml                  |   6 +
 packages/rke2-cilium/charts/Chart.yaml        |  13 +
 packages/rke2-cilium/charts/requirements.yaml |   7 +
 .../rke2-cilium/charts/values.schema.json     | 240 ++++++++++++++++++
 packages/rke2-cilium/charts/values.yaml       |  53 ++++
 .../dependencies/cilium/dependency.yaml       |   2 +
 .../charts/Chart.yaml                         |  12 +
 .../charts/values.yaml                        |  17 ++
 .../rke2-cilium-hard-defaults/dependency.yaml |   2 +
 packages/rke2-cilium/package.yaml             |   3 +
 22 files changed, 587 insertions(+)
 create mode 100644 packages/cilium/generated-changes/patch/templates/_clustermesh-apiserver-generate-certs-job-spec.tpl.patch
 create mode 100644 packages/cilium/generated-changes/patch/templates/_helpers.tpl.patch
 create mode 100644 packages/cilium/generated-changes/patch/templates/_hubble-generate-certs-job-spec.tpl.patch
 create mode 100644 packages/cilium/generated-changes/patch/templates/cilium-agent-daemonset.yaml.patch
 create mode 100644 packages/cilium/generated-changes/patch/templates/cilium-etcd-operator-deployment.yaml.patch
 create mode 100644 packages/cilium/generated-changes/patch/templates/cilium-nodeinit-daemonset.yaml.patch
 create mode 100644 packages/cilium/generated-changes/patch/templates/cilium-operator-deployment.yaml.patch
 create mode 100644 packages/cilium/generated-changes/patch/templates/cilium-preflight-daemonset.yaml.patch
 create mode 100644 packages/cilium/generated-changes/patch/templates/cilium-preflight-deployment.yaml.patch
 create mode 100644 packages/cilium/generated-changes/patch/templates/clustermesh-apiserver-deployment.yaml.patch
 create mode 100644 packages/cilium/generated-changes/patch/templates/hubble-relay-deployment.yaml.patch
 create mode 100644 packages/cilium/generated-changes/patch/templates/hubble-ui-deployment.yaml.patch
 create mode 100644 packages/cilium/package.yaml
 create mode 100644 packages/rke2-cilium/charts/Chart.yaml
 create mode 100644 packages/rke2-cilium/charts/requirements.yaml
 create mode 100644 packages/rke2-cilium/charts/values.schema.json
 create mode 100644 packages/rke2-cilium/charts/values.yaml
 create mode 100644 packages/rke2-cilium/generated-changes/dependencies/cilium/dependency.yaml
 create mode 100644 packages/rke2-cilium/generated-changes/dependencies/rke2-cilium-hard-defaults/charts/Chart.yaml
 create mode 100644 packages/rke2-cilium/generated-changes/dependencies/rke2-cilium-hard-defaults/charts/values.yaml
 create mode 100644 packages/rke2-cilium/generated-changes/dependencies/rke2-cilium-hard-defaults/dependency.yaml
 create mode 100644 packages/rke2-cilium/package.yaml

diff --git a/packages/cilium/generated-changes/patch/templates/_clustermesh-apiserver-generate-certs-job-spec.tpl.patch b/packages/cilium/generated-changes/patch/templates/_clustermesh-apiserver-generate-certs-job-spec.tpl.patch
new file mode 100644
index 0000000..9f38fdb
--- /dev/null
+++ b/packages/cilium/generated-changes/patch/templates/_clustermesh-apiserver-generate-certs-job-spec.tpl.patch
@@ -0,0 +1,12 @@
+--- charts-original/templates/_clustermesh-apiserver-generate-certs-job-spec.tpl	2021-02-04 01:17:41.000000000 +0100
++++ charts/templates/_clustermesh-apiserver-generate-certs-job-spec.tpl	2021-02-08 14:38:47.439463526 +0100
+@@ -10,7 +10,7 @@
+       serviceAccountName: clustermesh-apiserver-generate-certs
+       containers:
+         - name: certgen
+-          image: {{ .Values.certgen.image.repository }}:{{ .Values.certgen.image.tag }}
++          image: {{ template "system_default_registry" . }}{{ .Values.certgen.image.repository }}:{{ .Values.certgen.image.tag }}
+           imagePullPolicy: {{ .Values.certgen.image.pullPolicy }}
+           command:
+             - "/usr/bin/cilium-certgen"
+diff -x '*.tgz' -x '*.lock' -uNr charts-original/templates/_helpers.tpl charts/templates/_helpers.tpl
diff --git a/packages/cilium/generated-changes/patch/templates/_helpers.tpl.patch b/packages/cilium/generated-changes/patch/templates/_helpers.tpl.patch
new file mode 100644
index 0000000..b4f2058
--- /dev/null
+++ b/packages/cilium/generated-changes/patch/templates/_helpers.tpl.patch
@@ -0,0 +1,15 @@
+--- charts-original/templates/_helpers.tpl	2021-02-08 14:24:33.605473204 +0100
++++ charts/templates/_helpers.tpl	2021-02-08 14:38:47.443463553 +0100
+@@ -122,3 +122,11 @@
+ tls.crt: {{ $cert.Cert | b64enc }}
+ tls.key: {{ $cert.Key | b64enc }}
+ {{- end }}
++  
++{{- define "system_default_registry" -}}
++{{- if .Values.global.systemDefaultRegistry -}}
++{{- printf "%s/" .Values.global.systemDefaultRegistry -}}
++{{- else -}}
++{{- "" -}}
++{{- end }}
++{{- end }}
+diff -x '*.tgz' -x '*.lock' -uNr charts-original/templates/_hubble-generate-certs-job-spec.tpl charts/templates/_hubble-generate-certs-job-spec.tpl
diff --git a/packages/cilium/generated-changes/patch/templates/_hubble-generate-certs-job-spec.tpl.patch b/packages/cilium/generated-changes/patch/templates/_hubble-generate-certs-job-spec.tpl.patch
new file mode 100644
index 0000000..04d7bdf
--- /dev/null
+++ b/packages/cilium/generated-changes/patch/templates/_hubble-generate-certs-job-spec.tpl.patch
@@ -0,0 +1,12 @@
+--- charts-original/templates/_hubble-generate-certs-job-spec.tpl	2021-02-04 01:17:41.000000000 +0100
++++ charts/templates/_hubble-generate-certs-job-spec.tpl	2021-02-08 14:38:47.451463609 +0100
+@@ -10,7 +10,7 @@
+       serviceAccountName: hubble-generate-certs
+       containers:
+         - name: certgen
+-          image: {{ .Values.certgen.image.repository }}:{{ .Values.certgen.image.tag }}
++          image: {{ template "system_default_registry" . }}{{ .Values.certgen.image.repository }}:{{ .Values.certgen.image.tag }}
+           imagePullPolicy: {{ .Values.certgen.image.pullPolicy }}
+           command:
+             - "/usr/bin/cilium-certgen"
+diff -x '*.tgz' -x '*.lock' -uNr charts-original/templates/hubble-relay-deployment.yaml charts/templates/hubble-relay-deployment.yaml
diff --git a/packages/cilium/generated-changes/patch/templates/cilium-agent-daemonset.yaml.patch b/packages/cilium/generated-changes/patch/templates/cilium-agent-daemonset.yaml.patch
new file mode 100644
index 0000000..735239b
--- /dev/null
+++ b/packages/cilium/generated-changes/patch/templates/cilium-agent-daemonset.yaml.patch
@@ -0,0 +1,39 @@
+--- charts-original/templates/cilium-agent-daemonset.yaml	2021-02-04 01:17:41.000000000 +0100
++++ charts/templates/cilium-agent-daemonset.yaml	2021-02-08 14:38:47.471463747 +0100
+@@ -193,7 +193,7 @@
+ {{- with .Values.extraEnv }}
+ {{ toYaml . | trim | indent 8 }}
+ {{- end }}
+-        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
++        image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
+         imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if .Values.cni.install }}
+         lifecycle:
+@@ -311,7 +311,7 @@
+ {{- range $type := .Values.monitor.eventTypes }}
+         - --type={{ $type }}
+ {{- end }}
+-        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
++        image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
+         imagePullPolicy: {{ .Values.image.pullPolicy }}
+         volumeMounts:
+         - mountPath: /var/run/cilium
+@@ -331,7 +331,7 @@
+ {{- if and .Values.nodeinit.enabled (not (eq .Values.nodeinit.bootstrapFile "")) }}
+       - name: wait-for-node-init
+         command: ['sh', '-c', 'until stat {{ .Values.nodeinit.bootstrapFile }} > /dev/null 2>&1; do echo "Waiting on node-init to run..."; sleep 1; done']
+-        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
++        image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
+         imagePullPolicy: {{ .Values.image.pullPolicy }}
+         volumeMounts:
+         - mountPath: {{ .Values.nodeinit.bootstrapFile }}
+@@ -369,7 +369,7 @@
+ {{- if .Values.extraEnv }}
+ {{ toYaml .Values.extraEnv | indent 8 }}
+ {{- end }}
+-        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
++        image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
+         imagePullPolicy: {{ .Values.image.pullPolicy }}
+         name: clean-cilium-state
+         securityContext:
+diff -x '*.tgz' -x '*.lock' -uNr charts-original/templates/cilium-etcd-operator-deployment.yaml charts/templates/cilium-etcd-operator-deployment.yaml
diff --git a/packages/cilium/generated-changes/patch/templates/cilium-etcd-operator-deployment.yaml.patch b/packages/cilium/generated-changes/patch/templates/cilium-etcd-operator-deployment.yaml.patch
new file mode 100644
index 0000000..726a58e
--- /dev/null
+++ b/packages/cilium/generated-changes/patch/templates/cilium-etcd-operator-deployment.yaml.patch
@@ -0,0 +1,12 @@
+--- charts-original/templates/cilium-etcd-operator-deployment.yaml	2021-02-04 01:17:41.000000000 +0100
++++ charts/templates/cilium-etcd-operator-deployment.yaml	2021-02-08 14:38:47.511464021 +0100
+@@ -64,7 +64,7 @@
+           value: "revision"
+         - name: CILIUM_ETCD_META_ETCD_AUTO_COMPACTION_RETENTION
+           value: "25000"
+-        image: {{ .Values.etcd.image.repository }}:{{ .Values.etcd.image.tag }}
++        image: {{ template "system_default_registry" . }}{{ .Values.etcd.image.repository }}:{{ .Values.etcd.image.tag }}
+         imagePullPolicy: {{ .Values.etcd.image.pullPolicy }}
+         name: cilium-etcd-operator
+       dnsPolicy: ClusterFirst
+diff -x '*.tgz' -x '*.lock' -uNr charts-original/templates/cilium-nodeinit-daemonset.yaml charts/templates/cilium-nodeinit-daemonset.yaml
diff --git a/packages/cilium/generated-changes/patch/templates/cilium-nodeinit-daemonset.yaml.patch b/packages/cilium/generated-changes/patch/templates/cilium-nodeinit-daemonset.yaml.patch
new file mode 100644
index 0000000..7233191
--- /dev/null
+++ b/packages/cilium/generated-changes/patch/templates/cilium-nodeinit-daemonset.yaml.patch
@@ -0,0 +1,12 @@
+--- charts-original/templates/cilium-nodeinit-daemonset.yaml	2021-02-04 01:17:41.000000000 +0100
++++ charts/templates/cilium-nodeinit-daemonset.yaml	2021-02-08 14:38:47.519464077 +0100
+@@ -34,7 +34,7 @@
+ {{- end }}
+       containers:
+         - name: node-init
+-          image: {{ .Values.nodeinit.image.repository }}:{{ .Values.nodeinit.image.tag }}
++          image: {{ template "system_default_registry" . }}{{ .Values.nodeinit.image.repository }}:{{ .Values.nodeinit.image.tag }}
+           imagePullPolicy: {{ .Values.nodeinit.image.pullPolicy }}
+           securityContext:
+             privileged: true
+diff -x '*.tgz' -x '*.lock' -uNr charts-original/templates/cilium-operator-deployment.yaml charts/templates/cilium-operator-deployment.yaml
diff --git a/packages/cilium/generated-changes/patch/templates/cilium-operator-deployment.yaml.patch b/packages/cilium/generated-changes/patch/templates/cilium-operator-deployment.yaml.patch
new file mode 100644
index 0000000..e521f79
--- /dev/null
+++ b/packages/cilium/generated-changes/patch/templates/cilium-operator-deployment.yaml.patch
@@ -0,0 +1,18 @@
+--- charts-original/templates/cilium-operator-deployment.yaml	2021-02-04 01:17:41.000000000 +0100
++++ charts/templates/cilium-operator-deployment.yaml	2021-02-08 14:38:47.531464160 +0100
+@@ -136,11 +136,11 @@
+           value: {{ $value }}
+ {{- end }}
+ {{- if .Values.eni }}
+-        image: {{ .Values.operator.image.repository }}-aws:{{ .Values.operator.image.tag }}
++        image: {{ template "system_default_registry" . }}{{ .Values.operator.image.repository }}-aws:{{ .Values.operator.image.tag }}
+ {{- else if .Values.azure.enabled }}
+-        image: {{ .Values.operator.image.repository }}-azure:{{ .Values.operator.image.tag }}
++        image: {{ template "system_default_registry" . }}{{ .Values.operator.image.repository }}-azure:{{ .Values.operator.image.tag }}
+ {{- else }}
+-        image: {{ .Values.operator.image.repository }}-generic:{{ .Values.operator.image.tag }}
++        image: {{ template "system_default_registry" . }}{{ .Values.operator.image.repository }}-generic:{{ .Values.operator.image.tag }}
+ {{- end }}
+         imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
+         name: cilium-operator
+diff -x '*.tgz' -x '*.lock' -uNr charts-original/templates/cilium-preflight-daemonset.yaml charts/templates/cilium-preflight-daemonset.yaml
diff --git a/packages/cilium/generated-changes/patch/templates/cilium-preflight-daemonset.yaml.patch b/packages/cilium/generated-changes/patch/templates/cilium-preflight-daemonset.yaml.patch
new file mode 100644
index 0000000..06de1ec
--- /dev/null
+++ b/packages/cilium/generated-changes/patch/templates/cilium-preflight-daemonset.yaml.patch
@@ -0,0 +1,29 @@
+--- charts-original/templates/cilium-preflight-daemonset.yaml	2021-02-04 01:17:41.000000000 +0100
++++ charts/templates/cilium-preflight-daemonset.yaml	2021-02-08 14:38:47.555464324 +0100
+@@ -25,14 +25,14 @@
+ {{- end }}
+       initContainers:
+         - name: clean-cilium-state
+-          image: {{ .Values.preflight.image.repository }}:{{ .Values.preflight.image.tag }}
++          image: {{ template "system_default_registry" . }}{{ .Values.preflight.image.repository }}:{{ .Values.preflight.image.tag }}
+           imagePullPolicy: {{ .Values.preflight.image.pullPolicy }}
+           command: ["/bin/echo"]
+           args:
+           - "hello"
+       containers:
+         - name: cilium-pre-flight-check
+-          image: {{ .Values.preflight.image.repository }}:{{ .Values.preflight.image.tag }}
++          image: {{ template "system_default_registry" . }}{{ .Values.preflight.image.repository }}:{{ .Values.preflight.image.tag }}
+           imagePullPolicy: {{ .Values.preflight.image.pullPolicy }}
+           command: ["/bin/sh"]
+           args:
+@@ -68,7 +68,7 @@
+ 
+ {{- if ne .Values.preflight.tofqdnsPreCache "" }}
+         - name: cilium-pre-flight-fqdn-precache
+-          image: {{ .Values.preflight.image.repository }}:{{ .Values.preflight.image.tag }}
++          image: {{ template "system_default_registry" . }}{{ .Values.preflight.image.repository }}:{{ .Values.preflight.image.tag }}
+           imagePullPolicy: {{ .Values.preflight.image.pullPolicy }}
+           name: cilium-pre-flight-fqdn-precache
+           command: ["/bin/sh"]
+diff -x '*.tgz' -x '*.lock' -uNr charts-original/templates/cilium-preflight-deployment.yaml charts/templates/cilium-preflight-deployment.yaml
diff --git a/packages/cilium/generated-changes/patch/templates/cilium-preflight-deployment.yaml.patch b/packages/cilium/generated-changes/patch/templates/cilium-preflight-deployment.yaml.patch
new file mode 100644
index 0000000..49de19d
--- /dev/null
+++ b/packages/cilium/generated-changes/patch/templates/cilium-preflight-deployment.yaml.patch
@@ -0,0 +1,12 @@
+--- charts-original/templates/cilium-preflight-deployment.yaml	2021-02-04 01:17:41.000000000 +0100
++++ charts/templates/cilium-preflight-deployment.yaml	2021-02-08 14:38:47.559464353 +0100
+@@ -37,7 +37,7 @@
+       containers:
+ {{- if .Values.preflight.validateCNPs }}
+         - name: cnp-validator
+-          image: {{ .Values.preflight.image.repository }}:{{ .Values.preflight.image.tag }}
++          image: {{ template "system_default_registry" . }}{{ .Values.preflight.image.repository }}:{{ .Values.preflight.image.tag }}
+           imagePullPolicy: {{ .Values.preflight.image.pullPolicy }}
+           command: ["/bin/sh"]
+           args:
+diff -x '*.tgz' -x '*.lock' -uNr charts-original/templates/clustermesh-apiserver-deployment.yaml charts/templates/clustermesh-apiserver-deployment.yaml
diff --git a/packages/cilium/generated-changes/patch/templates/clustermesh-apiserver-deployment.yaml.patch b/packages/cilium/generated-changes/patch/templates/clustermesh-apiserver-deployment.yaml.patch
new file mode 100644
index 0000000..4046812
--- /dev/null
+++ b/packages/cilium/generated-changes/patch/templates/clustermesh-apiserver-deployment.yaml.patch
@@ -0,0 +1,30 @@
+--- charts-original/templates/clustermesh-apiserver-deployment.yaml	2021-02-04 01:17:41.000000000 +0100
++++ charts/templates/clustermesh-apiserver-deployment.yaml	2021-02-08 14:38:47.591464573 +0100
+@@ -30,7 +30,7 @@
+       serviceAccount: clustermesh-apiserver
+       initContainers:
+       - name: etcd-init
+-        image: {{ .Values.clustermesh.apiserver.etcd.image.repository }}:{{ .Values.clustermesh.apiserver.etcd.image.tag }}
++        image: {{ template "system_default_registry" . }}{{ .Values.clustermesh.apiserver.etcd.image.repository }}:{{ .Values.clustermesh.apiserver.etcd.image.tag }}
+         imagePullPolicy: {{ .Values.clustermesh.apiserver.etcd.image.pullPolicy }}
+         env:
+         - name: ETCDCTL_API
+@@ -67,7 +67,7 @@
+           name: etcd-data-dir
+       containers:
+       - name: etcd
+-        image: {{ .Values.clustermesh.apiserver.etcd.image.repository }}:{{ .Values.clustermesh.apiserver.etcd.image.tag }}
++        image: {{ template "system_default_registry" . }}{{ .Values.clustermesh.apiserver.etcd.image.repository }}:{{ .Values.clustermesh.apiserver.etcd.image.tag }}
+         imagePullPolicy: {{ .Values.clustermesh.apiserver.etcd.image.pullPolicy }}
+         env:
+         - name: ETCDCTL_API
+@@ -96,7 +96,7 @@
+         - mountPath: /var/run/etcd
+           name: etcd-data-dir
+       - name: "apiserver"
+-        image: {{ .Values.clustermesh.apiserver.image.repository }}:{{ .Values.clustermesh.apiserver.image.tag }}
++        image: {{ template "system_default_registry" . }}{{ .Values.clustermesh.apiserver.image.repository }}:{{ .Values.clustermesh.apiserver.image.tag }}
+         imagePullPolicy: {{ .Values.clustermesh.apiserver.image.pullPolicy }}
+         command:
+           - /usr/bin/clustermesh-apiserver
+diff -x '*.tgz' -x '*.lock' -uNr charts-original/templates/_clustermesh-apiserver-generate-certs-job-spec.tpl charts/templates/_clustermesh-apiserver-generate-certs-job-spec.tpl
diff --git a/packages/cilium/generated-changes/patch/templates/hubble-relay-deployment.yaml.patch b/packages/cilium/generated-changes/patch/templates/hubble-relay-deployment.yaml.patch
new file mode 100644
index 0000000..8f0dd79
--- /dev/null
+++ b/packages/cilium/generated-changes/patch/templates/hubble-relay-deployment.yaml.patch
@@ -0,0 +1,12 @@
+--- charts-original/templates/hubble-relay-deployment.yaml	2021-02-04 01:17:41.000000000 +0100
++++ charts/templates/hubble-relay-deployment.yaml	2021-02-08 14:38:47.683465207 +0100
+@@ -45,7 +45,7 @@
+ {{- end }}
+       containers:
+         - name: hubble-relay
+-          image: {{ .Values.hubble.relay.image.repository }}:{{ .Values.hubble.relay.image.tag }}
++          image: {{ template "system_default_registry" . }}{{ .Values.hubble.relay.image.repository }}:{{ .Values.hubble.relay.image.tag }}
+           imagePullPolicy: {{ .Values.hubble.relay.image.pullPolicy }}
+           command:
+             - hubble-relay
+diff -x '*.tgz' -x '*.lock' -uNr charts-original/templates/hubble-ui-deployment.yaml charts/templates/hubble-ui-deployment.yaml
diff --git a/packages/cilium/generated-changes/patch/templates/hubble-ui-deployment.yaml.patch b/packages/cilium/generated-changes/patch/templates/hubble-ui-deployment.yaml.patch
new file mode 100644
index 0000000..49bccab
--- /dev/null
+++ b/packages/cilium/generated-changes/patch/templates/hubble-ui-deployment.yaml.patch
@@ -0,0 +1,29 @@
+--- charts-original/templates/hubble-ui-deployment.yaml	2021-02-04 01:17:41.000000000 +0100
++++ charts/templates/hubble-ui-deployment.yaml	2021-02-08 14:38:47.715465428 +0100
+@@ -40,7 +40,7 @@
+ {{- end }}
+       containers:
+         - name: frontend
+-          image: "{{ .Values.hubble.ui.frontend.image.repository }}:{{ .Values.hubble.ui.frontend.image.tag }}"
++          image: "{{ template "system_default_registry" . }}{{ .Values.hubble.ui.frontend.image.repository }}:{{ .Values.hubble.ui.frontend.image.tag }}"
+           imagePullPolicy: {{ .Values.hubble.ui.frontend.image.pullPolicy }}
+           ports:
+             - containerPort: 8080
+@@ -48,7 +48,7 @@
+           resources:
+             {{- toYaml .Values.hubble.ui.frontend.resources | trim | nindent 12 }}
+         - name: backend
+-          image: "{{ .Values.hubble.ui.backend.image.repository }}:{{ .Values.hubble.ui.backend.image.tag }}"
++          image: "{{ template "system_default_registry" . }}{{ .Values.hubble.ui.backend.image.repository }}:{{ .Values.hubble.ui.backend.image.tag }}"
+           imagePullPolicy: {{ .Values.hubble.ui.backend.image.pullPolicy }}
+           env:
+             - name: EVENTS_SERVER_PORT
+@@ -61,7 +61,7 @@
+           resources:
+             {{- toYaml .Values.hubble.ui.backend.resources  | trim | nindent 12 }}
+         - name: proxy
+-          image: "{{ .Values.hubble.ui.proxy.image.repository }}:{{ .Values.hubble.ui.proxy.image.tag }}"
++          image: "{{ template "system_default_registry" . }}{{ .Values.hubble.ui.proxy.image.repository }}:{{ .Values.hubble.ui.proxy.image.tag }}"
+           imagePullPolicy: {{ .Values.hubble.ui.proxy.image.pullPolicy }}
+           ports:
+             - containerPort: 8081
diff --git a/packages/cilium/package.yaml b/packages/cilium/package.yaml
new file mode 100644
index 0000000..32cad84
--- /dev/null
+++ b/packages/cilium/package.yaml
@@ -0,0 +1,6 @@
+url: https://helm.cilium.io/cilium-1.9.4.tgz
+packageVersion: 01
+releaseCandidateVersion: 00
+# This package is meant to be consumed as a subchart of another package,
+# not directly.
+doNotRelease: true
diff --git a/packages/rke2-cilium/charts/Chart.yaml b/packages/rke2-cilium/charts/Chart.yaml
new file mode 100644
index 0000000..2031aea
--- /dev/null
+++ b/packages/rke2-cilium/charts/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+name: rke2-cilium
+description: eBPF-based Networking, Security, and Observability
+version: 1.9.4
+kubeVersion: '>= 1.12.0-0'
+home: https://cilium.io/
+keywords:
+  - cilium
+sources:
+  - https://github.com/rancher/rke2-charts
+maintainers:
+  - name: Rancher Labs
+    email: charts@rancher.com
diff --git a/packages/rke2-cilium/charts/requirements.yaml b/packages/rke2-cilium/charts/requirements.yaml
new file mode 100644
index 0000000..4da90d4
--- /dev/null
+++ b/packages/rke2-cilium/charts/requirements.yaml
@@ -0,0 +1,7 @@
+dependencies:
+- name: cilium
+  repository: file://./charts/cilium
+- import-values:
+  - defaults
+  name: rke2-cilium-hard-defaults
+  repository: file://./charts/rke2-cilium-hard-defaults
diff --git a/packages/rke2-cilium/charts/values.schema.json b/packages/rke2-cilium/charts/values.schema.json
new file mode 100644
index 0000000..ffc5493
--- /dev/null
+++ b/packages/rke2-cilium/charts/values.schema.json
@@ -0,0 +1,240 @@
+{
+    "$schema": "http://json-schema.org/draft-09/schema",
+    "type": "object",
+    "properties": {
+        "cilium": {
+            "type": "object",
+            "properties": {
+                "azure": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean"
+                        }
+                    }
+                },
+                "cni": {
+                    "type": "object",
+                    "properties": {
+                        "chainingMode": {
+                            "type": "string"
+                        },
+                        "customConf": {
+                            "type": "boolean"
+                        }
+                    }
+                },
+                "eni": {
+                    "type": "boolean"
+                },
+                "image": {
+                    "type": "object",
+                    "properties": {
+                        "repository": {
+                            "type": "string"
+                        },
+                        "tag": {
+                            "type": "string"
+                        }
+                    },
+                    "required": ["repository", "tag" ]
+                },
+                "imagePullSecrets": {
+                    "type": "array"
+                },
+                "ipam": {
+                    "type": "object",
+                    "properties": {
+                        "mode": {
+                            "type": "string"
+                        }
+                    }
+                },
+                "masquerade": {
+                    "type": "boolean"
+                },
+                "nodeinit": {
+                    "type": "object",
+                    "properties": {
+                        "image": {
+                            "type": "object",
+                            "properties": {
+                                "repository": {
+                                    "type": "string"
+                                },
+                                "tag": {
+                                    "type": "string"
+                                }
+                            },
+                            "required": ["repository", "tag" ]
+                        }
+                    },
+                    "required": ["image" ]
+                },
+                "operator": {
+                    "type": "object",
+                    "properties": {
+                        "image": {
+                            "type": "object",
+                            "properties": {
+                                "repository": {
+                                    "type": "string"
+                                },
+                                "tag": {
+                                    "type": "string"
+                                }
+                            },
+                            "required": ["repository", "tag" ]
+                        }
+                    },
+                    "required": ["image" ]
+                },
+                "preflight": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "image": {
+                            "type": "object",
+                            "properties": {
+                                "repository": {
+                                    "type": "string"
+                                },
+                                "tag": {
+                                    "type": "string"
+                                }
+                            },
+                            "required": ["repository", "tag" ]
+                        }
+                    }
+                },
+                "tunnel": {
+                    "type": "string"
+                }
+            },
+            "required": ["image", "operator", "nodeinit" ]
+        },
+        "global": {
+            "type": "object",
+            "properties": {
+                "systemDefaultRegistry": {
+                    "type": "string"
+                }
+            }
+        }
+    },
+    "required": ["cilium"],
+    "allOf": [
+        { "$ref" : "#/$defs/azure-requires-config" },
+        { "$ref" : "#/$defs/aws-requires-config" },
+        { "$ref" : "#/$defs/azure-aws-are-exclusive" },
+        { "$ref" : "#/$defs/preflight-requires-config" }
+    ],
+    "$defs": {
+        "is-azure": {
+            "properties" : {
+                "cilium": {
+                    "properties": {
+                        "azure": {
+                            "properties": {
+                                "enabled": { "const": true }
+                            }
+                        }
+                    }
+                }
+            }
+        },
+        "azure-requires-config" : {
+            "anyOf": [
+                { "not": { "$ref": "#/$defs/is-azure" } },
+                { 
+                    "properties": {
+                        "cilium": {
+                            "properties": {
+                                "masquerade": { "const": true },
+                                "cni": {
+                                    "properties": {
+                                        "chainingMode": { "const": "generic-veth" },
+                                        "customConf": { "const": true },
+                                        "configMap": { "const": "cni-configuration"}
+                                    },
+                                    "required": [ "chainingMode", "customConf", "configMap" ]
+                                }
+                            },
+                            "required": [ "cni" ]
+                        }
+                    }
+                }
+            ]
+        },
+        "is-aws": {
+            "properties" : {
+                "cilium": {
+                    "properties": {
+                        "eni": { "const": true }
+                    }
+                }
+            }
+        },
+        "aws-requires-config": {
+            "anyOf": [
+                { "not": { "$ref": "#/$defs/is-aws" } },
+                {
+                    "properties": {
+                        "cilium": {
+                            "properties": {
+                                "tunnel": { "const": "disabled" },
+                                "egressMasqueradeInterfaces": { "const": "eth0" },
+                                "ipam": {
+                                    "properties": {
+                                        "mode": { "const": "eni" }
+                                    },
+                                    "required": [ "mode" ]
+                                }
+                            },
+                            "required": [ "tunnel", "egressMasqueradeInterfaces", "ipam" ]
+                        }
+                    }
+                }
+            ]
+        },
+        "azure-aws-are-exclusive": {
+            "not": {
+                "allOf": [
+                    { "$ref": "#/$defs/is-azure" },
+                    { "$ref": "#/$defs/is-aws" }
+                ]
+            }
+        },
+        "is-preflight": {
+            "properties" : {
+                "cilium": {
+                    "properties": {
+                        "preflight": {
+                            "properties": {
+                                "enabled": { "const": true }
+                            }
+                        }
+                    }
+                }
+            }
+        },
+        "preflight-requires-config" : {
+            "anyOf": [
+                { "not": { "$ref": "#/$defs/is-preflight" } },
+                { 
+                    "properties": {
+                        "cilium": {
+                            "properties": {
+                                "preflight": {
+                                    "required": [ "image" ]
+                                }
+                            }
+                        }
+                    }
+                }
+            ]
+        }
+    }
+}
diff --git a/packages/rke2-cilium/charts/values.yaml b/packages/rke2-cilium/charts/values.yaml
new file mode 100644
index 0000000..65ac455
--- /dev/null
+++ b/packages/rke2-cilium/charts/values.yaml
@@ -0,0 +1,53 @@
+# Cilium specific options that can be customized for RKE2
+# Set with '--set cilium.<option>=<value>'
+cilium:
+
+  # imagePullSecrets specifies the key to access the registry
+  imagePullSecrets: []
+  image:
+    repository: rancher/mirrored-cilium-cilium
+    tag: v1.9.4
+  operator:
+    image:
+      repository: rancher/mirrored-cilium-operator
+      tag: v1.9.4
+  nodeinit:
+    image:
+      repository: rancher/mirrored-cilium-startup-script
+      tag: 62bfbe88c17778aad7bef9fa57ff9e2d4a9ba0d8
+  preflight:
+    # preflight enable to optionally prepare cilium prior to an upgrade
+    enabled: false
+    image:
+      repository: rancher/mirrored-cilium-cilium
+      tag: v1.9.4
+
+  #
+  # Enable Azure integration.
+  #
+  azure:
+    enabled: false
+  cni:
+    # Set to "generic-veth" for Azure integration.
+    chainingMode: none
+    # Set to "true" for Azure integration.
+    customConf: false
+    # Set to "cni-configuration" for Azure integration.
+    # configMap: cni-configuration
+  # Set to "true" for Azure integration.
+  masquerade: true
+
+  #
+  # Enable Elastic Network Interface (ENI) for AWS integration.
+  #
+  eni: false
+  ipam:
+    # Set mode to "eni" for ENI AWS intetgration.
+    mode: "cluster-pool"
+  # Set tunnel to "disable" if ENI AWS or Azure integrations are enabled.
+  tunnel: "vxlan"
+  # Set to "eth0" for ENI AWS intetgration.
+  #egressMasqueradeInterfaces: eth0
+
+global:
+  systemDefaultRegistry: ""
diff --git a/packages/rke2-cilium/generated-changes/dependencies/cilium/dependency.yaml b/packages/rke2-cilium/generated-changes/dependencies/cilium/dependency.yaml
new file mode 100644
index 0000000..0539305
--- /dev/null
+++ b/packages/rke2-cilium/generated-changes/dependencies/cilium/dependency.yaml
@@ -0,0 +1,2 @@
+workingDir: ""
+url: packages/cilium
diff --git a/packages/rke2-cilium/generated-changes/dependencies/rke2-cilium-hard-defaults/charts/Chart.yaml b/packages/rke2-cilium/generated-changes/dependencies/rke2-cilium-hard-defaults/charts/Chart.yaml
new file mode 100644
index 0000000..6b8f437
--- /dev/null
+++ b/packages/rke2-cilium/generated-changes/dependencies/rke2-cilium-hard-defaults/charts/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+name: rke2-cilium-hard-defaults
+description: Default options for cilium in RKE2
+version: 1.0.0
+home: https://docs.rke2.io/
+keywords:
+  - cilium
+sources:
+  - https://github.com/rancher/rke2-charts
+maintainers:
+  - name: Rancher Labs
+    email: charts@rancher.com
diff --git a/packages/rke2-cilium/generated-changes/dependencies/rke2-cilium-hard-defaults/charts/values.yaml b/packages/rke2-cilium/generated-changes/dependencies/rke2-cilium-hard-defaults/charts/values.yaml
new file mode 100644
index 0000000..424330d
--- /dev/null
+++ b/packages/rke2-cilium/generated-changes/dependencies/rke2-cilium-hard-defaults/charts/values.yaml
@@ -0,0 +1,17 @@
+exports:
+  defaults:
+    # These are the default options override of cilium for RKE2
+    # for which no customization is allowed
+    cilium:
+      
+      # Enable all metrics
+      prometheus:
+        enabled: true
+      operator:
+        prometheus:
+          enabled: true
+      
+      # Enable node init to correctly setup the node as required for cilium
+      # throughout all the supported OS
+      nodeinit:
+        enabled: true
diff --git a/packages/rke2-cilium/generated-changes/dependencies/rke2-cilium-hard-defaults/dependency.yaml b/packages/rke2-cilium/generated-changes/dependencies/rke2-cilium-hard-defaults/dependency.yaml
new file mode 100644
index 0000000..7d28d19
--- /dev/null
+++ b/packages/rke2-cilium/generated-changes/dependencies/rke2-cilium-hard-defaults/dependency.yaml
@@ -0,0 +1,2 @@
+workingDir: ""
+url: local
diff --git a/packages/rke2-cilium/package.yaml b/packages/rke2-cilium/package.yaml
new file mode 100644
index 0000000..0774348
--- /dev/null
+++ b/packages/rke2-cilium/package.yaml
@@ -0,0 +1,3 @@
+url: local
+packageVersion: 01
+releaseCandidateVersion: 00