k8s/02-k8s/infra/network/cilium/values.yaml

# https://github.com/cilium/cilium/blob/main/install/kubernetes/cilium/values.yaml
cluster:
  name: talos
  id: 1

kubeProxyReplacement: true

# Talos specific
k8sServiceHost: localhost
k8sServicePort: 7445
securityContext:
  capabilities:
    ciliumAgent: [ CHOWN, KILL, NET_ADMIN, NET_RAW, IPC_LOCK, SYS_ADMIN, SYS_RESOURCE, DAC_OVERRIDE, FOWNER, SETGID, SETUID ]
    cleanCiliumState: [ NET_ADMIN, SYS_ADMIN, SYS_RESOURCE ]

cgroup:
  autoMount:
    enabled: false
  hostRoot: /sys/fs/cgroup

bpf:
  lbExternalClusterIP: true
# https://www.talos.dev/latest/talos-guides/network/host-dns/#forwarding-kube-dns-to-host-dns
# https://docs.cilium.io/en/stable/operations/performance/tuning/#ebpf-host-routing
#   hostLegacyRouting: true

# https://docs.cilium.io/en/stable/network/concepts/ipam/
ipam:
  mode: kubernetes

# k8s:
#   requireIPv4PodCIDR: true
#   requireIPv6PodCIDR: false

ipv4:
  enabled: true
ipv6:
  enabled: false

# Avoid encapsulation for direct access
routingMode: native

#Route distribution gets managed by BGP
bgpControlPlane:
  enabled: true

# enable instead of bgpControlPlane
# l2announcements:
#   enabled: false
# externalIPs:
#   enabled: false

# Only BGP manages the routes
# auto-direct-node-routes: true
# direct-routing-skip-unreachable: true
# The whole internet is directly reachable from each pod
# ipv6-native-routing-cidr: ::/0
ipv4-native-routing-cidr: 10.0.0.0/8

# Disabling DNAT
enableIPv4Masquerade: false
enableIPv6Masquerade: false

enableIPv6BIGTCP: true

bandwidthManager:
  enabled: true
  bbr: true

#debug:
#  enabled: true

operator:
  rollOutPods: true
  prometheus:
    metricsService: true
    enabled: true
    port: 9963
    serviceMonitor:
      enabled: true
  dashboards:
    enabled: true
  resources:
    limits:
      cpu: 500m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 128Mi

# Roll out cilium agent pods automatically when ConfigMap is updated.
rollOutCiliumPods: true
resources:
  limits:
    cpu: 1000m
    memory: 1Gi
  requests:
    cpu: 200m
    memory: 512Mi

# Increase rate limit when doing L2 announcements
k8sClientRateLimit:
  qps: 20
  burst: 100

loadBalancer:
  # https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/#maglev-consistent-hashing
  algorithm: maglev

gatewayAPI:
  enabled: true
  enableAlpn: true
  enableAppProtocol: true

envoy:
  prometheus:
    enabled: true
    port: "9964"
    serviceMonitor:
      enabled: true
  securityContext:
    capabilities:
      keepCapNetBindService: true
      envoy: [ NET_ADMIN, PERFMON, BPF ]

hubble:
  enabled: true
  metrics:
    enabled:
      - dns
      - drop
      - tcp
      - flow
      - port-distribution
      - icmp
      - "httpV2:exemplars=true;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction;sourceContext=workload-name|reserved-identity;destinationContext=workload-name|reserved-identity"
    enableOpenMetrics: true
    port: 9965
    serviceMonitor:
      enabled: true
    dashboards:
      enabled: true
  relay:
    enabled: true
    rollOutPods: true
    prometheus:
      enabled: true
      port: 9966
      serviceMonitor:
        enabled: true
  ui:
    enabled: true
    rollOutPods: true

ingressController: { enabled: false }

clustermesh:
  apiserver:
    metrics:
      enabled: true
      port: 9962
      serviceMonitor:
        enabled: true

# mTLS
authentication:
  enabled: false
  mutual:
    spire:
      enabled: false
      install:
        server:
          dataStorage:
            storageClass: cilium-spire-sc

prometheus:
  metricsService: true
  enabled: true
  port: 9962
  serviceMonitor:
    enabled: true
    trustCRDsExist: true

dashboards:
  enabled: true