From 50b6f98dd77e7282acfc60e89535791518dc3ed0 Mon Sep 17 00:00:00 2001
From: Devin Buhl
Date: Thu, 17 Oct 2024 08:44:35 -0400
Subject: [PATCH] feat(cilium): loadbalancer mode default to dsr and allow configurability
Signed-off-by: Devin Buhl
---
 .../kube-system/cilium/app/helm-values.yaml.j2 | 2 +-
 .../ingress-nginx/external/helmrelease.yaml.j2 | 4 ++++
 .../ingress-nginx/internal/helmrelease.yaml.j2 | 4 ++++
 .../network/k8s-gateway/app/helmrelease.yaml.j2 | 4 ++++
 config.sample.yaml | 15 ++++++++++-----
 5 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helm-values.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helm-values.yaml.j2
index 59c31e70bde..74594022465 100644
--- a/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helm-values.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helm-values.yaml.j2
@@ -43,7 +43,7 @@ l2announcements:
 #% endif %#
 loadBalancer:
 algorithm: maglev
- mode: snat
+ mode: "#{ bootstrap_loadbalancer_mode|default('dsr', true) }#"
 localRedirectPolicy: true
 operator:
 replicas: 1
diff --git a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2
index badf93cb1b8..fe74b145413 100644
--- a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2
@@ -30,7 +30,11 @@ spec:
 annotations:
 external-dns.alpha.kubernetes.io/hostname: "external.${SECRET_DOMAIN}"
 lbipam.cilium.io/ips: "#{ bootstrap_cloudflare.tunnel.ingress_vip }#"
+ #% if bootstrap_loadbalancer_mode in ['dsr'] %#
 externalTrafficPolicy: Cluster
+ #% else %#
+ externalTrafficPolicy: Local
+ #% endif %#
 ingressClassResource:
 name: external
 default: false
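Review bot: The rendered `mode` value is handed to Cilium unvalidated, so a typo in `bootstrap_loadbalancer_mode` only surfaces when the agent rejects its configuration, while the `in ['dsr']` checks in the ingress and gateway templates would silently treat the same typo as "not dsr" and pick `Local`. Cilium's `loadBalancer.mode` accepts `snat`, `dsr` and `hybrid`; a short comment above the key such as `# one of snat | dsr | hybrid; an empty value resolves to dsr via default('dsr', true)` would at least make the contract visible, and a template-time check against that set would make a bad value fail the render instead of the rollout. Note that the second argument `true` to `default` is what makes the sample's empty string resolve to `dsr`, not only an undefined variable. DSR also has datapath prerequisites (native routing, or Geneve dispatch when tunnelling) and means reply traffic leaves the backend node directly rather than through the node that accepted the request, which stateful filtering between nodes and clients must tolerate; the `routingMode`/`tunnelProtocol` keys of this values file are outside the hunk, so confirm they are compatible before `dsr` becomes the default.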
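Review bot: The condition `#% if bootstrap_loadbalancer_mode in ['dsr'] %#` tests the raw variable, whereas the Cilium values template applies `default('dsr', true)`, so with the shipped sample value `bootstrap_loadbalancer_mode: ""` Cilium runs in DSR but this Service renders `externalTrafficPolicy: Local` — the opposite of what the branch intends. Using the same defaulted expression here, `#% if bootstrap_loadbalancer_mode|default('dsr', true) == 'dsr' %#`, keeps both templates keyed on the effective mode; the identical condition appears in the internal ingress-nginx and k8s-gateway hunks and needs the same change. This matters operationally because under `Local` the Service only accepts traffic on nodes that host a controller pod, and under `Cluster` without DSR the client source IP seen by the controller is the forwarding node's, which affects any logging or allowlisting keyed on it. As written, `hybrid` also falls to `Local`; decide whether that is intended and say so in the comment on the option. The enclosing Helm values block starts outside the hunk.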
diff --git a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2
index 074d0727f87..b69d23119eb 100644
--- a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2
@@ -27,7 +27,11 @@ spec:
 service:
 annotations:
 lbipam.cilium.io/ips: "#{ bootstrap_cloudflare.ingress_vip }#"
+ #% if bootstrap_loadbalancer_mode in ['dsr'] %#
 externalTrafficPolicy: Cluster
+ #% else %#
+ externalTrafficPolicy: Local
+ #% endif %#
 ingressClassResource:
 name: internal
 default: true
diff --git a/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2
index 6c205b095be..8d65c19bc5e 100644
--- a/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2
@@ -29,5 +29,9 @@ spec:
 port: 53
 annotations:
 lbipam.cilium.io/ips: "#{ bootstrap_cloudflare.gateway_vip }#"
+ #% if bootstrap_loadbalancer_mode in ['dsr'] %#
 externalTrafficPolicy: Cluster
+ #% else %#
+ externalTrafficPolicy: Local
+ #% endif %#
 watchedResources: ["Ingress", "Service"]
diff --git a/config.sample.yaml b/config.sample.yaml
index fae981d5a86..052f2234ae1 100644
--- a/config.sample.yaml
+++ b/config.sample.yaml
@@ -25,7 +25,7 @@ bootstrap_node_inventory: []
 # schematic_id: "" # (Optional) Override the 'bootstrap_schematic_id' with a node specific schematic ID from https://factory.talos.dev/
 # mtu: "" # (Optional) MTU for the NIC, default is 1500
 # manifests: # (Optional) Additional manifests to include after MachineConfig
- # - extra.yaml # See: https://www.talos.dev/v1.7/reference/configuration/extensions/extensionserviceconfig/
+ # - extra.yaml # Ref: https://www.talos.dev/v1.7/reference/configuration/extensions/extensionserviceconfig/
 # extension_services: # (Optional) Additional talhelper ExtensionServices (supports talenv.sops.yaml envsubst)
 # - name: name
 # configFiles:
@@ -75,7 +75,7 @@ bootstrap_tls_sans: []
 bootstrap_node_default_gateway: ""

 # (Optional) Add vlan tag to network master device, leave blank if you tag ports on your switch instead
-# See: https://www.talos.dev/latest/advanced/advanced-networking/#vlans
+# Ref: https://www.talos.dev/latest/advanced/advanced-networking/#vlans
 bootstrap_vlan: ""

 # (Required) Age Public Key (e.g. age1...)
@@ -86,7 +86,7 @@ bootstrap_sops_age_pubkey: ""

 # (Optional) Use cilium BGP control plane when L2 announcements won't traverse VLAN network segments.
 # Needs a BGP capable router setup with the node IPs as peers.
-# See: https://docs.cilium.io/en/latest/network/bgp-control-plane/
+# Ref: https://docs.cilium.io/en/latest/network/bgp-control-plane/
 bootstrap_bgp:
 enabled: false
 # (Optional) If using multiple BGP peers add them here.
@@ -105,12 +105,17 @@ bootstrap_bgp:
 # (Optional) Secureboot and TPM-based disk encryption
 bootstrap_secureboot:
 # (Optional) Enable secureboot on UEFI systems. Not supported on x86 platforms in BIOS mode.
- # See: https://www.talos.dev/latest/talos-guides/install/bare-metal-platforms/secureboot
+ # Ref: https://www.talos.dev/latest/talos-guides/install/bare-metal-platforms/secureboot
 enabled: false
 # (Optional) Enable TPM-based disk encryption. Requires TPM 2.0
- # See: https://www.talos.dev/v1.6/talos-guides/install/bare-metal-platforms/secureboot/#disk-encryption-with-tpm
+ # Ref: https://www.talos.dev/v1.6/talos-guides/install/bare-metal-platforms/secureboot/#disk-encryption-with-tpm
 encrypt_disk_with_tpm: false

+# (Optional) Change Cilium load balancer mode
+# Default is "dsr" (Direct Server Return)
+# Ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/
+bootstrap_loadbalancer_mode: ""
+
 #
 # 2. (Required) Flux details - Flux is used to manage the cluster configuration.
 #
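Review bot: The comment on the new `bootstrap_loadbalancer_mode` key names the default but not the accepted values, so a reader of the sample cannot tell what else may go here or that an empty string means "use the default"; suggest adding `# Options: "dsr" (default), "snat", "hybrid"; leave empty to use the default` above the key. Cilium's `loadBalancer.mode` accepts exactly those three values. Since the ingress and k8s-gateway templates in this same patch switch `externalTrafficPolicy` on this value, a sentence saying that choosing a non-DSR mode also changes how client source IPs reach those Services would save users a surprise.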