fix(sol): update cilium config

Signed-off-by: Tyler Witlin <twitlin@witl.xyz>
coolguy1771 · Feb 7, 2024 · 2725bde · 2725bde
1 parent 7eba5b8
commit 2725bde
Showing 1 changed file with 78 additions and 50 deletions.
diff --git a/kubernetes/sol/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/sol/apps/kube-system/cilium/app/helmrelease.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
 apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
@@ -14,6 +14,7 @@ spec:
         kind: HelmRepository
         name: cilium
         namespace: flux-system
+  maxHistory: 2
   install:
     remediation:
       retries: 3
@@ -24,48 +25,42 @@ spec:
   uninstall:
     keepHistory: false
   values:
+    securityContext:
+      privileged: true
     autoDirectNodeRoutes: true
-    bandwidthManager:
+    annotateK8sNode: true
+    routingMode: native
+    enableRuntimeDeviceDetection: true
+    endpointRoutes:
       enabled: true
-      bbr: true
-    bpf:
-      masquerade: true
-    bgp:
-      enabled: false
     cluster:
-      name: sol
       id: 2
+      name: sol
+    pmtuDiscovery:
+      enabled: true
+    bpf:
+      clockProbe: true
+      masquerade: true
+      tproxy: true
     containerRuntime:
       integration: containerd
       socketPath: /var/run/k3s/containerd/containerd.sock
-    endpointRoutes:
-      enabled: true
     nodePort:
       enabled: true
     enableCiliumEndpointSlice: true
     enableK8sEndpointSlice: true
     enableIdentityMark: true
     ingressController:
       enabled: false
+    gatewayAPI:
+      enabled: false
     bgpControlPlane:
       enabled: true
-    ipam:
-      mode: kubernetes
-    ipv4NativeRoutingCIDR: 10.143.0.0/16
-    k8sServiceHost: 10.10.10.50
-    k8sServicePort: 6443
-    kubeProxyReplacement: true
-    kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
     l2announcements:
-      enabled: true
+      enabled: false
       leaseDuration: 120s
       leaseRenewDeadline: 60s
       leaseRetryPeriod: 1s
-    loadBalancer:
-      algorithm: maglev
-      mode: dsr
-      serviceTopology: true
-    localRedirectPolicy: true
     hubble:
       enabled: true
       metrics:
@@ -77,51 +72,84 @@ spec:
           - icmp
           - "flow:sourceContext=workload-name|reserved-identity;destinationContext=workload-name|reserved-identity"
           - "httpV2:exemplars=true;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction;sourceContext=workload-name|reserved-identity;destinationContext=workload-name|reserved-identity"
-        serviceMonitor:
-          enabled: true
+        enableOpenMetrics: true
         dashboards:
+          enabled: false
+      tls:
+        enabled: true
+        auto:
           enabled: true
-          annotations:
-            grafana_folder: Cilium
+          method: helm
       relay:
         enabled: true
         rollOutPods: true
-        prometheus:
-          serviceMonitor:
-            enabled: true
+        replicas: 1
+      prometheus:
+        enabled: true
+        serviceMonitor:
+          enabled: false
       ui:
         enabled: true
         rollOutPods: true
         replicas: 1
+        backend:
+          image:
+            repository: "quay.io/cilium/hubble-ui-backend"
+            tag: v0.12.3
+        frontend:
+          image:
+            repository: "quay.io/cilium/hubble-ui"
+            tag: "v0.12.3"
         ingress:
           enabled: true
+          annotations:
+            cert-manager.io/cluster-issuer: letsencrypt-production
+            ingress.home.arpa/nginx-internal: allow
           className: internal
           hosts:
             - &host hubble.286k.co
           tls:
             - hosts:
                 - *host
+              secretName: hubble-tls
+    rollOutCiliumPods: true
+    externalIPs:
+      enabled: true
+    hostFirewall:
+      enabled: true
+    hostPort:
+      enabled: true
+    socketLB:
+      enabled: true
+    wellKnownIdentities:
+      enabled: true
+    enableCnpStatusUpdates: true
+    endpointStatus:
+      enabled: true
+      status: "policy"
+    ipam:
+      mode: kubernetes
+    ipv4NativeRoutingCIDR: "10.142.0.0/16"
+    monitor:
+      enabled: false
+    prometheus:
+      enabled: true
+    tunnel: disabled
     operator:
-      replicas: 1
+      enabled: true
       rollOutPods: true
+      replicas: 2
       prometheus:
         enabled: true
-        serviceMonitor:
-          enabled: true
-      dashboards:
-        enabled: true
-        annotations:
-          grafana_folder: Cilium
-    prometheus:
-      enabled: true
-      serviceMonitor:
-        enabled: true
-        trustCRDsExist: true
-    dashboards:
-      enabled: false
-      annotations:
-        grafana_folder: Cilium
-    rollOutCiliumPods: true
-    securityContext:
-      privileged: true
-    tunnel: disabled
+    loadBalancer:
+      algorithm: maglev
+      mode: dsr
+      serviceTopology: true
+    l7Proxy: true
+    localRedirectPolicy: true
+    k8sServiceHost: 127.0.0.1
+    k8sServicePort: 6444
+    kubeProxyReplacement: true
+    kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
+    logOptions:
+      format: json