feat(cilium): loadbalancer mode default to dsr and allow configurability

Signed-off-by: Devin Buhl <[email protected]>
onedr0p · Oct 17, 2024 · 50b6f98 · 50b6f98
1 parent 7fb926c
commit 50b6f98
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 6 deletions.
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helm-values.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helm-values.yaml.j2
@@ -43,7 +43,7 @@ l2announcements:
   #% endif %#
 loadBalancer:
   algorithm: maglev
-  mode: snat
+  mode: "#{ bootstrap_loadbalancer_mode|default('dsr', true) }#"
 localRedirectPolicy: true
 operator:
   replicas: 1

diff --git a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2
@@ -30,7 +30,11 @@ spec:
         annotations:
           external-dns.alpha.kubernetes.io/hostname: "external.${SECRET_DOMAIN}"
           lbipam.cilium.io/ips: "#{ bootstrap_cloudflare.tunnel.ingress_vip }#"
+        #% if bootstrap_loadbalancer_mode in ['dsr']  %#
         externalTrafficPolicy: Cluster
+        #% else %#
+        externalTrafficPolicy: Local
+        #% endif %#
       ingressClassResource:
         name: external
         default: false

diff --git a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2
@@ -27,7 +27,11 @@ spec:
       service:
         annotations:
           lbipam.cilium.io/ips: "#{ bootstrap_cloudflare.ingress_vip }#"
+        #% if bootstrap_loadbalancer_mode in ['dsr']  %#
         externalTrafficPolicy: Cluster
+        #% else %#
+        externalTrafficPolicy: Local
+        #% endif %#
       ingressClassResource:
         name: internal
         default: true

diff --git a/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2
@@ -29,5 +29,9 @@ spec:
       port: 53
       annotations:
         lbipam.cilium.io/ips: "#{ bootstrap_cloudflare.gateway_vip }#"
+      #% if bootstrap_loadbalancer_mode in ['dsr']  %#
       externalTrafficPolicy: Cluster
+      #% else %#
+      externalTrafficPolicy: Local
+      #% endif %#
     watchedResources: ["Ingress", "Service"]
diff --git a/config.sample.yaml b/config.sample.yaml
@@ -25,7 +25,7 @@ bootstrap_node_inventory: []
     #   schematic_id: ""    # (Optional) Override the 'bootstrap_schematic_id' with a node specific schematic ID from https://factory.talos.dev/
     #   mtu: ""             # (Optional) MTU for the NIC, default is 1500
     #   manifests:          # (Optional) Additional manifests to include after MachineConfig
-    #     - extra.yaml      #            See: https://www.talos.dev/v1.7/reference/configuration/extensions/extensionserviceconfig/
+    #     - extra.yaml      #            Ref: https://www.talos.dev/v1.7/reference/configuration/extensions/extensionserviceconfig/
     #   extension_services: # (Optional) Additional talhelper ExtensionServices (supports talenv.sops.yaml envsubst)
     #     - name: name
     #       configFiles:
@@ -75,7 +75,7 @@ bootstrap_tls_sans: []
 bootstrap_node_default_gateway: ""
 
 # (Optional) Add vlan tag to network master device, leave blank if you tag ports on your switch instead
-#   See: https://www.talos.dev/latest/advanced/advanced-networking/#vlans
+#   Ref: https://www.talos.dev/latest/advanced/advanced-networking/#vlans
 bootstrap_vlan: ""
 
 # (Required) Age Public Key (e.g. age1...)
@@ -86,7 +86,7 @@ bootstrap_sops_age_pubkey: ""
 
 # (Optional) Use cilium BGP control plane when L2 announcements won't traverse VLAN network segments.
 #   Needs a BGP capable router setup with the node IPs as peers.
-#   See: https://docs.cilium.io/en/latest/network/bgp-control-plane/
+#   Ref: https://docs.cilium.io/en/latest/network/bgp-control-plane/
 bootstrap_bgp:
   enabled: false
   # (Optional) If using multiple BGP peers add them here.
@@ -105,12 +105,17 @@ bootstrap_bgp:
 # (Optional) Secureboot and TPM-based disk encryption
 bootstrap_secureboot:
   # (Optional) Enable secureboot on UEFI systems. Not supported on x86 platforms in BIOS mode.
-  #   See: https://www.talos.dev/latest/talos-guides/install/bare-metal-platforms/secureboot
+  #   Ref: https://www.talos.dev/latest/talos-guides/install/bare-metal-platforms/secureboot
   enabled: false
   # (Optional) Enable TPM-based disk encryption. Requires TPM 2.0
-  #   See: https://www.talos.dev/v1.6/talos-guides/install/bare-metal-platforms/secureboot/#disk-encryption-with-tpm
+  #   Ref: https://www.talos.dev/v1.6/talos-guides/install/bare-metal-platforms/secureboot/#disk-encryption-with-tpm
   encrypt_disk_with_tpm: false
 
+# (Optional) Change Cilium load balancer mode
+#  Default is "dsr" (Direct Server Return)
+#  Ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/
+bootstrap_loadbalancer_mode: ""
+
 #
 # 2. (Required) Flux details - Flux is used to manage the cluster configuration.
 #