cilium
156 строк · 5.8 Кб
1name: cilium-config2description: Derive Cilium installation config3inputs:4image-tag:5description: 'SHA or tag'6required: false7chart-dir:8description: 'Path to Cilium charts directory'9required: true10tunnel:11description: '"disabled", "vxlan", "geneve"'12default: 'disabled'13endpoint-routes:14description: 'Enable endpoint routes'15default: false16ipv6:17description: 'Enable IPv6'18default: true19kpr:20description: 'Enable kube-proxy replacement'21default: false22lb-mode:23description: 'KPR load-balancer mode'24default: 'snat'25lb-acceleration:26description: 'KPR acceleration'27default: ''28encryption:29description: '"ipsec", "wireguard" or empty'30default: ''31encryption-node:32description: 'Enable node-to-node encryption (WireGuard only)'33default: false34egress-gateway:35description: 'Enable egress gateway'36default: false37host-fw:38description: 'Enable host firewall'39default: false40mutual-auth:41description: 'Enable mTLS-based Mutual Authentication'42default: true43ingress-controller:44description: 'Enable ingress controller, required kubeProxyReplacement'45default: false46devices:47description: 'List of native devices to attach datapath programs'48default: ''49misc:50description: 'Misc helm rarely set by a user coma separated values'51default: ''52outputs:53config:54description: 'Cilium installation config'55value: ${{ steps.derive-config.outputs.config }}56runs:57using: composite58steps:59- uses: ./.github/actions/set-env-variables60- shell: bash61id: derive-config62run: |63DEFAULTS="--wait \64--chart-directory=${{ inputs.chart-dir }} \65--helm-set=debug.enabled=true \66--helm-set=debug.verbose=envoy \67--helm-set=hubble.eventBufferCapacity=65535 \68--helm-set=bpf.monitorAggregation=none \69--helm-set=cluster.name=default \70--helm-set=authentication.mutual.spire.enabled=${{ inputs.mutual-auth }} \71--nodes-without-cilium=kind-worker3 \72--helm-set-string=kubeProxyReplacement=${{ inputs.kpr }} \73--set='${{ inputs.misc }}'"74IMAGE=""76if [ "${{ inputs.image-tag }}" != "" ]; then77IMAGE="--helm-set=image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \78--helm-set=image.useDigest=false \79--helm-set=image.tag=${{ inputs.image-tag }} \80--helm-set=operator.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \81--helm-set=operator.image.suffix=-ci \82--helm-set=operator.image.tag=${{ inputs.image-tag }} \83--helm-set=operator.image.useDigest=false \84--helm-set=hubble.relay.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \85--helm-set=hubble.relay.image.tag=${{ inputs.image-tag }} \86--helm-set=hubble.relay.image.useDigest=false"87fi88TUNNEL="--helm-set-string=tunnelProtocol=${{ inputs.tunnel }}"90if [ "${{ inputs.tunnel }}" == "disabled" ]; then91TUNNEL="--helm-set-string=routingMode=native --helm-set-string=autoDirectNodeRoutes=true --helm-set-string=ipv4NativeRoutingCIDR=10.244.0.0/16"92TUNNEL="${TUNNEL} --helm-set-string=ipv6NativeRoutingCIDR=fd00:10:244::/56"93fi94DEVICES=""96if [ "${{ inputs.devices }}" != "" ]; then97DEVICES="--helm-set=devices='${{ inputs.devices }}'"98fi99LB_MODE=""101if [ "${{ inputs.lb-mode }}" != "" ]; then102LB_MODE="--helm-set-string=loadBalancer.mode=${{ inputs.lb-mode }}"103fi104ENDPOINT_ROUTES=""106if [ "${{ inputs.endpoint-routes }}" == "true" ]; then107ENDPOINT_ROUTES="--helm-set-string=endpointRoutes.enabled=true"108fi109IPV6=""111if [ "${{ inputs.ipv6 }}" != "false" ]; then112IPV6="--helm-set=ipv6.enabled=true"113fi114MASQ=""116if [ "${{ inputs.kpr }}" == "true" ]; then117# BPF-masq requires KPR=true.118MASQ="--helm-set=bpf.masquerade=true"119if [ "${{ inputs.host-fw }}" == "true" ]; then120# BPF IPv6 masquerade not currently supported with host firewall - GH-26074121MASQ="${MASQ} --helm-set=enableIPv6Masquerade=false"122fi123fi124EGRESS_GATEWAY=""126if [ "${{ inputs.egress-gateway }}" == "true" ]; then127EGRESS_GATEWAY="${{ env.EGRESS_GATEWAY_HELM_VALUES }}"128fi129LB_ACCELERATION=""131if [ "${{ inputs.lb-acceleration }}" != "" ]; then132LB_ACCELERATION="--helm-set=loadBalancer.acceleration=${{ inputs.lb-acceleration }}"133fi134ENCRYPT=""136if [ "${{ inputs.encryption }}" != "" ]; then137ENCRYPT="--helm-set=encryption.enabled=true --helm-set=encryption.type=${{ inputs.encryption }}"138if [ "${{ inputs.encryption-node }}" != "" ]; then139ENCRYPT+=" --helm-set=encryption.nodeEncryption=${{ inputs.encryption-node }}"140fi141fi142HOST_FW=""144if [ "${{ inputs.host-fw }}" == "true" ]; then145HOST_FW="--helm-set=hostFirewall.enabled=true"146fi147if [ "${{ inputs.kpr }}" == "true" ]; then149if [ "${{ inputs.ingress-controller }}" == "true" ]; then150INGRESS_CONTROLLER="--helm-set=ingressController.enabled=true"151INGRESS_CONTROLLER+=" --helm-set=ingressController.service.type=NodePort"152fi153fi154CONFIG="${DEFAULTS} ${IMAGE} ${TUNNEL} ${DEVICES} ${LB_MODE} ${ENDPOINT_ROUTES} ${IPV6} ${MASQ} ${EGRESS_GATEWAY} ${ENCRYPT} ${HOST_FW} ${LB_ACCELERATION} ${INGRESS_CONTROLLER}"156echo "config=${CONFIG}" >> $GITHUB_OUTPUT157