Cilium updates (#5438)

* Add resources needed to deploy 1.6.4

* Use cilium v1.6.4

* Change deprecated option name

* Add update crd to clusterrole cilium

* Cilium 1.6.4 -> 1.6.5

* Make monitor-aggregation config configurable as a variable

* Change monitor-aggregation default none->medium

* Cilium 1.6.5 -> 1.6.6

* Update to 1.7.0

* v1.7.0->v1.7.1

roles/download/defaults/main.yml

@@ -80,7 +80,7 @@ cni_version: "v0.8.3"
 weave_version: 2.5.2
 pod_infra_version: 3.1
 contiv_version: 1.2.1
-cilium_version: "v1.5.5"
+cilium_version: "v1.7.1"
 kube_ovn_version: "v0.6.0"
 kube_router_version: "v0.2.5"
 multus_version: "v3.2.1"

roles/network_plugin/cilium/defaults/main.yml

@@ -23,6 +23,8 @@ cilium_tunnel_mode: vxlan
 cilium_enable_prometheus: false
 # Enable if you want to make use of hostPort mappings
 cilium_enable_portmap: false
+# Monitor aggregation level (none/low/medium/maximum)
+cilium_monitor_aggregation: medium
 
 # If upgrading from Cilium < 1.5, you may want to override some of these options
 # to prevent service disruptions. See also:

roles/network_plugin/cilium/templates/cilium-config.yml.j2

@@ -61,7 +61,7 @@ data:
   # If you want cilium monitor to aggregate tracing for packets, set this level
   # to "low", "medium", or "maximum". The higher the level, the less packets
   # that will be seen in monitor output.
-  monitor-aggregation-level: "none"
+  monitor-aggregation: "{{ cilium_monitor_aggregation }}"
 
   # ct-global-max-entries-* specifies the maximum number of connections
   # supported across all endpoints, split by protocol: tcp or other. One pair

roles/network_plugin/cilium/templates/cilium-cr.yml.j2

@@ -43,6 +43,10 @@ rules:
   - ciliumnetworkpolicies/status
   - ciliumendpoints
   - ciliumendpoints/status
+  - ciliumnodes
+  - ciliumnodes/status
+  - ciliumidentities
+  - ciliumidentities/status
   verbs:
   - '*'
 ---
@@ -66,7 +70,6 @@ rules:
       - services
       - nodes
       - endpoints
-      - componentstatuses
     verbs:
       - get
       - list
@@ -88,18 +91,10 @@ rules:
       - nodes/status
     verbs:
       - patch
-  - apiGroups:
-      - extensions
-    resources:
-      - ingresses
-    verbs:
-      - create
-      - get
-      - list
-      - watch
   - apiGroups:
       - apiextensions.k8s.io
     resources:
+      - ingresses
       - customresourcedefinitions
     verbs:
       - create
@@ -112,7 +107,13 @@ rules:
     resources:
       - ciliumnetworkpolicies
       - ciliumnetworkpolicies/status
+      - ciliumclusterwidenetworkpolicies
+      - ciliumclusterwidenetworkpolicies/status
       - ciliumendpoints
       - ciliumendpoints/status
+      - ciliumnodes
+      - ciliumnodes/status
+      - ciliumidentities
+      - ciliumidentities/status
     verbs:
       - '*'