helm: bump Cilium version to v1.15.19-edg.0 (#3894)

* helm: generate cilium

* helm: update cilium ref

Author: burgerdev

internal/constellation/helm/BUILD.bazel

@@ -474,6 +474,7 @@ go_library(
         "charts/coredns/templates/service.yaml",
         "charts/coredns/templates/serviceaccount.yaml",
         "charts/aws-load-balancer-controller/templates/hpa.yaml",
+        "charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml",
     ],
     importpath = "github.com/edgelesssys/constellation/v2/internal/constellation/helm",
     visibility = ["//:__subpackages__"],

internal/constellation/helm/charts/cilium/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.15.8-edg.0
-appVersion: 1.15.8-edg.0
+version: 1.15.19-edg.0
+appVersion: 1.15.19-edg.0
 kubeVersion: ">= 1.16.0-0"
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.15/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability

internal/constellation/helm/charts/cilium/README.md

@@ -0,0 +1,232 @@
+node:
+  id: "host~127.0.0.1~no-id~localdomain"
+  cluster: "ingress-cluster"
+staticResources:
+  listeners:
+  {{- if .Values.envoy.prometheus.enabled }}
+  - name: "envoy-prometheus-metrics-listener"
+    address:
+      socketAddress:
+        address: {{ .Values.ipv4.enabled | ternary "0.0.0.0" "::" | quote }}
+        portValue: {{ .Values.envoy.prometheus.port }}
+    {{- if and .Values.ipv4.enabled .Values.ipv6.enabled }}
+    additionalAddresses:
+    - address:
+        socketAddress:
+          address: "::"
+          portValue: {{ .Values.envoy.prometheus.port }}
+    {{- end }}
+    filterChains:
+    - filters:
+      - name: "envoy.filters.network.http_connection_manager"
+        typedConfig:
+          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+          statPrefix: "envoy-prometheus-metrics-listener"
+          routeConfig:
+            virtualHosts:
+            - name: "prometheus_metrics_route"
+              domains:
+              - "*"
+              routes:
+              - name: "prometheus_metrics_route"
+                match:
+                  prefix: "/metrics"
+                route:
+                  cluster: "/envoy-admin"
+                  prefixRewrite: "/stats/prometheus"
+          httpFilters:
+          - name: "envoy.filters.http.router"
+            typedConfig:
+              "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+          internalAddressConfig:
+            cidrRanges:
+            {{- if .Values.ipv4.enabled }}
+            - addressPrefix: "10.0.0.0"
+              prefixLen: 8
+            - addressPrefix: "172.16.0.0"
+              prefixLen: 12
+            - addressPrefix: "192.168.0.0"
+              prefixLen: 16
+            - addressPrefix: "127.0.0.1"
+              prefixLen: 32
+            {{- end }}
+            {{- if .Values.ipv6.enabled }}
+            - addressPrefix: "::1"
+              prefixLen: 128
+            {{- end }}
+          streamIdleTimeout: "0s"
+  {{- end }}
+  - name: "envoy-health-listener"
+    address:
+      socketAddress:
+        address: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
+        portValue: {{ .Values.envoy.healthPort }}
+    {{- if and .Values.ipv4.enabled .Values.ipv6.enabled }}
+    additionalAddresses:
+    - address:
+        socketAddress:
+          address: "::1"
+          portValue: {{ .Values.envoy.healthPort }}
+    {{- end }}
+    filterChains:
+    - filters:
+      - name: "envoy.filters.network.http_connection_manager"
+        typedConfig:
+          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+          statPrefix: "envoy-health-listener"
+          routeConfig:
+            virtual_hosts:
+            - name: "health"
+              domains:
+              - "*"
+              routes:
+              - name: "health"
+                match:
+                  prefix: "/healthz"
+                route:
+                  cluster: "/envoy-admin"
+                  prefixRewrite: "/ready"
+          httpFilters:
+          - name: "envoy.filters.http.router"
+            typedConfig:
+              "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+          internalAddressConfig:
+            cidrRanges:
+            {{- if .Values.ipv4.enabled }}
+            - addressPrefix: "10.0.0.0"
+              prefixLen: 8
+            - addressPrefix: "172.16.0.0"
+              prefixLen: 12
+            - addressPrefix: "192.168.0.0"
+              prefixLen: 16
+            - addressPrefix: "127.0.0.1"
+              prefixLen: 32
+            {{- end }}
+            {{- if .Values.ipv6.enabled }}
+            - addressPrefix: "::1"
+              prefixLen: 128
+            {{- end }}
+          streamIdleTimeout: "0s"
+  clusters:
+  - name: "ingress-cluster"
+    type: "ORIGINAL_DST"
+    connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+    lbPolicy: "CLUSTER_PROVIDED"
+    typedExtensionProtocolOptions:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+        commonHttpProtocolOptions:
+          idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s"
+          maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s"
+          maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }}
+        useDownstreamProtocolConfig: {}
+    cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
+  - name: "egress-cluster-tls"
+    type: "ORIGINAL_DST"
+    connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+    lbPolicy: "CLUSTER_PROVIDED"
+    typedExtensionProtocolOptions:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+        commonHttpProtocolOptions:
+          idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s"
+          maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s"
+          maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }}
+        upstreamHttpProtocolOptions: {}
+        useDownstreamProtocolConfig: {}
+    cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
+    transportSocket:
+      name: "cilium.tls_wrapper"
+      typedConfig:
+        "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
+  - name: "egress-cluster"
+    type: "ORIGINAL_DST"
+    connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+    lbPolicy: "CLUSTER_PROVIDED"
+    typedExtensionProtocolOptions:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+        commonHttpProtocolOptions:
+          idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s"
+          maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s"
+          maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }}
+        useDownstreamProtocolConfig: {}
+    cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
+  - name: "ingress-cluster-tls"
+    type: "ORIGINAL_DST"
+    connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+    lbPolicy: "CLUSTER_PROVIDED"
+    typedExtensionProtocolOptions:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+        commonHttpProtocolOptions:
+          idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s"
+          maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s"
+          maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }}
+        upstreamHttpProtocolOptions: {}
+        useDownstreamProtocolConfig: {}
+    cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
+    transportSocket:
+      name: "cilium.tls_wrapper"
+      typedConfig:
+        "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
+  - name: "xds-grpc-cilium"
+    type: "STATIC"
+    connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+    loadAssignment:
+      clusterName: "xds-grpc-cilium"
+      endpoints:
+      - lbEndpoints:
+        - endpoint:
+            address:
+              pipe:
+                path: "/var/run/cilium/envoy/sockets/xds.sock"
+    typedExtensionProtocolOptions:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+        explicitHttpConfig:
+          http2ProtocolOptions: {}
+  - name: "/envoy-admin"
+    type: "STATIC"
+    connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+    loadAssignment:
+      clusterName: "/envoy-admin"
+      endpoints:
+      - lbEndpoints:
+        - endpoint:
+            address:
+              pipe:
+                path: "/var/run/cilium/envoy/sockets/admin.sock"
+dynamicResources:
+  ldsConfig:
+    apiConfigSource:
+      apiType: "GRPC"
+      transportApiVersion: "V3"
+      grpcServices:
+      - envoyGrpc:
+          clusterName: "xds-grpc-cilium"
+      setNodeOnFirstMessageOnly: true
+    resourceApiVersion: "V3"
+  cdsConfig:
+    apiConfigSource:
+      apiType: "GRPC"
+      transportApiVersion: "V3"
+      grpcServices:
+      - envoyGrpc:
+          clusterName: "xds-grpc-cilium"
+      setNodeOnFirstMessageOnly: true
+    resourceApiVersion: "V3"
+bootstrapExtensions:
+- name: "envoy.bootstrap.internal_listener"
+  typedConfig:
+    "@type": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"
+overloadManager:
+  resourceMonitors:
+  - name: "envoy.resource_monitors.global_downstream_max_connections"
+    typedConfig:
+      "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig"
+      max_active_downstream_connections: "50000"
+admin:
+  address:
+    pipe:
+      path: "/var/run/cilium/envoy/sockets/admin.sock"

internal/constellation/helm/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml

@@ -11,6 +11,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 data:
-{{- (tpl (.Files.Glob "files/cilium-envoy/configmap/bootstrap-config.json").AsConfig .) | nindent 2 }}
-
+  # Keep the key name as bootstrap-config.json to avoid breaking changes
+  bootstrap-config.json: |
+    {{- (tpl (.Files.Get "files/cilium-envoy/configmap/bootstrap-config.yaml") .) | fromYaml | toJson | nindent 4 }}
 {{- end }}

internal/constellation/helm/charts/cilium/templates/cilium-envoy/configmap.yaml

@@ -26,10 +26,6 @@ spec:
   template:
     metadata:
       annotations:
-        {{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled (not .Values.envoy.prometheus.serviceMonitor.enabled) }}
-        prometheus.io/port: "{{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}"
-        prometheus.io/scrape: "true"
-        {{- end }}
         {{- if .Values.envoy.rollOutPods }}
         # ensure pods roll when configmap updates
         cilium.io/cilium-envoy-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-envoy/configmap.yaml") . | sha256sum | quote }}

internal/constellation/helm/charts/cilium/templates/cilium-envoy/daemonset.yaml

@@ -13,24 +13,12 @@ server {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
 
-        # CORS
-        add_header Access-Control-Allow-Methods "GET, POST, PUT, HEAD, DELETE, OPTIONS";
-        add_header Access-Control-Allow-Origin *;
-        add_header Access-Control-Max-Age 1728000;
-        add_header Access-Control-Expose-Headers content-length,grpc-status,grpc-message;
-        add_header Access-Control-Allow-Headers range,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout;
-        if ($request_method = OPTIONS) {
-            return 204;
-        }
-        # /CORS
-
         location {{ .Values.hubble.ui.baseUrl }}api {
             {{- if not (eq .Values.hubble.ui.baseUrl "/") }}
             rewrite ^{{ (trimSuffix "/" .Values.hubble.ui.baseUrl) }}(/.*)$ $1 break;
             {{- end }}
             proxy_http_version 1.1;
             proxy_pass_request_headers on;
-            proxy_hide_header Access-Control-Allow-Origin;
             {{- if eq .Values.hubble.ui.baseUrl "/" }}
             proxy_pass http://127.0.0.1:8090;
             {{- else }}

internal/constellation/helm/charts/cilium/templates/hubble-ui/_nginx.tpl

@@ -19,4 +19,9 @@ spec:
   duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
   privateKey:
     rotationPolicy: Always
+  isCA: false
+  usages:
+    - signing
+    - key encipherment
+    - client auth
 {{- end }}

internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml

@@ -28,4 +28,9 @@ spec:
   duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
   privateKey:
     rotationPolicy: Always
+  isCA: false
+  usages:
+    - signing
+    - key encipherment
+    - server auth
 {{- end }}

internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml

@@ -29,4 +29,10 @@ spec:
   duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
   privateKey:
     rotationPolicy: Always
+  isCA: false
+  usages:
+    - signing
+    - key encipherment
+    - server auth
+    - client auth
 {{- end }}