The upstream Cilium chart changed the type of the `eni` value to a nested
object. Adjust our rke2-cilium chart to that change.

Ref: rancher/rke2#1615
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

Before this change, the wait-for-node-init container was not able to execute
properly with SELinux enabled, due to lack of ability to access the bind
mounted file. Due to lack of ability to set the container_file_t label
through Kubernetes, the other possible solution, done in this commit, is
making the container privileged. All the other containers accessing the
bootstrap file are already privileged as well, so it should not be that
harmful.

Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

This change updates the Cilium version from 1.9.4 to 1.9.6. This release
updates Envoy to 1.17.2 to address CVE-2021-28682, CVE-2021-28683 and
CVE-2021-29258.

Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

Cilium's default ipam mode does not honor the pod CIDR set in kube-controller-manager.
The benefits of that mode are not relevant when deploying with rke2.

Fixes issue rke2/891
Signed-off-by: Manuel Buil <mbuil@suse.com>

The chart is organized in subcharts to clearly delimit supported vs
non-supported customization options, as follows:

- The main rke2-cilium chart, which only supplies supported customization
  options through its values.yaml.
- The Cilium upstream chart, which is pulled in as a subchart dependency and is
  patched to support a system default registry as a global variable.
- An rke2-cilium-hard-defaults subchart, which supplies cilium options
  that change from upstream defaults for which we don't intend to
  support any customization.

All cilium options are scoped & accessible, for example:

`helm install rke2-cilium --set cilium.preflight.enabled=true`

Signed-off-by: Jaime Caamaño Ruiz <jcaamano@suse.com>