Before this change, wait-for-node-init container was not able to execute
properly with SELinux enabled, due to lack of ability to access the bind
mounted file. Due to lack of ability to set the container_file_t label
through Kubernetes, the other possible solution, done in this commit, is
making the container privileged. All the other containers accessing the
bootstrap file are already privileged as well, so it should not be that
harmful.
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
This change contains only autoregenerated patches after the update of
Cilium to 1.9.6. Those patches had to be regenerated due to upstream
changes in Cilium Helm charts.
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
The chart is organized in subcharts to clearly delimit supported vs
non-supported customization options, as follows:
- The main rke2-cilium chart which only supplies supported customization
options through its values.yaml.
- Cilium upstream chart is pulled in as a subchart dependency and is
patched to support a system default registry as a global variable.
- A rke2-cilium-hard-defaults subchart which supplies cilium options
that change from upstream defaults for which we don't intend to
support any customization.
All cilium options are scoped & accessible, for example:
`helm install rke2-cilium --set cilium.preflight.enabled=true`
Signed-off-by: Jaime Caamaño Ruiz <jcaamano@suse.com>
Michal Rostecki
Jaime Caamaño Ruiz