cilium: enforce device detection and enable image building (#151)

Signed-off-by: Andrei Kvapil <[email protected]>
aenix-io · May 27, 2024 · 6211f9d · 6211f9d
1 parent b5f8006
commit 6211f9d
Show file tree

Hide file tree

Showing 10 changed files with 306 additions and 11 deletions.
diff --git a/Makefile b/Makefile
@@ -3,6 +3,7 @@
 build:
 	make -C packages/apps/http-cache image
 	make -C packages/apps/kubernetes image
+	make -C packages/system/cilium image
 	make -C packages/system/kubeovn image
 	make -C packages/system/dashboard image
 	make -C packages/core/installer image

diff --git a/packages/system/cilium/Makefile b/packages/system/cilium/Makefile
@@ -1,12 +1,30 @@
+CILIUM_TAG=$(shell awk '$$1 == "version:" {print $$2}' charts/cilium/Chart.yaml)
+
 NAME=cilium
 NAMESPACE=cozy-$(NAME)
 
+include ../../../scripts/common-envs.mk
 include ../../../scripts/package-system.mk
 
 update:
 	rm -rf charts
 	helm repo add cilium https://helm.cilium.io/
 	helm repo update cilium
 	helm pull cilium/cilium --untar --untardir charts --version 1.15
+	ln -s ../../images charts/cilium/images
+	sed -i 's/include "cilium.image" .Values.image/include "cilium.image" ./g' charts/cilium/templates/cilium-agent/daemonset.yaml
 	sed -i -e '/Used in iptables/d' -e '/SYS_MODULE/d' charts/cilium/values.yaml
-	patch -p3 --no-backup-if-mismatch < patches/fix-cgroups.patch
+	version=$$(awk '$$1 == "version:" {print $$2}' charts/cilium/Chart.yaml) && \
+	sed -i "s/ARG VERSION=.*/ARG VERSION=v$${version}/" images/cilium/Dockerfile
+
+image:
+	docker buildx build images/cilium \
+		--provenance false \
+		--tag $(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG)) \
+		--tag $(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG)-$(TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/cilium:latest \
+		--cache-to type=inline \
+		--metadata-file images/cilium.json \
+		--push=$(PUSH) \
+		--load=$(LOAD)
+	echo "$(REGISTRY)/cilium:$(call settag,$(TAG))" > images/cilium.tag
diff --git a/packages/system/cilium/charts/cilium/images b/packages/system/cilium/charts/cilium/images
@@ -0,0 +1 @@
+../../images
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
@@ -94,7 +94,7 @@ spec:
       {{- end }}
       containers:
       - name: cilium-agent
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- if .Values.sleepAfterInit }}
         command:
@@ -398,7 +398,7 @@ spec:
         {{- end }}
       {{- if .Values.monitor.enabled }}
       - name: cilium-monitor
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
         - /bin/bash
@@ -430,7 +430,7 @@ spec:
       {{- end }}
       initContainers:
       - name: config
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
         - cilium-dbg
@@ -485,7 +485,7 @@ spec:
       # Required to mount cgroup2 filesystem on the underlying Kubernetes node.
       # We use nsenter command with host's cgroup and mount namespaces enabled.
       - name: mount-cgroup
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         env:
         - name: CGROUP_ROOT
@@ -531,7 +531,7 @@ spec:
               - ALL
           {{- end}}
       - name: apply-sysctl-overwrites
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- with .Values.initResources }}
         resources:
@@ -580,7 +580,7 @@ spec:
       # from a privileged container because the mount propagation bidirectional
       # only works from privileged containers.
       - name: mount-bpf-fs
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- with .Values.initResources }}
         resources:
@@ -605,7 +605,7 @@ spec:
       {{- end }}
       {{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }}
       - name: wait-for-node-init
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- with .Values.initResources }}
         resources:
@@ -625,7 +625,7 @@ spec:
           mountPath: "/tmp/cilium-bootstrap.d"
       {{- end }}
       - name: clean-cilium-state
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
         - /init-container.sh
@@ -697,7 +697,7 @@ spec:
         {{- end }}
       {{- if and .Values.waitForKubeProxy (and (ne (toString $kubeProxyReplacement) "strict") (ne (toString $kubeProxyReplacement) "true"))  }}
       - name: wait-for-kube-proxy
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- with .Values.initResources }}
         resources:
@@ -735,7 +735,7 @@ spec:
       {{- if .Values.cni.install }}
       # Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent
       - name: install-cni-binaries
-        image: {{ include "cilium.image" .Values.image | quote }}
+        image: {{ include "cilium.image" . | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
           - "/install-plugin.sh"

diff --git a/packages/system/cilium/images/cilium.json b/packages/system/cilium/images/cilium.json
@@ -0,0 +1,4 @@
+{
+  "containerimage.config.digest": "sha256:5d7a65f2d5c41bd53cccaa55d4f5d28933c08f5294e732b9a00427d091c1d78f",
+  "containerimage.digest": "sha256:f9f46b6c57cbe9ccb2686be7e58236e3bfae0942c4be687f0bf16270832f09ab"
+}
diff --git a/packages/system/cilium/images/cilium.tag b/packages/system/cilium/images/cilium.tag
@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/cilium:latest
diff --git a/packages/system/cilium/images/cilium/Dockerfile b/packages/system/cilium/images/cilium/Dockerfile
@@ -0,0 +1,16 @@
+# syntax=docker/dockerfile:experimental
+
+ARG VERSION=v1.15.5
+
+FROM golang:1.22-bookworm as builder
+
+WORKDIR /source
+
+COPY enforce-device-detection.diff /enforce-device-detection.diff
+
+RUN wget -O- https://github.com/cilium/cilium/archive/refs/tags/v1.15.5.tar.gz | tar xzf - --strip-components=1
+RUN git apply /enforce-device-detection.diff
+RUN make build-agent
+
+FROM quay.io/cilium/cilium:${VERSION}
+COPY --from=builder /source/daemon/cilium-agent /usr/bin/cilium-agent