cilium: enforce device detection and enable image building #151

May 27, 2024
1 change: 1 addition & 0 deletions Makefile
Expand Up @@ -3,6 +3,7 @@
build:
make -C packages/apps/http-cache image
make -C packages/apps/kubernetes image
make -C packages/system/cilium image
make -C packages/system/kubeovn image
make -C packages/system/dashboard image
make -C packages/core/installer image
20 changes: 19 additions & 1 deletion packages/system/cilium/Makefile
@@ -1,12 +1,30 @@
CILIUM_TAG=$(shell awk '$$1 == "version:" {print $$2}' charts/cilium/Chart.yaml)

NAME=cilium
NAMESPACE=cozy-$(NAME)

include ../../../scripts/common-envs.mk
include ../../../scripts/package-system.mk

update:
rm -rf charts
helm repo add cilium https://helm.cilium.io/
helm repo update cilium
helm pull cilium/cilium --untar --untardir charts --version 1.15
ln -s ../../images charts/cilium/images
sed -i 's/include "cilium.image" .Values.image/include "cilium.image" ./g' charts/cilium/templates/cilium-agent/daemonset.yaml
sed -i -e '/Used in iptables/d' -e '/SYS_MODULE/d' charts/cilium/values.yaml
patch -p3 --no-backup-if-mismatch < patches/fix-cgroups.patch
version=$$(awk '$$1 == "version:" {print $$2}' charts/cilium/Chart.yaml) && \
sed -i "s/ARG VERSION=.*/ARG VERSION=v$${version}/" images/cilium/Dockerfile

image:
docker buildx build images/cilium \
--provenance false \
--tag $(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG)) \
--tag $(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG)-$(TAG)) \
--cache-from type=registry,ref=$(REGISTRY)/cilium:latest \
--cache-to type=inline \
--metadata-file images/cilium.json \
--push=$(PUSH) \
--load=$(LOAD)
echo "$(REGISTRY)/cilium:$(call settag,$(TAG))" > images/cilium.tag
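Review bot: The `image` target pushes `cilium:$(call settag,$(CILIUM_TAG))` and `cilium:$(call settag,$(CILIUM_TAG)-$(TAG))`, but its last line records `$(REGISTRY)/cilium:$(call settag,$(TAG))` in images/cilium.tag, a tag this recipe never produces unless `settag` collapses both inputs to the same value; the committed cilium.tag reads `latest`, so whatever consumes that file may point at an image other than the one just built. Either add `--tag $(REGISTRY)/cilium:$(call settag,$(TAG))` to the build or record a tag that is actually pushed, e.g. `echo "$(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG)-$(TAG))" > images/cilium.tag`. The `--cache-from` ref `$(REGISTRY)/cilium:latest` depends on that same unpushed tag, so the registry cache will miss until something else publishes it. `settag` is defined in the included common-envs.mk, which is outside this page, so confirm its behaviour before changing the recorded tag.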
1 change: 1 addition & 0 deletions packages/system/cilium/charts/cilium/images
Expand Up @@ -94,7 +94,7 @@ spec:
{{- end }}
containers:
- name: cilium-agent
image: {{ include "cilium.image" .Values.image | quote }}
image: {{ include "cilium.image" . | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.sleepAfterInit }}
command:
Expand Down Expand Up @@ -398,7 +398,7 @@ spec:
{{- end }}
{{- if .Values.monitor.enabled }}
- name: cilium-monitor
image: {{ include "cilium.image" .Values.image | quote }}
image: {{ include "cilium.image" . | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /bin/bash
Expand Down Expand Up @@ -430,7 +430,7 @@ spec:
{{- end }}
initContainers:
- name: config
image: {{ include "cilium.image" .Values.image | quote }}
image: {{ include "cilium.image" . | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- cilium-dbg
Expand Down Expand Up @@ -485,7 +485,7 @@ spec:
# Required to mount cgroup2 filesystem on the underlying Kubernetes node.
# We use nsenter command with host's cgroup and mount namespaces enabled.
- name: mount-cgroup
image: {{ include "cilium.image" .Values.image | quote }}
image: {{ include "cilium.image" . | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: CGROUP_ROOT
Expand Down Expand Up @@ -531,7 +531,7 @@ spec:
- ALL
{{- end}}
- name: apply-sysctl-overwrites
image: {{ include "cilium.image" .Values.image | quote }}
image: {{ include "cilium.image" . | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.initResources }}
resources:
Expand Down Expand Up @@ -580,7 +580,7 @@ spec:
# from a privileged container because the mount propagation bidirectional
# only works from privileged containers.
- name: mount-bpf-fs
image: {{ include "cilium.image" .Values.image | quote }}
image: {{ include "cilium.image" . | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.initResources }}
resources:
Expand All @@ -605,7 +605,7 @@ spec:
{{- end }}
{{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }}
- name: wait-for-node-init
image: {{ include "cilium.image" .Values.image | quote }}
image: {{ include "cilium.image" . | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.initResources }}
resources:
Expand All @@ -625,7 +625,7 @@ spec:
mountPath: "/tmp/cilium-bootstrap.d"
{{- end }}
- name: clean-cilium-state
image: {{ include "cilium.image" .Values.image | quote }}
image: {{ include "cilium.image" . | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /init-container.sh
Expand Down Expand Up @@ -697,7 +697,7 @@ spec:
{{- end }}
{{- if and .Values.waitForKubeProxy (and (ne (toString $kubeProxyReplacement) "strict") (ne (toString $kubeProxyReplacement) "true")) }}
- name: wait-for-kube-proxy
image: {{ include "cilium.image" .Values.image | quote }}
image: {{ include "cilium.image" . | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.initResources }}
resources:
Expand Down Expand Up @@ -735,7 +735,7 @@ spec:
{{- if .Values.cni.install }}
# Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent
- name: install-cni-binaries
image: {{ include "cilium.image" .Values.image | quote }}
image: {{ include "cilium.image" . | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- "/install-plugin.sh"
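Review bot: Every `image:` line in this section now reads `{{ include "cilium.image" . | quote }}`, handing the helper the root context instead of `.Values.image`; these lines are produced by the `sed` in the `update` target of packages/system/cilium/Makefile, so any hand edit here is overwritten on the next `make update` and the Makefile is the place to adjust them. The section header names the `charts/cilium/images` symlink, but the lines shown belong to templates/cilium-agent/daemonset.yaml, and the `cilium.image` definition that presumably reads through that symlink is not on this page. Since the same expression feeds the privileged init containers (`mount-cgroup`, `mount-bpf-fs`) as well as `cilium-agent`, confirm the helper still renders the upstream image rather than an empty string when images/cilium.tag is absent.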
4 changes: 4 additions & 0 deletions packages/system/cilium/images/cilium.json
@@ -0,0 +1,4 @@
{
"containerimage.config.digest": "sha256:5d7a65f2d5c41bd53cccaa55d4f5d28933c08f5294e732b9a00427d091c1d78f",
"containerimage.digest": "sha256:f9f46b6c57cbe9ccb2686be7e58236e3bfae0942c4be687f0bf16270832f09ab"
}
1 change: 1 addition & 0 deletions packages/system/cilium/images/cilium.tag
@@ -0,0 +1 @@
ghcr.io/aenix-io/cozystack/cilium:latest
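--- /dev/null
+++ b/packages/system/cilium/images/cilium/Dockerfile
@@ -0,0 +1,16 @@
+# syntax=docker/dockerfile:experimental
+
+ARG VERSION=v1.15.5
+
+FROM golang:1.22-bookworm as builder
+
+WORKDIR /source
+
+COPY enforce-device-detection.diff /enforce-device-detection.diff
+
+RUN wget -O- https://github.com/cilium/cilium/archive/refs/tags/v1.15.5.tar.gz | tar xzf - --strip-components=1
+RUN git apply /enforce-device-detection.diff
+RUN make build-agent
+
+FROM quay.io/cilium/cilium:${VERSION}
+COPY --from=builder /source/daemon/cilium-agent /usr/bin/cilium-agent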
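Review bot: The `wget` line hard-codes `v1.15.5` in the source tarball URL while the final `FROM` follows `${VERSION}`, which the `update` target in packages/system/cilium/Makefile rewrites from Chart.yaml; after a chart bump the patched agent would be compiled from 1.15.5 sources and dropped into a newer runtime image. Redeclare the arg inside the builder stage and reuse it: `ARG VERSION` directly after `FROM golang:1.22-bookworm as builder`, then `RUN wget -O- https://github.com/cilium/cilium/archive/refs/tags/${VERSION}.tar.gz | tar xzf - --strip-components=1`. The archive is fetched with no checksum verification and neither `golang:1.22-bookworm` nor `quay.io/cilium/cilium:${VERSION}` is pinned by digest, so the build is not reproducible and a moved tag silently changes what ships; a `sha256sum -c` step on the tarball and `@sha256:<digest>` pins on both base images would close that. `# syntax=docker/dockerfile:experimental` is a deprecated frontend tag; `# syntax=docker/dockerfile:1` is the current form.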