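# Composite action: assembles the install flags for a Cilium deployment from
# the inputs below and publishes them as the single-line `config` output.
name: cilium-config
description: Derive Cilium installation config
inputs:
  image-tag:
    description: 'SHA or tag'
    required: false
  chart-dir:
    description: 'Path to Cilium charts directory'
    required: true
  tunnel:
    description: '"disabled", "vxlan", "geneve"'
    default: 'disabled'
  endpoint-routes:
    description: 'Enable endpoint routes'
    default: false
  ipv6:
    description: 'Enable IPv6'
    default: true
  kpr:
    description: 'Enable kube-proxy replacement'
    default: false
  lb-mode:
    description: 'KPR load-balancer mode'
    default: 'snat'
  lb-acceleration:
    description: 'KPR acceleration'
    default: ''
  encryption:
    description: '"ipsec", "wireguard" or empty'
    default: ''
  encryption-node:
    description: 'Enable node-to-node encryption (WireGuard only)'
    default: false
  egress-gateway:
    description: 'Enable egress gateway'
    default: false
  host-fw:
    description: 'Enable host firewall'
    default: false
  mutual-auth:
    description: 'Enable mTLS-based Mutual Authentication'
    default: true
  ingress-controller:
    description: 'Enable ingress controller, required kubeProxyReplacement'
    default: false
  devices:
    description: 'List of native devices to attach datapath programs'
    default: ''
  misc:
    description: 'Misc helm rarely set by a user coma separated values'
    default: ''
outputs:
  config:
    description: 'Cilium installation config'
    value: ${{ steps.derive-config.outputs.config }}
runs:
  using: composite
  steps:
    - uses: ./.github/actions/set-env-variables
    - shell: bash
      id: derive-config
      # Every action input reaches the script through an environment variable
      # instead of being expanded inside the script text. Expression expansion
      # happens before bash parses the script, so an input holding a quote or a
      # command substitution would otherwise be run as code by this step. As
      # environment variables the values are only ever data.
      # NOTE(review): the two env.* values further down are still expanded
      # inline; presumably they are set by the set-env-variables step above.
      # Confirm they are repository-controlled.
      env:
        IN_IMAGE_TAG: ${{ inputs.image-tag }}
        IN_CHART_DIR: ${{ inputs.chart-dir }}
        IN_TUNNEL: ${{ inputs.tunnel }}
        IN_ENDPOINT_ROUTES: ${{ inputs.endpoint-routes }}
        IN_IPV6: ${{ inputs.ipv6 }}
        IN_KPR: ${{ inputs.kpr }}
        IN_LB_MODE: ${{ inputs.lb-mode }}
        IN_LB_ACCELERATION: ${{ inputs.lb-acceleration }}
        IN_ENCRYPTION: ${{ inputs.encryption }}
        IN_ENCRYPTION_NODE: ${{ inputs.encryption-node }}
        IN_EGRESS_GATEWAY: ${{ inputs.egress-gateway }}
        IN_HOST_FW: ${{ inputs.host-fw }}
        IN_MUTUAL_AUTH: ${{ inputs.mutual-auth }}
        IN_INGRESS_CONTROLLER: ${{ inputs.ingress-controller }}
        IN_DEVICES: ${{ inputs.devices }}
        IN_MISC: ${{ inputs.misc }}
      run: |
        # Flags applied to every installation.
        DEFAULTS="--wait \
          --chart-directory=${IN_CHART_DIR} \
          --helm-set=debug.enabled=true \
          --helm-set=debug.verbose=envoy \
          --helm-set=hubble.eventBufferCapacity=65535 \
          --helm-set=bpf.monitorAggregation=none \
          --helm-set=cluster.name=default \
          --helm-set=authentication.mutual.spire.enabled=${IN_MUTUAL_AUTH} \
          --nodes-without-cilium=kind-worker3 \
          --helm-set-string=kubeProxyReplacement=${IN_KPR} \
          --set='${IN_MISC}'"

        # Point agent, operator and relay at the CI images only when a tag
        # was requested.
        IMAGE=""
        if [ "${IN_IMAGE_TAG}" != "" ]; then
          IMAGE="--helm-set=image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \
            --helm-set=image.useDigest=false \
            --helm-set=image.tag=${IN_IMAGE_TAG} \
            --helm-set=operator.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \
            --helm-set=operator.image.suffix=-ci \
            --helm-set=operator.image.tag=${IN_IMAGE_TAG} \
            --helm-set=operator.image.useDigest=false \
            --helm-set=hubble.relay.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \
            --helm-set=hubble.relay.image.tag=${IN_IMAGE_TAG} \
            --helm-set=hubble.relay.image.useDigest=false"
        fi

        # "disabled" selects native routing with fixed CIDRs; any other value
        # is passed through as the tunnel protocol.
        TUNNEL="--helm-set-string=tunnelProtocol=${IN_TUNNEL}"
        if [ "${IN_TUNNEL}" == "disabled" ]; then
          TUNNEL="--helm-set-string=routingMode=native --helm-set-string=autoDirectNodeRoutes=true --helm-set-string=ipv4NativeRoutingCIDR=10.244.0.0/16"
          TUNNEL="${TUNNEL} --helm-set-string=ipv6NativeRoutingCIDR=fd00:10:244::/56"
        fi

        DEVICES=""
        if [ "${IN_DEVICES}" != "" ]; then
          DEVICES="--helm-set=devices='${IN_DEVICES}'"
        fi

        LB_MODE=""
        if [ "${IN_LB_MODE}" != "" ]; then
          LB_MODE="--helm-set-string=loadBalancer.mode=${IN_LB_MODE}"
        fi

        ENDPOINT_ROUTES=""
        if [ "${IN_ENDPOINT_ROUTES}" == "true" ]; then
          ENDPOINT_ROUTES="--helm-set-string=endpointRoutes.enabled=true"
        fi

        # IPv6 stays on for every value except the literal string "false".
        IPV6=""
        if [ "${IN_IPV6}" != "false" ]; then
          IPV6="--helm-set=ipv6.enabled=true"
        fi

        MASQ=""
        if [ "${IN_KPR}" == "true" ]; then
          # BPF-masq requires KPR=true.
          MASQ="--helm-set=bpf.masquerade=true"
          if [ "${IN_HOST_FW}" == "true" ]; then
            # BPF IPv6 masquerade not currently supported with host firewall - GH-26074
            MASQ="${MASQ} --helm-set=enableIPv6Masquerade=false"
          fi
        fi

        EGRESS_GATEWAY=""
        if [ "${IN_EGRESS_GATEWAY}" == "true" ]; then
          EGRESS_GATEWAY="${{ env.EGRESS_GATEWAY_HELM_VALUES }}"
        fi

        LB_ACCELERATION=""
        if [ "${IN_LB_ACCELERATION}" != "" ]; then
          LB_ACCELERATION="--helm-set=loadBalancer.acceleration=${IN_LB_ACCELERATION}"
        fi

        ENCRYPT=""
        if [ "${IN_ENCRYPTION}" != "" ]; then
          ENCRYPT="--helm-set=encryption.enabled=true --helm-set=encryption.type=${IN_ENCRYPTION}"
          # encryption-node defaults to false, so this branch is skipped only
          # when a caller passes an explicit empty string.
          if [ "${IN_ENCRYPTION_NODE}" != "" ]; then
            ENCRYPT+=" --helm-set=encryption.nodeEncryption=${IN_ENCRYPTION_NODE}"
          fi
        fi

        HOST_FW=""
        if [ "${IN_HOST_FW}" == "true" ]; then
          HOST_FW="--helm-set=hostFirewall.enabled=true"
        fi

        # Initialised like the other fragments so that a same-named variable
        # already present in the runner environment cannot leak into CONFIG.
        INGRESS_CONTROLLER=""
        if [ "${IN_KPR}" == "true" ]; then
          if [ "${IN_INGRESS_CONTROLLER}" == "true" ]; then
            INGRESS_CONTROLLER="--helm-set=ingressController.enabled=true"
            INGRESS_CONTROLLER+=" --helm-set=ingressController.service.type=NodePort"
          fi
        fi

        CONFIG="${DEFAULTS} ${IMAGE} ${TUNNEL} ${DEVICES} ${LB_MODE} ${ENDPOINT_ROUTES} ${IPV6} ${MASQ} ${EGRESS_GATEWAY} ${ENCRYPT} ${HOST_FW} ${LB_ACCELERATION} ${INGRESS_CONTROLLER}"

        # The output file is line-oriented: a newline carried in by an input
        # would end the config value early and start another output entry.
        if [[ "${CONFIG}" == *$'\n'* ]]; then
          echo "::error::derived Cilium config contains a newline; refusing to write step output"
          exit 1
        fi
        echo "config=${CONFIG}" >> "$GITHUB_OUTPUT"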