Merge remote-tracking branch 'upstream/main'

isovalent · Jan 10, 2025 · 3fa9f22 · 3fa9f22
2 parents 4747faa + d6d582d
commit 3fa9f22
Show file tree

Hide file tree

Showing 9 changed files with 46 additions and 29 deletions.
diff --git a/.github/workflows/conformance-pr.yml b/.github/workflows/conformance-pr.yml
@@ -29,6 +29,7 @@ jobs:
             kube-proxy-replacement: "true"
             socketlb: false
             bpf-masquerade: true
+            bpf-hostlegacyrouting: true
             ipam-mode: 'kubernetes'
             ipv4: true
             ipv6: false
@@ -88,6 +89,7 @@ jobs:
             --set ipv4.enabled=${{ matrix.config.ipv4 }} \
             --set ipv6.enabled=${{ matrix.config.ipv6 }} \
             --set bpf.masquerade=${{ matrix.config.bpf-masquerade }} \
+            --set bpf.hostLegacyRouting=${{ matrix.config.bpf-hostlegacyrouting }} \
             --set kubeProxyReplacement=${{ matrix.config.kube-proxy-replacement }} \
             --set socketLB.enabled=${{ matrix.config.socketlb }} \
             --set ipam.mode=${{ matrix.config.ipam-mode }} \

diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -35,6 +35,7 @@ jobs:
             kube-proxy-replacement: "true"
             socketlb: false
             bpf-masquerade: true
+            bpf-hostlegacyrouting: true
             ipam-mode: 'kubernetes'
             ipv4: true
             ipv6: false
@@ -49,6 +50,7 @@ jobs:
             kube-proxy-replacement: "true"
             socketlb: false
             bpf-masquerade: true
+            bpf-hostlegacyrouting: true
             ipam-mode: 'kubernetes'
             ipv4: true
             ipv6: false
@@ -63,6 +65,7 @@ jobs:
             kube-proxy-replacement: "false"
             socketlb: true
             bpf-masquerade: false
+            bpf-hostlegacyrouting: true
             ipam-mode: 'kubernetes'
             ipv4: true
             ipv6: false
@@ -77,6 +80,7 @@ jobs:
             kube-proxy-replacement: "false"
             socketlb: true
             bpf-masquerade: true
+            bpf-hostlegacyrouting: true
             ipam-mode: 'kubernetes'
             ipv4: true
             ipv6: false
@@ -90,6 +94,7 @@ jobs:
             kube-proxy-replacement: "true"
             socketlb: false
             bpf-masquerade: true
+            bpf-hostlegacyrouting: true
             ipam-mode: 'cluster-pool'
             ipv4: true
             ipv6: false
@@ -104,6 +109,7 @@ jobs:
             kube-proxy-replacement: "true"
             socketlb: false
             bpf-masquerade: true
+            bpf-hostlegacyrouting: true
             ipam-mode: 'kubernetes'
             ipv4: true
             ipv6: false
@@ -163,6 +169,7 @@ jobs:
             --set ipv4.enabled=${{ matrix.config.ipv4 }} \
             --set ipv6.enabled=${{ matrix.config.ipv6 }} \
             --set bpf.masquerade=${{ matrix.config.bpf-masquerade }} \
+            --set bpf.hostLegacyRouting=${{ matrix.config.bpf-hostlegacyrouting }} \
             --set kubeProxyReplacement=${{ matrix.config.kube-proxy-replacement }} \
             --set socketLB.enabled=${{ matrix.config.socketlb }} \
             --set ipam.mode=${{ matrix.config.ipam-mode }} \

diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -13,11 +13,11 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: terraform fmt
-        uses: dflook/terraform-fmt-check@c9309dc072b71dded0f23b29e3ffd4406e27c078
+        uses: dflook/terraform-fmt-check@2bf43ab3454607c0f8567abc333f8208447ec03f
         with:
           path: .
       - name: terraform fmt
-        uses: dflook/terraform-fmt-check@c9309dc072b71dded0f23b29e3ffd4406e27c078
+        uses: dflook/terraform-fmt-check@2bf43ab3454607c0f8567abc333f8208447ec03f
         with:
           path: example
   docs:

diff --git a/00-terraform.tf b/00-terraform.tf
@@ -6,7 +6,7 @@ terraform {
     }
     talos = {
       source  = "siderolabs/talos"
-      version = "0.6.1"
+      version = "0.7.0"
     }
     random = {
       source  = "hashicorp/random"

diff --git a/00-variables.tf b/00-variables.tf
@@ -83,7 +83,7 @@ variable "allow_workload_on_cp_nodes" {
 }
 
 variable "talos_version" {
-  default     = "v1.8.0"
+  default     = "v1.9.1"
   description = "Talos version to use for the cluster, if not set, the newest Talos version. Check https://github.com/siderolabs/talos/releases for available releases."
   type        = string
   validation {

diff --git a/README.md b/README.md
@@ -25,8 +25,8 @@ module "talos" {
   source = "git::https://github.com/isovalent/terraform-aws-talos?ref=<RELEASE_TAG>"
 
   // Supported Talos versions (and therefore K8s versions) can be found here: https://github.com/siderolabs/talos/releases
-  talos_version      = "v1.5.3"
-  kubernetes_version = "1.27.3"
+  talos_version      = "v1.9.1"
+  kubernetes_version = "1.31.4"
   cluster_name       = "talos-cute"
   region             = "eu-west-1"
   tags               = local.tags
@@ -46,17 +46,17 @@ module "talos" {
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.5 |
-| <a name="requirement_talos"></a> [talos](#requirement\_talos) | 0.6.1 |
+| <a name="requirement_talos"></a> [talos](#requirement\_talos) | 0.7.0 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.82.2 |
-| <a name="provider_local"></a> [local](#provider\_local) | 2.5.2 |
-| <a name="provider_null"></a> [null](#provider\_null) | 3.2.3 |
-| <a name="provider_random"></a> [random](#provider\_random) | 3.6.3 |
-| <a name="provider_talos"></a> [talos](#provider\_talos) | 0.6.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
+| <a name="provider_local"></a> [local](#provider\_local) | n/a |
+| <a name="provider_null"></a> [null](#provider\_null) | n/a |
+| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.5 |
+| <a name="provider_talos"></a> [talos](#provider\_talos) | 0.7.0 |
 
 ### Modules
 
@@ -76,18 +76,18 @@ module "talos" {
 | [local_file.talosconfig](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [null_resource.wait_for_public_subnets](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [random_string.workspace_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
-| [talos_cluster_kubeconfig.this](https://registry.terraform.io/providers/siderolabs/talos/0.6.1/docs/resources/cluster_kubeconfig) | resource |
-| [talos_machine_bootstrap.this](https://registry.terraform.io/providers/siderolabs/talos/0.6.1/docs/resources/machine_bootstrap) | resource |
-| [talos_machine_configuration_apply.controlplane](https://registry.terraform.io/providers/siderolabs/talos/0.6.1/docs/resources/machine_configuration_apply) | resource |
-| [talos_machine_configuration_apply.worker_group](https://registry.terraform.io/providers/siderolabs/talos/0.6.1/docs/resources/machine_configuration_apply) | resource |
-| [talos_machine_secrets.this](https://registry.terraform.io/providers/siderolabs/talos/0.6.1/docs/resources/machine_secrets) | resource |
+| [talos_cluster_kubeconfig.this](https://registry.terraform.io/providers/siderolabs/talos/0.7.0/docs/resources/cluster_kubeconfig) | resource |
+| [talos_machine_bootstrap.this](https://registry.terraform.io/providers/siderolabs/talos/0.7.0/docs/resources/machine_bootstrap) | resource |
+| [talos_machine_configuration_apply.controlplane](https://registry.terraform.io/providers/siderolabs/talos/0.7.0/docs/resources/machine_configuration_apply) | resource |
+| [talos_machine_configuration_apply.worker_group](https://registry.terraform.io/providers/siderolabs/talos/0.7.0/docs/resources/machine_configuration_apply) | resource |
+| [talos_machine_secrets.this](https://registry.terraform.io/providers/siderolabs/talos/0.7.0/docs/resources/machine_secrets) | resource |
 | [aws_ami.talos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_subnets.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
 | [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
-| [talos_client_configuration.this](https://registry.terraform.io/providers/siderolabs/talos/0.6.1/docs/data-sources/client_configuration) | data source |
-| [talos_machine_configuration.controlplane](https://registry.terraform.io/providers/siderolabs/talos/0.6.1/docs/data-sources/machine_configuration) | data source |
-| [talos_machine_configuration.worker_group](https://registry.terraform.io/providers/siderolabs/talos/0.6.1/docs/data-sources/machine_configuration) | data source |
+| [talos_client_configuration.this](https://registry.terraform.io/providers/siderolabs/talos/0.7.0/docs/data-sources/client_configuration) | data source |
+| [talos_machine_configuration.controlplane](https://registry.terraform.io/providers/siderolabs/talos/0.7.0/docs/data-sources/machine_configuration) | data source |
+| [talos_machine_configuration.worker_group](https://registry.terraform.io/providers/siderolabs/talos/0.7.0/docs/data-sources/machine_configuration) | data source |
 
 ### Inputs
 
@@ -113,7 +113,7 @@ module "talos" {
 | <a name="input_service_cidr"></a> [service\_cidr](#input\_service\_cidr) | The CIDR to use for services. | `string` | `"100.68.0.0/16"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | The set of tags to place on the cluster. | `map(string)` | n/a | yes |
 | <a name="input_talos_api_allowed_cidr"></a> [talos\_api\_allowed\_cidr](#input\_talos\_api\_allowed\_cidr) | The CIDR from which to allow to access the Talos API | `string` | `"0.0.0.0/0"` | no |
-| <a name="input_talos_version"></a> [talos\_version](#input\_talos\_version) | Talos version to use for the cluster, if not set, the newest Talos version. Check https://github.com/siderolabs/talos/releases for available releases. | `string` | `"v1.8.0"` | no |
+| <a name="input_talos_version"></a> [talos\_version](#input\_talos\_version) | Talos version to use for the cluster, if not set, the newest Talos version. Check https://github.com/siderolabs/talos/releases for available releases. | `string` | `"v1.9.1"` | no |
 | <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | The IPv4 CIDR block for the VPC. | `string` | `"10.0.0.0/16"` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC where to place the VMs. | `string` | n/a | yes |
 | <a name="input_worker_groups"></a> [worker\_groups](#input\_worker\_groups) | List of node worker node groups to create | <pre>list(object({<br/>    name               = string<br/>    instance_type      = optional(string, "m5.large")<br/>    config_patch_files = optional(list(string), [])<br/>    tags               = optional(map(string), {})<br/>  }))</pre> | <pre>[<br/>  {<br/>    "name": "default"<br/>  }<br/>]</pre> | no |

diff --git a/example/00-variables.tf b/example/00-variables.tf
@@ -67,13 +67,13 @@ variable "tags" {
 
 # talos module
 variable "talos_version" {
-  default     = "v1.8.0"
+  default     = "v1.9.1"
   description = "Talos version to use for the cluster, if not set the newest Talos version. Check https://github.com/siderolabs/talos/releases for available releases."
   type        = string
 }
 
 variable "kubernetes_version" {
-  default     = "1.31.1"
+  default     = "1.31.4"
   description = "Kubernetes version to use for the Talos cluster, if not set, the K8s version shipped with the selected Talos version will be used. Check https://www.talos.dev/latest/introduction/support-matrix/."
   type        = string
 }
@@ -116,7 +116,7 @@ variable "cilium_helm_chart" {
 }
 
 variable "cilium_helm_version" {
-  default     = "1.16.1"
+  default     = "1.16.5"
   description = "The version of the used Helm chart. Check https://github.com/cilium/cilium/releases to see available versions."
   type        = string
 }
@@ -171,7 +171,7 @@ variable "tetragon_tracingpolicy_directory" {
 }
 
 variable "tetragon_helm_version" {
-  default     = "1.2.0"
+  default     = "1.3.0"
   description = "The version of the Tetragon Helm chart to install."
   type        = string
 }
diff --git a/example/03-cilium-values.yaml b/example/03-cilium-values.yaml
@@ -30,6 +30,14 @@ kubeProxyReplacement: "true"
 k8sServiceHost: ${KUBE_APISERVER_HOST}
 k8sServicePort: ${KUBE_APISERVER_PORT}
 
+# BPF optimizations
+bpf:
+  masquerade: true
+  # Legacy host routing is required when Talos' forwardKubeDNSToHost is used
+  # together with Cilium's eBPF host-routing.
+  # See https://docs.cilium.io/en/latest/operations/performance/tuning/#ebpf-host-routing
+  hostLegacyRouting: true
+
 # -- Monitoring and Flow Visibility
 
 # Enable Cilium Hubble to gain visibility

diff --git a/example/README.md b/example/README.md
@@ -127,25 +127,25 @@ aws-delete-vpc -cluster-name <Name of your cluster>
 | <a name="input_cilium_helm_chart"></a> [cilium\_helm\_chart](#input\_cilium\_helm\_chart) | The name of the Helm chart to be used. The naming depends on the Helm repo naming on the local machine. | `string` | `"cilium/cilium"` | no |
 | <a name="input_cilium_helm_values_file_path"></a> [cilium\_helm\_values\_file\_path](#input\_cilium\_helm\_values\_file\_path) | Cilium values file | `string` | `"03-cilium-values.yaml"` | no |
 | <a name="input_cilium_helm_values_override_file_path"></a> [cilium\_helm\_values\_override\_file\_path](#input\_cilium\_helm\_values\_override\_file\_path) | Override Cilium values file | `string` | `""` | no |
-| <a name="input_cilium_helm_version"></a> [cilium\_helm\_version](#input\_cilium\_helm\_version) | The version of the used Helm chart. Check https://github.com/cilium/cilium/releases to see available versions. | `string` | `"1.16.1"` | no |
+| <a name="input_cilium_helm_version"></a> [cilium\_helm\_version](#input\_cilium\_helm\_version) | The version of the used Helm chart. Check https://github.com/cilium/cilium/releases to see available versions. | `string` | `"1.16.5"` | no |
 | <a name="input_cilium_namespace"></a> [cilium\_namespace](#input\_cilium\_namespace) | The namespace in which to install Cilium. | `string` | `"kube-system"` | no |
 | <a name="input_cluster_architecture"></a> [cluster\_architecture](#input\_cluster\_architecture) | Cluster architecture. Choose 'arm64' or 'amd64'. If you choose 'arm64', ensure to also override the control\_plane.instance\_type and worker\_groups.instance\_type with an ARM64-based instance type like 'm7g.large'. | `string` | `"amd64"` | no |
 | <a name="input_cluster_id"></a> [cluster\_id](#input\_cluster\_id) | The (Cilium) ID of the cluster. Must be unique for Cilium ClusterMesh and between 0-255. | `number` | `"1"` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name of the cluster. | `string` | `"talos-cute"` | no |
 | <a name="input_control_plane"></a> [control\_plane](#input\_control\_plane) | Info for control plane that will be created | <pre>object({<br/>    instance_type      = optional(string, "m5.large")<br/>    config_patch_files = optional(list(string), [])<br/>    tags               = optional(map(string), {})<br/>  })</pre> | `{}` | no |
 | <a name="input_disable_kube_proxy"></a> [disable\_kube\_proxy](#input\_disable\_kube\_proxy) | Whether to deploy Kube-Proxy or not. By default, KP shouldn't be deployed. | `bool` | `true` | no |
-| <a name="input_kubernetes_version"></a> [kubernetes\_version](#input\_kubernetes\_version) | Kubernetes version to use for the Talos cluster, if not set, the K8s version shipped with the selected Talos version will be used. Check https://www.talos.dev/latest/introduction/support-matrix/. | `string` | `"1.31.1"` | no |
+| <a name="input_kubernetes_version"></a> [kubernetes\_version](#input\_kubernetes\_version) | Kubernetes version to use for the Talos cluster, if not set, the K8s version shipped with the selected Talos version will be used. Check https://www.talos.dev/latest/introduction/support-matrix/. | `string` | `"1.31.4"` | no |
 | <a name="input_owner"></a> [owner](#input\_owner) | Owner for resource tagging | `string` | n/a | yes |
 | <a name="input_pod_cidr"></a> [pod\_cidr](#input\_pod\_cidr) | The CIDR to use for K8s Pods. Depending on if allocate\_node\_cidrs is set or not, it will either be configured on the controllerManager and assigned to Node resources or to CiliumNode CRs (in case Cilium runs with 'cluster-pool' IPAM mode). | `string` | `"100.64.0.0/14"` | no |
 | <a name="input_pre_cilium_install_script"></a> [pre\_cilium\_install\_script](#input\_pre\_cilium\_install\_script) | A script to be run before installing Cilium. | `string` | `""` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region in which to create the cluster. | `string` | n/a | yes |
 | <a name="input_service_cidr"></a> [service\_cidr](#input\_service\_cidr) | The CIDR to use for K8s Services | `string` | `"100.68.0.0/16"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | The set of tags to place on the created resources. These will be merged with the default tags defined via local.tags in 00-locals.tf. | `map(string)` | <pre>{<br/>  "platform": "talos",<br/>  "usage": "cute"<br/>}</pre> | no |
-| <a name="input_talos_version"></a> [talos\_version](#input\_talos\_version) | Talos version to use for the cluster, if not set the newest Talos version. Check https://github.com/siderolabs/talos/releases for available releases. | `string` | `"v1.8.0"` | no |
+| <a name="input_talos_version"></a> [talos\_version](#input\_talos\_version) | Talos version to use for the cluster, if not set the newest Talos version. Check https://github.com/siderolabs/talos/releases for available releases. | `string` | `"v1.9.1"` | no |
 | <a name="input_tetragon_helm_chart"></a> [tetragon\_helm\_chart](#input\_tetragon\_helm\_chart) | The name of the Helm chart to use to install Tetragon. It is assumed that the Helm repository containing this chart has been added beforehand (e.g. using 'helm repo add'). | `string` | `"cilium/tetragon"` | no |
 | <a name="input_tetragon_helm_values_file_path"></a> [tetragon\_helm\_values\_file\_path](#input\_tetragon\_helm\_values\_file\_path) | The path to the file containing the values to use when installing Tetragon. | `string` | `"04-tetragon-values.yaml"` | no |
 | <a name="input_tetragon_helm_values_override_file_path"></a> [tetragon\_helm\_values\_override\_file\_path](#input\_tetragon\_helm\_values\_override\_file\_path) | The path to the file containing the values to use when installing Tetragon. These values will override the ones in 'tetragon\_helm\_values\_file\_path'. | `string` | `""` | no |
-| <a name="input_tetragon_helm_version"></a> [tetragon\_helm\_version](#input\_tetragon\_helm\_version) | The version of the Tetragon Helm chart to install. | `string` | `"1.2.0"` | no |
+| <a name="input_tetragon_helm_version"></a> [tetragon\_helm\_version](#input\_tetragon\_helm\_version) | The version of the Tetragon Helm chart to install. | `string` | `"1.3.0"` | no |
 | <a name="input_tetragon_namespace"></a> [tetragon\_namespace](#input\_tetragon\_namespace) | The namespace in which to install Tetragon. | `string` | `"kube-system"` | no |
 | <a name="input_tetragon_tracingpolicy_directory"></a> [tetragon\_tracingpolicy\_directory](#input\_tetragon\_tracingpolicy\_directory) | Path to the directory where TracingPolicy files are stored which should automatically be applied. The directory can contain one or multiple valid TracingPoliciy YAML files. | `string` | `""` | no |
 | <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | The CIDR to use for the VPC. Currently it must be a /16 or /24. | `string` | `"10.0.0.0/16"` | no |