Created
October 23, 2025 23:06
-
-
Save nctiggy/dd3b82c9efb41c29e07c894dfdb3b8a6 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {"metadata":{"name":"VMO-RA-Infra-Agent-PXKE-Longhorn","description":"Infra layers for VMO Reference Architecture on Agent Mode (PXK-E), configured to use the Longhorn CSI and Cilium in legacy kubeproxy mode.","labels":{"refarch":"vmo-infra"}},"spec":{"version":"1.7.1","template":{"type":"cluster","cloudType":"edge-native","packs":[{"name":"edge-native-byoi","type":"oci","layer":"os","version":"2.1.0","tag":"2.1.0","values":"pack:\n content:\n images:\n - image: '{{.spectro.pack.edge-native-byoi.options.system.uri}}'\n drain:\n drainPods: auto # Set to false to skip node drain for cluster upgrades.\n podSelector: \"cluster.spectrocloud.com/task!=control-plan,cluster.spectrocloud.com/task!=worker-plan,app!=spectro,app!=spectro-proxy,app!=palette-webhook\" # Set additional pod selector options for draining.\n cordon: true\n timeout: 0 # The length of time to wait before giving up, zero means infinite\n gracePeriod: -1 # Period of time in seconds given to each pod to terminate gracefully. If negative, the default value specified in the pod will be used\n ignoreDaemonSets: true\n deleteLocalData: true # Continue even if there are pods using emptyDir (local data that will be deleted when the node is drained)\n force: true # Continue even if there are pods that do not declare a controller\n disableEviction: false # Force drain to use delete, even if eviction is supported. This will bypass checking PodDisruptionBudgets, use with caution\n skipWaitForDeleteTimeout: 0 # If pod DeletionTimestamp older than N seconds, skip waiting for the pod. Seconds must be greater than 0 to skip.\n\noptions:\n system.uri: \"NA\"\n\nstages:\n initramfs:\n - name: \"VMO - config files\"\n commands:\n - mkdir -p /etc/kubernetes/manifests\n - rm -f /var/lib/kubelet/cpu_manager_state\n - rm -f /var/lib/kubelet/memory_manager_state\n - sysctl -p /etc/sysctl.d/10-kubernetes-tuning.conf\n - systemctl set-property system.slice AllowedCPUs={{ .spectro.var.systemReservedCPU }}\n - systemctl set-property spectro.slice AllowedCPUs={{ .spectro.var.systemReservedCPU }}\n files:\n - path: /etc/sysctl.d/10-kubernetes-tuning.conf\n permissions: 0644\n owner: 0\n group: 0\n content: |-\n fs.inotify.max_user_watches=524288\n kernel.sched_autogroup_enabled=0\n net.ipv4.tcp_max_syn_backlog=2048\n net.ipv4.ip_local_port_range=10240 65535\n vm.dirty_background_ratio=5\n vm.dirty_ratio=15\n vm.swappiness=10\n - path: /etc/kubernetes/kubelet.conf.d/10-vmo-tuning.conf\n permissions: 0644\n owner: 0\n group: 0\n content: |-\n apiVersion: kubelet.config.k8s.io/v1beta1\n kind: KubeletConfiguration\n cpuManagerPolicy: static\n cpuManagerPolicyOptions:\n distribute-cpus-across-cores: \"true\"\n enforceNodeAllocatable:\n - pods\n featureGates:\n RotateKubeletServerCertificate: true\n CPUManagerPolicyBetaOptions: true\n CPUManagerPolicyAlphaOptions: true\n MemoryManager: true\n reservedSystemCPUs: {{.spectro.var.systemReservedCPU}}\n kubeReserved:\n memory: 5050Mi\n ephemeral-storage: 5Gi\n maxPods: 250\n systemReserved:\n memory: 1024Mi\n ephemeral-storage: 5Gi\n memoryManagerPolicy: Static\n reservedMemory:\n - numaNode: 0\n limits:\n memory: 6174Mi\n topologyManagerPolicy: best-effort\n - path: /etc/containerd/config.toml\n permissions: 0644\n owner: 0\n group: 0\n content: |-\n version = 2\n root = \"/var/lib/spectro/containerd\"\n state = \"/run/spectro/containerd\"\n imports = [\"/etc/containerd/conf.d/*.toml\"]\n \n [grpc]\n address = \"/run/spectro/containerd/containerd.sock\"\n \n [plugins]\n [plugins.\"io.containerd.grpc.v1.cri\"]\n sandbox_image = \"registry.k8s.io/pause:3.10\"\n device_ownership_from_security_context = true\n enable_unprivileged_ports = true\n enable_unprivileged_icmp = true\n [plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes.runc]\n runtime_type = \"io.containerd.runc.v2\"\n [plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes.runc.options]\n BinaryName = \"/opt/bin/runc\"\n SystemdCgroup = true\n [plugins.\"io.containerd.grpc.v1.cri\".registry]\n config_path = \"/etc/containerd/certs.d\"","registry":{"metadata":{"uid":"64eaff453040297344bcad5d","name":"Palette Registry","kind":"oci","isPrivate":true,"providerType":"pack","isSyncSupported":true}}},{"name":"edge-k8s","type":"oci","layer":"k8s","version":"1.32.4","tag":"1.32.4","values":"pack:\n content:\n images:\n - image: registry.k8s.io/coredns/coredns:v1.11.3\n - image: registry.k8s.io/etcd:3.5.16-0\n - image: registry.k8s.io/kube-apiserver:v1.32.4\n - image: registry.k8s.io/kube-controller-manager:v1.32.4\n - image: registry.k8s.io/kube-proxy:v1.32.4\n - image: registry.k8s.io/kube-scheduler:v1.32.4\n - image: registry.k8s.io/pause:3.10\n palette:\n config:\n oidc:\n identityProvider: palette\n#Client configuration to add OIDC based authentication flags in kubeconfig\n#clientConfig:\n #oidc-issuer-url: \"{{ .spectro.pack.kubernetes.kubeadmconfig.apiServer.extraArgs.oidc-issuer-url }}\"\n #oidc-client-id: \"{{ .spectro.pack.kubernetes.kubeadmconfig.apiServer.extraArgs.oidc-client-id }}\"\n #oidc-client-secret: \"\"\n #oidc-extra-scope: profile,email\ncluster:\n # kubevipArgs:\n # svc_enable: \"true\"\n # vip_interface: \"ens32\"\n # vip_servicesinterface: \"eno1\"\n # vip_leaseduration: \"50\"\n # vip_renewdeadline: \"40\"\n # vip_retryperiod: \"4\"\n # apiServer:\n # extraArgs:\n # oidc-groups-claim: \"groups\"\n # oidc-username-claim: \"email\"\n # oidc-issuer-url: \"\"\n # oidc-client-id: \"\"\n config: |\n clusterConfiguration:\n apiServer:\n extraArgs:\n - name: \"advertise-address\"\n value: \"0.0.0.0\"\n - name: \"anonymous-auth\"\n value: \"true\"\n - name: \"audit-log-maxage\"\n value: \"30\"\n - name: \"audit-log-maxbackup\"\n value: \"10\"\n - name: \"audit-log-maxsize\"\n value: \"100\"\n - name: \"audit-log-path\"\n value: \"/var/log/apiserver/audit.log\"\n - name: \"audit-policy-file\"\n value: \"/etc/kubernetes/audit-policy.yaml\"\n - name: \"authorization-mode\"\n value: RBAC,Node\n - name: \"default-not-ready-toleration-seconds\"\n value: \"60\"\n - name: \"default-unreachable-toleration-seconds\"\n value: \"60\"\n - name: \"disable-admission-plugins\"\n value: \"AlwaysAdmit\"\n - name: \"enable-admission-plugins\"\n value: \"AlwaysPullImages,NamespaceLifecycle,ServiceAccount,NodeRestriction\"\n - name: \"profiling\"\n value: \"false\"\n - name: \"secure-port\"\n value: \"6443\"\n - name: \"tls-cipher-suites\"\n value: \"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\"\n extraVolumes:\n - hostPath: /var/log/apiserver\n mountPath: /var/log/apiserver\n name: audit-log\n pathType: DirectoryOrCreate\n - hostPath: /etc/kubernetes/audit-policy.yaml\n mountPath: /etc/kubernetes/audit-policy.yaml\n name: audit-policy\n pathType: File\n readOnly: true\n controllerManager:\n extraArgs:\n - name: \"feature-gates\"\n value: RotateKubeletServerCertificate=true\n - name: \"profiling\"\n value: \"false\"\n - name: \"terminated-pod-gc-threshold\"\n value: \"25\"\n - name: \"use-service-account-credentials\"\n value: \"true\"\n kubernetesVersion: v1.32.4\n featureGates:\n ControlPlaneKubeletLocalMode: true\n etcd:\n local:\n dataDir: \"/etc/kubernetes/etcd\"\n extraArgs:\n - name: \"listen-client-urls\"\n value: \"https://0.0.0.0:2379\"\n - name: \"snapshot-count\"\n value: \"50000\"\n - name: \"max-snapshots\"\n value: \"12\"\n - name: \"cipher-suites\"\n value: \"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\"\n networking:\n podSubnet: '{{ .spectro.var.K8sPodCIDR }}'\n serviceSubnet: '{{ .spectro.var.K8sServiceCIDR }}'\n scheduler:\n extraArgs:\n - name: \"profiling\"\n value: \"false\"\n kubeletConfiguration:\n eventRecordQPS: 0\n featureGates:\n RotateKubeletServerCertificate: true\n protectKernelDefaults: true\n readOnlyPort: 0\n tlsCipherSuites:\n - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305\n - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\n - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n - TLS_RSA_WITH_AES_256_GCM_SHA384\n - TLS_RSA_WITH_AES_128_GCM_SHA256\n initConfiguration:\n nodeRegistration:\n kubeletExtraArgs:\n - name: config-dir\n value: \"/etc/kubernetes/kubelet.conf.d\"\n timeouts:\n controlPlaneComponentHealthCheck: 5m0s\n joinConfiguration:\n nodeRegistration:\n kubeletExtraArgs:\n - name: config-dir\n value: \"/etc/kubernetes/kubelet.conf.d\"\n timeouts:\n controlPlaneComponentHealthCheck: 5m0s\n\nstages:\n initramfs:\n - sysctl:\n vm.overcommit_memory: 1\n kernel.panic: 10\n kernel.panic_on_oops: 1\n commands:\n - \"ln -s /etc/kubernetes/admin.conf /run/kubeconfig\"\n files:\n - path: /etc/hosts\n permissions: 0644\n content: |\n 127.0.0.1 localhost\n - path: \"/etc/kubernetes/audit-policy.yaml\"\n owner_string: \"root\"\n permissions: 0600\n content: |\n apiVersion: audit.k8s.io/v1\n kind: Policy\n rules:\n - level: None\n users: [\"system:kube-proxy\"]\n verbs: [\"watch\"]\n resources:\n - group: \"\" # core\n resources: [\"endpoints\", \"services\", \"services/status\"]\n - level: None\n users: [\"system:unsecured\"]\n namespaces: [\"kube-system\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"configmaps\"]\n - level: None\n users: [\"kubelet\"] # legacy kubelet identity\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes\", \"nodes/status\"]\n - level: None\n userGroups: [\"system:nodes\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes\", \"nodes/status\"]\n - level: None\n users:\n - system:kube-controller-manager\n - system:kube-scheduler\n - system:serviceaccount:kube-system:endpoint-controller\n verbs: [\"get\", \"update\"]\n namespaces: [\"kube-system\"]\n resources:\n - group: \"\" # core\n resources: [\"endpoints\"]\n - level: None\n users: [\"system:apiserver\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"namespaces\", \"namespaces/status\", \"namespaces/finalize\"]\n - level: None\n users: [\"cluster-autoscaler\"]\n verbs: [\"get\", \"update\"]\n namespaces: [\"kube-system\"]\n resources:\n - group: \"\" # core\n resources: [\"configmaps\", \"endpoints\"]\n # Don't log HPA fetching metrics.\n - level: None\n users:\n - system:kube-controller-manager\n verbs: [\"get\", \"list\"]\n resources:\n - group: \"metrics.k8s.io\"\n # Don't log these read-only URLs.\n - level: None\n nonResourceURLs:\n - /healthz*\n - /version\n - /swagger*\n # Don't log events requests.\n - level: None\n resources:\n - group: \"\" # core\n resources: [\"events\"]\n # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes\n - level: Request\n users: [\"kubelet\", \"system:node-problem-detector\", \"system:serviceaccount:kube-system:node-problem-detector\"]\n verbs: [\"update\",\"patch\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes/status\", \"pods/status\"]\n omitStages:\n - \"RequestReceived\"\n - level: Request\n userGroups: [\"system:nodes\"]\n verbs: [\"update\",\"patch\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes/status\", \"pods/status\"]\n omitStages:\n - \"RequestReceived\"\n # deletecollection calls can be large, don't log responses for expected namespace deletions\n - level: Request\n users: [\"system:serviceaccount:kube-system:namespace-controller\"]\n verbs: [\"deletecollection\"]\n omitStages:\n - \"RequestReceived\"\n # Secrets, ConfigMaps, and TokenReviews can contain sensitive \u0026 binary data,\n # so only log at the Metadata level.\n - level: Metadata\n resources:\n - group: \"\" # core\n resources: [\"secrets\", \"configmaps\"]\n - group: authentication.k8s.io\n resources: [\"tokenreviews\"]\n omitStages:\n - \"RequestReceived\"\n # Get repsonses can be large; skip them.\n - level: Request\n verbs: [\"get\", \"list\", \"watch\"]\n resources:\n - group: \"\" # core\n - group: \"admissionregistration.k8s.io\"\n - group: \"apiextensions.k8s.io\"\n - group: \"apiregistration.k8s.io\"\n - group: \"apps\"\n - group: \"authentication.k8s.io\"\n - group: \"authorization.k8s.io\"\n - group: \"autoscaling\"\n - group: \"batch\"\n - group: \"certificates.k8s.io\"\n - group: \"extensions\"\n - group: \"metrics.k8s.io\"\n - group: \"networking.k8s.io\"\n - group: \"policy\"\n - group: \"rbac.authorization.k8s.io\"\n - group: \"settings.k8s.io\"\n - group: \"storage.k8s.io\"\n omitStages:\n - \"RequestReceived\"\n # Default level for known APIs\n - level: RequestResponse\n resources:\n - group: \"\" # core\n - group: \"admissionregistration.k8s.io\"\n - group: \"apiextensions.k8s.io\"\n - group: \"apiregistration.k8s.io\"\n - group: \"apps\"\n - group: \"authentication.k8s.io\"\n - group: \"authorization.k8s.io\"\n - group: \"autoscaling\"\n - group: \"batch\"\n - group: \"certificates.k8s.io\"\n - group: \"extensions\"\n - group: \"metrics.k8s.io\"\n - group: \"networking.k8s.io\"\n - group: \"policy\"\n - group: \"rbac.authorization.k8s.io\"\n - group: \"settings.k8s.io\"\n - group: \"storage.k8s.io\"\n omitStages:\n - \"RequestReceived\"\n # Default level for all other requests.\n - level: Metadata\n omitStages:\n - \"RequestReceived\"","registry":{"metadata":{"uid":"64eaff453040297344bcad5d","name":"Palette Registry","kind":"oci","isPrivate":true,"providerType":"pack","isSyncSupported":true}}},{"name":"cni-cilium-oss","type":"oci","layer":"cni","version":"1.17.4","tag":"1.17.4","values":"# spectrocloud.com/enabled-presets: Cilium Operator: op-multi-node,IPAM mode: ipam-kubernetes,Kube-proxy replacement: ebpf-kubeproxy,Loadbalancer mode: lb-no-xdp,Pod networking: podnw-vxlan,VMO - Bridge interface: vmo-auto,VMO Compatibility: vmo-enable\npack:\n content:\n images:\n - image: us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/certgen:v0.2.1\n - image: us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/cilium:v1.17.4\n - image: us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/cilium-envoy:v1.32.6-1746661844-0f602c28cb2aa57b29078195049fb257d5b5246c\n - image: us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/clustermesh-apiserver:v1.17.4\n - image: us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/hubble-relay:v1.17.4\n - image: us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/hubble-ui:v0.13.2\n - image: us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/hubble-ui-backend:v0.13.2\n - image: us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/operator:v1.17.4\n - image: us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/operator-generic:v1.17.4\n - image: us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/operator-aws:v1.17.4\n - image: us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/operator-azure:v1.17.4\n - image: us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/startup-script:c54c7edeab7fde4da68e59acd319ab24af242c3f\n - image: us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/spire-agent:1.9.6\n - image: us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/spire-server:1.9.6\n - image: us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/busybox:v1.37.0-glibc\n\n charts:\n - repo: https://helm.cilium.io/\n name: cilium\n version: 1.17.4\n #The namespace (on the target cluster) to install this chart\n #When not found, a new namespace will be created\n namespace: kube-system\n\ncharts:\n cilium:\n # @schema\n # type: [null, string]\n # @schema\n # -- namespaceOverride allows to override the destination namespace for Cilium resources.\n # This property allows to use Cilium as part of an Umbrella Chart with different targets.\n namespaceOverride: \"\"\n # @schema\n # type: [null, object]\n # @schema\n # -- commonLabels allows users to add common labels for all Cilium resources.\n commonLabels: {}\n # @schema\n # type: [null, string]\n # @schema\n # -- upgradeCompatibility helps users upgrading to ensure that the configMap for\n # Cilium will not change critical values to ensure continued operation\n # This flag is not required for new installations.\n # For example: '1.7', '1.8', '1.9'\n upgradeCompatibility: null\n debug:\n # -- Enable debug logging\n enabled: false\n # @schema\n # type: [null, string]\n # @schema\n # -- Configure verbosity levels for debug logging\n # This option is used to enable debug messages for operations related to such\n # sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is\n # for enabling debug messages emitted per request, message and connection.\n # Multiple values can be set via a space-separated string (e.g. \"datapath envoy\").\n #\n # Applicable values:\n # - flow\n # - kvstore\n # - envoy\n # - datapath\n # - policy\n verbose: ~\n rbac:\n # -- Enable creation of Resource-Based Access Control configuration.\n create: true\n # -- Configure image pull secrets for pulling container images\n imagePullSecrets: []\n # - name: \"image-pull-secret\"\n\n # -- Configure iptables--random-fully. Disabled by default. View https://github.com/cilium/cilium/issues/13037 for more information.\n iptablesRandomFully: false\n # -- (string) Kubernetes config path\n # @default -- `\"~/.kube/config\"`\n kubeConfigPath: \"\"\n # -- (string) Kubernetes service host - use \"auto\" for automatic lookup from the cluster-info ConfigMap\n k8sServiceHost: \"\"\n # @schema\n # type: [string, integer]\n # @schema\n # -- (string) Kubernetes service port\n k8sServicePort: \"\"\n # @schema\n # type: [null, string]\n # @schema\n # -- (string) When `k8sServiceHost=auto`, allows to customize the configMap name. It defaults to `cluster-info`.\n k8sServiceLookupConfigMapName: \"\"\n # @schema\n # type: [null, string]\n # @schema\n # -- (string) When `k8sServiceHost=auto`, allows to customize the namespace that contains `k8sServiceLookupConfigMapName`. It defaults to `kube-public`.\n k8sServiceLookupNamespace: \"\"\n # -- Configure the client side rate limit for the agent\n #\n # If the amount of requests to the Kubernetes API server exceeds the configured\n # rate limit, the agent will start to throttle requests by delaying\n # them until there is budget or the request times out.\n k8sClientRateLimit:\n # @schema\n # type: [null, integer]\n # @schema\n # -- (int) The sustained request rate in requests per second.\n # @default -- 10\n qps:\n # @schema\n # type: [null, integer]\n # @schema\n # -- (int) The burst request rate in requests per second.\n # The rate limiter will allow short bursts with a higher rate.\n # @default -- 20\n burst:\n # -- Configure the client side rate limit for the Cilium Operator\n operator:\n # @schema\n # type: [null, integer]\n # @schema\n # -- (int) The sustained request rate in requests per second.\n # @default -- 100\n qps:\n # @schema\n # type: [null, integer]\n # @schema\n # -- (int) The burst request rate in requests per second.\n # The rate limiter will allow short bursts with a higher rate.\n # @default -- 200\n burst:\n cluster:\n # -- Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE.\n # It must respect the following constraints:\n # * It must contain at most 32 characters;\n # * It must begin and end with a lower case alphanumeric character;\n # * It may contain lower case alphanumeric characters and dashes between.\n # The \"default\" name cannot be used if the Cluster ID is different from 0.\n name: default\n # -- (int) Unique ID of the cluster. Must be unique across all connected\n # clusters and in the range of 1 to 255. Only required for Cluster Mesh,\n # may be 0 if Cluster Mesh is not used.\n id: 0\n # -- Define serviceAccount names for components.\n # @default -- Component's fully qualified name.\n serviceAccounts:\n cilium:\n create: true\n name: cilium\n automount: true\n annotations: {}\n nodeinit:\n create: true\n # -- Enabled is temporary until https://github.com/cilium/cilium-cli/issues/1396 is implemented.\n # Cilium CLI doesn't create the SAs for node-init, thus the workaround. Helm is not affected by\n # this issue. Name and automount can be configured, if enabled is set to true.\n # Otherwise, they are ignored. Enabled can be removed once the issue is fixed.\n # Cilium-nodeinit DS must also be fixed.\n enabled: false\n name: cilium-nodeinit\n automount: true\n annotations: {}\n envoy:\n create: true\n name: cilium-envoy\n automount: true\n annotations: {}\n operator:\n create: true\n name: cilium-operator\n automount: true\n annotations: {}\n preflight:\n create: true\n name: cilium-pre-flight\n automount: true\n annotations: {}\n relay:\n create: true\n name: hubble-relay\n automount: false\n annotations: {}\n ui:\n create: true\n name: hubble-ui\n automount: true\n annotations: {}\n clustermeshApiserver:\n create: true\n name: clustermesh-apiserver\n automount: true\n annotations: {}\n # -- Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob\n clustermeshcertgen:\n create: true\n name: clustermesh-apiserver-generate-certs\n automount: true\n annotations: {}\n # -- Hubblecertgen is used if hubble.tls.auto.method=cronJob\n hubblecertgen:\n create: true\n name: hubble-generate-certs\n automount: true\n annotations: {}\n # -- Configure termination grace period for cilium-agent DaemonSet.\n terminationGracePeriodSeconds: 1\n # -- Install the cilium agent resources.\n agent: true\n # -- Agent container name.\n name: cilium\n # -- Roll out cilium agent pods automatically when configmap is updated.\n rollOutCiliumPods: false\n # -- Agent container image.\n image:\n # @schema\n # type: [null, string]\n # @schema\n override: ~\n repository: \"us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/cilium\"\n tag: \"v1.17.4\"\n pullPolicy: \"IfNotPresent\"\n # cilium-digest\n digest: \"\"\n useDigest: false\n # -- Scheduling configurations for cilium pods\n scheduling:\n # @schema\n # enum: [\"anti-affinity\", \"kube-scheduler\"]\n # @schema\n # -- Mode specifies how Cilium daemonset pods should be scheduled to Nodes.\n # `anti-affinity` mode applies a pod anti-affinity rule to the cilium daemonset.\n # Pod anti-affinity may significantly impact scheduling throughput for large clusters.\n # See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity\n # `kube-scheduler` mode forgoes the anti-affinity rule for full scheduling throughput.\n # Kube-scheduler avoids host port conflict when scheduling pods.\n # @default -- Defaults to apply a pod anti-affinity rule to the agent pod - `anti-affinity`\n mode: anti-affinity\n # -- Affinity for cilium-agent.\n affinity:\n podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - topologyKey: kubernetes.io/hostname\n labelSelector:\n matchLabels:\n k8s-app: cilium\n # -- Node selector for cilium-agent.\n nodeSelector:\n kubernetes.io/os: linux\n # -- Node tolerations for agent scheduling to nodes with taints\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/\n tolerations:\n - operator: Exists\n # - key: \"key\"\n # operator: \"Equal|Exists\"\n # value: \"value\"\n # effect: \"NoSchedule|PreferNoSchedule|NoExecute(1.6 only)\"\n # -- The priority class to use for cilium-agent.\n priorityClassName: \"\"\n # -- DNS policy for Cilium agent pods.\n # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy\n dnsPolicy: \"\"\n # -- Additional containers added to the cilium DaemonSet.\n extraContainers: []\n # -- Additional initContainers added to the cilium Daemonset.\n extraInitContainers: []\n # -- Additional agent container arguments.\n extraArgs: []\n # -- Additional agent container environment variables.\n extraEnv: []\n # -- Additional agent hostPath mounts.\n extraHostPathMounts: []\n # - name: host-mnt-data\n # mountPath: /host/mnt/data\n # hostPath: /mnt/data\n # hostPathType: Directory\n # readOnly: true\n # mountPropagation: HostToContainer\n\n # -- Additional agent volumes.\n extraVolumes: []\n # -- Additional agent volumeMounts.\n extraVolumeMounts: []\n # -- extraConfig allows you to specify additional configuration parameters to be\n # included in the cilium-config configmap.\n extraConfig: {}\n # my-config-a: \"1234\"\n # my-config-b: |-\n # test 1\n # test 2\n # test 3\n\n # -- Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent)\n annotations: {}\n # -- Security Context for cilium-agent pods.\n podSecurityContext:\n # -- AppArmorProfile options for the `cilium-agent` and init containers\n appArmorProfile:\n type: \"Unconfined\"\n # -- Annotations to be added to agent pods\n podAnnotations:\n container.apparmor.security.beta.kubernetes.io/cilium-agent: \"unconfined\"\n container.apparmor.security.beta.kubernetes.io/clean-cilium-state: \"unconfined\"\n container.apparmor.security.beta.kubernetes.io/mount-cgroup: \"unconfined\"\n container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: \"unconfined\"\n # -- Labels to be added to agent pods\n podLabels: {}\n # -- Agent resource limits \u0026 requests\n # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/\n resources: {}\n # limits:\n # cpu: 4000m\n # memory: 4Gi\n # requests:\n # cpu: 100m\n # memory: 512Mi\n\n # -- resources \u0026 limits for the agent init containers\n initResources: {}\n securityContext:\n # -- User to run the pod with\n # runAsUser: 0\n # -- Run the pod with elevated privileges\n privileged: false\n # -- SELinux options for the `cilium-agent` and init containers\n seLinuxOptions:\n level: 's0'\n # Running with spc_t since we have removed the privileged mode.\n # Users can change it to a different type as long as they have the\n # type available on the system.\n type: 'spc_t'\n capabilities:\n # -- Capabilities for the `cilium-agent` container\n ciliumAgent:\n # Use to set socket permission\n - CHOWN\n # Used to terminate envoy child process\n - KILL\n # Used since cilium modifies routing tables, etc...\n - NET_ADMIN\n # Used since cilium creates raw sockets, etc...\n - NET_RAW\n # Used since cilium monitor uses mmap\n - IPC_LOCK\n # Used in iptables. Consider removing once we are iptables-free\n - SYS_MODULE\n # Needed to switch network namespaces (used for health endpoint, socket-LB).\n # We need it for now but might not need it for \u003e= 5.11 specially\n # for the 'SYS_RESOURCE'.\n # In \u003e= 5.8 there's already BPF and PERMON capabilities\n - SYS_ADMIN\n # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC\n - SYS_RESOURCE\n # Both PERFMON and BPF requires kernel 5.8, container runtime\n # cri-o \u003e= v1.22.0 or containerd \u003e= v1.5.0.\n # If available, SYS_ADMIN can be removed.\n #- PERFMON\n #- BPF\n # Allow discretionary access control (e.g. required for package installation)\n - DAC_OVERRIDE\n # Allow to set Access Control Lists (ACLs) on arbitrary files (e.g. required for package installation)\n - FOWNER\n # Allow to execute program that changes GID (e.g. required for package installation)\n - SETGID\n # Allow to execute program that changes UID (e.g. required for package installation)\n - SETUID\n # -- Capabilities for the `mount-cgroup` init container\n mountCgroup:\n # Only used for 'mount' cgroup\n - SYS_ADMIN\n # Used for nsenter\n - SYS_CHROOT\n - SYS_PTRACE\n # -- capabilities for the `apply-sysctl-overwrites` init container\n applySysctlOverwrites:\n # Required in order to access host's /etc/sysctl.d dir\n - SYS_ADMIN\n # Used for nsenter\n - SYS_CHROOT\n - SYS_PTRACE\n # -- Capabilities for the `clean-cilium-state` init container\n cleanCiliumState:\n # Most of the capabilities here are the same ones used in the\n # cilium-agent's container because this container can be used to\n # uninstall all Cilium resources, and therefore it is likely that\n # will need the same capabilities.\n # Used since cilium modifies routing tables, etc...\n - NET_ADMIN\n # Used in iptables. Consider removing once we are iptables-free\n - SYS_MODULE\n # We need it for now but might not need it for \u003e= 5.11 specially\n # for the 'SYS_RESOURCE'.\n # In \u003e= 5.8 there's already BPF and PERMON capabilities\n - SYS_ADMIN\n # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC\n - SYS_RESOURCE\n # Both PERFMON and BPF requires kernel 5.8, container runtime\n # cri-o \u003e= v1.22.0 or containerd \u003e= v1.5.0.\n # If available, SYS_ADMIN can be removed.\n #- PERFMON\n #- BPF\n # -- Cilium agent update strategy\n updateStrategy:\n type: RollingUpdate\n rollingUpdate:\n # @schema\n # type: [integer, string]\n # @schema\n maxUnavailable: 2\n # Configuration Values for cilium-agent\n aksbyocni:\n # -- Enable AKS BYOCNI integration.\n # Note that this is incompatible with AKS clusters not created in BYOCNI mode:\n # use Azure integration (`azure.enabled`) instead.\n enabled: false\n # @schema\n # type: [boolean, string]\n # @schema\n # -- Enable installation of PodCIDR routes between worker\n # nodes if worker nodes share a common L2 network segment.\n autoDirectNodeRoutes: false\n # -- Enable skipping of PodCIDR routes between worker\n # nodes if the worker nodes are in a different L2 network segment.\n directRoutingSkipUnreachable: false\n # -- Annotate k8s node upon initialization with Cilium's metadata.\n annotateK8sNode: false\n azure:\n # -- Enable Azure integration.\n # Note that this is incompatible with AKS clusters created in BYOCNI mode: use\n # AKS BYOCNI integration (`aksbyocni.enabled`) instead.\n enabled: false\n # usePrimaryAddress: false\n # resourceGroup: group1\n # subscriptionID: 00000000-0000-0000-0000-000000000000\n # tenantID: 00000000-0000-0000-0000-000000000000\n # clientID: 00000000-0000-0000-0000-000000000000\n # clientSecret: 00000000-0000-0000-0000-000000000000\n # userAssignedIdentityID: 00000000-0000-0000-0000-000000000000\n alibabacloud:\n # -- Enable AlibabaCloud ENI integration\n enabled: false\n # -- Enable bandwidth manager to optimize TCP and UDP workloads and allow\n # for rate-limiting traffic from individual Pods with EDT (Earliest Departure\n # Time) through the \"kubernetes.io/egress-bandwidth\" Pod annotation.\n bandwidthManager:\n # -- Enable bandwidth manager infrastructure (also prerequirement for BBR)\n enabled: false\n # -- Activate BBR TCP congestion control for Pods\n bbr: false\n # -- Configure standalone NAT46/NAT64 gateway\n nat46x64Gateway:\n # -- Enable RFC8215-prefixed translation\n enabled: false\n # -- EnableHighScaleIPcache enables the special ipcache mode for high scale\n # clusters. The ipcache content will be reduced to the strict minimum and\n # traffic will be encapsulated to carry security identities.\n highScaleIPcache:\n # -- Enable the high scale mode for the ipcache.\n enabled: false\n # -- Configure L2 announcements\n l2announcements:\n # -- Enable L2 announcements\n enabled: false\n # -- If a lease is not renewed for X duration, the current leader is considered dead, a new leader is picked\n # leaseDuration: 15s\n # -- The interval at which the leader will renew the lease\n # leaseRenewDeadline: 5s\n # -- The timeout between retries if renewal fails\n # leaseRetryPeriod: 2s\n # -- Configure L2 pod announcements\n l2podAnnouncements:\n # -- Enable L2 pod announcements\n enabled: false\n # -- Interface used for sending Gratuitous ARP pod announcements\n interface: \"eth0\"\n # -- This feature set enables virtual BGP routers to be created via\n # CiliumBGPPeeringPolicy CRDs.\n bgpControlPlane:\n # -- Enables the BGP control plane.\n enabled: false\n # -- SecretsNamespace is the namespace which BGP support will retrieve secrets from.\n secretsNamespace:\n # -- Create secrets namespace for BGP secrets.\n create: false\n # -- The name of the secret namespace to which Cilium agents are given read access\n name: kube-system\n # -- Status reporting settings (BGPv2 only)\n statusReport:\n # -- Enable/Disable BGPv2 status reporting\n # It is recommended to enable status reporting in general, but if you have any issue\n # such as high API server load, you can disable it by setting this to false.\n enabled: true\n pmtuDiscovery:\n # -- Enable path MTU discovery to send ICMP fragmentation-needed replies to\n # the client.\n enabled: false\n bpf:\n autoMount:\n # -- Enable automatic mount of BPF filesystem\n # When `autoMount` is enabled, the BPF filesystem is mounted at\n # `bpf.root` path on the underlying host and inside the cilium agent pod.\n # If users disable `autoMount`, it's expected that users have mounted\n # bpffs filesystem at the specified `bpf.root` volume, and then the\n # volume will be mounted inside the cilium agent pod at the same path.\n enabled: true\n # -- Configure the mount point for the BPF filesystem\n root: /sys/fs/bpf\n # -- Enables pre-allocation of eBPF map values. This increases\n # memory usage but can reduce latency.\n preallocateMaps: false\n # @schema\n # type: [null, integer]\n # @schema\n # -- (int) Configure the maximum number of entries in auth map.\n # @default -- `524288`\n authMapMax: ~\n # -- Enable CT accounting for packets and bytes\n ctAccounting: false\n # @schema\n # type: [null, integer]\n # @schema\n # -- (int) Configure the maximum number of entries in the TCP connection tracking\n # table.\n # @default -- `524288`\n ctTcpMax: ~\n # @schema\n # type: [null, integer]\n # @schema\n # -- (int) Configure the maximum number of entries for the non-TCP connection\n # tracking table.\n # @default -- `262144`\n ctAnyMax: ~\n # -- Control to use a distributed per-CPU backend memory for the core BPF LRU maps\n # which Cilium uses. This improves performance significantly, but it is also\n # recommended to increase BPF map sizing along with that.\n distributedLRU:\n # -- Enable distributed LRU backend memory. For compatibility with existing\n # installations it is off by default.\n enabled: false\n # -- Control events generated by the Cilium datapath exposed to Cilium monitor and Hubble.\n # Helm configuration for BPF events map rate limiting is experimental and might change\n # in upcoming releases.\n events:\n # -- Default settings for all types of events except dbg and pcap.\n default:\n # -- (int) Configure the limit of messages per second that can be written to\n # BPF events map. The number of messages is averaged, meaning that if no messages\n # were written to the map over 5 seconds, it's possible to write more events\n # in the 6th second. If rateLimit is greater than 0, non-zero value for burstLimit must\n # also be provided lest the configuration is considered invalid. Setting both burstLimit\n # and rateLimit to 0 disables BPF events rate limiting.\n # @default -- `0`\n rateLimit: ~\n # -- (int) Configure the maximum number of messages that can be written to BPF events\n # map in 1 second. If burstLimit is greater than 0, non-zero value for rateLimit must\n # also be provided lest the configuration is considered invalid. Setting both burstLimit\n # and rateLimit to 0 disables BPF events rate limiting.\n # @default -- `0`\n burstLimit: ~\n drop:\n # -- Enable drop events.\n enabled: true\n policyVerdict:\n # -- Enable policy verdict events.\n enabled: true\n trace:\n # -- Enable trace events.\n enabled: true\n # @schema\n # type: [null, integer]\n # @schema\n # -- Configure the maximum number of service entries in the\n # load balancer maps.\n lbMapMax: 65536\n # @schema\n # type: [null, integer]\n # @schema\n # -- (int) Configure the maximum number of entries for the NAT table.\n # @default -- `524288`\n natMax: ~\n # @schema\n # type: [null, integer]\n # @schema\n # -- (int) Configure the maximum number of entries for the neighbor table.\n # @default -- `524288`\n neighMax: ~\n # @schema\n # type: [null, integer]\n # @schema\n # @default -- `16384`\n # -- (int) Configures the maximum number of entries for the node table.\n nodeMapMax: ~\n # -- Configure the maximum number of entries in endpoint policy map (per endpoint).\n # @schema\n # type: [null, integer]\n # @schema\n policyMapMax: 16384\n # @schema\n # type: [null, number]\n # @schema\n # -- (float64) Configure auto-sizing for all BPF maps based on available memory.\n # ref: https://docs.cilium.io/en/stable/network/ebpf/maps/\n # @default -- `0.0025`\n mapDynamicSizeRatio: ~\n # -- Configure the level of aggregation for monitor notifications.\n # Valid options are none, low, medium, maximum.\n monitorAggregation: medium\n # -- Configure the typical time between monitor notifications for\n # active connections.\n monitorInterval: \"5s\"\n # -- Configure which TCP flags trigger notifications when seen for the\n # first time in a connection.\n monitorFlags: \"all\"\n # -- (bool) Allow cluster external access to ClusterIP services.\n # @default -- `false`\n lbExternalClusterIP: false\n # -- (bool) Enable loadBalancerSourceRanges CIDR filtering for all service\n # types, not just LoadBalancer services. The corresponding NodePort and\n # ClusterIP (if enabled for cluster-external traffic) will also apply the\n # CIDR filter.\n # @default -- `false`\n lbSourceRangeAllTypes: false\n # -- (bool) Enable the option to define the load balancing algorithm on\n # a per-service basis through service.cilium.io/lb-algorithm annotation.\n # @default -- `false`\n lbAlgorithmAnnotation: false\n # -- (bool) Enable the option to define the load balancing mode (SNAT or DSR)\n # on a per-service basis through service.cilium.io/forwarding-mode annotation.\n # @default -- `false`\n lbModeAnnotation: false\n # @schema\n # type: [null, boolean]\n # @schema\n # -- (bool) Enable native IP masquerade support in eBPF\n # @default -- `false`\n masquerade: ~\n # @schema\n # type: [null, boolean]\n # @schema\n # -- (bool) Configure whether direct routing mode should route traffic via\n # host stack (true) or directly and more efficiently out of BPF (false) if\n # the kernel supports it. The latter has the implication that it will also\n # bypass netfilter in the host namespace.\n # @default -- `false`\n hostLegacyRouting: false\n # @schema\n # type: [null, boolean]\n # @schema\n # -- (bool) Configure the eBPF-based TPROXY (beta) to reduce reliance on iptables rules\n # for implementing Layer 7 policy.\n # @default -- `false`\n tproxy: ~\n # @schema\n # type: [null, array]\n # @schema\n # -- (list) Configure explicitly allowed VLAN id's for bpf logic bypass.\n # [0] will allow all VLAN id's without any filtering.\n # @default -- `[]`\n vlanBypass: ~\n # -- (bool) Disable ExternalIP mitigation (CVE-2020-8554)\n # @default -- `false`\n disableExternalIPMitigation: false\n # -- (bool) Attach endpoint programs using tcx instead of legacy tc hooks on\n # supported kernels.\n # @default -- `true`\n enableTCX: true\n # -- (string) Mode for Pod devices for the core datapath (veth, netkit, netkit-l2, lb-only)\n # @default -- `veth`\n datapathMode: veth\n # -- Enable BPF clock source probing for more efficient tick retrieval.\n bpfClockProbe: false\n # -- Clean all eBPF datapath state from the initContainer of the cilium-agent\n # DaemonSet.\n #\n # WARNING: Use with care!\n cleanBpfState: false\n # -- Clean all local Cilium state from the initContainer of the cilium-agent\n # DaemonSet. Implies cleanBpfState: true.\n #\n # WARNING: Use with care!\n cleanState: false\n # -- Wait for KUBE-PROXY-CANARY iptables rule to appear in \"wait-for-kube-proxy\"\n # init container before launching cilium-agent.\n # More context can be found in the commit message of below PR\n # https://github.com/cilium/cilium/pull/20123\n waitForKubeProxy: false\n cni:\n # -- Install the CNI configuration and binary files into the filesystem.\n install: true\n # -- Remove the CNI configuration and binary files on agent shutdown. Enable this\n # if you're removing Cilium from the cluster. Disable this to prevent the CNI\n # configuration file from being removed during agent upgrade, which can cause\n # nodes to go unmanageable.\n uninstall: false\n # @schema\n # type: [null, string]\n # @schema\n # -- Configure chaining on top of other CNI plugins. Possible values:\n # - none\n # - aws-cni\n # - flannel\n # - generic-veth\n # - portmap\n chainingMode: ~\n # @schema\n # type: [null, string]\n # @schema\n # -- A CNI network name in to which the Cilium plugin should be added as a chained plugin.\n # This will cause the agent to watch for a CNI network with this network name. When it is\n # found, this will be used as the basis for Cilium's CNI configuration file. If this is\n # set, it assumes a chaining mode of generic-veth. As a special case, a chaining mode\n # of aws-cni implies a chainingTarget of aws-cni.\n chainingTarget: ~\n # -- Make Cilium take ownership over the `/etc/cni/net.d` directory on the\n # node, renaming all non-Cilium CNI configurations to `*.cilium_bak`.\n # This ensures no Pods can be scheduled using other CNI plugins during Cilium\n # agent downtime.\n exclusive: false\n # -- Configure the log file for CNI logging with retention policy of 7 days.\n # Disable CNI file logging by setting this field to empty explicitly.\n logFile: /var/run/cilium/cilium-cni.log\n # -- Skip writing of the CNI configuration. This can be used if\n # writing of the CNI configuration is performed by external automation.\n customConf: false\n # -- Configure the path to the CNI configuration directory on the host.\n confPath: /etc/cni/net.d\n # -- Configure the path to the CNI binary directory on the host.\n binPath: /opt/cni/bin\n # -- Specify the path to a CNI config to read from on agent start.\n # This can be useful if you want to manage your CNI\n # configuration outside of a Kubernetes environment. This parameter is\n # mutually exclusive with the 'cni.configMap' parameter. The agent will\n # write this to 05-cilium.conflist on startup.\n # readCniConf: /host/etc/cni/net.d/05-sample.conflist.input\n\n # -- When defined, configMap will mount the provided value as ConfigMap and\n # interpret the cniConf variable as CNI configuration file and write it\n # when the agent starts up\n # configMap: cni-configuration\n\n # -- Configure the key in the CNI ConfigMap to read the contents of\n # the CNI configuration from.\n configMapKey: cni-config\n # -- Configure the path to where to mount the ConfigMap inside the agent pod.\n confFileMountPath: /tmp/cni-configuration\n # -- Configure the path to where the CNI configuration directory is mounted\n # inside the agent pod.\n hostConfDirMountPath: /host/etc/cni/net.d\n # -- Specifies the resources for the cni initContainer\n resources:\n requests:\n cpu: 100m\n memory: 10Mi\n # -- Enable route MTU for pod netns when CNI chaining is used\n enableRouteMTUForCNIChaining: false\n # -- (string) Configure how frequently garbage collection should occur for the datapath\n # connection tracking table.\n # @default -- `\"0s\"`\n conntrackGCInterval: \"\"\n # -- (string) Configure the maximum frequency for the garbage collection of the\n # connection tracking table. Only affects the automatic computation for the frequency\n # and has no effect when 'conntrackGCInterval' is set. This can be set to more frequently\n # clean up unused identities created from ToFQDN policies.\n conntrackGCMaxInterval: \"\"\n # -- (string) Configure timeout in which Cilium will exit if CRDs are not available\n # @default -- `\"5m\"`\n crdWaitTimeout: \"\"\n # -- Tail call hooks for custom eBPF programs.\n customCalls:\n # -- Enable tail call hooks for custom eBPF programs.\n enabled: false\n daemon:\n # -- Configure where Cilium runtime state should be stored.\n runPath: \"/var/run/cilium\"\n # @schema\n # type: [null, string]\n # @schema\n # -- Configure a custom list of possible configuration override sources\n # The default is \"config-map:cilium-config,cilium-node-config\". For supported\n # values, see the help text for the build-config subcommand.\n # Note that this value should be a comma-separated string.\n configSources: ~\n # @schema\n # type: [null, string]\n # @schema\n # -- allowedConfigOverrides is a list of config-map keys that can be overridden.\n # That is to say, if this value is set, config sources (excepting the first one) can\n # only override keys in this list.\n #\n # This takes precedence over blockedConfigOverrides.\n #\n # By default, all keys may be overridden. To disable overrides, set this to \"none\" or\n # change the configSources variable.\n allowedConfigOverrides: ~\n # @schema\n # type: [null, string]\n # @schema\n # -- blockedConfigOverrides is a list of config-map keys that may not be overridden.\n # In other words, if any of these keys appear in a configuration source excepting the\n # first one, they will be ignored\n #\n # This is ignored if allowedConfigOverrides is set.\n #\n # By default, all keys may be overridden.\n blockedConfigOverrides: ~\n # @schema\n # type: [null, boolean]\n # @schema\n # -- enableSourceIPVerification is a boolean flag to enable or disable the Source IP verification\n # of endpoints. This flag is useful when Cilium is chained with other CNIs.\n #\n # By default, this functionality is enabled\n enableSourceIPVerification: true\n # -- Specify which network interfaces can run the eBPF datapath. This means\n # that a packet sent from a pod to a destination outside the cluster will be\n # masqueraded (to an output device IPv4 address), if the output device runs the\n # program. When not specified, probing will automatically detect devices that have\n # a non-local route. This should be used only when autodetection is not suitable.\n # devices: \"\"\n\n # -- Enables experimental support for the detection of new and removed datapath\n # devices. When devices change the eBPF datapath is reloaded and services updated.\n # If \"devices\" is set then only those devices, or devices matching a wildcard will\n # be considered.\n #\n # This option has been deprecated and is a no-op.\n enableRuntimeDeviceDetection: true\n # -- Forces the auto-detection of devices, even if specific devices are explicitly listed\n forceDeviceDetection: true\n # -- Chains to ignore when installing feeder rules.\n # disableIptablesFeederRules: \"\"\n\n # -- Limit iptables-based egress masquerading to interface selector.\n # egressMasqueradeInterfaces: \"\"\n\n # -- Enable setting identity mark for local traffic.\n # enableIdentityMark: true\n\n # -- Enable Kubernetes EndpointSlice feature in Cilium if the cluster supports it.\n # enableK8sEndpointSlice: true\n\n # -- Enable CiliumEndpointSlice feature (deprecated, please use `ciliumEndpointSlice.enabled` instead).\n enableCiliumEndpointSlice: false\n ciliumEndpointSlice:\n # -- Enable Cilium EndpointSlice feature.\n enabled: false\n # -- List of rate limit options to be used for the CiliumEndpointSlice controller.\n # Each object in the list must have the following fields:\n # nodes: Count of nodes at which to apply the rate limit.\n # limit: The sustained request rate in requests per second. The maximum rate that can be configured is 50.\n # burst: The burst request rate in requests per second. The maximum burst that can be configured is 100.\n rateLimits:\n - nodes: 0\n limit: 10\n burst: 20\n - nodes: 100\n limit: 50\n burst: 100\n # @schema\n # enum: [\"identity\", \"fcfs\"]\n # @schema\n # -- The slicing mode to use for CiliumEndpointSlices.\n # identity groups together CiliumEndpoints that share the same identity.\n # fcfs groups together CiliumEndpoints in a first-come-first-serve basis, filling in the largest non-full slice first.\n sliceMode: identity\n envoyConfig:\n # -- Enable CiliumEnvoyConfig CRD\n # CiliumEnvoyConfig CRD can also be implicitly enabled by other options.\n enabled: false\n # -- SecretsNamespace is the namespace in which envoy SDS will retrieve secrets from.\n secretsNamespace:\n # -- Create secrets namespace for CiliumEnvoyConfig CRDs.\n create: true\n # -- The name of the secret namespace to which Cilium agents are given read access.\n name: cilium-secrets\n # -- Interval in which an attempt is made to reconcile failed EnvoyConfigs. If the duration is zero, the retry is deactivated.\n retryInterval: 15s\n ingressController:\n # -- Enable cilium ingress controller\n # This will automatically set enable-envoy-config as well.\n enabled: false\n # -- Set cilium ingress controller to be the default ingress controller\n # This will let cilium ingress controller route entries without ingress class set\n default: false\n # -- Default ingress load balancer mode\n # Supported values: shared, dedicated\n # For granular control, use the following annotations on the ingress resource:\n # \"ingress.cilium.io/loadbalancer-mode: dedicated\" (or \"shared\").\n loadbalancerMode: dedicated\n # -- Enforce https for host having matching TLS host in Ingress.\n # Incoming traffic to http listener will return 308 http error code with respective location in header.\n enforceHttps: true\n # -- Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled.\n enableProxyProtocol: false\n # -- IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service\n ingressLBAnnotationPrefixes: ['lbipam.cilium.io', 'nodeipam.cilium.io', 'service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com']\n # @schema\n # type: [null, string]\n # @schema\n # -- Default secret namespace for ingresses without .spec.tls[].secretName set.\n defaultSecretNamespace:\n # @schema\n # type: [null, string]\n # @schema\n # -- Default secret name for ingresses without .spec.tls[].secretName set.\n defaultSecretName:\n # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from.\n secretsNamespace:\n # -- Create secrets namespace for Ingress.\n create: true\n # -- Name of Ingress secret namespace.\n name: cilium-secrets\n # -- Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name.\n # If disabled, TLS secrets must be maintained externally.\n sync: true\n # -- Load-balancer service in shared mode.\n # This is a single load-balancer service for all Ingress resources.\n service:\n # -- Service name\n name: cilium-ingress\n # -- Labels to be added for the shared LB service\n labels: {}\n # -- Annotations to be added for the shared LB service\n annotations: {}\n # -- Service type for the shared LB service\n type: LoadBalancer\n # @schema\n # type: [null, integer]\n # @schema\n # -- Configure a specific nodePort for insecure HTTP traffic on the shared LB service\n insecureNodePort: ~\n # @schema\n # type: [null, integer]\n # @schema\n # -- Configure a specific nodePort for secure HTTPS traffic on the shared LB service\n secureNodePort: ~\n # @schema\n # type: [null, string]\n # @schema\n # -- Configure a specific loadBalancerClass on the shared LB service (requires Kubernetes 1.24+)\n loadBalancerClass: ~\n # @schema\n # type: [null, string]\n # @schema\n # -- Configure a specific loadBalancerIP on the shared LB service\n loadBalancerIP: ~\n # @schema\n # type: [null, boolean]\n # @schema\n # -- Configure if node port allocation is required for LB service\n # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation\n allocateLoadBalancerNodePorts: ~\n # -- Control how traffic from external sources is routed to the LoadBalancer Kubernetes Service for Cilium Ingress in shared mode.\n # Valid values are \"Cluster\" and \"Local\".\n # ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#external-traffic-policy\n externalTrafficPolicy: Cluster\n # Host Network related configuration\n hostNetwork:\n # -- Configure whether the Envoy listeners should be exposed on the host network.\n enabled: false\n # -- Configure a specific port on the host network that gets used for the shared listener.\n sharedListenerPort: 8080\n # Specify the nodes where the Ingress listeners should be exposed\n nodes:\n # -- Specify the labels of the nodes where the Ingress listeners should be exposed\n #\n # matchLabels:\n # kubernetes.io/os: linux\n # kubernetes.io/hostname: kind-worker\n matchLabels: {}\n gatewayAPI:\n # -- Enable support for Gateway API in cilium\n # This will automatically set enable-envoy-config as well.\n enabled: false\n # -- Enable proxy protocol for all GatewayAPI listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled.\n enableProxyProtocol: false\n # -- Enable Backend Protocol selection support (GEP-1911) for Gateway API via appProtocol.\n enableAppProtocol: false\n # -- Enable ALPN for all listeners configured with Gateway API. ALPN will attempt HTTP/2, then HTTP 1.1.\n # Note that this will also enable `appProtocol` support, and services that wish to use HTTP/2 will need to indicate that via their `appProtocol`.\n enableAlpn: false\n # -- The number of additional GatewayAPI proxy hops from the right side of the HTTP header to trust when determining the origin client's IP address.\n xffNumTrustedHops: 0\n # -- Control how traffic from external sources is routed to the LoadBalancer Kubernetes Service for all Cilium GatewayAPI Gateway instances. Valid values are \"Cluster\" and \"Local\".\n # Note that this value will be ignored when `hostNetwork.enabled == true`.\n # ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#external-traffic-policy\n externalTrafficPolicy: Cluster\n gatewayClass:\n # -- Enable creation of GatewayClass resource\n # The default value is 'auto' which decides according to presence of gateway.networking.k8s.io/v1/GatewayClass in the cluster.\n # Other possible values are 'true' and 'false', which will either always or never create the GatewayClass, respectively.\n create: auto\n # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from.\n secretsNamespace:\n # -- Create secrets namespace for Gateway API.\n create: true\n # -- Name of Gateway API secret namespace.\n name: cilium-secrets\n # -- Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name.\n # If disabled, TLS secrets must be maintained externally.\n sync: true\n # Host Network related configuration\n hostNetwork:\n # -- Configure whether the Envoy listeners should be exposed on the host network.\n enabled: false\n # Specify the nodes where the Ingress listeners should be exposed\n nodes:\n # -- Specify the labels of the nodes where the Ingress listeners should be exposed\n #\n # matchLabels:\n # kubernetes.io/os: linux\n # kubernetes.io/hostname: kind-worker\n matchLabels: {}\n # -- Enables the fallback compatibility solution for when the xt_socket kernel\n # module is missing and it is needed for the datapath L7 redirection to work\n # properly. See documentation for details on when this can be disabled:\n # https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel.\n enableXTSocketFallback: true\n encryption:\n # -- Enable transparent network encryption.\n enabled: false\n # -- Encryption method. Can be either ipsec or wireguard.\n type: ipsec\n # -- Enable encryption for pure node to node traffic.\n # This option is only effective when encryption.type is set to \"wireguard\".\n nodeEncryption: false\n # -- Configure the WireGuard Pod2Pod strict mode.\n strictMode:\n # -- Enable WireGuard Pod2Pod strict mode.\n enabled: false\n # -- CIDR for the WireGuard Pod2Pod strict mode.\n cidr: \"\"\n # -- Allow dynamic lookup of remote node identities.\n # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap.\n allowRemoteNodeIdentities: false\n ipsec:\n # -- Name of the key file inside the Kubernetes secret configured via secretName.\n keyFile: keys\n # -- Path to mount the secret inside the Cilium pod.\n mountPath: /etc/ipsec\n # -- Name of the Kubernetes secret containing the encryption keys.\n secretName: cilium-ipsec-keys\n # -- The interface to use for encrypted traffic.\n interface: \"\"\n # -- Enable the key watcher. If disabled, a restart of the agent will be\n # necessary on key rotations.\n keyWatcher: true\n # -- Maximum duration of the IPsec key rotation. The previous key will be\n # removed after that delay.\n keyRotationDuration: \"5m\"\n # -- Enable IPsec encrypted overlay\n encryptedOverlay: false\n wireguard:\n # -- Controls WireGuard PersistentKeepalive option. Set 0s to disable.\n persistentKeepalive: 0s\n endpointHealthChecking:\n # -- Enable connectivity health checking between virtual endpoints.\n enabled: true\n endpointRoutes:\n # @schema\n # type: [boolean, string]\n # @schema\n # -- Enable use of per endpoint routes instead of routing via\n # the cilium_host interface.\n enabled: false\n k8sNetworkPolicy:\n # -- Enable support for K8s NetworkPolicy\n enabled: true\n # -- Enable endpoint lockdown on policy map overflow.\n endpointLockdownOnMapOverflow: false\n eni:\n # -- Enable Elastic Network Interface (ENI) integration.\n enabled: false\n # -- Update ENI Adapter limits from the EC2 API\n updateEC2AdapterLimitViaAPI: true\n # -- Release IPs not used from the ENI\n awsReleaseExcessIPs: false\n # -- Enable ENI prefix delegation\n awsEnablePrefixDelegation: false\n # -- EC2 API endpoint to use\n ec2APIEndpoint: \"\"\n # -- Tags to apply to the newly created ENIs\n eniTags: {}\n # -- Interval for garbage collection of unattached ENIs. Set to \"0s\" to disable.\n # @default -- `\"5m\"`\n gcInterval: \"\"\n # -- Additional tags attached to ENIs created by Cilium.\n # Dangling ENIs with this tag will be garbage collected\n # @default -- `{\"io.cilium/cilium-managed\":\"true,\"io.cilium/cluster-name\":\"\u003cauto-detected\u003e\"}`\n gcTags: {}\n # -- If using IAM role for Service Accounts will not try to\n # inject identity values from cilium-aws kubernetes secret.\n # Adds annotation to service account if managed by Helm.\n # See https://github.com/aws/amazon-eks-pod-identity-webhook\n iamRole: \"\"\n # -- Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs\n # Important note: This requires that each instance has an ENI with a matching subnet attached\n # when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium,\n # use the CNI configuration file settings (cni.customConf) instead.\n subnetIDsFilter: []\n # -- Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs\n # Important note: This requires that each instance has an ENI with a matching subnet attached\n # when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium,\n # use the CNI configuration file settings (cni.customConf) instead.\n subnetTagsFilter: []\n # -- Filter via AWS EC2 Instance tags (k=v) which will dictate which AWS EC2 Instances\n # are going to be used to create new ENIs\n instanceTagsFilter: []\n externalIPs:\n # -- Enable ExternalIPs service support.\n enabled: false\n # fragmentTracking enables IPv4 fragment tracking support in the datapath.\n # fragmentTracking: true\n gke:\n # -- Enable Google Kubernetes Engine integration\n enabled: false\n # -- Enable connectivity health checking.\n healthChecking: true\n # -- TCP port for the agent health API. This is not the port for cilium-health.\n healthPort: 9879\n # -- Number of ICMP requests sent for each health check before marking a node or endpoint unreachable.\n healthCheckICMPFailureThreshold: 3\n # -- Configure the host firewall.\n hostFirewall:\n # -- Enables the enforcement of host policies in the eBPF datapath.\n enabled: false\n hostPort:\n # -- Enable hostPort service support.\n enabled: false\n # -- Configure socket LB\n socketLB:\n # -- Enable socket LB\n enabled: false\n # -- Disable socket lb for non-root ns. This is used to enable Istio routing rules.\n hostNamespaceOnly: true\n # -- Enable terminating pod connections to deleted service backends.\n # terminatePodConnections: true\n # -- Enables tracing for socket-based load balancing.\n # tracing: true\n # -- Configure certificate generation for Hubble integration.\n # If hubble.tls.auto.method=cronJob, these values are used\n # for the Kubernetes CronJob which will be scheduled regularly to\n # (re)generate any certificates not provided manually.\n certgen:\n # -- When set to true the certificate authority secret is created.\n generateCA: true\n image:\n # @schema\n # type: [null, string]\n # @schema\n override: ~\n repository: \"us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/certgen\"\n tag: \"v0.2.1\"\n digest: \"\"\n useDigest: false\n pullPolicy: \"IfNotPresent\"\n # -- Seconds after which the completed job pod will be deleted\n ttlSecondsAfterFinished: 1800\n # -- Labels to be added to hubble-certgen pods\n podLabels: {}\n # -- Annotations to be added to the hubble-certgen initial Job and CronJob\n annotations:\n job: {}\n cronJob: {}\n # -- Node selector for certgen\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector\n nodeSelector: {}\n # -- Priority class for certgen\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass\n priorityClassName: \"\"\n # -- Node tolerations for pod assignment on nodes with taints\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/\n tolerations: []\n # -- Additional certgen volumes.\n extraVolumes: []\n # -- Additional certgen volumeMounts.\n extraVolumeMounts: []\n # -- Affinity for certgen\n affinity: {}\n hubble:\n # -- Enable Hubble (true by default).\n enabled: true\n # -- Annotations to be added to all top-level hubble objects (resources under templates/hubble)\n annotations: {}\n # -- Buffer size of the channel Hubble uses to receive monitor events. If this\n # value is not set, the queue size is set to the default monitor queue size.\n # eventQueueSize: \"\"\n\n # -- Number of recent flows for Hubble to cache. Defaults to 4095.\n # Possible values are:\n # 1, 3, 7, 15, 31, 63, 127, 255, 511, 1023,\n # 2047, 4095, 8191, 16383, 32767, 65535\n # eventBufferCapacity: \"4095\"\n\n # -- Hubble metrics configuration.\n # See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics\n # for more comprehensive documentation about Hubble metrics.\n metrics:\n # @schema\n # type: [null, array]\n # @schema\n # -- Configures the list of metrics to collect. If empty or null, metrics\n # are disabled.\n # Example:\n #\n # enabled:\n # - dns:query;ignoreAAAA\n # - drop\n # - tcp\n # - flow\n # - icmp\n # - http\n #\n # You can specify the list of metrics from the helm CLI:\n #\n # --set hubble.metrics.enabled=\"{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}\"\n #\n enabled: ~\n # -- Enables exporting hubble metrics in OpenMetrics format.\n enableOpenMetrics: false\n # -- Configure the port the hubble metric server listens on.\n port: 9965\n tls:\n # Enable hubble metrics server TLS.\n enabled: false\n # Configure hubble metrics server TLS.\n server:\n # -- Name of the Secret containing the certificate and key for the Hubble metrics server.\n # If specified, cert and key are ignored.\n existingSecret: \"\"\n # -- base64 encoded PEM values for the Hubble metrics server certificate (deprecated).\n # Use existingSecret instead.\n cert: \"\"\n # -- base64 encoded PEM values for the Hubble metrics server key (deprecated).\n # Use existingSecret instead.\n key: \"\"\n # -- Extra DNS names added to certificate when it's auto generated\n extraDnsNames: []\n # -- Extra IP addresses added to certificate when it's auto generated\n extraIpAddresses: []\n # -- Configure mTLS for the Hubble metrics server.\n mtls:\n # When set to true enforces mutual TLS between Hubble Metrics server and its clients.\n # False allow non-mutual TLS connections.\n # This option has no effect when TLS is disabled.\n enabled: false\n useSecret: false\n # -- Name of the ConfigMap containing the CA to validate client certificates against.\n # If mTLS is enabled and this is unspecified, it will default to the\n # same CA used for Hubble metrics server certificates.\n name: ~\n # -- Entry of the ConfigMap containing the CA.\n key: ca.crt\n # -- Annotations to be added to hubble-metrics service.\n serviceAnnotations: {}\n serviceMonitor:\n # -- Create ServiceMonitor resources for Prometheus Operator.\n # This requires the prometheus CRDs to be available.\n # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)\n enabled: false\n # -- Labels to add to ServiceMonitor hubble\n labels: {}\n # -- Annotations to add to ServiceMonitor hubble\n annotations: {}\n # -- jobLabel to add for ServiceMonitor hubble\n jobLabel: \"\"\n # -- Interval for scrape metrics.\n interval: \"10s\"\n # -- Relabeling configs for the ServiceMonitor hubble\n relabelings:\n - sourceLabels:\n - __meta_kubernetes_pod_node_name\n targetLabel: node\n replacement: ${1}\n # @schema\n # type: [null, array]\n # @schema\n # -- Metrics relabeling configs for the ServiceMonitor hubble\n metricRelabelings: ~\n # Configure TLS for the ServiceMonitor.\n # Note, when using TLS you will either need to specify\n # tlsConfig.insecureSkipVerify or specify a CA to use.\n tlsConfig: {}\n # -- Grafana dashboards for hubble\n # grafana can import dashboards based on the label and value\n # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards\n dashboards:\n enabled: false\n label: grafana_dashboard\n # @schema\n # type: [null, string]\n # @schema\n namespace: ~\n labelValue: \"1\"\n annotations: {}\n # Dynamic metrics may be reconfigured without a need of agent restarts.\n dynamic:\n enabled: false\n config:\n # ---- Name of configmap with configuration that may be altered to reconfigure metric handlers within a running agent.\n configMapName: cilium-dynamic-metrics-config\n # ---- True if helm installer should create config map.\n # Switch to false if you want to self maintain the file content.\n createConfigMap: true\n # ---- Exporters configuration in YAML format.\n content: []\n # - name: dns\n # contextOptions: []\n # includeFilters: []\n # excludeFilters: []\n # -- Unix domain socket path to listen to when Hubble is enabled.\n socketPath: /var/run/cilium/hubble.sock\n # -- Enables redacting sensitive information present in Layer 7 flows.\n redact:\n enabled: false\n http:\n # -- Enables redacting URL query (GET) parameters.\n # Example:\n #\n # redact:\n # enabled: true\n # http:\n # urlQuery: true\n #\n # You can specify the options from the helm CLI:\n #\n # --set hubble.redact.enabled=\"true\"\n # --set hubble.redact.http.urlQuery=\"true\"\n urlQuery: false\n # -- Enables redacting user info, e.g., password when basic auth is used.\n # Example:\n #\n # redact:\n # enabled: true\n # http:\n # userInfo: true\n #\n # You can specify the options from the helm CLI:\n #\n # --set hubble.redact.enabled=\"true\"\n # --set hubble.redact.http.userInfo=\"true\"\n userInfo: true\n headers:\n # -- List of HTTP headers to allow: headers not matching will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present.\n # Example:\n # redact:\n # enabled: true\n # http:\n # headers:\n # allow:\n # - traceparent\n # - tracestate\n # - Cache-Control\n #\n # You can specify the options from the helm CLI:\n # --set hubble.redact.enabled=\"true\"\n # --set hubble.redact.http.headers.allow=\"traceparent,tracestate,Cache-Control\"\n allow: []\n # -- List of HTTP headers to deny: matching headers will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present.\n # Example:\n # redact:\n # enabled: true\n # http:\n # headers:\n # deny:\n # - Authorization\n # - Proxy-Authorization\n #\n # You can specify the options from the helm CLI:\n # --set hubble.redact.enabled=\"true\"\n # --set hubble.redact.http.headers.deny=\"Authorization,Proxy-Authorization\"\n deny: []\n kafka:\n # -- Enables redacting Kafka's API key.\n # Example:\n #\n # redact:\n # enabled: true\n # kafka:\n # apiKey: true\n #\n # You can specify the options from the helm CLI:\n #\n # --set hubble.redact.enabled=\"true\"\n # --set hubble.redact.kafka.apiKey=\"true\"\n apiKey: true\n # -- An additional address for Hubble to listen to.\n # Set this field \":4244\" if you are enabling Hubble Relay, as it assumes that\n # Hubble is listening on port 4244.\n listenAddress: \":4244\"\n # -- Whether Hubble should prefer to announce IPv6 or IPv4 addresses if both are available.\n preferIpv6: false\n # @schema\n # type: [null, boolean]\n # @schema\n # -- (bool) Skip Hubble events with unknown cgroup ids\n # @default -- `true`\n skipUnknownCGroupIDs: ~\n peerService:\n # -- Service Port for the Peer service.\n # If not set, it is dynamically assigned to port 443 if TLS is enabled and to\n # port 80 if not.\n # servicePort: 80\n # -- Target Port for the Peer service, must match the hubble.listenAddress'\n # port.\n targetPort: 4244\n # -- The cluster domain to use to query the Hubble Peer service. It should\n # be the local cluster.\n clusterDomain: cluster.local\n # -- TLS configuration for Hubble\n tls:\n # -- Enable mutual TLS for listenAddress. Setting this value to false is\n # highly discouraged as the Hubble API provides access to potentially\n # sensitive network flow metadata and is exposed on the host network.\n enabled: true\n # -- Configure automatic TLS certificates generation.\n auto:\n # -- Auto-generate certificates.\n # When set to true, automatically generate a CA and certificates to\n # enable mTLS between Hubble server and Hubble Relay instances. If set to\n # false, the certs for Hubble server need to be provided by setting\n # appropriate values below.\n enabled: true\n # -- Set the method to auto-generate certificates. Supported values:\n # - helm: This method uses Helm to generate all certificates.\n # - cronJob: This method uses a Kubernetes CronJob the generate any\n # certificates not provided by the user at installation\n # time.\n # - certmanager: This method use cert-manager to generate \u0026 rotate certificates.\n method: helm\n # -- Generated certificates validity duration in days.\n #\n # Defaults to 365 days (1 year) because MacOS does not accept\n # self-signed certificates with expirations \u003e 825 days.\n certValidityDuration: 365\n # -- Schedule for certificates regeneration (regardless of their expiration date).\n # Only used if method is \"cronJob\". If nil, then no recurring job will be created.\n # Instead, only the one-shot job is deployed to generate the certificates at\n # installation time.\n #\n # Defaults to midnight of the first day of every fourth month. For syntax, see\n # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax\n schedule: \"0 0 1 */4 *\"\n # [Example]\n # certManagerIssuerRef:\n # group: cert-manager.io\n # kind: ClusterIssuer\n # name: ca-issuer\n # -- certmanager issuer used when hubble.tls.auto.method=certmanager.\n certManagerIssuerRef: {}\n # -- The Hubble server certificate and private key\n server:\n # -- Name of the Secret containing the certificate and key for the Hubble server.\n # If specified, cert and key are ignored.\n existingSecret: \"\"\n # -- base64 encoded PEM values for the Hubble server certificate (deprecated).\n # Use existingSecret instead.\n cert: \"\"\n # -- base64 encoded PEM values for the Hubble server key (deprecated).\n # Use existingSecret instead.\n key: \"\"\n # -- Extra DNS names added to certificate when it's auto generated\n extraDnsNames: []\n # -- Extra IP addresses added to certificate when it's auto generated\n extraIpAddresses: []\n relay:\n # -- Enable Hubble Relay (requires hubble.enabled=true)\n enabled: false\n # -- Roll out Hubble Relay pods automatically when configmap is updated.\n rollOutPods: false\n # -- Hubble-relay container image.\n image:\n # @schema\n # type: [null, string]\n # @schema\n override: ~\n repository: \"us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/hubble-relay\"\n tag: \"v1.17.4\"\n # hubble-relay-digest\n digest: \"\"\n useDigest: false\n pullPolicy: \"IfNotPresent\"\n # -- Specifies the resources for the hubble-relay pods\n resources: {}\n # -- Number of replicas run for the hubble-relay deployment.\n replicas: 1\n # -- Affinity for hubble-replay\n affinity:\n podAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - topologyKey: kubernetes.io/hostname\n labelSelector:\n matchLabels:\n k8s-app: cilium\n # -- Pod topology spread constraints for hubble-relay\n topologySpreadConstraints: []\n # - maxSkew: 1\n # topologyKey: topology.kubernetes.io/zone\n # whenUnsatisfiable: DoNotSchedule\n\n # -- Node labels for pod assignment\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector\n nodeSelector:\n kubernetes.io/os: linux\n # -- Node tolerations for pod assignment on nodes with taints\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/\n tolerations: []\n # -- Additional hubble-relay environment variables.\n extraEnv: []\n # -- Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay)\n annotations: {}\n # -- Annotations to be added to hubble-relay pods\n podAnnotations: {}\n # -- Labels to be added to hubble-relay pods\n podLabels: {}\n # PodDisruptionBudget settings\n podDisruptionBudget:\n # -- enable PodDisruptionBudget\n # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/\n enabled: false\n # @schema\n # type: [null, integer, string]\n # @schema\n # -- Minimum number/percentage of pods that should remain scheduled.\n # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`\n minAvailable: null\n # @schema\n # type: [null, integer, string]\n # @schema\n # -- Maximum number/percentage of pods that may be made unavailable\n maxUnavailable: 1\n # -- The priority class to use for hubble-relay\n priorityClassName: \"\"\n # -- Configure termination grace period for hubble relay Deployment.\n terminationGracePeriodSeconds: 1\n # -- hubble-relay update strategy\n updateStrategy:\n type: RollingUpdate\n rollingUpdate:\n # @schema\n # type: [integer, string]\n # @schema\n maxUnavailable: 1\n # -- Additional hubble-relay volumes.\n extraVolumes: []\n # -- Additional hubble-relay volumeMounts.\n extraVolumeMounts: []\n # -- hubble-relay pod security context\n podSecurityContext:\n fsGroup: 65532\n # -- hubble-relay container security context\n securityContext:\n # readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 65532\n runAsGroup: 65532\n capabilities:\n drop:\n - ALL\n # -- hubble-relay service configuration.\n service:\n # --- The type of service used for Hubble Relay access, either ClusterIP, NodePort or LoadBalancer.\n type: ClusterIP\n # --- The port to use when the service type is set to NodePort.\n nodePort: 31234\n # -- Host to listen to. Specify an empty string to bind to all the interfaces.\n listenHost: \"\"\n # -- Port to listen to.\n listenPort: \"4245\"\n # -- TLS configuration for Hubble Relay\n tls:\n # -- The hubble-relay client certificate and private key.\n # This keypair is presented to Hubble server instances for mTLS\n # authentication and is required when hubble.tls.enabled is true.\n # These values need to be set manually if hubble.tls.auto.enabled is false.\n client:\n # -- Name of the Secret containing the certificate and key for the Hubble metrics server.\n # If specified, cert and key are ignored.\n existingSecret: \"\"\n # -- base64 encoded PEM values for the Hubble relay client certificate (deprecated).\n # Use existingSecret instead.\n cert: \"\"\n # -- base64 encoded PEM values for the Hubble relay client key (deprecated).\n # Use existingSecret instead.\n key: \"\"\n # -- The hubble-relay server certificate and private key\n server:\n # When set to true, enable TLS on for Hubble Relay server\n # (ie: for clients connecting to the Hubble Relay API).\n enabled: false\n # When set to true enforces mutual TLS between Hubble Relay server and its clients.\n # False allow non-mutual TLS connections.\n # This option has no effect when TLS is disabled.\n mtls: false\n # -- Name of the Secret containing the certificate and key for the Hubble relay server.\n # If specified, cert and key are ignored.\n existingSecret: \"\"\n # -- base64 encoded PEM values for the Hubble relay server certificate (deprecated).\n # Use existingSecret instead.\n cert: \"\"\n # -- base64 encoded PEM values for the Hubble relay server key (deprecated).\n # Use existingSecret instead.\n key: \"\"\n # -- extra DNS names added to certificate when its auto gen\n extraDnsNames: []\n # -- extra IP addresses added to certificate when its auto gen\n extraIpAddresses: []\n # DNS name used by the backend to connect to the relay\n # This is a simple workaround as the relay certificates are currently hardcoded to\n # *.hubble-relay.cilium.io\n # See https://github.com/cilium/cilium/pull/28709#discussion_r1371792546\n # For GKE Dataplane V2 this should be set to relay.kube-system.svc.cluster.local\n relayName: \"ui.hubble-relay.cilium.io\"\n # @schema\n # type: [null, string]\n # @schema\n # -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. \"30s\").\n #\n # This option has been deprecated and is a no-op.\n dialTimeout: ~\n # @schema\n # type: [null, string]\n # @schema\n # -- Backoff duration to retry connecting to the local hubble instance in case of failure (e.g. \"30s\").\n retryTimeout: ~\n # @schema\n # type: [null, integer]\n # @schema\n # -- (int) Max number of flows that can be buffered for sorting before being sent to the\n # client (per request) (e.g. 100).\n sortBufferLenMax: ~\n # @schema\n # type: [null, string]\n # @schema\n # -- When the per-request flows sort buffer is not full, a flow is drained every\n # time this timeout is reached (only affects requests in follow-mode) (e.g. \"1s\").\n sortBufferDrainTimeout: ~\n # -- Port to use for the k8s service backed by hubble-relay pods.\n # If not set, it is dynamically assigned to port 443 if TLS is enabled and to\n # port 80 if not.\n # servicePort: 80\n\n # -- Enable prometheus metrics for hubble-relay on the configured port at\n # /metrics\n prometheus:\n enabled: false\n port: 9966\n serviceMonitor:\n # -- Enable service monitors.\n # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)\n enabled: false\n # -- Labels to add to ServiceMonitor hubble-relay\n labels: {}\n # -- Annotations to add to ServiceMonitor hubble-relay\n annotations: {}\n # -- Interval for scrape metrics.\n interval: \"10s\"\n # -- Specify the Kubernetes namespace where Prometheus expects to find\n # service monitors configured.\n # namespace: \"\"\n # @schema\n # type: [null, array]\n # @schema\n # -- Relabeling configs for the ServiceMonitor hubble-relay\n relabelings: ~\n # @schema\n # type: [null, array]\n # @schema\n # -- Metrics relabeling configs for the ServiceMonitor hubble-relay\n metricRelabelings: ~\n gops:\n # -- Enable gops for hubble-relay\n enabled: true\n # -- Configure gops listen port for hubble-relay\n port: 9893\n pprof:\n # -- Enable pprof for hubble-relay\n enabled: false\n # -- Configure pprof listen address for hubble-relay\n address: localhost\n # -- Configure pprof listen port for hubble-relay\n port: 6062\n ui:\n # -- Whether to enable the Hubble UI.\n enabled: false\n standalone:\n # -- When true, it will allow installing the Hubble UI only, without checking dependencies.\n # It is useful if a cluster already has cilium and Hubble relay installed and you just\n # want Hubble UI to be deployed.\n # When installed via helm, installing UI should be done via `helm upgrade` and when installed via the cilium cli, then `cilium hubble enable --ui`\n enabled: false\n tls:\n # -- When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required\n # to provide a volume for mounting the client certificates.\n certsVolume: {}\n # projected:\n # defaultMode: 0400\n # sources:\n # - secret:\n # name: hubble-ui-client-certs\n # items:\n # - key: tls.crt\n # path: client.crt\n # - key: tls.key\n # path: client.key\n # - key: ca.crt\n # path: hubble-relay-ca.crt\n # -- Roll out Hubble-ui pods automatically when configmap is updated.\n rollOutPods: false\n tls:\n client:\n # -- Name of the Secret containing the client certificate and key for Hubble UI\n # If specified, cert and key are ignored.\n existingSecret: \"\"\n # -- base64 encoded PEM values for the Hubble UI client certificate (deprecated).\n # Use existingSecret instead.\n cert: \"\"\n # -- base64 encoded PEM values for the Hubble UI client key (deprecated).\n # Use existingSecret instead.\n key: \"\"\n backend:\n # -- Hubble-ui backend image.\n image:\n # @schema\n # type: [null, string]\n # @schema\n override: ~\n repository: \"us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/hubble-ui-backend\"\n tag: \"v0.13.2\"\n digest: \"\"\n useDigest: false\n pullPolicy: \"IfNotPresent\"\n # -- Hubble-ui backend security context.\n securityContext: {}\n # -- Additional hubble-ui backend environment variables.\n extraEnv: []\n # -- Additional hubble-ui backend volumes.\n extraVolumes: []\n # -- Additional hubble-ui backend volumeMounts.\n extraVolumeMounts: []\n livenessProbe:\n # -- Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+)\n enabled: false\n readinessProbe:\n # -- Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+)\n enabled: false\n # -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment.\n resources: {}\n # limits:\n # cpu: 1000m\n # memory: 1024M\n # requests:\n # cpu: 100m\n # memory: 64Mi\n frontend:\n # -- Hubble-ui frontend image.\n image:\n # @schema\n # type: [null, string]\n # @schema\n override: ~\n repository: \"us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/hubble-ui\"\n tag: \"v0.13.2\"\n digest: \"\"\n useDigest: false\n pullPolicy: \"IfNotPresent\"\n # -- Hubble-ui frontend security context.\n securityContext: {}\n # -- Additional hubble-ui frontend environment variables.\n extraEnv: []\n # -- Additional hubble-ui frontend volumes.\n extraVolumes: []\n # -- Additional hubble-ui frontend volumeMounts.\n extraVolumeMounts: []\n # -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment.\n resources: {}\n # limits:\n # cpu: 1000m\n # memory: 1024M\n # requests:\n # cpu: 100m\n # memory: 64Mi\n server:\n # -- Controls server listener for ipv6\n ipv6:\n enabled: true\n # -- The number of replicas of Hubble UI to deploy.\n replicas: 1\n # -- Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui)\n annotations: {}\n # -- Additional labels to be added to 'hubble-ui' deployment object\n labels: {}\n # -- Annotations to be added to hubble-ui pods\n podAnnotations: {}\n # -- Labels to be added to hubble-ui pods\n podLabels: {}\n # PodDisruptionBudget settings\n podDisruptionBudget:\n # -- enable PodDisruptionBudget\n # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/\n enabled: false\n # @schema\n # type: [null, integer, string]\n # @schema\n # -- Minimum number/percentage of pods that should remain scheduled.\n # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`\n minAvailable: null\n # @schema\n # type: [null, integer, string]\n # @schema\n # -- Maximum number/percentage of pods that may be made unavailable\n maxUnavailable: 1\n # -- Affinity for hubble-ui\n affinity: {}\n # -- Pod topology spread constraints for hubble-ui\n topologySpreadConstraints: []\n # - maxSkew: 1\n # topologyKey: topology.kubernetes.io/zone\n # whenUnsatisfiable: DoNotSchedule\n\n # -- Node labels for pod assignment\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector\n nodeSelector:\n kubernetes.io/os: linux\n # -- Node tolerations for pod assignment on nodes with taints\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/\n tolerations: []\n # -- The priority class to use for hubble-ui\n priorityClassName: \"\"\n # -- hubble-ui update strategy.\n updateStrategy:\n type: RollingUpdate\n rollingUpdate:\n # @schema\n # type: [integer, string]\n # @schema\n maxUnavailable: 1\n # -- Security context to be added to Hubble UI pods\n securityContext:\n runAsUser: 1001\n runAsGroup: 1001\n fsGroup: 1001\n # -- hubble-ui service configuration.\n service:\n # -- Annotations to be added for the Hubble UI service\n annotations: {}\n # --- The type of service used for Hubble UI access, either ClusterIP or NodePort.\n type: ClusterIP\n # --- The port to use when the service type is set to NodePort.\n nodePort: 31235\n # -- Defines base url prefix for all hubble-ui http requests.\n # It needs to be changed in case if ingress for hubble-ui is configured under some sub-path.\n # Trailing `/` is required for custom path, ex. `/service-map/`\n baseUrl: \"/\"\n # -- hubble-ui ingress configuration.\n ingress:\n enabled: false\n annotations: {}\n # kubernetes.io/ingress.class: nginx\n # kubernetes.io/tls-acme: \"true\"\n className: \"\"\n hosts:\n - chart-example.local\n labels: {}\n tls: []\n # - secretName: chart-example-tls\n # hosts:\n # - chart-example.local\n # -- Hubble flows export.\n export:\n # --- Defines max file size of output file before it gets rotated.\n fileMaxSizeMb: 10\n # --- Defines max number of backup/rotated files.\n fileMaxBackups: 5\n # --- Static exporter configuration.\n # Static exporter is bound to agent lifecycle.\n static:\n enabled: false\n filePath: /var/run/cilium/hubble/events.log\n fieldMask: []\n # - time\n # - source\n # - destination\n # - verdict\n allowList: []\n # - '{\"verdict\":[\"DROPPED\",\"ERROR\"]}'\n denyList: []\n # - '{\"source_pod\":[\"kube-system/\"]}'\n # - '{\"destination_pod\":[\"kube-system/\"]}'\n # --- Dynamic exporters configuration.\n # Dynamic exporters may be reconfigured without a need of agent restarts.\n dynamic:\n enabled: false\n config:\n # ---- Name of configmap with configuration that may be altered to reconfigure exporters within a running agents.\n configMapName: cilium-flowlog-config\n # ---- True if helm installer should create config map.\n # Switch to false if you want to self maintain the file content.\n createConfigMap: true\n # ---- Exporters configuration in YAML format.\n content:\n - name: all\n fieldMask: []\n includeFilters: []\n excludeFilters: []\n filePath: \"/var/run/cilium/hubble/events.log\"\n # - name: \"test002\"\n # filePath: \"/var/log/network/flow-log/pa/test002.log\"\n # fieldMask: [\"source.namespace\", \"source.pod_name\", \"destination.namespace\", \"destination.pod_name\", \"verdict\"]\n # includeFilters:\n # - source_pod: [\"default/\"]\n # event_type:\n # - type: 1\n # - destination_pod: [\"frontend/nginx-975996d4c-7hhgt\"]\n # excludeFilters: []\n # end: \"2023-10-09T23:59:59-07:00\"\n # -- Emit v1.Events related to pods on detection of packet drops.\n # This feature is alpha, please provide feedback at https://github.com/cilium/cilium/issues/33975.\n dropEventEmitter:\n enabled: false\n # --- Minimum time between emitting same events.\n interval: 2m\n # --- Drop reasons to emit events for.\n # ref: https://docs.cilium.io/en/stable/_api/v1/flow/README/#dropreason\n reasons:\n - auth_required\n - policy_denied\n # -- Method to use for identity allocation (`crd`, `kvstore` or `doublewrite-readkvstore` / `doublewrite-readcrd` for migrating between identity backends).\n identityAllocationMode: \"crd\"\n # -- (string) Time to wait before using new identity on endpoint identity change.\n # @default -- `\"5s\"`\n identityChangeGracePeriod: \"\"\n # -- Install Iptables rules to skip netfilter connection tracking on all pod\n # traffic. This option is only effective when Cilium is running in direct\n # routing and full KPR mode. Moreover, this option cannot be enabled when Cilium\n # is running in a managed Kubernetes environment or in a chained CNI setup.\n installNoConntrackIptablesRules: false\n ipam:\n # -- Configure IP Address Management mode.\n # ref: https://docs.cilium.io/en/stable/network/concepts/ipam/\n mode: \"kubernetes\"\n # -- Maximum rate at which the CiliumNode custom resource is updated.\n ciliumNodeUpdateRate: \"15s\"\n # -- Pre-allocation settings for IPAM in Multi-Pool mode\n multiPoolPreAllocation: \"\"\n # -- Install ingress/egress routes through uplink on host for Pods when working with delegated IPAM plugin.\n installUplinkRoutesForDelegatedIPAM: false\n operator:\n # @schema\n # type: [array, string]\n # @schema\n # -- IPv4 CIDR list range to delegate to individual nodes for IPAM.\n clusterPoolIPv4PodCIDRList: [\"10.0.0.0/8\"]\n # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM.\n clusterPoolIPv4MaskSize: 24\n # @schema\n # type: [array, string]\n # @schema\n # -- IPv6 CIDR list range to delegate to individual nodes for IPAM.\n clusterPoolIPv6PodCIDRList: [\"fd00::/104\"]\n # -- IPv6 CIDR mask size to delegate to individual nodes for IPAM.\n clusterPoolIPv6MaskSize: 120\n # -- IP pools to auto-create in multi-pool IPAM mode.\n autoCreateCiliumPodIPPools: {}\n # default:\n # ipv4:\n # cidrs:\n # - 10.10.0.0/8\n # maskSize: 24\n # other:\n # ipv6:\n # cidrs:\n # - fd00:100::/80\n # maskSize: 96\n # @schema\n # type: [null, integer]\n # @schema\n # -- (int) The maximum burst size when rate limiting access to external APIs.\n # Also known as the token bucket capacity.\n # @default -- `20`\n externalAPILimitBurstSize: ~\n # @schema\n # type: [null, number]\n # @schema\n # -- (float) The maximum queries per second when rate limiting access to\n # external APIs. Also known as the bucket refill rate, which is used to\n # refill the bucket up to the burst size capacity.\n # @default -- `4.0`\n externalAPILimitQPS: ~\n # -- defaultLBServiceIPAM indicates the default LoadBalancer Service IPAM when\n # no LoadBalancer class is set. Applicable values: lbipam, nodeipam, none\n # @schema\n # type: [string]\n # @schema\n defaultLBServiceIPAM: lbipam\n nodeIPAM:\n # -- Configure Node IPAM\n # ref: https://docs.cilium.io/en/stable/network/node-ipam/\n enabled: false\n # @schema\n # type: [null, string]\n # @schema\n # -- The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API\n apiRateLimit: ~\n # -- Configure the eBPF-based ip-masq-agent\n ipMasqAgent:\n enabled: false\n # the config of nonMasqueradeCIDRs\n # config:\n # nonMasqueradeCIDRs: []\n # masqLinkLocal: false\n # masqLinkLocalIPv6: false\n\n # iptablesLockTimeout defines the iptables \"--wait\" option when invoked from Cilium.\n # iptablesLockTimeout: \"5s\"\n ipv4:\n # -- Enable IPv4 support.\n enabled: true\n ipv6:\n # -- Enable IPv6 support.\n enabled: false\n # -- Configure Kubernetes specific configuration\n k8s:\n # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR\n # range via the Kubernetes node resource\n requireIPv4PodCIDR: false\n # -- requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR\n # range via the Kubernetes node resource\n requireIPv6PodCIDR: false\n # -- Keep the deprecated selector labels when deploying Cilium DaemonSet.\n keepDeprecatedLabels: false\n # -- Keep the deprecated probes when deploying Cilium DaemonSet\n keepDeprecatedProbes: false\n startupProbe:\n # -- failure threshold of startup probe.\n # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s)\n failureThreshold: 105\n # -- interval between checks of the startup probe\n periodSeconds: 2\n livenessProbe:\n # -- failure threshold of liveness probe\n failureThreshold: 10\n # -- interval between checks of the liveness probe\n periodSeconds: 30\n # -- whether to require k8s connectivity as part of the check.\n requireK8sConnectivity: false\n readinessProbe:\n # -- failure threshold of readiness probe\n failureThreshold: 3\n # -- interval between checks of the readiness probe\n periodSeconds: 30\n # -- Configure the kube-proxy replacement in Cilium BPF datapath\n # Valid options are \"true\" or \"false\".\n # ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/\n kubeProxyReplacement: \"false\"\n\n # -- healthz server bind address for the kube-proxy replacement.\n # To enable set the value to '0.0.0.0:10256' for all ipv4\n # addresses and this '[::]:10256' for all ipv6 addresses.\n # By default it is disabled.\n kubeProxyReplacementHealthzBindAddr: \"\"\n l2NeighDiscovery:\n # -- Enable L2 neighbor discovery in the agent\n enabled: true\n # -- Override the agent's default neighbor resolution refresh period.\n refreshPeriod: \"30s\"\n # -- Enable Layer 7 network policy.\n l7Proxy: true\n # -- Enable Local Redirect Policy.\n localRedirectPolicy: false\n # To include or exclude matched resources from cilium identity evaluation\n # labels: \"\"\n\n # logOptions allows you to define logging options. eg:\n # logOptions:\n # format: json\n\n # -- Enables periodic logging of system load\n logSystemLoad: false\n # -- Configure maglev consistent hashing\n maglev: {}\n # -- tableSize is the size (parameter M) for the backend table of one\n # service entry\n # tableSize:\n\n # -- hashSeed is the cluster-wide base64 encoded seed for the hashing\n # hashSeed:\n\n # -- Enables masquerading of IPv4 traffic leaving the node from endpoints.\n enableIPv4Masquerade: true\n # -- Enables masquerading of IPv6 traffic leaving the node from endpoints.\n enableIPv6Masquerade: true\n # -- Enables masquerading to the source of the route for traffic leaving the node from endpoints.\n enableMasqueradeRouteSource: false\n # -- Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods\n enableIPv4BIGTCP: false\n # -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods\n enableIPv6BIGTCP: false\n nat:\n # -- Number of the top-k SNAT map connections to track in Cilium statedb.\n mapStatsEntries: 32\n # -- Interval between how often SNAT map is counted for stats.\n mapStatsInterval: 30s\n egressGateway:\n # -- Enables egress gateway to redirect and SNAT the traffic that leaves the\n # cluster.\n enabled: false\n # -- Time between triggers of egress gateway state reconciliations\n reconciliationTriggerInterval: 1s\n # -- Maximum number of entries in egress gateway policy map\n # maxPolicyEntries: 16384\n vtep:\n # -- Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow\n # Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel.\n enabled: false\n # -- A space separated list of VTEP device endpoint IPs, for example \"1.1.1.1 1.1.2.1\"\n endpoint: \"\"\n # -- A space separated list of VTEP device CIDRs, for example \"1.1.1.0/24 1.1.2.0/24\"\n cidr: \"\"\n # -- VTEP CIDRs Mask that applies to all VTEP CIDRs, for example \"255.255.255.0\"\n mask: \"\"\n # -- A space separated list of VTEP device MAC addresses (VTEP MAC), for example \"x:x:x:x:x:x y:y:y:y:y:y:y\"\n mac: \"\"\n # -- (string) Allows to explicitly specify the IPv4 CIDR for native routing.\n # When specified, Cilium assumes networking for this CIDR is preconfigured and\n # hands traffic destined for that range to the Linux network stack without\n # applying any SNAT.\n # Generally speaking, specifying a native routing CIDR implies that Cilium can\n # depend on the underlying networking stack to route packets to their\n # destination. To offer a concrete example, if Cilium is configured to use\n # direct routing and the Kubernetes CIDR is included in the native routing CIDR,\n # the user must configure the routes to reach pods, either manually or by\n # setting the auto-direct-node-routes flag.\n ipv4NativeRoutingCIDR: \"\"\n # -- (string) Allows to explicitly specify the IPv6 CIDR for native routing.\n # When specified, Cilium assumes networking for this CIDR is preconfigured and\n # hands traffic destined for that range to the Linux network stack without\n # applying any SNAT.\n # Generally speaking, specifying a native routing CIDR implies that Cilium can\n # depend on the underlying networking stack to route packets to their\n # destination. To offer a concrete example, if Cilium is configured to use\n # direct routing and the Kubernetes CIDR is included in the native routing CIDR,\n # the user must configure the routes to reach pods, either manually or by\n # setting the auto-direct-node-routes flag.\n ipv6NativeRoutingCIDR: \"\"\n # -- cilium-monitor sidecar.\n monitor:\n # -- Enable the cilium-monitor sidecar.\n enabled: false\n # -- Configure service load balancing\n loadBalancer:\n # -- standalone enables the standalone L4LB which does not connect to\n # kube-apiserver.\n # standalone: false\n\n # -- algorithm is the name of the load balancing algorithm for backend\n # selection e.g. random or maglev\n # algorithm: random\n\n # -- mode is the operation mode of load balancing for remote backends\n # e.g. snat, dsr, hybrid\n # mode: snat\n\n # -- acceleration is the option to accelerate service handling via XDP\n # Applicable values can be: disabled (do not use XDP), native (XDP BPF\n # program is run directly out of the networking driver's early receive\n # path), or best-effort (use native mode XDP acceleration on devices\n # that support it).\n acceleration: disabled\n # -- dsrDispatch configures whether IP option or IPIP encapsulation is\n # used to pass a service IP and port to remote backend\n # dsrDispatch: opt\n\n # -- serviceTopology enables K8s Topology Aware Hints -based service\n # endpoints filtering\n # serviceTopology: false\n\n # -- experimental enables support for the experimental load-balancing\n # control-plane.\n experimental: false\n # -- L7 LoadBalancer\n l7:\n # -- Enable L7 service load balancing via envoy proxy.\n # The request to a k8s service, which has specific annotation e.g. service.cilium.io/lb-l7,\n # will be forwarded to the local backend proxy to be load balanced to the service endpoints.\n # Please refer to docs for supported annotations for more configuration.\n #\n # Applicable values:\n # - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well.\n # - disabled: Disable L7 load balancing by way of service annotation.\n backend: disabled\n # -- List of ports from service to be automatically redirected to above backend.\n # Any service exposing one of these ports will be automatically redirected.\n # Fine-grained control can be achieved by using the service annotation.\n ports: []\n # -- Default LB algorithm\n # The default LB algorithm to be used for services, which can be overridden by the\n # service annotation (e.g. service.cilium.io/lb-l7-algorithm)\n # Applicable values: round_robin, least_request, random\n algorithm: round_robin\n # -- Configure N-S k8s service loadbalancing\n nodePort:\n # -- Enable the Cilium NodePort service implementation.\n enabled: false\n # -- Port range to use for NodePort services.\n # range: \"30000,32767\"\n\n # @schema\n # type: [null, string, array]\n # @schema\n # -- List of CIDRs for choosing which IP addresses assigned to native devices are used for NodePort load-balancing.\n # By default this is empty and the first suitable, preferably private, IPv4 and IPv6 address assigned to each device is used.\n #\n # Example:\n #\n # addresses: [\"192.168.1.0/24\", \"2001::/64\"]\n #\n addresses: ~\n # -- Set to true to prevent applications binding to service ports.\n bindProtection: true\n # -- Append NodePort range to ip_local_reserved_ports if clash with ephemeral\n # ports is detected.\n autoProtectPortRange: true\n # -- Enable healthcheck nodePort server for NodePort services\n enableHealthCheck: true\n # -- Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs\n # EnableHealthCheck to be enabled\n enableHealthCheckLoadBalancerIP: false\n # policyAuditMode: false\n\n # -- The agent can be put into one of the three policy enforcement modes:\n # default, always and never.\n # ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes\n policyEnforcementMode: \"default\"\n # @schema\n # type: [null, string, array]\n # @schema\n # -- policyCIDRMatchMode is a list of entities that may be selected by CIDR selector.\n # The possible value is \"nodes\".\n policyCIDRMatchMode:\n pprof:\n # -- Enable pprof for cilium-agent\n enabled: false\n # -- Configure pprof listen address for cilium-agent\n address: localhost\n # -- Configure pprof listen port for cilium-agent\n port: 6060\n # -- Configure prometheus metrics on the configured port at /metrics\n prometheus:\n metricsService: false\n enabled: false\n port: 9962\n serviceMonitor:\n # -- Enable service monitors.\n # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)\n enabled: false\n # -- Labels to add to ServiceMonitor cilium-agent\n labels: {}\n # -- Annotations to add to ServiceMonitor cilium-agent\n annotations: {}\n # -- jobLabel to add for ServiceMonitor cilium-agent\n jobLabel: \"\"\n # -- Interval for scrape metrics.\n interval: \"10s\"\n # -- Specify the Kubernetes namespace where Prometheus expects to find\n # service monitors configured.\n # namespace: \"\"\n # -- Relabeling configs for the ServiceMonitor cilium-agent\n relabelings:\n - sourceLabels:\n - __meta_kubernetes_pod_node_name\n targetLabel: node\n replacement: ${1}\n # @schema\n # type: [null, array]\n # @schema\n # -- Metrics relabeling configs for the ServiceMonitor cilium-agent\n metricRelabelings: ~\n # -- Set to `true` and helm will not check for monitoring.coreos.com/v1 CRDs before deploying\n trustCRDsExist: false\n # @schema\n # type: [null, array]\n # @schema\n # -- Metrics that should be enabled or disabled from the default metric list.\n # The list is expected to be separated by a space. (+metric_foo to enable\n # metric_foo , -metric_bar to disable metric_bar).\n # ref: https://docs.cilium.io/en/stable/observability/metrics/\n metrics: ~\n # --- Enable controller group metrics for monitoring specific Cilium\n # subsystems. The list is a list of controller group names. The special\n # values of \"all\" and \"none\" are supported. The set of controller\n # group names is not guaranteed to be stable between Cilium versions.\n controllerGroupMetrics:\n - write-cni-file\n - sync-host-ips\n - sync-lb-maps-with-k8s-services\n # -- Grafana dashboards for cilium-agent\n # grafana can import dashboards based on the label and value\n # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards\n dashboards:\n enabled: false\n label: grafana_dashboard\n # @schema\n # type: [null, string]\n # @schema\n namespace: ~\n labelValue: \"1\"\n annotations: {}\n # Configure Cilium Envoy options.\n envoy:\n # @schema\n # type: [null, boolean]\n # @schema\n # -- Enable Envoy Proxy in standalone DaemonSet.\n # This field is enabled by default for new installation.\n # @default -- `true` for new installation\n enabled: false\n # -- (int)\n # Set Envoy'--base-id' to use when allocating shared memory regions.\n # Only needs to be changed if multiple Envoy instances will run on the same node and may have conflicts. Supported values: 0 - 4294967295. Defaults to '0'\n baseID: 0\n log:\n # @schema\n # type: [null, string]\n # @schema\n # -- The format string to use for laying out the log message metadata of Envoy. If specified, Envoy will use text format output.\n # This setting is mutually exclusive with envoy.log.format_json.\n format: \"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v\"\n # @schema\n # type: [null, object]\n # @schema\n # -- The JSON logging format to use for Envoy. This setting is mutually exclusive with envoy.log.format.\n # ref: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-applicationlogconfig-logformat-json-format\n format_json: null\n # date: \"%Y-%m-%dT%T.%e\"\n # thread_id: \"%t\"\n # source_line: \"%s:%#\"\n # level: \"%l\"\n # logger: \"%n\"\n # message: \"%j\"\n # -- Path to a separate Envoy log file, if any. Defaults to /dev/stdout.\n path: \"\"\n # @schema\n # oneOf:\n # - type: [null]\n # - enum: [trace,debug,info,warning,error,critical,off]\n # @schema\n # -- Default log level of Envoy application log that is configured if Cilium debug / verbose logging isn't enabled.\n # This option allows to have a different log level than the Cilium Agent - e.g. lower it to `critical`.\n # Possible values: trace, debug, info, warning, error, critical, off\n # @default -- Defaults to the default log level of the Cilium Agent - `info`\n defaultLevel: ~\n # @schema\n # type: [null, integer]\n # @schema\n # -- Size of the Envoy access log buffer created within the agent in bytes.\n # Tune this value up if you encounter \"Envoy: Discarded truncated access log message\" errors.\n # Large request/response header sizes (e.g. 16KiB) will require a larger buffer size.\n accessLogBufferSize: 4096\n # -- Time in seconds after which a TCP connection attempt times out\n connectTimeoutSeconds: 2\n # -- Time in seconds after which the initial fetch on an xDS stream is considered timed out\n initialFetchTimeoutSeconds: 30\n # -- Maximum number of concurrent retries on Envoy clusters\n maxConcurrentRetries: 128\n # -- Maximum number of retries for each HTTP request\n httpRetryCount: 3\n # -- ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for Envoy\n maxRequestsPerConnection: 0\n # -- Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable)\n maxConnectionDurationSeconds: 0\n # -- Set Envoy upstream HTTP idle connection timeout seconds.\n # Does not apply to connections with pending requests. Default 60s\n idleTimeoutDurationSeconds: 60\n # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners.\n xffNumTrustedHopsL7PolicyIngress: 0\n # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners.\n xffNumTrustedHopsL7PolicyEgress: 0\n # @schema\n # type: [null, string]\n # @schema\n # -- Max duration to wait for endpoint policies to be restored on restart. Default \"3m\".\n policyRestoreTimeoutDuration: null\n # -- Envoy container image.\n image:\n # @schema\n # type: [null, string]\n # @schema\n override: ~\n repository: \"us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/cilium-envoy\"\n tag: \"v1.32.6-1746661844-0f602c28cb2aa57b29078195049fb257d5b5246c\"\n pullPolicy: \"IfNotPresent\"\n digest: \"\"\n useDigest: false\n # -- Additional containers added to the cilium Envoy DaemonSet.\n extraContainers: []\n # -- Additional envoy container arguments.\n extraArgs: []\n # -- Additional envoy container environment variables.\n extraEnv: []\n # -- Additional envoy hostPath mounts.\n extraHostPathMounts: []\n # - name: host-mnt-data\n # mountPath: /host/mnt/data\n # hostPath: /mnt/data\n # hostPathType: Directory\n # readOnly: true\n # mountPropagation: HostToContainer\n\n # -- Additional envoy volumes.\n extraVolumes: []\n # -- Additional envoy volumeMounts.\n extraVolumeMounts: []\n # -- Configure termination grace period for cilium-envoy DaemonSet.\n terminationGracePeriodSeconds: 1\n # -- TCP port for the health API.\n healthPort: 9878\n # -- cilium-envoy update strategy\n # ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#updating-a-daemonset\n updateStrategy:\n type: RollingUpdate\n rollingUpdate:\n # @schema\n # type: [integer, string]\n # @schema\n maxUnavailable: 2\n # -- Roll out cilium envoy pods automatically when configmap is updated.\n rollOutPods: false\n # -- ADVANCED OPTION: Bring your own custom Envoy bootstrap ConfigMap. Provide the name of a ConfigMap with a `bootstrap-config.json` key.\n # When specified, Envoy will use this ConfigMap instead of the default provided by the chart.\n # WARNING: Use of this setting has the potential to prevent cilium-envoy from starting up, and can cause unexpected behavior (e.g. due to\n # syntax error or semantically incorrect configuration). Before submitting an issue, please ensure you have disabled this feature, as support\n # cannot be provided for custom Envoy bootstrap configs.\n # @schema\n # type: [null, string]\n # @schema\n bootstrapConfigMap: ~\n # -- Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy)\n annotations: {}\n # -- Security Context for cilium-envoy pods.\n podSecurityContext:\n # -- AppArmorProfile options for the `cilium-agent` and init containers\n appArmorProfile:\n type: \"Unconfined\"\n # -- Annotations to be added to envoy pods\n podAnnotations: {}\n # -- Labels to be added to envoy pods\n podLabels: {}\n # -- Envoy resource limits \u0026 requests\n # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/\n resources: {}\n # limits:\n # cpu: 4000m\n # memory: 4Gi\n # requests:\n # cpu: 100m\n # memory: 512Mi\n\n startupProbe:\n # -- failure threshold of startup probe.\n # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s)\n failureThreshold: 105\n # -- interval between checks of the startup probe\n periodSeconds: 2\n livenessProbe:\n # -- failure threshold of liveness probe\n failureThreshold: 10\n # -- interval between checks of the liveness probe\n periodSeconds: 30\n readinessProbe:\n # -- failure threshold of readiness probe\n failureThreshold: 3\n # -- interval between checks of the readiness probe\n periodSeconds: 30\n securityContext:\n # -- User to run the pod with\n # runAsUser: 0\n # -- Run the pod with elevated privileges\n privileged: false\n # -- SELinux options for the `cilium-envoy` container\n seLinuxOptions:\n level: 's0'\n # Running with spc_t since we have removed the privileged mode.\n # Users can change it to a different type as long as they have the\n # type available on the system.\n type: 'spc_t'\n capabilities:\n # -- Capabilities for the `cilium-envoy` container.\n # Even though granted to the container, the cilium-envoy-starter wrapper drops\n # all capabilities after forking the actual Envoy process.\n # `NET_BIND_SERVICE` is the only capability that can be passed to the Envoy process by\n # setting `envoy.securityContext.capabilities.keepNetBindService=true` (in addition to granting the\n # capability to the container).\n # Note: In case of embedded envoy, the capability must be granted to the cilium-agent container.\n envoy:\n # Used since cilium proxy uses setting IPPROTO_IP/IP_TRANSPARENT\n - NET_ADMIN\n # We need it for now but might not need it for \u003e= 5.11 specially\n # for the 'SYS_RESOURCE'.\n # In \u003e= 5.8 there's already BPF and PERMON capabilities\n - SYS_ADMIN\n # Both PERFMON and BPF requires kernel 5.8, container runtime\n # cri-o \u003e= v1.22.0 or containerd \u003e= v1.5.0.\n # If available, SYS_ADMIN can be removed.\n #- PERFMON\n #- BPF\n # -- Keep capability `NET_BIND_SERVICE` for Envoy process.\n keepCapNetBindService: false\n # -- Affinity for cilium-envoy.\n affinity:\n podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - topologyKey: kubernetes.io/hostname\n labelSelector:\n matchLabels:\n k8s-app: cilium-envoy\n podAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - topologyKey: kubernetes.io/hostname\n labelSelector:\n matchLabels:\n k8s-app: cilium\n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: cilium.io/no-schedule\n operator: NotIn\n values:\n - \"true\"\n # -- Node selector for cilium-envoy.\n nodeSelector:\n kubernetes.io/os: linux\n # -- Node tolerations for envoy scheduling to nodes with taints\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/\n tolerations:\n - operator: Exists\n # - key: \"key\"\n # operator: \"Equal|Exists\"\n # value: \"value\"\n # effect: \"NoSchedule|PreferNoSchedule|NoExecute(1.6 only)\"\n # @schema\n # type: [null, string]\n # @schema\n # -- The priority class to use for cilium-envoy.\n priorityClassName: ~\n # @schema\n # type: [null, string]\n # @schema\n # -- DNS policy for Cilium envoy pods.\n # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy\n dnsPolicy: ~\n debug:\n admin:\n # -- Enable admin interface for cilium-envoy.\n # This is useful for debugging and should not be enabled in production.\n enabled: false\n # -- Port number (bound to loopback interface).\n # kubectl port-forward can be used to access the admin interface.\n port: 9901\n # -- Configure Cilium Envoy Prometheus options.\n # Note that some of these apply to either cilium-agent or cilium-envoy.\n prometheus:\n # -- Enable prometheus metrics for cilium-envoy\n enabled: true\n serviceMonitor:\n # -- Enable service monitors.\n # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)\n # Note that this setting applies to both cilium-envoy _and_ cilium-agent\n # with Envoy enabled.\n enabled: false\n # -- Labels to add to ServiceMonitor cilium-envoy\n labels: {}\n # -- Annotations to add to ServiceMonitor cilium-envoy\n annotations: {}\n # -- Interval for scrape metrics.\n interval: \"10s\"\n # -- Specify the Kubernetes namespace where Prometheus expects to find\n # service monitors configured.\n # namespace: \"\"\n # -- Relabeling configs for the ServiceMonitor cilium-envoy\n # or for cilium-agent with Envoy configured.\n relabelings:\n - sourceLabels:\n - __meta_kubernetes_pod_node_name\n targetLabel: node\n replacement: ${1}\n # @schema\n # type: [null, array]\n # @schema\n # -- Metrics relabeling configs for the ServiceMonitor cilium-envoy\n # or for cilium-agent with Envoy configured.\n metricRelabelings: ~\n # -- Serve prometheus metrics for cilium-envoy on the configured port\n port: \"9964\"\n # -- Enable/Disable use of node label based identity\n nodeSelectorLabels: false\n # -- Enable resource quotas for priority classes used in the cluster.\n resourceQuotas:\n enabled: false\n cilium:\n hard:\n # 5k nodes * 2 DaemonSets (Cilium and cilium node init)\n pods: \"10k\"\n operator:\n hard:\n # 15 \"clusterwide\" Cilium Operator pods for HA\n pods: \"15\"\n # Need to document default\n ##################\n #sessionAffinity: false\n\n # -- Do not run Cilium agent when running with clean mode. Useful to completely\n # uninstall Cilium as it will stop Cilium from starting and create artifacts\n # in the node.\n sleepAfterInit: false\n # -- Enable check of service source ranges (currently, only for LoadBalancer).\n svcSourceRangeCheck: true\n # -- Synchronize Kubernetes nodes to kvstore and perform CNP GC.\n synchronizeK8sNodes: true\n # -- Configure TLS configuration in the agent.\n tls:\n # @schema\n # type: [null, string]\n # @schema\n # -- This configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies\n # (namely the secrets referenced by terminatingTLS and originatingTLS).\n # This value is DEPRECATED and will be removed in a future version.\n # Use `tls.readSecretsOnlyFromSecretsNamespace` instead.\n # Possible values:\n # - local\n # - k8s\n secretsBackend: ~\n # @schema\n # type: [null, boolean]\n # @schema\n # -- Configure if the Cilium Agent will only look in `tls.secretsNamespace` for\n # CiliumNetworkPolicy relevant Secrets.\n # If false, the Cilium Agent will be granted READ (GET/LIST/WATCH) access\n # to _all_ secrets in the entire cluster. This is not recommended and is\n # included for backwards compatibility.\n # This value obsoletes `tls.secretsBackend`, with `true` == `local` in the old\n # setting, and `false` == `k8s`.\n readSecretsOnlyFromSecretsNamespace: ~\n # -- Configures where secrets used in CiliumNetworkPolicies will be looked for\n secretsNamespace:\n # -- Create secrets namespace for TLS Interception secrets.\n create: true\n # -- Name of TLS Interception secret namespace.\n name: cilium-secrets\n # -- Configures settings for synchronization of TLS Interception Secrets\n secretSync:\n # @schema\n # type: [null, boolean]\n # @schema\n # -- Enable synchronization of Secrets for TLS Interception. If disabled and\n # tls.readSecretsOnlyFromSecretsNamespace is set to 'false', then secrets will be read directly by the agent.\n enabled: ~\n # -- Base64 encoded PEM values for the CA certificate and private key.\n # This can be used as common CA to generate certificates used by hubble and clustermesh components.\n # It is neither required nor used when cert-manager is used to generate the certificates.\n ca:\n # -- Optional CA cert. If it is provided, it will be used by cilium to\n # generate all other certificates. Otherwise, an ephemeral CA is generated.\n cert: \"\"\n # -- Optional CA private key. If it is provided, it will be used by cilium to\n # generate all other certificates. Otherwise, an ephemeral CA is generated.\n key: \"\"\n # -- Generated certificates validity duration in days. This will be used for auto generated CA.\n certValidityDuration: 1095\n # -- Configure the CA trust bundle used for the validation of the certificates\n # leveraged by hubble and clustermesh. When enabled, it overrides the content of the\n # 'ca.crt' field of the respective certificates, allowing for CA rotation with no down-time.\n caBundle:\n # -- Enable the use of the CA trust bundle.\n enabled: false\n # -- Name of the ConfigMap containing the CA trust bundle.\n name: cilium-root-ca.crt\n # -- Entry of the ConfigMap containing the CA trust bundle.\n key: ca.crt\n # -- Use a Secret instead of a ConfigMap.\n useSecret: false\n # If uncommented, creates the ConfigMap and fills it with the specified content.\n # Otherwise, the ConfigMap is assumed to be already present in .Release.Namespace.\n #\n # content: |\n # -----BEGIN CERTIFICATE-----\n # ...\n # -----END CERTIFICATE-----\n # -----BEGIN CERTIFICATE-----\n # ...\n # -----END CERTIFICATE-----\n # -- Tunneling protocol to use in tunneling mode and for ad-hoc tunnels.\n # Possible values:\n # - \"\"\n # - vxlan\n # - geneve\n # @default -- `\"vxlan\"`\n tunnelProtocol: \"\"\n # -- Enable native-routing mode or tunneling mode.\n # Possible values:\n # - \"\"\n # - native\n # - tunnel\n # @default -- `\"tunnel\"`\n routingMode: \"\"\n # -- Configure VXLAN and Geneve tunnel port.\n # @default -- Port 8472 for VXLAN, Port 6081 for Geneve\n tunnelPort: 0\n # -- Configure VXLAN and Geneve tunnel source port range hint.\n # @default -- 0-0 to let the kernel driver decide the range\n tunnelSourcePortRange: 0-0\n # -- Configure what the response should be to traffic for a service without backends.\n # Possible values:\n # - reject (default)\n # - drop\n serviceNoBackendResponse: reject\n # -- Configure the underlying network MTU to overwrite auto-detected MTU.\n # This value doesn't change the host network interface MTU i.e. eth0 or ens0.\n # It changes the MTU for cilium_net@cilium_host, cilium_host@cilium_net,\n # cilium_vxlan and lxc_health interfaces.\n MTU: 0\n # -- Disable the usage of CiliumEndpoint CRD.\n disableEndpointCRD: false\n wellKnownIdentities:\n # -- Enable the use of well-known identities.\n enabled: false\n etcd:\n # -- Enable etcd mode for the agent.\n enabled: false\n # -- List of etcd endpoints\n endpoints:\n - https://CHANGE-ME:2379\n # -- Enable use of TLS/SSL for connectivity to etcd.\n ssl: false\n operator:\n # -- Enable the cilium-operator component (required).\n enabled: true\n # -- Roll out cilium-operator pods automatically when configmap is updated.\n rollOutPods: false\n # -- cilium-operator image.\n image:\n # @schema\n # type: [null, string]\n # @schema\n override: ~\n repository: \"us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/operator\"\n tag: \"v1.17.4\"\n # operator-generic-digest\n genericDigest: \"\"\n # operator-azure-digest\n azureDigest: \"\"\n # operator-aws-digest\n awsDigest: \"\"\n # operator-alibabacloud-digest\n alibabacloudDigest: \"\"\n useDigest: false\n pullPolicy: \"IfNotPresent\"\n suffix: \"\"\n # -- Number of replicas to run for the cilium-operator deployment\n replicas: 2\n # -- The priority class to use for cilium-operator\n priorityClassName: \"\"\n # -- DNS policy for Cilium operator pods.\n # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy\n dnsPolicy: \"\"\n # -- cilium-operator update strategy\n updateStrategy:\n type: RollingUpdate\n rollingUpdate:\n # @schema\n # type: [integer, string]\n # @schema\n maxSurge: 25%\n # @schema\n # type: [integer, string]\n # @schema\n maxUnavailable: 50%\n # -- Affinity for cilium-operator\n affinity:\n podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - topologyKey: kubernetes.io/hostname\n labelSelector:\n matchLabels:\n io.cilium/app: operator\n # -- Pod topology spread constraints for cilium-operator\n topologySpreadConstraints: []\n # - maxSkew: 1\n # topologyKey: topology.kubernetes.io/zone\n # whenUnsatisfiable: DoNotSchedule\n\n # -- Node labels for cilium-operator pod assignment\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector\n nodeSelector:\n kubernetes.io/os: linux\n # -- Node tolerations for cilium-operator scheduling to nodes with taints\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/\n tolerations:\n - operator: Exists\n # - key: \"key\"\n # operator: \"Equal|Exists\"\n # value: \"value\"\n # effect: \"NoSchedule|PreferNoSchedule|NoExecute(1.6 only)\"\n # -- Additional cilium-operator container arguments.\n extraArgs: []\n # -- Additional cilium-operator environment variables.\n extraEnv: []\n # -- Additional cilium-operator hostPath mounts.\n extraHostPathMounts: []\n # - name: host-mnt-data\n # mountPath: /host/mnt/data\n # hostPath: /mnt/data\n # hostPathType: Directory\n # readOnly: true\n # mountPropagation: HostToContainer\n\n # -- Additional cilium-operator volumes.\n extraVolumes: []\n # -- Additional cilium-operator volumeMounts.\n extraVolumeMounts: []\n # -- Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator)\n annotations: {}\n # -- HostNetwork setting\n hostNetwork: true\n # -- Security context to be added to cilium-operator pods\n podSecurityContext: {}\n # -- Annotations to be added to cilium-operator pods\n podAnnotations: {}\n # -- Labels to be added to cilium-operator pods\n podLabels: {}\n # PodDisruptionBudget settings\n podDisruptionBudget:\n # -- enable PodDisruptionBudget\n # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/\n enabled: false\n # @schema\n # type: [null, integer, string]\n # @schema\n # -- Minimum number/percentage of pods that should remain scheduled.\n # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`\n minAvailable: null\n # @schema\n # type: [null, integer, string]\n # @schema\n # -- Maximum number/percentage of pods that may be made unavailable\n maxUnavailable: 1\n # -- cilium-operator resource limits \u0026 requests\n # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/\n resources: {}\n # limits:\n # cpu: 1000m\n # memory: 1Gi\n # requests:\n # cpu: 100m\n # memory: 128Mi\n\n # -- Security context to be added to cilium-operator pods\n securityContext: {}\n # runAsUser: 0\n\n # -- Interval for endpoint garbage collection.\n endpointGCInterval: \"5m0s\"\n # -- Interval for cilium node garbage collection.\n nodeGCInterval: \"5m0s\"\n # -- Interval for identity garbage collection.\n identityGCInterval: \"15m0s\"\n # -- Timeout for identity heartbeats.\n identityHeartbeatTimeout: \"30m0s\"\n pprof:\n # -- Enable pprof for cilium-operator\n enabled: false\n # -- Configure pprof listen address for cilium-operator\n address: localhost\n # -- Configure pprof listen port for cilium-operator\n port: 6061\n # -- Enable prometheus metrics for cilium-operator on the configured port at\n # /metrics\n prometheus:\n metricsService: false\n enabled: true\n port: 9963\n serviceMonitor:\n # -- Enable service monitors.\n # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)\n enabled: false\n # -- Labels to add to ServiceMonitor cilium-operator\n labels: {}\n # -- Annotations to add to ServiceMonitor cilium-operator\n annotations: {}\n # -- jobLabel to add for ServiceMonitor cilium-operator\n jobLabel: \"\"\n # -- Interval for scrape metrics.\n interval: \"10s\"\n # @schema\n # type: [null, array]\n # @schema\n # -- Relabeling configs for the ServiceMonitor cilium-operator\n relabelings: ~\n # @schema\n # type: [null, array]\n # @schema\n # -- Metrics relabeling configs for the ServiceMonitor cilium-operator\n metricRelabelings: ~\n # -- Grafana dashboards for cilium-operator\n # grafana can import dashboards based on the label and value\n # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards\n dashboards:\n enabled: false\n label: grafana_dashboard\n # @schema\n # type: [null, string]\n # @schema\n namespace: ~\n labelValue: \"1\"\n annotations: {}\n # -- Skip CRDs creation for cilium-operator\n skipCRDCreation: false\n # -- Remove Cilium node taint from Kubernetes nodes that have a healthy Cilium\n # pod running.\n removeNodeTaints: true\n # @schema\n # type: [null, boolean]\n # @schema\n # -- Taint nodes where Cilium is scheduled but not running. This prevents pods\n # from being scheduled to nodes where Cilium is not the default CNI provider.\n # @default -- same as removeNodeTaints\n setNodeTaints: ~\n # -- Set Node condition NetworkUnavailable to 'false' with the reason\n # 'CiliumIsUp' for nodes that have a healthy Cilium pod.\n setNodeNetworkStatus: true\n unmanagedPodWatcher:\n # -- Restart any pod that are not managed by Cilium.\n restart: true\n # -- Interval, in seconds, to check if there are any pods that are not\n # managed by Cilium.\n intervalSeconds: 15\n nodeinit:\n # -- Enable the node initialization DaemonSet\n enabled: false\n # -- node-init image.\n image:\n # @schema\n # type: [null, string]\n # @schema\n override: ~\n repository: \"us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/startup-script\"\n tag: \"c54c7edeab7fde4da68e59acd319ab24af242c3f\"\n digest: \"\"\n useDigest: false\n pullPolicy: \"IfNotPresent\"\n # -- The priority class to use for the nodeinit pod.\n priorityClassName: \"\"\n # -- node-init update strategy\n updateStrategy:\n type: RollingUpdate\n # -- Additional nodeinit environment variables.\n extraEnv: []\n # -- Additional nodeinit volumes.\n extraVolumes: []\n # -- Additional nodeinit volumeMounts.\n extraVolumeMounts: []\n # -- Affinity for cilium-nodeinit\n affinity: {}\n # -- Node labels for nodeinit pod assignment\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector\n nodeSelector:\n kubernetes.io/os: linux\n # -- Node tolerations for nodeinit scheduling to nodes with taints\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/\n tolerations:\n - operator: Exists\n # - key: \"key\"\n # operator: \"Equal|Exists\"\n # value: \"value\"\n # effect: \"NoSchedule|PreferNoSchedule|NoExecute(1.6 only)\"\n # -- Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit)\n annotations: {}\n # -- Annotations to be added to node-init pods.\n podAnnotations: {}\n # -- Labels to be added to node-init pods.\n podLabels: {}\n # -- Security Context for cilium-node-init pods.\n podSecurityContext:\n # -- AppArmorProfile options for the `cilium-node-init` and init containers\n appArmorProfile:\n type: \"Unconfined\"\n # -- nodeinit resource limits \u0026 requests\n # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/\n resources:\n requests:\n cpu: 100m\n memory: 100Mi\n # -- Security context to be added to nodeinit pods.\n securityContext:\n privileged: false\n seLinuxOptions:\n level: 's0'\n # Running with spc_t since we have removed the privileged mode.\n # Users can change it to a different type as long as they have the\n # type available on the system.\n type: 'spc_t'\n capabilities:\n add:\n # Used in iptables. Consider removing once we are iptables-free\n - SYS_MODULE\n # Used for nsenter\n - NET_ADMIN\n - SYS_ADMIN\n - SYS_CHROOT\n - SYS_PTRACE\n # -- bootstrapFile is the location of the file where the bootstrap timestamp is\n # written by the node-init DaemonSet\n bootstrapFile: \"/tmp/cilium-bootstrap.d/cilium-bootstrap-time\"\n # -- startup offers way to customize startup nodeinit script (pre and post position)\n startup:\n preScript: \"\"\n postScript: \"\"\n # -- prestop offers way to customize prestop nodeinit script (pre and post position)\n prestop:\n preScript: \"\"\n postScript: \"\"\n preflight:\n # -- Enable Cilium pre-flight resources (required for upgrade)\n enabled: false\n # -- Cilium pre-flight image.\n image:\n # @schema\n # type: [null, string]\n # @schema\n override: ~\n repository: \"us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/cilium\"\n tag: \"v1.17.4\"\n # cilium-digest\n digest: \"\"\n useDigest: false\n pullPolicy: \"IfNotPresent\"\n # -- The priority class to use for the preflight pod.\n priorityClassName: \"\"\n # -- preflight update strategy\n updateStrategy:\n type: RollingUpdate\n # -- Additional preflight environment variables.\n extraEnv: []\n # -- Additional preflight volumes.\n extraVolumes: []\n # -- Additional preflight volumeMounts.\n extraVolumeMounts: []\n # -- Affinity for cilium-preflight\n affinity:\n podAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - topologyKey: kubernetes.io/hostname\n labelSelector:\n matchLabels:\n k8s-app: cilium\n # -- Node labels for preflight pod assignment\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector\n nodeSelector:\n kubernetes.io/os: linux\n # -- Node tolerations for preflight scheduling to nodes with taints\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/\n tolerations:\n - operator: Exists\n # - key: \"key\"\n # operator: \"Equal|Exists\"\n # value: \"value\"\n # effect: \"NoSchedule|PreferNoSchedule|NoExecute(1.6 only)\"\n # -- Annotations to be added to all top-level preflight objects (resources under templates/cilium-preflight)\n annotations: {}\n # -- Security context to be added to preflight pods.\n podSecurityContext: {}\n # -- Annotations to be added to preflight pods\n podAnnotations: {}\n # -- Labels to be added to the preflight pod.\n podLabels: {}\n # PodDisruptionBudget settings\n podDisruptionBudget:\n # -- enable PodDisruptionBudget\n # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/\n enabled: false\n # @schema\n # type: [null, integer, string]\n # @schema\n # -- Minimum number/percentage of pods that should remain scheduled.\n # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`\n minAvailable: null\n # @schema\n # type: [null, integer, string]\n # @schema\n # -- Maximum number/percentage of pods that may be made unavailable\n maxUnavailable: 1\n # -- preflight resource limits \u0026 requests\n # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/\n resources: {}\n # limits:\n # cpu: 4000m\n # memory: 4Gi\n # requests:\n # cpu: 100m\n # memory: 512Mi\n\n readinessProbe:\n # -- For how long kubelet should wait before performing the first probe\n initialDelaySeconds: 5\n # -- interval between checks of the readiness probe\n periodSeconds: 5\n # -- Security context to be added to preflight pods\n securityContext: {}\n # runAsUser: 0\n\n # -- Path to write the `--tofqdns-pre-cache` file to.\n tofqdnsPreCache: \"\"\n # -- Configure termination grace period for preflight Deployment and DaemonSet.\n terminationGracePeriodSeconds: 1\n # -- By default we should always validate the installed CNPs before upgrading\n # Cilium. This will make sure the user will have the policies deployed in the\n # cluster with the right schema.\n validateCNPs: true\n # -- Explicitly enable or disable priority class.\n # .Capabilities.KubeVersion is unsettable in `helm template` calls,\n # it depends on k8s libraries version that Helm was compiled against.\n # This option allows to explicitly disable setting the priority class, which\n # is useful for rendering charts for gke clusters in advance.\n enableCriticalPriorityClass: true\n # disableEnvoyVersionCheck removes the check for Envoy, which can be useful\n # on AArch64 as the images do not currently ship a version of Envoy.\n #disableEnvoyVersionCheck: false\n clustermesh:\n # -- Deploy clustermesh-apiserver for clustermesh\n useAPIServer: false\n # -- The maximum number of clusters to support in a ClusterMesh. This value\n # cannot be changed on running clusters, and all clusters in a ClusterMesh\n # must be configured with the same value. Values \u003e 255 will decrease the\n # maximum allocatable cluster-local identities.\n # Supported values are 255 and 511.\n maxConnectedClusters: 255\n # -- Enable the synchronization of Kubernetes EndpointSlices corresponding to\n # the remote endpoints of appropriately-annotated global services through ClusterMesh\n enableEndpointSliceSynchronization: false\n # -- Enable Multi-Cluster Services API support\n enableMCSAPISupport: false\n # -- Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config)\n annotations: {}\n # -- Clustermesh explicit configuration.\n config:\n # -- Enable the Clustermesh explicit configuration.\n enabled: false\n # -- Default dns domain for the Clustermesh API servers\n # This is used in the case cluster addresses are not provided\n # and IPs are used.\n domain: mesh.cilium.io\n # -- List of clusters to be peered in the mesh.\n clusters: []\n # clusters:\n # # -- Name of the cluster\n # - name: cluster1\n # # -- Address of the cluster, use this if you created DNS records for\n # # the cluster Clustermesh API server.\n # address: cluster1.mesh.cilium.io\n # # -- Port of the cluster Clustermesh API server.\n # port: 2379\n # # -- IPs of the cluster Clustermesh API server, use multiple ones when\n # # you have multiple IPs to access the Clustermesh API server.\n # ips:\n # - 172.18.255.201\n # # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority.\n # # These fields can (and should) be omitted in case the CA is shared across clusters. In that case, the\n # # \"remote\" private key and certificate available in the local cluster are automatically used instead.\n # tls:\n # cert: \"\"\n # key: \"\"\n # caCert: \"\"\n apiserver:\n # -- Clustermesh API server image.\n image:\n # @schema\n # type: [null, string]\n # @schema\n override: ~\n repository: \"us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/clustermesh-apiserver\"\n tag: \"v1.17.4\"\n # clustermesh-apiserver-digest\n digest: \"\"\n useDigest: false\n pullPolicy: \"IfNotPresent\"\n # -- TCP port for the clustermesh-apiserver health API.\n healthPort: 9880\n # -- Configuration for the clustermesh-apiserver readiness probe.\n readinessProbe: {}\n etcd:\n # The etcd binary is included in the clustermesh API server image, so the same image from above is reused.\n # Independent override isn't supported, because clustermesh-apiserver is tested against the etcd version it is\n # built with.\n\n # -- Specifies the resources for etcd container in the apiserver\n resources: {}\n # requests:\n # cpu: 200m\n # memory: 256Mi\n # limits:\n # cpu: 1000m\n # memory: 256Mi\n\n # -- Security context to be added to clustermesh-apiserver etcd containers\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n # -- lifecycle setting for the etcd container\n lifecycle: {}\n init:\n # -- Specifies the resources for etcd init container in the apiserver\n resources: {}\n # requests:\n # cpu: 100m\n # memory: 100Mi\n # limits:\n # cpu: 100m\n # memory: 100Mi\n\n # -- Additional arguments to `clustermesh-apiserver etcdinit`.\n extraArgs: []\n # -- Additional environment variables to `clustermesh-apiserver etcdinit`.\n extraEnv: []\n # @schema\n # enum: [Disk, Memory]\n # @schema\n # -- Specifies whether etcd data is stored in a temporary volume backed by\n # the node's default medium, such as disk, SSD or network storage (Disk), or\n # RAM (Memory). The Memory option enables improved etcd read and write\n # performance at the cost of additional memory usage, which counts against\n # the memory limits of the container.\n storageMedium: Disk\n kvstoremesh:\n # -- Enable KVStoreMesh. KVStoreMesh caches the information retrieved\n # from the remote clusters in the local etcd instance.\n enabled: true\n # -- TCP port for the KVStoreMesh health API.\n healthPort: 9881\n # -- Configuration for the KVStoreMesh readiness probe.\n readinessProbe: {}\n # -- Additional KVStoreMesh arguments.\n extraArgs: []\n # -- Additional KVStoreMesh environment variables.\n extraEnv: []\n # -- Resource requests and limits for the KVStoreMesh container\n resources: {}\n # requests:\n # cpu: 100m\n # memory: 64Mi\n # limits:\n # cpu: 1000m\n # memory: 1024M\n\n # -- Additional KVStoreMesh volumeMounts.\n extraVolumeMounts: []\n # -- KVStoreMesh Security context\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n # -- lifecycle setting for the KVStoreMesh container\n lifecycle: {}\n service:\n # -- The type of service used for apiserver access.\n type: NodePort\n # -- Optional port to use as the node port for apiserver access.\n #\n # WARNING: make sure to configure a different NodePort in each cluster if\n # kube-proxy replacement is enabled, as Cilium is currently affected by a known\n # bug (#24692) when NodePorts are handled by the KPR implementation. If a service\n # with the same NodePort exists both in the local and the remote cluster, all\n # traffic originating from inside the cluster and targeting the corresponding\n # NodePort will be redirected to a local backend, regardless of whether the\n # destination node belongs to the local or the remote cluster.\n nodePort: 32379\n # -- Annotations for the clustermesh-apiserver service.\n # Example annotations to configure an internal load balancer on different cloud providers:\n # * AKS: service.beta.kubernetes.io/azure-load-balancer-internal: \"true\"\n # * EKS: service.beta.kubernetes.io/aws-load-balancer-scheme: \"internal\"\n # * GKE: networking.gke.io/load-balancer-type: \"Internal\"\n annotations: {}\n # @schema\n # enum: [Local, Cluster]\n # @schema\n # -- The externalTrafficPolicy of service used for apiserver access.\n externalTrafficPolicy: Cluster\n # @schema\n # enum: [Local, Cluster]\n # @schema\n # -- The internalTrafficPolicy of service used for apiserver access.\n internalTrafficPolicy: Cluster\n # @schema\n # enum: [HAOnly, Always, Never]\n # @schema\n # -- Defines when to enable session affinity.\n # Each replica in a clustermesh-apiserver deployment runs its own discrete\n # etcd cluster. Remote clients connect to one of the replicas through a\n # shared Kubernetes Service. A client reconnecting to a different backend\n # will require a full resync to ensure data integrity. Session affinity\n # can reduce the likelihood of this happening, but may not be supported\n # by all cloud providers.\n # Possible values:\n # - \"HAOnly\" (default) Only enable session affinity for deployments with more than 1 replica.\n # - \"Always\" Always enable session affinity.\n # - \"Never\" Never enable session affinity. Useful in environments where\n # session affinity is not supported, but may lead to slightly\n # degraded performance due to more frequent reconnections.\n enableSessionAffinity: \"HAOnly\"\n # @schema\n # type: [null, string]\n # @schema\n # -- Configure a loadBalancerClass.\n # Allows to configure the loadBalancerClass on the clustermesh-apiserver\n # LB service in case the Service type is set to LoadBalancer\n # (requires Kubernetes 1.24+).\n loadBalancerClass: ~\n # @schema\n # type: [null, string]\n # @schema\n # -- Configure a specific loadBalancerIP.\n # Allows to configure a specific loadBalancerIP on the clustermesh-apiserver\n # LB service in case the Service type is set to LoadBalancer.\n loadBalancerIP: ~\n # -- Configure loadBalancerSourceRanges.\n # Allows to configure the source IP ranges allowed to access the\n # clustermesh-apiserver LB service in case the Service type is set to LoadBalancer.\n loadBalancerSourceRanges: []\n # -- Number of replicas run for the clustermesh-apiserver deployment.\n replicas: 1\n # -- lifecycle setting for the apiserver container\n lifecycle: {}\n # -- terminationGracePeriodSeconds for the clustermesh-apiserver deployment\n terminationGracePeriodSeconds: 30\n # -- Additional clustermesh-apiserver arguments.\n extraArgs: []\n # -- Additional clustermesh-apiserver environment variables.\n extraEnv: []\n # -- Additional clustermesh-apiserver volumes.\n extraVolumes: []\n # -- Additional clustermesh-apiserver volumeMounts.\n extraVolumeMounts: []\n # -- Security context to be added to clustermesh-apiserver containers\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n # -- Security context to be added to clustermesh-apiserver pods\n podSecurityContext:\n runAsNonRoot: true\n runAsUser: 65532\n runAsGroup: 65532\n fsGroup: 65532\n # -- Annotations to be added to clustermesh-apiserver pods\n podAnnotations: {}\n # -- Labels to be added to clustermesh-apiserver pods\n podLabels: {}\n # PodDisruptionBudget settings\n podDisruptionBudget:\n # -- enable PodDisruptionBudget\n # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/\n enabled: false\n # @schema\n # type: [null, integer, string]\n # @schema\n # -- Minimum number/percentage of pods that should remain scheduled.\n # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`\n minAvailable: null\n # @schema\n # type: [null, integer, string]\n # @schema\n # -- Maximum number/percentage of pods that may be made unavailable\n maxUnavailable: 1\n # -- Resource requests and limits for the clustermesh-apiserver\n resources: {}\n # requests:\n # cpu: 100m\n # memory: 64Mi\n # limits:\n # cpu: 1000m\n # memory: 1024M\n\n # -- Affinity for clustermesh.apiserver\n affinity:\n podAntiAffinity:\n preferredDuringSchedulingIgnoredDuringExecution:\n - weight: 100\n podAffinityTerm:\n labelSelector:\n matchLabels:\n k8s-app: clustermesh-apiserver\n topologyKey: kubernetes.io/hostname\n # -- Pod topology spread constraints for clustermesh-apiserver\n topologySpreadConstraints: []\n # - maxSkew: 1\n # topologyKey: topology.kubernetes.io/zone\n # whenUnsatisfiable: DoNotSchedule\n\n # -- Node labels for pod assignment\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector\n nodeSelector:\n kubernetes.io/os: linux\n # -- Node tolerations for pod assignment on nodes with taints\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/\n tolerations: []\n # -- clustermesh-apiserver update strategy\n updateStrategy:\n type: RollingUpdate\n rollingUpdate:\n # @schema\n # type: [integer, string]\n # @schema\n maxSurge: 1\n # @schema\n # type: [integer, string]\n # @schema\n maxUnavailable: 0\n # -- The priority class to use for clustermesh-apiserver\n priorityClassName: \"\"\n tls:\n # -- Configure the clustermesh authentication mode.\n # Supported values:\n # - legacy: All clusters access remote clustermesh instances with the same\n # username (i.e., remote). The \"remote\" certificate must be\n # generated with CN=remote if provided manually.\n # - migration: Intermediate mode required to upgrade from legacy to cluster\n # (and vice versa) with no disruption. Specifically, it enables\n # the creation of the per-cluster usernames, while still using\n # the common one for authentication. The \"remote\" certificate must\n # be generated with CN=remote if provided manually (same as legacy).\n # - cluster: Each cluster accesses remote etcd instances with a username\n # depending on the local cluster name (i.e., remote-\u003ccluster-name\u003e).\n # The \"remote\" certificate must be generated with CN=remote-\u003ccluster-name\u003e\n # if provided manually. Cluster mode is meaningful only when the same\n # CA is shared across all clusters part of the mesh.\n authMode: legacy\n # -- Allow users to provide their own certificates\n # Users may need to provide their certificates using\n # a mechanism that requires they provide their own secrets.\n # This setting does not apply to any of the auto-generated\n # mechanisms below, it only restricts the creation of secrets\n # via the `tls-provided` templates.\n enableSecrets: true\n # -- Configure automatic TLS certificates generation.\n # A Kubernetes CronJob is used the generate any\n # certificates not provided by the user at installation\n # time.\n auto:\n # -- When set to true, automatically generate a CA and certificates to\n # enable mTLS between clustermesh-apiserver and external workload instances.\n # If set to false, the certs to be provided by setting appropriate values below.\n enabled: true\n # Sets the method to auto-generate certificates. Supported values:\n # - helm: This method uses Helm to generate all certificates.\n # - cronJob: This method uses a Kubernetes CronJob the generate any\n # certificates not provided by the user at installation\n # time.\n # - certmanager: This method use cert-manager to generate \u0026 rotate certificates.\n method: helm\n # -- Generated certificates validity duration in days.\n certValidityDuration: 1095\n # -- Schedule for certificates regeneration (regardless of their expiration date).\n # Only used if method is \"cronJob\". If nil, then no recurring job will be created.\n # Instead, only the one-shot job is deployed to generate the certificates at\n # installation time.\n #\n # Due to the out-of-band distribution of client certs to external workloads the\n # CA is (re)regenerated only if it is not provided as a helm value and the k8s\n # secret is manually deleted.\n #\n # Defaults to none. Commented syntax gives midnight of the first day of every\n # fourth month. For syntax, see\n # https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax\n # schedule: \"0 0 1 */4 *\"\n\n # [Example]\n # certManagerIssuerRef:\n # group: cert-manager.io\n # kind: ClusterIssuer\n # name: ca-issuer\n # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager.\n certManagerIssuerRef: {}\n # -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key.\n # Used if 'auto' is not enabled.\n server:\n cert: \"\"\n key: \"\"\n # -- Extra DNS names added to certificate when it's auto generated\n extraDnsNames: []\n # -- Extra IP addresses added to certificate when it's auto generated\n extraIpAddresses: []\n # -- base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key.\n # Used if 'auto' is not enabled.\n admin:\n cert: \"\"\n key: \"\"\n # -- base64 encoded PEM values for the clustermesh-apiserver client certificate and private key.\n # Used if 'auto' is not enabled.\n client:\n cert: \"\"\n key: \"\"\n # -- base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key.\n # Used if 'auto' is not enabled.\n remote:\n cert: \"\"\n key: \"\"\n # clustermesh-apiserver Prometheus metrics configuration\n metrics:\n # -- Enables exporting apiserver metrics in OpenMetrics format.\n enabled: true\n # -- Configure the port the apiserver metric server listens on.\n port: 9962\n kvstoremesh:\n # -- Enables exporting KVStoreMesh metrics in OpenMetrics format.\n enabled: true\n # -- Configure the port the KVStoreMesh metric server listens on.\n port: 9964\n etcd:\n # -- Enables exporting etcd metrics in OpenMetrics format.\n enabled: true\n # -- Set level of detail for etcd metrics; specify 'extensive' to include server side gRPC histogram metrics.\n mode: basic\n # -- Configure the port the etcd metric server listens on.\n port: 9963\n serviceMonitor:\n # -- Enable service monitor.\n # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)\n enabled: false\n # -- Labels to add to ServiceMonitor clustermesh-apiserver\n labels: {}\n # -- Annotations to add to ServiceMonitor clustermesh-apiserver\n annotations: {}\n # -- Specify the Kubernetes namespace where Prometheus expects to find\n # service monitors configured.\n # namespace: \"\"\n\n # -- Interval for scrape metrics (apiserver metrics)\n interval: \"10s\"\n # @schema\n # type: [null, array]\n # @schema\n # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics)\n relabelings: ~\n # @schema\n # type: [null, array]\n # @schema\n # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics)\n metricRelabelings: ~\n kvstoremesh:\n # -- Interval for scrape metrics (KVStoreMesh metrics)\n interval: \"10s\"\n # @schema\n # type: [null, array]\n # @schema\n # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics)\n relabelings: ~\n # @schema\n # type: [null, array]\n # @schema\n # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics)\n metricRelabelings: ~\n etcd:\n # -- Interval for scrape metrics (etcd metrics)\n interval: \"10s\"\n # @schema\n # type: [null, array]\n # @schema\n # -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics)\n relabelings: ~\n # @schema\n # type: [null, array]\n # @schema\n # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics)\n metricRelabelings: ~\n # -- Configure external workloads support\n externalWorkloads:\n # -- Enable support for external workloads, such as VMs (false by default).\n enabled: false\n # -- Configure cgroup related configuration\n cgroup:\n autoMount:\n # -- Enable auto mount of cgroup2 filesystem.\n # When `autoMount` is enabled, cgroup2 filesystem is mounted at\n # `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod.\n # If users disable `autoMount`, it's expected that users have mounted\n # cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the\n # volume will be mounted inside the cilium agent pod at the same path.\n enabled: true\n # -- Init Container Cgroup Automount resource limits \u0026 requests\n resources: {}\n # limits:\n # cpu: 100m\n # memory: 128Mi\n # requests:\n # cpu: 100m\n # memory: 128Mi\n # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`)\n hostRoot: /run/cilium/cgroupv2\n # -- Configure sysctl override described in #20072.\n sysctlfix:\n # -- Enable the sysctl override. When enabled, the init container will mount the /proc of the host so that the `sysctlfix` utility can execute.\n enabled: true\n # -- Configure whether to enable auto detect of terminating state for endpoints\n # in order to support graceful termination.\n enableK8sTerminatingEndpoint: true\n # -- Configure whether to unload DNS policy rules on graceful shutdown\n # dnsPolicyUnloadOnShutdown: false\n\n # -- Configure the key of the taint indicating that Cilium is not ready on the node.\n # When set to a value starting with `ignore-taint.cluster-autoscaler.kubernetes.io/`, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up.\n agentNotReadyTaintKey: \"node.cilium.io/agent-not-ready\"\n dnsProxy:\n # -- Timeout (in seconds) when closing the connection between the DNS proxy and the upstream server. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background.\n socketLingerTimeout: 10\n # -- DNS response code for rejecting DNS requests, available options are '[nameError refused]'.\n dnsRejectResponseCode: refused\n # -- Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present.\n enableDnsCompression: true\n # -- Maximum number of IPs to maintain per FQDN name for each endpoint.\n endpointMaxIpPerHostname: 1000\n # -- Time during which idle but previously active connections with expired DNS lookups are still considered alive.\n idleConnectionGracePeriod: 0s\n # -- Maximum number of IPs to retain for expired DNS lookups with still-active connections.\n maxDeferredConnectionDeletes: 10000\n # -- The minimum time, in seconds, to use DNS data for toFQDNs policies. If\n # the upstream DNS server returns a DNS record with a shorter TTL, Cilium\n # overwrites the TTL with this value. Setting this value to zero means that\n # Cilium will honor the TTLs returned by the upstream DNS server.\n minTtl: 0\n # -- DNS cache data at this path is preloaded on agent startup.\n preCache: \"\"\n # -- Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port.\n proxyPort: 0\n # -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information.\n proxyResponseMaxDelay: 100ms\n # -- DNS proxy operation mode (true/false, or unset to use version dependent defaults)\n # enableTransparentMode: true\n # -- SCTP Configuration Values\n sctp:\n # -- Enable SCTP support. NOTE: Currently, SCTP support does not support rewriting ports or multihoming.\n enabled: false\n # -- Enable Non-Default-Deny policies\n enableNonDefaultDenyPolicies: true\n # Configuration for types of authentication for Cilium (beta)\n authentication:\n # -- Enable authentication processing and garbage collection.\n # Note that if disabled, policy enforcement will still block requests that require authentication.\n # But the resulting authentication requests for these requests will not be processed, therefore the requests not be allowed.\n enabled: true\n # -- Buffer size of the channel Cilium uses to receive authentication events from the signal map.\n queueSize: 1024\n # -- Buffer size of the channel Cilium uses to receive certificate expiration events from auth handlers.\n rotatedIdentitiesQueueSize: 1024\n # -- Interval for garbage collection of auth map entries.\n gcInterval: \"5m0s\"\n # Configuration for Cilium's service-to-service mutual authentication using TLS handshakes.\n # Note that this is not full mTLS support without also enabling encryption of some form.\n # Current encryption options are WireGuard or IPsec, configured in encryption block above.\n mutual:\n # -- Port on the agent where mutual authentication handshakes between agents will be performed\n port: 4250\n # -- Timeout for connecting to the remote node TCP socket\n connectTimeout: 5s\n # Settings for SPIRE\n spire:\n # -- Enable SPIRE integration (beta)\n enabled: false\n # -- Annotations to be added to all top-level spire objects (resources under templates/spire)\n annotations: {}\n # Settings to control the SPIRE installation and configuration\n install:\n # -- Enable SPIRE installation.\n # This will only take effect only if authentication.mutual.spire.enabled is true\n enabled: true\n # -- SPIRE namespace to install into\n namespace: cilium-spire\n # -- SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace.\n existingNamespace: false\n # -- init container image of SPIRE agent and server\n initImage:\n # @schema\n # type: [null, string]\n # @schema\n override: ~\n repository: \"us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/busybox\"\n tag: \"v1.37.0-glibc\"\n digest: \"\"\n useDigest: false\n pullPolicy: \"IfNotPresent\"\n # SPIRE agent configuration\n agent:\n # -- The priority class to use for the spire agent\n priorityClassName: \"\"\n # -- SPIRE agent image\n image:\n # @schema\n # type: [null, string]\n # @schema\n override: ~\n repository: \"us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/spire-agent\"\n tag: \"1.9.6\"\n digest: \"\"\n useDigest: false\n pullPolicy: \"IfNotPresent\"\n # -- SPIRE agent service account\n serviceAccount:\n create: true\n name: spire-agent\n # -- SPIRE agent annotations\n annotations: {}\n # -- SPIRE agent labels\n labels: {}\n # -- container resource limits \u0026 requests\n resources: {}\n # -- SPIRE Workload Attestor kubelet verification.\n skipKubeletVerification: true\n # -- SPIRE agent tolerations configuration\n # By default it follows the same tolerations as the agent itself\n # to allow the Cilium agent on this node to connect to SPIRE.\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/\n tolerations:\n - key: node.kubernetes.io/not-ready\n effect: NoSchedule\n - key: node-role.kubernetes.io/master\n effect: NoSchedule\n - key: node-role.kubernetes.io/control-plane\n effect: NoSchedule\n - key: node.cloudprovider.kubernetes.io/uninitialized\n effect: NoSchedule\n value: \"true\"\n - key: CriticalAddonsOnly\n operator: \"Exists\"\n # -- SPIRE agent affinity configuration\n affinity: {}\n # -- SPIRE agent nodeSelector configuration\n # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector\n nodeSelector: {}\n # -- Security context to be added to spire agent pods.\n # SecurityContext holds pod-level security attributes and common container settings.\n # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod\n podSecurityContext: {}\n # -- Security context to be added to spire agent containers.\n # SecurityContext holds pod-level security attributes and common container settings.\n # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container\n securityContext: {}\n server:\n # -- The priority class to use for the spire server\n priorityClassName: \"\"\n # -- SPIRE server image\n image:\n # @schema\n # type: [null, string]\n # @schema\n override: ~\n repository: \"us-docker.pkg.dev/palette-images/packs/cilium/1.17.4/spire-server\"\n tag: \"1.9.6\"\n digest: \"\"\n useDigest: false\n pullPolicy: \"IfNotPresent\"\n # -- SPIRE server service account\n serviceAccount:\n create: true\n name: spire-server\n # -- SPIRE server init containers\n initContainers: []\n # -- SPIRE server annotations\n annotations: {}\n # -- SPIRE server labels\n labels: {}\n # SPIRE server service configuration\n # -- container resource limits \u0026 requests\n resources: {}\n service:\n # -- Service type for the SPIRE server service\n type: ClusterIP\n # -- Annotations to be added to the SPIRE server service\n annotations: {}\n # -- Labels to be added to the SPIRE server service\n labels: {}\n # -- SPIRE server affinity configuration\n affinity: {}\n # -- SPIRE server nodeSelector configuration\n # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector\n nodeSelector: {}\n # -- SPIRE server tolerations configuration\n # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/\n tolerations: []\n # SPIRE server datastorage configuration\n dataStorage:\n # -- Enable SPIRE server data storage\n enabled: true\n # -- Size of the SPIRE server data storage\n size: 1Gi\n # -- Access mode of the SPIRE server data storage\n accessMode: ReadWriteOnce\n # @schema\n # type: [null, string]\n # @schema\n # -- StorageClass of the SPIRE server data storage\n storageClass: null\n # -- Security context to be added to spire server pods.\n # SecurityContext holds pod-level security attributes and common container settings.\n # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod\n podSecurityContext: {}\n # -- Security context to be added to spire server containers.\n # SecurityContext holds pod-level security attributes and common container settings.\n # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container\n securityContext: {}\n # SPIRE CA configuration\n ca:\n # -- SPIRE CA key type\n # AWS requires the use of RSA. EC cryptography is not supported\n keyType: \"rsa-4096\"\n # -- SPIRE CA Subject\n subject:\n country: \"US\"\n organization: \"SPIRE\"\n commonName: \"Cilium SPIRE CA\"\n # @schema\n # type: [null, string]\n # @schema\n # -- SPIRE server address used by Cilium Operator\n #\n # If k8s Service DNS along with port number is used (e.g. \u003cservice-name\u003e.\u003cnamespace\u003e.svc(.*):\u003cport-number\u003e format),\n # Cilium Operator will resolve its address by looking up the clusterIP from Service resource.\n #\n # Example values: 10.0.0.1:8081, spire-server.cilium-spire.svc:8081\n serverAddress: ~\n # -- SPIFFE trust domain to use for fetching certificates\n trustDomain: spiffe.cilium\n # -- SPIRE socket path where the SPIRE delegated api agent is listening\n adminSocketPath: /run/spire/sockets/admin.sock\n # -- SPIRE socket path where the SPIRE workload agent is listening.\n # Applies to both the Cilium Agent and Operator\n agentSocketPath: /run/spire/sockets/agent/agent.sock\n # -- SPIRE connection timeout\n connectionTimeout: 30s\n # -- Enable Internal Traffic Policy\n enableInternalTrafficPolicy: true\n # -- Enable LoadBalancer IP Address Management\n enableLBIPAM: true","registry":{"metadata":{"uid":"64eaff453040297344bcad5d","name":"Palette Registry","kind":"oci","isPrivate":true,"providerType":"pack","isSyncSupported":true}}},{"name":"csi-longhorn-addon","type":"oci","layer":"addon","version":"1.8.1","tag":"1.8.1","values":"# spectrocloud.com/enabled-presets: Kubernetes Cluster Autoscaler: autoScalerDisabled\npack:\n namespace: \"longhorn-system\"\n namespaceLabels:\n \"longhorn-system\": \"pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=v{{ .spectro.system.kubernetes.version | substr 0 4 }}\"\n content:\n images:\n - image: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/longhorn-engine:v1.8.1\n - image: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/longhorn-manager:v1.8.1\n - image: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/longhorn-ui:v1.8.1\n - image: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/longhorn-instance-manager:v1.8.1\n - image: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/longhorn-share-manager:v1.8.1\n - image: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/backing-image-manager:v1.8.1\n - image: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/support-bundle-kit:v0.0.52\n - image: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/csi-attacher:v4.8.1\n - image: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/csi-provisioner:v5.2.0\n - image: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/csi-node-driver-registrar:v2.13.0\n - image: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/csi-resizer:v1.13.2\n - image: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/csi-snapshotter:v8.2.0\n - image: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/livenessprobe:v2.15.0\n - image: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/origin-oauth-proxy:4.15\n charts:\n - repo: https://charts.longhorn.io\n name: longhorn\n version: 1.8.1\n\ncharts:\n longhorn:\n global:\n # -- Toleration for nodes allowed to run user-deployed components such as Longhorn Manager, Longhorn UI, and Longhorn Driver Deployer.\n tolerations: []\n # -- Node selector for nodes allowed to run user-deployed components such as Longhorn Manager, Longhorn UI, and Longhorn Driver Deployer.\n nodeSelector: {}\n cattle:\n # -- Default system registry.\n systemDefaultRegistry: \"\"\n windowsCluster:\n # -- Setting that allows Longhorn to run on a Rancher Windows cluster.\n enabled: false\n # -- Toleration for Linux nodes that can run user-deployed Longhorn components.\n tolerations:\n - key: \"cattle.io/os\"\n value: \"linux\"\n effect: \"NoSchedule\"\n operator: \"Equal\"\n # -- Node selector for Linux nodes that can run user-deployed Longhorn components.\n nodeSelector:\n kubernetes.io/os: \"linux\"\n defaultSetting:\n # -- Toleration for system-managed Longhorn components.\n taintToleration: cattle.io/os=linux:NoSchedule\n # -- Node selector for system-managed Longhorn components.\n systemManagedComponentsNodeSelector: kubernetes.io/os:linux\n networkPolicies:\n # -- Setting that allows you to enable network policies that control access to Longhorn pods.\n enabled: false\n # -- Distribution that determines the policy for allowing access for an ingress. (Options: \"k3s\", \"rke2\", \"rke1\")\n type: \"k3s\"\n image:\n longhorn:\n engine:\n # -- Repository for the Longhorn Engine image.\n repository: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/longhorn-engine\n # -- Tag for the Longhorn Engine image.\n tag: v1.8.1\n manager:\n # -- Repository for the Longhorn Manager image.\n repository: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/longhorn-manager\n # -- Tag for the Longhorn Manager image.\n tag: v1.8.1\n ui:\n # -- Repository for the Longhorn UI image.\n repository: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/longhorn-ui\n # -- Tag for the Longhorn UI image.\n tag: v1.8.1\n instanceManager:\n # -- Repository for the Longhorn Instance Manager image.\n repository: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/longhorn-instance-manager\n # -- Tag for the Longhorn Instance Manager image.\n tag: v1.8.1\n shareManager:\n # -- Repository for the Longhorn Share Manager image.\n repository: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/longhorn-share-manager\n # -- Tag for the Longhorn Share Manager image.\n tag: v1.8.1\n backingImageManager:\n # -- Repository for the Backing Image Manager image. When unspecified, Longhorn uses the default value.\n repository: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/backing-image-manager\n # -- Tag for the Backing Image Manager image. When unspecified, Longhorn uses the default value.\n tag: v1.8.1\n supportBundleKit:\n # -- Repository for the Longhorn Support Bundle Manager image.\n repository: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/support-bundle-kit\n # -- Tag for the Longhorn Support Bundle Manager image.\n tag: v0.0.52\n csi:\n attacher:\n # -- Repository for the CSI attacher image. When unspecified, Longhorn uses the default value.\n repository: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/csi-attacher\n # -- Tag for the CSI attacher image. When unspecified, Longhorn uses the default value.\n tag: v4.8.1\n provisioner:\n # -- Repository for the CSI Provisioner image. When unspecified, Longhorn uses the default value.\n repository: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/csi-provisioner\n # -- Tag for the CSI Provisioner image. When unspecified, Longhorn uses the default value.\n tag: v5.2.0\n nodeDriverRegistrar:\n # -- Repository for the CSI Node Driver Registrar image. When unspecified, Longhorn uses the default value.\n repository: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/csi-node-driver-registrar\n # -- Tag for the CSI Node Driver Registrar image. When unspecified, Longhorn uses the default value.\n tag: v2.13.0\n resizer:\n # -- Repository for the CSI Resizer image. When unspecified, Longhorn uses the default value.\n repository: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/csi-resizer\n # -- Tag for the CSI Resizer image. When unspecified, Longhorn uses the default value.\n tag: v1.13.2\n snapshotter:\n # -- Repository for the CSI Snapshotter image. When unspecified, Longhorn uses the default value.\n repository: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/csi-snapshotter\n # -- Tag for the CSI Snapshotter image. When unspecified, Longhorn uses the default value.\n tag: v8.2.0\n livenessProbe:\n # -- Repository for the CSI liveness probe image. When unspecified, Longhorn uses the default value.\n repository: us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/livenessprobe\n # -- Tag for the CSI liveness probe image. When unspecified, Longhorn uses the default value.\n tag: v2.15.0\n openshift:\n oauthProxy:\n # -- Repository for the OAuth Proxy image. Specify the upstream image (for example, \"quay.io/openshift/origin-oauth-proxy\"). This setting applies only to OpenShift users.\n repository: \"us-docker.pkg.dev/palette-images/packs/csi-longhorn/1.8.1/origin-oauth-proxy\"\n # -- Tag for the OAuth Proxy image. Specify OCP/OKD version 4.1 or later (including version 4.15, which is available at quay.io/openshift/origin-oauth-proxy:4.15). This setting applies only to OpenShift users.\n tag: \"4.15\"\n # -- Image pull policy that applies to all user-deployed Longhorn components, such as Longhorn Manager, Longhorn driver, and Longhorn UI.\n pullPolicy: IfNotPresent\n service:\n ui:\n # -- Service type for Longhorn UI. (Options: \"ClusterIP\", \"NodePort\", \"LoadBalancer\", \"Rancher-Proxy\")\n type: ClusterIP\n # -- NodePort port number for Longhorn UI. When unspecified, Longhorn selects a free port between 30000 and 32767.\n nodePort: null\n manager:\n # -- Service type for Longhorn Manager.\n type: ClusterIP\n # -- NodePort port number for Longhorn Manager. When unspecified, Longhorn selects a free port between 30000 and 32767.\n nodePort: \"\"\n persistence:\n # -- Setting that allows you to specify the default Longhorn StorageClass.\n defaultClass: true\n # -- Filesystem type of the default Longhorn StorageClass.\n defaultFsType: ext4\n # -- mkfs parameters of the default Longhorn StorageClass.\n defaultMkfsParams: \"\"\n # -- Replica count of the default Longhorn StorageClass.\n defaultClassReplicaCount: 2\n # -- Data locality of the default Longhorn StorageClass. (Options: \"disabled\", \"best-effort\")\n defaultDataLocality: best-effort\n # -- Reclaim policy that provides instructions for handling of a volume after its claim is released. (Options: \"Retain\", \"Delete\")\n reclaimPolicy: Delete\n # -- Setting that allows you to enable live migration of a Longhorn volume from one node to another.\n migratable: true\n # -- Setting that disables the revision counter and thereby prevents Longhorn from tracking all write operations to a volume. When salvaging a volume, Longhorn uses properties of the volume-head-xxx.img file (the last file size and the last time the file was modified) to select the replica to be used for volume recovery.\n disableRevisionCounter: \"true\"\n # -- Set NFS mount options for Longhorn StorageClass for RWX volumes\n nfsOptions: \"\"\n recurringJobSelector:\n # -- Setting that allows you to enable the recurring job selector for a Longhorn StorageClass.\n enable: false\n # -- Recurring job selector for a Longhorn StorageClass. Ensure that quotes are used correctly when specifying job parameters. (Example: `[{\"name\":\"backup\", \"isGroup\":true}]`)\n jobList: []\n backingImage:\n # -- Setting that allows you to use a backing image in a Longhorn StorageClass.\n enable: false\n # -- Backing image to be used for creating and restoring volumes in a Longhorn StorageClass. When no backing images are available, specify the data source type and parameters that Longhorn can use to create a backing image.\n name: ~\n # -- Data source type of a backing image used in a Longhorn StorageClass.\n # If the backing image exists in the cluster, Longhorn uses this setting to verify the image.\n # If the backing image does not exist, Longhorn creates one using the specified data source type.\n dataSourceType: ~\n # -- Data source parameters of a backing image used in a Longhorn StorageClass.\n # You can specify a JSON string of a map. (Example: `'{\\\"url\\\":\\\"https://backing-image-example.s3-region.amazonaws.com/test-backing-image\\\"}'`)\n dataSourceParameters: ~\n # -- Expected SHA-512 checksum of a backing image used in a Longhorn StorageClass.\n expectedChecksum: ~\n defaultDiskSelector:\n # -- Setting that allows you to enable the disk selector for the default Longhorn StorageClass.\n enable: false\n # -- Disk selector for the default Longhorn StorageClass. Longhorn uses only disks with the specified tags for storing volume data. (Examples: \"nvme,sata\")\n selector: \"\"\n defaultNodeSelector:\n # -- Setting that allows you to enable the node selector for the default Longhorn StorageClass.\n enable: false\n # -- Node selector for the default Longhorn StorageClass. Longhorn uses only nodes with the specified tags for storing volume data. (Examples: \"storage,fast\")\n selector: \"\"\n # -- Setting that allows you to enable automatic snapshot removal during filesystem trim for a Longhorn StorageClass. (Options: \"ignored\", \"enabled\", \"disabled\")\n removeSnapshotsDuringFilesystemTrim: ignored\n # -- Setting that allows you to specify the data engine version for the default Longhorn StorageClass. (Options: \"v1\", \"v2\")\n dataEngine: v1\n # -- Setting that allows you to specify the backup target for the default Longhorn StorageClass.\n backupTargetName: default\n preUpgradeChecker:\n # -- Setting that allows Longhorn to perform pre-upgrade checks. Disable this setting when installing Longhorn using Argo CD or other GitOps solutions.\n jobEnabled: true\n # -- Setting that allows Longhorn to perform upgrade version checks after starting the Longhorn Manager DaemonSet Pods. Disabling this setting also disables `preUpgradeChecker.jobEnabled`. Longhorn recommends keeping this setting enabled.\n upgradeVersionCheck: true\n csi:\n # -- kubelet root directory. When unspecified, Longhorn uses the default value.\n kubeletRootDir: ~\n # -- Replica count of the CSI Attacher. When unspecified, Longhorn uses the default value (\"3\").\n attacherReplicaCount: ~\n # -- Replica count of the CSI Provisioner. When unspecified, Longhorn uses the default value (\"3\").\n provisionerReplicaCount: ~\n # -- Replica count of the CSI Resizer. When unspecified, Longhorn uses the default value (\"3\").\n resizerReplicaCount: ~\n # -- Replica count of the CSI Snapshotter. When unspecified, Longhorn uses the default value (\"3\").\n snapshotterReplicaCount: ~\n defaultSettings:\n # -- Setting that allows Longhorn to automatically attach a volume and create snapshots or backups when recurring jobs are run.\n allowRecurringJobWhileVolumeDetached: ~\n # -- Setting that allows Longhorn to automatically create a default disk only on nodes with the label \"node.longhorn.io/create-default-disk=true\" (if no other disks exist). When this setting is disabled, Longhorn creates a default disk on each node that is added to the cluster.\n createDefaultDiskLabeledNodes: ~\n # -- Default path for storing data on a host. The default value is \"/var/lib/longhorn/\".\n defaultDataPath: ~\n # -- Default data locality. A Longhorn volume has data locality if a local replica of the volume exists on the same node as the pod that is using the volume.\n defaultDataLocality: ~\n # -- Setting that allows scheduling on nodes with healthy replicas of the same volume. This setting is disabled by default.\n replicaSoftAntiAffinity: ~\n # -- Setting that automatically rebalances replicas when an available node is discovered.\n replicaAutoBalance: ~\n # -- Percentage of storage that can be allocated relative to hard drive capacity. The default value is \"100\".\n storageOverProvisioningPercentage: 300\n # -- Percentage of minimum available disk capacity. When the minimum available capacity exceeds the total available capacity, the disk becomes unschedulable until more space is made available for use. The default value is \"25\".\n storageMinimalAvailablePercentage: ~\n # -- Percentage of disk space that is not allocated to the default disk on each new Longhorn node.\n storageReservedPercentageForDefaultDisk: ~\n # -- Upgrade Checker that periodically checks for new Longhorn versions. When a new version is available, a notification appears on the Longhorn UI. This setting is enabled by default\n upgradeChecker: false\n # -- The Upgrade Responder sends a notification whenever a new Longhorn version that you can upgrade to becomes available. The default value is https://longhorn-upgrade-responder.rancher.io/v1/checkupgrade.\n upgradeResponderURL: ~\n # -- Default number of replicas for volumes created using the Longhorn UI. For Kubernetes configuration, modify the `numberOfReplicas` field in the StorageClass. The default value is \"3\".\n defaultReplicaCount: ~\n # -- Default name of Longhorn static StorageClass. \"storageClassName\" is assigned to PVs and PVCs that are created for an existing Longhorn volume. \"storageClassName\" can also be used as a label, so it is possible to use a Longhorn StorageClass to bind a workload to an existing PV without creating a Kubernetes StorageClass object. \"storageClassName\" needs to be an existing StorageClass. The default value is \"longhorn-static\".\n defaultLonghornStaticStorageClass: ~\n # -- Number of minutes that Longhorn keeps a failed backup resource. When the value is \"0\", automatic deletion is disabled.\n failedBackupTTL: ~\n # -- Number of minutes that Longhorn allows for the backup execution. The default value is \"1\".\n backupExecutionTimeout: ~\n # -- Setting that restores recurring jobs from a backup volume on a backup target and creates recurring jobs if none exist during backup restoration.\n restoreVolumeRecurringJobs: ~\n # -- Maximum number of successful recurring backup and snapshot jobs to be retained. When the value is \"0\", a history of successful recurring jobs is not retained.\n recurringSuccessfulJobsHistoryLimit: ~\n # -- Maximum number of failed recurring backup and snapshot jobs to be retained. When the value is \"0\", a history of failed recurring jobs is not retained.\n recurringFailedJobsHistoryLimit: ~\n # -- Maximum number of snapshots or backups to be retained.\n recurringJobMaxRetention: ~\n # -- Maximum number of failed support bundles that can exist in the cluster. When the value is \"0\", Longhorn automatically purges all failed support bundles.\n supportBundleFailedHistoryLimit: ~\n # -- Taint or toleration for system-managed Longhorn components.\n # Specify values using a semicolon-separated list in `kubectl taint` syntax (Example: key1=value1:effect; key2=value2:effect).\n taintToleration: ~\n # -- Node selector for system-managed Longhorn components.\n systemManagedComponentsNodeSelector: ~\n # -- PriorityClass for system-managed Longhorn components.\n # This setting can help prevent Longhorn components from being evicted under Node Pressure.\n # Notice that this will be applied to Longhorn user-deployed components by default if there are no priority class values set yet, such as `longhornManager.priorityClass`.\n priorityClass: \u0026defaultPriorityClassNameRef \"longhorn-critical\"\n # -- Setting that allows Longhorn to automatically salvage volumes when all replicas become faulty (for example, when the network connection is interrupted). Longhorn determines which replicas are usable and then uses these replicas for the volume. This setting is enabled by default.\n autoSalvage: ~\n # -- Setting that allows Longhorn to automatically delete a workload pod that is managed by a controller (for example, daemonset) whenever a Longhorn volume is detached unexpectedly (for example, during Kubernetes upgrades). After deletion, the controller restarts the pod and then Kubernetes handles volume reattachment and remounting.\n autoDeletePodWhenVolumeDetachedUnexpectedly: true\n # -- Setting that prevents Longhorn Manager from scheduling replicas on a cordoned Kubernetes node. This setting is enabled by default.\n disableSchedulingOnCordonedNode: ~\n # -- Setting that allows Longhorn to schedule new replicas of a volume to nodes in the same zone as existing healthy replicas. Nodes that do not belong to any zone are treated as existing in the zone that contains healthy replicas. When identifying zones, Longhorn relies on the label \"topology.kubernetes.io/zone=\u003cZone name of the node\u003e\" in the Kubernetes node object.\n replicaZoneSoftAntiAffinity: ~\n # -- Setting that allows scheduling on disks with existing healthy replicas of the same volume. This setting is enabled by default.\n replicaDiskSoftAntiAffinity: ~\n # -- Policy that defines the action Longhorn takes when a volume is stuck with a StatefulSet or Deployment pod on a node that failed.\n nodeDownPodDeletionPolicy: ~\n # -- Policy that defines the action Longhorn takes when a node with the last healthy replica of a volume is drained.\n nodeDrainPolicy: ~\n # -- Setting that allows automatic detaching of manually-attached volumes when a node is cordoned.\n detachManuallyAttachedVolumesWhenCordoned: ~\n # -- Number of seconds that Longhorn waits before reusing existing data on a failed replica instead of creating a new replica of a degraded volume.\n replicaReplenishmentWaitInterval: ~\n # -- Maximum number of replicas that can be concurrently rebuilt on each node.\n concurrentReplicaRebuildPerNodeLimit: ~\n # -- Maximum number of volumes that can be concurrently restored on each node using a backup. When the value is \"0\", restoration of volumes using a backup is disabled.\n concurrentVolumeBackupRestorePerNodeLimit: ~\n # -- Setting that disables the revision counter and thereby prevents Longhorn from tracking all write operations to a volume. When salvaging a volume, Longhorn uses properties of the \"volume-head-xxx.img\" file (the last file size and the last time the file was modified) to select the replica to be used for volume recovery. This setting applies only to volumes created using the Longhorn UI.\n disableRevisionCounter: \"true\"\n # -- Image pull policy for system-managed pods, such as Instance Manager, engine images, and CSI Driver. Changes to the image pull policy are applied only after the system-managed pods restart.\n systemManagedPodsImagePullPolicy: ~\n # -- Setting that allows you to create and attach a volume without having all replicas scheduled at the time of creation.\n allowVolumeCreationWithDegradedAvailability: ~\n # -- Setting that allows Longhorn to automatically clean up the system-generated snapshot after replica rebuilding is completed.\n autoCleanupSystemGeneratedSnapshot: ~\n # -- Setting that allows Longhorn to automatically clean up the snapshot generated by a recurring backup job.\n autoCleanupRecurringJobBackupSnapshot: ~\n # -- Maximum number of engines that are allowed to concurrently upgrade on each node after Longhorn Manager is upgraded. When the value is \"0\", Longhorn does not automatically upgrade volume engines to the new default engine image version.\n concurrentAutomaticEngineUpgradePerNodeLimit: 0\n # -- Number of minutes that Longhorn waits before cleaning up the backing image file when no replicas in the disk are using it.\n backingImageCleanupWaitInterval: ~\n # -- Number of seconds that Longhorn waits before downloading a backing image file again when the status of all image disk files changes to \"failed\" or \"unknown\".\n backingImageRecoveryWaitInterval: ~\n # -- Percentage of the total allocatable CPU resources on each node to be reserved for each instance manager pod when the V1 Data Engine is enabled. The default value is \"12\".\n guaranteedInstanceManagerCPU: ~\n # -- Setting that notifies Longhorn that the cluster is using the Kubernetes Cluster Autoscaler.\n kubernetesClusterAutoscalerEnabled: ~\n # -- Setting that allows Longhorn to automatically delete an orphaned resource and the corresponding data (for example, stale replicas). Orphaned resources on failed or unknown nodes are not automatically cleaned up.\n orphanAutoDeletion: ~\n # -- Storage network for in-cluster traffic. When unspecified, Longhorn uses the Kubernetes cluster network.\n storageNetwork: ~\n # -- Flag that prevents accidental uninstallation of Longhorn.\n deletingConfirmationFlag: ~\n # -- Timeout between the Longhorn Engine and replicas. Specify a value between \"8\" and \"30\" seconds. The default value is \"8\".\n engineReplicaTimeout: ~\n # -- Setting that allows you to enable and disable snapshot hashing and data integrity checks.\n snapshotDataIntegrity: ~\n # -- Setting that allows disabling of snapshot hashing after snapshot creation to minimize impact on system performance.\n snapshotDataIntegrityImmediateCheckAfterSnapshotCreation: ~\n # -- Setting that defines when Longhorn checks the integrity of data in snapshot disk files. You must use the Unix cron expression format.\n snapshotDataIntegrityCronjob: ~\n # -- Setting that allows Longhorn to automatically mark the latest snapshot and its parent files as removed during a filesystem trim. Longhorn does not remove snapshots containing multiple child files.\n removeSnapshotsDuringFilesystemTrim: ~\n # -- Setting that allows fast rebuilding of replicas using the checksum of snapshot disk files. Before enabling this setting, you must set the snapshot-data-integrity value to \"enable\" or \"fast-check\".\n fastReplicaRebuildEnabled: ~\n # -- Number of seconds that an HTTP client waits for a response from a File Sync server before considering the connection to have failed.\n replicaFileSyncHttpClientTimeout: ~\n # -- Number of seconds that Longhorn allows for the completion of replica rebuilding and snapshot cloning operations.\n longGRPCTimeOut: ~\n # -- Log levels that indicate the type and severity of logs in Longhorn Manager. The default value is \"Info\". (Options: \"Panic\", \"Fatal\", \"Error\", \"Warn\", \"Info\", \"Debug\", \"Trace\")\n logLevel: ~\n # -- Setting that allows you to specify a backup compression method.\n backupCompressionMethod: ~\n # -- Maximum number of worker threads that can concurrently run for each backup.\n backupConcurrentLimit: ~\n # -- Maximum number of worker threads that can concurrently run for each restore operation.\n restoreConcurrentLimit: ~\n # -- Setting that allows you to enable the V1 Data Engine.\n v1DataEngine: ~\n # -- Setting that allows you to enable the V2 Data Engine, which is based on the Storage Performance Development Kit (SPDK). The V2 Data Engine is an experimental feature and should not be used in production environments.\n v2DataEngine: ~\n # -- Setting that allows you to configure maximum huge page size (in MiB) for the V2 Data Engine.\n v2DataEngineHugepageLimit: ~\n # -- Number of millicpus on each node to be reserved for each Instance Manager pod when the V2 Data Engine is enabled. The default value is \"1250\".\n v2DataEngineGuaranteedInstanceManagerCPU: ~\n # -- CPU cores on which the Storage Performance Development Kit (SPDK) target daemon should run. The SPDK target daemon is located in each Instance Manager pod. Ensure that the number of cores is less than or equal to the guaranteed Instance Manager CPUs for the V2 Data Engine. The default value is \"0x1\".\n v2DataEngineCPUMask: ~\n # -- Setting that allows scheduling of empty node selector volumes to any node.\n allowEmptyNodeSelectorVolume: ~\n # -- Setting that allows scheduling of empty disk selector volumes to any disk.\n allowEmptyDiskSelectorVolume: ~\n # -- Setting that allows Longhorn to periodically collect anonymous usage data for product improvement purposes. Longhorn sends collected data to the [Upgrade Responder](https://github.com/longhorn/upgrade-responder) server, which is the data source of the Longhorn Public Metrics Dashboard (https://metrics.longhorn.io). The Upgrade Responder server does not store data that can be used to identify clients, including IP addresses.\n allowCollectingLonghornUsageMetrics: ~\n # -- Setting that temporarily prevents all attempts to purge volume snapshots.\n disableSnapshotPurge: ~\n # -- Maximum snapshot count for a volume. The value should be between 2 to 250\n snapshotMaxCount: ~\n # -- Setting that allows you to configure the log level of the SPDK target daemon (spdk_tgt) of the V2 Data Engine.\n v2DataEngineLogLevel: ~\n # -- Setting that allows you to configure the log flags of the SPDK target daemon (spdk_tgt) of the V2 Data Engine.\n v2DataEngineLogFlags: ~\n # -- Setting that freezes the filesystem on the root partition before a snapshot is created.\n freezeFilesystemForSnapshot: ~\n # -- Setting that automatically cleans up the snapshot when the backup is deleted.\n autoCleanupSnapshotWhenDeleteBackup: ~\n # -- Setting that allows Longhorn to detect node failure and immediately migrate affected RWX volumes.\n rwxVolumeFastFailover: ~\n # -- Setting that allows you to update the default backupstore.\n defaultBackupStore:\n # -- Endpoint used to access the default backupstore. (Options: \"NFS\", \"CIFS\", \"AWS\", \"GCP\", \"AZURE\")\n backupTarget: ~\n # -- Name of the Kubernetes secret associated with the default backup target.\n backupTargetCredentialSecret: ~\n # -- Number of seconds that Longhorn waits before checking the default backupstore for new backups. The default value is \"300\". When the value is \"0\", polling is disabled.\n pollInterval: ~\n privateRegistry:\n # -- Setting that allows you to create a private registry secret.\n createSecret: ~\n # -- URL of a private registry. When unspecified, Longhorn uses the default system registry.\n registryUrl: ~\n # -- User account used for authenticating with a private registry.\n registryUser: ~\n # -- Password for authenticating with a private registry.\n registryPasswd: ~\n # -- Kubernetes secret that allows you to pull images from a private registry. This setting applies only when creation of private registry secrets is enabled. You must include the private registry name in the secret name.\n registrySecret: ~\n longhornManager:\n log:\n # -- Format of Longhorn Manager logs. (Options: \"plain\", \"json\")\n format: plain\n # -- PriorityClass for Longhorn Manager.\n priorityClass: *defaultPriorityClassNameRef\n # -- Toleration for Longhorn Manager on nodes allowed to run Longhorn components.\n tolerations: []\n ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above\n ## and uncomment this example block\n # - key: \"key\"\n # operator: \"Equal\"\n # value: \"value\"\n # effect: \"NoSchedule\"\n # -- Node selector for Longhorn Manager. Specify the nodes allowed to run Longhorn Manager.\n nodeSelector: {}\n ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above\n ## and uncomment this example block\n # label-key1: \"label-value1\"\n # label-key2: \"label-value2\"\n # -- Annotation for the Longhorn Manager service.\n serviceAnnotations: {}\n ## If you want to set annotations for the Longhorn Manager service, delete the `{}` in the line above\n ## and uncomment this example block\n # annotation-key1: \"annotation-value1\"\n # annotation-key2: \"annotation-value2\"\n longhornDriver:\n log:\n # -- Format of longhorn-driver logs. (Options: \"plain\", \"json\")\n format: plain\n # -- PriorityClass for Longhorn Driver.\n priorityClass: *defaultPriorityClassNameRef\n # -- Toleration for Longhorn Driver on nodes allowed to run Longhorn components.\n tolerations: []\n ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above\n ## and uncomment this example block\n # - key: \"key\"\n # operator: \"Equal\"\n # value: \"value\"\n # effect: \"NoSchedule\"\n # -- Node selector for Longhorn Driver. Specify the nodes allowed to run Longhorn Driver.\n nodeSelector: {}\n ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above\n ## and uncomment this example block\n # label-key1: \"label-value1\"\n # label-key2: \"label-value2\"\n longhornUI:\n # -- Replica count for Longhorn UI.\n replicas: 1\n # -- PriorityClass for Longhorn UI.\n priorityClass: *defaultPriorityClassNameRef\n # -- Toleration for Longhorn UI on nodes allowed to run Longhorn components.\n tolerations: []\n ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above\n ## and uncomment this example block\n # - key: \"key\"\n # operator: \"Equal\"\n # value: \"value\"\n # effect: \"NoSchedule\"\n # -- Node selector for Longhorn UI. Specify the nodes allowed to run Longhorn UI.\n nodeSelector: {}\n ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above\n ## and uncomment this example block\n # label-key1: \"label-value1\"\n # label-key2: \"label-value2\"\n ingress:\n # -- Setting that allows Longhorn to generate ingress records for the Longhorn UI service.\n enabled: false\n # -- IngressClass resource that contains ingress configuration, including the name of the Ingress controller.\n # ingressClassName can replace the kubernetes.io/ingress.class annotation used in earlier Kubernetes releases.\n ingressClassName: ~\n # -- Hostname of the Layer 7 load balancer.\n host: sslip.io\n # -- Setting that allows you to enable TLS on ingress records.\n tls: false\n # -- Setting that allows you to enable secure connections to the Longhorn UI service via port 443.\n secureBackends: false\n # -- TLS secret that contains the private key and certificate to be used for TLS. This setting applies only when TLS is enabled on ingress records.\n tlsSecret: longhorn.local-tls\n # -- Default ingress path. You can access the Longhorn UI by following the full ingress path {{host}}+{{path}}.\n path: /\n # -- Ingress path type. To maintain backward compatibility, the default value is \"ImplementationSpecific\".\n pathType: ImplementationSpecific\n ## If you're using kube-lego, you will want to add:\n ## kubernetes.io/tls-acme: true\n ##\n ## For a full list of possible ingress annotations, please see\n ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/annotations.md\n ##\n ## If tls is set to true, annotation ingress.kubernetes.io/secure-backends: \"true\" will automatically be set\n # -- Ingress annotations in the form of key-value pairs.\n annotations:\n # kubernetes.io/ingress.class: nginx\n # kubernetes.io/tls-acme: true\n\n # -- Secret that contains a TLS private key and certificate. Use secrets if you want to use your own certificates to secure ingresses.\n secrets:\n ## If you're providing your own certificates, please use this to add the certificates as secrets\n ## key and certificate should start with -----BEGIN CERTIFICATE----- or\n ## -----BEGIN RSA PRIVATE KEY-----\n ##\n ## name should line up with a tlsSecret set further up\n ## If you're using kube-lego, this is unneeded, as it will create the secret for you if it is not set\n ##\n ## It is also possible to create and manage the certificates outside of this helm chart\n ## Please see README.md for more information\n # - name: longhorn.local-tls\n # key:\n # certificate:\n # -- Setting that allows you to enable pod security policies (PSPs) that allow privileged Longhorn pods to start. This setting applies only to clusters running Kubernetes 1.25 and earlier, and with the built-in Pod Security admission controller enabled.\n enablePSP: false\n # -- Specify override namespace, specifically this is useful for using longhorn as sub-chart and its release namespace is not the `longhorn-system`.\n namespaceOverride: \"\"\n # -- Annotation for the Longhorn Manager DaemonSet pods. This setting is optional.\n annotations: {}\n serviceAccount:\n # -- Annotations to add to the service account\n annotations: {}\n metrics:\n serviceMonitor:\n # -- Setting that allows the creation of a Prometheus ServiceMonitor resource for Longhorn Manager components.\n enabled: false\n # -- Additional labels for the Prometheus ServiceMonitor resource.\n additionalLabels: {}\n # -- Annotations for the Prometheus ServiceMonitor resource.\n annotations: {}\n # -- Interval at which Prometheus scrapes the metrics from the target.\n interval: \"\"\n # -- Timeout after which Prometheus considers the scrape to be failed.\n scrapeTimeout: \"\"\n # -- Configures the relabeling rules to apply the target’s metadata labels. See the [Prometheus Operator\n # documentation](https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.Endpoint) for\n # formatting details.\n relabelings: []\n # -- Configures the relabeling rules to apply to the samples before ingestion. See the [Prometheus Operator\n # documentation](https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.Endpoint) for\n # formatting details.\n metricRelabelings: []\n ## openshift settings\n openshift:\n # -- Setting that allows Longhorn to integrate with OpenShift.\n enabled: false\n ui:\n # -- Route for connections between Longhorn and the OpenShift web console.\n route: \"longhorn-ui\"\n # -- Port for accessing the OpenShift web console.\n port: 443\n # -- Port for proxy that provides access to the OpenShift web console.\n proxy: 8443\n # -- Setting that allows Longhorn to generate code coverage profiles.\n enableGoCoverDir: false","registry":{"metadata":{"uid":"64eaff453040297344bcad5d","name":"Palette Registry","kind":"oci","isPrivate":true,"providerType":"pack","isSyncSupported":true}}}]},"variables":[{"name":"K8sPodCIDR","displayName":"Kubernetes pod CIDR","description":"CIDR used for the Kubernetes pod network","format":"ipv4cidr","required":true,"defaultValue":"100.64.0.0/18","immutable":true,"hidden":false,"isSensitive":false,"order":"1755511635441476164992"},{"name":"K8sServiceCIDR","displayName":"Kubernetes service CIDR","description":"CIDR used for the Kubernetes pod network","format":"ipv4cidr","required":true,"defaultValue":"100.64.64.0/18","immutable":true,"hidden":false,"isSensitive":false,"order":"1755511635441487227960"},{"name":"systemReservedCPU","displayName":"Reserved CPUs for kubelet and system","description":"Set of CPUs to reserve for the kubelet and OS system daemons. The CPU capacity reported by Kubelet for the node will be reduced by this amount. Reserve 8 CPUs when using Portworx Enterprise, otherwise reserve 4 CPUs.","format":"string","required":true,"regex":"\\d-\\d","defaultValue":"0-3","immutable":false,"hidden":false,"isSensitive":false,"order":"1755511635441490591648"}]}} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment