Cilium sysext

create_cilium_sysext.sh

@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+export ARCH="${ARCH-x86-64}"
+SCRIPTFOLDER="$(dirname "$(readlink -f "$0")")"
+
+if [ $# -lt 2 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+  echo "Usage: $0 VERSION SYSEXTNAME"
+  echo "The script will download cilium release binaries (e.g., for v0.16.24) and create a sysext squashfs image with the name SYSEXTNAME.raw in the current folder."
+  echo "A temporary directory named SYSEXTNAME in the current folder will be created and deleted again."
+  echo "All files in the sysext image will be owned by root."
+  echo "To use arm64 pass 'ARCH=arm64' as environment variable (current value is '${ARCH}')."
+  "${SCRIPTFOLDER}"/bake.sh --help
+  exit 1
+fi
+
+VERSION="$1"
+SYSEXTNAME="$2"
+
+if [ "${ARCH}" = "x86_64" ] || [ "${ARCH}" = "x86-64" ]; then
+  ARCH="amd64"
+elif [ "${ARCH}" = "aarch64" ]; then
+  ARCH="arm64"
+fi
+
+VERSION="v${VERSION#v}"
+
+TARBALL="cilium-linux-${ARCH}.tar.gz"
+SHASUM="${TARBALL}.sha256sum"
+
+TARBALL_URL="https://github.com/cilium/cilium-cli/releases/download/${VERSION}/${TARBALL}"
+SHASUM_URL="https://github.com/cilium/cilium-cli/releases/download/${VERSION}/${SHASUM}"
+
+rm -rf "${SYSEXTNAME}"
+
+TMP_DIR="${SYSEXTNAME}/tmp"
+mkdir -p "${TMP_DIR}"
+
+curl --parallel --fail --silent --show-error --location \
+  --output "${TMP_DIR}/${TARBALL}" "${TARBALL_URL}" \
+  --output "${TMP_DIR}/${SHASUM}" "${SHASUM_URL}"
+
+pushd "${TMP_DIR}" > /dev/null
+grep "${TARBALL}$" "${SHASUM}" | sha256sum -c -
+popd  > /dev/null
+
+mkdir -p "${SYSEXTNAME}/usr/local/bin"
+
+tar --force-local -xf "${TMP_DIR}/${TARBALL}" -C "${SYSEXTNAME}/usr/local/bin"
+chmod +x "${SYSEXTNAME}/usr/local/bin/cilium"
+
+mkdir -p "${SYSEXTNAME}/usr/lib/systemd/system"
+cat > "${SYSEXTNAME}/usr/lib/systemd/system/cilium.service" <<-'EOF'
+[Unit]
+Description=Install cilium to running k8s cluster
+Documentation=https://docs.cilium.io/en/stable
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Environment=KUBECONFIG='/home/core/.kube/config'
+ExecStart=/opt/bin/cilium install ${CILIUM_INSTALL_ARGS}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+mkdir -p "${SYSEXTNAME}"/usr/lib/systemd/system/multi-user.target.d
+{ echo "[Unit]"; echo "Upholds=cilium.service"; } > "${SYSEXTNAME}"/usr/lib/systemd/system/multi-user.target.d/10-cilium.conf
+
+rm -rf "${TMP_DIR}"
+
+RELOAD=1 "${SCRIPTFOLDER}"/bake.sh "${SYSEXTNAME}"
+rm -rf "${SYSEXTNAME}"

docs/cilium.md

@@ -0,0 +1,57 @@
+# Cilium sysext
+
+This sysext ships the [Cilium CLI](https://github.com/cilium/cilium-cli).
+
+This sysext includes a service unit file to start cilium at boot.
+
+## Usage
+
+Download and merge the sysext at provisioning time using the below butane
+snippet.  Additional install flags can be passed to cilium using the
+CILIUM_INSTALL_ARGS environment variable.
+
+The snippet includes automated updates via systemd-sysupdate.
+Sysupdate will stage updates and request a reboot by creating a flag file at `/run/reboot-required`.
+You can deactivate updates by changing `enabled: true` to `enabled: false` in `systemd-sysupdate.timer`.
+
+```yaml
+variant: flatcar
+version: 1.1.0
+
+storage:
+  files:
+    - path: /opt/extensions/cilium/cilium-v0.16.24-x86-64.raw
+      contents:
+        source: https://github.com/flatcar/sysext-bakery/releases/download/latest/cilium-v0.16.24-x86-64.raw
+    - path: /etc/sysupdate.cilium.d/cilium.conf
+      contents:
+        source: https://github.com/flatcar/sysext-bakery/releases/download/latest/clium.conf
+    - path: /etc/sysupdate.d/noop.conf
+      contents:
+        source: https://github.com/flatcar/sysext-bakery/releases/download/latest/noop.conf
+  links:
+    - target: /opt/extensions/cilium/cilium-v0.16.24-x86-64.raw
+      path: /etc/extensions/cilium.raw
+      hard: false
+
+systemd:
+  units:
+    - name: ollama.service
+      enabled: true
+      dropins:
+        - name: 10-cilium-env-override.conf
+          contents: |
+            [Service]
+            Environment=CILIUM_INSTALL_ARGS="--set kubeProxyReplacement=true --namespace=kube-system"
+    - name: systemd-sysupdate.timer
+      enabled: true
+    - name: systemd-sysupdate.service
+      dropins:
+        - name: cilium.conf
+          contents: |
+            [Service]
+            ExecStartPre=/usr/bin/sh -c "readlink --canonicalize /etc/extensions/cilium.raw > /tmp/cilium"
+            ExecStartPre=/usr/lib/systemd/systemd-sysupdate -C cilium update
+            ExecStartPost=/usr/bin/sh -c "readlink --canonicalize /etc/extensions/cilium.raw > /tmp/cilium-new"
+            ExecStartPost=/usr/bin/sh -c "if ! cmp --silent /tmp/cilium /tmp/cilium-new; then touch /run/reboot-required; fi"
+```

docs/index.md

@@ -45,6 +45,7 @@ Check out the README files of specific extensions for detailed usage instruction
 |    Extension     | Availability | Documentation |
 | ---------------- | ------------ | ------------- |
 | `crio`           |  released    | [crio.md](docs/crio.md) |
+| `cilium`         |  released    | [cilium.md](docs/cilium.md) |
 | `docker`         |  released    | [docker.md](docs/docker.md) |
 | `docker_compose` |  released    | [docker_compose.md](docs/docker_compose.md) |
 | `falco`          |  released    | [falco.md](docs/falco.md) |

release_build_versions.txt

@@ -37,3 +37,5 @@ containerd-2.0.0
 wasmedge-0.14.1
 
 llamaedge-0.14.16
+
+cilium-v0.16.24