From f62e36b5af14732a71246ac20f1ce50a24280e2c Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Mon, 29 Dec 2025 17:00:23 -0500
Subject: [PATCH] Enable ipv4 and tunnel routing.
---
 nix/kubernetes/README.org | 21 ++++++----
 .../files/manifests/cilium.yaml | 39 +++++++++----------
 .../roles/kube_apiserver/default.nix | 2 +-
 .../roles/kube_controller_manager/default.nix | 4 +-
 nix/kubernetes/roles/kube_proxy/default.nix | 4 +-
 5 files changed, 37 insertions(+), 33 deletions(-)
diff --git a/nix/kubernetes/README.org b/nix/kubernetes/README.org
index f5d38e29..8e103f3a 100644
--- a/nix/kubernetes/README.org
+++ b/nix/kubernetes/README.org
@@ -23,14 +23,16 @@
 --set k8sServiceHost="2620:11f:7001:7:ffff:ffff:ad7:1dd" \
 --set k8sServicePort=6443 \
 --set ipv6.enabled=true \
- --set ipv4.enabled=false \
- --set enableIPv4BIGTCP=false \
- --set enableIPv6BIGTCP=true \
- --set routingMode=native \
- --set ipv4NativeRoutingCIDR=10.0.0.0/8 \
- --set ipv6NativeRoutingCIDR=fd00::/100
+ --set ipv4.enabled=true
+ # --set enableIPv6Masquerade=false
+ # --set enableIPv4BIGTCP=true \
+ # --set enableIPv6BIGTCP=true
+ # --set routingMode=native \
+ # --set ipv4NativeRoutingCIDR=10.0.0.0/8 \
+ # --set ipv6NativeRoutingCIDR=fd00::/100
- kubectl -n kube-system exec ds/cilium -- cilium-dbg status --verbose
+ kubec
+ tl -n kube-system exec ds/cilium -- cilium-dbg status --verbose
 kubectl -n kube-system exec ds/cilium -- cilium-dbg status | grep KubeProxyReplacement
 # --set hostFirewall.enabled=true
@@ -40,6 +42,11 @@
 # --set ipv6-native-routing-cidr=fd00::/100
 # --set 'ipam.operator.clusterPoolIPv4PodCIDRList=["10.0.0.0/8"]' \
 # --set 'ipam.operator.clusterPoolIPv6PodCIDRList=["fd00::/100"]' \
+
+
+ # --set encryption.enabled=true \
+ # --set encryption.type=wireguard
+ # --set encryption.nodeEncryption=true
 #+end_src
 ** Install flux
 #+begin_src bash
diff --git a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/cilium.yaml b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/cilium.yaml
index 2113b65f..84251696 100644
--- a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/cilium.yaml
+++ b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/cilium.yaml
@@ -36,8 +36,8 @@ metadata: name: cilium-ca namespace: kube-system data: - ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ5Z0F3SUJBZ0lSQVBxa2tMQ3FLbm5tTThxWXczTW1Xakl3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkxTVRJeU9USXdOVEF4TlZvWERUSTRNVEl5T0RJdwpOVEF4TlZvd0ZERVNNQkFHQTFVRUF4TUpRMmxzYVhWdElFTkJNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUFxc0cvUjI4bHF4Z0JCRDYrdllrL3JPMk1xRTYvZGMxaDROZlEvK2RPM01NeGVpM0gKbXk1eVVXRXg1QWVCaCtzUGhTVGd1L1lrUkJWVDFDS3VtbVNiZE5VdkRRN3Rwc2pPNWQ4YjdObUhqb0Yya25OcQorVVc1MGF0a0M1dVpjR1dEekdaU0kyNElTdVl6Qnd3VzVoSklvNDUzQ21Zd3pJSlVaZWEzam1EQWQ2QUswMnNxCjViRzNuVkpNSHcyNlJQNUJuZWJaQS82dWZlNFlCcDIxR1dvT2gzcERhR0NSS2FRRkpyT0VGSU41aFJYRHJJN1MKUmh3TVNYSVFLallDL0NHNTkrV3FEemhTSTdtMHAyWGRPODU4SEpxL3hSemVrUmZtRkhlcEErNFVTWWZoRUZCUgpRcTV5Z0w4TDZNZEZ5QnU3TXNlMzVxZ3kvMFd6a21uamthUkk2d0lEQVFBQm8yRXdYekFPQmdOVkhROEJBZjhFCkJBTUNBcVF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdIUVlEVlIwT0JCWUVGRkx0ZUlCVW9PTFZ6K1dRZWxzWkNFVTIyYVFQTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQ1ZVeW8rTDAyQUJybUIvRUU0V3lmVkFBOWxjeEFYQ0w2QVFzUGpBcGl5QkwrWWFvNkQrN09uCkJCUTRsRklrMFAxbXViOU1OS2xnMTRPcmVCMDhVYkJ3Mm1uYzh5Uk1keERuUjdpVzAwSXJramtkM0Mzc2FLWG4Kcmp2V3dIdzZDcThVUzhZNFMxZjIyUlNNT1h5dE8yd29SenF1UDBYWmtzVUFoeXNTMnVGS1RtQlN1SXNzWWtwRQoxeGhQY1dScUwxRUt3MHRYUHQ4QnhpOGlyckpTeHFHU0pwdTFRVWNra05ISHV2SlNGRXZPZXZPTGJydVRiZmNBCnRDd3p3am1aQVo3clFPMGR5NFNDZ0ppdlhsMktDODRGQ0JvcVkyaVl5d2pubFRzSHMwRnNGSmFsWGtjczhkdzEKUkF6VmZQek54OCtkUFBobGNqdkh3Y1lqT25tdFJqaFAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= - ca.key: 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBcXNHL1IyOGxxeGdCQkQ2K3ZZay9yTzJNcUU2L2RjMWg0TmZRLytkTzNNTXhlaTNICm15NXlVV0V4NUFlQmgrc1BoU1RndS9Za1JCVlQxQ0t1bW1TYmROVXZEUTd0cHNqTzVkOGI3Tm1Iam9GMmtuTnEKK1VXNTBhdGtDNXVaY0dXRHpHWlNJMjRJU3VZekJ3d1c1aEpJbzQ1M0NtWXd6SUpVWmVhM2ptREFkNkFLMDJzcQo1YkczblZKTUh3MjZSUDVCbmViWkEvNnVmZTRZQnAyMUdXb09oM3BEYUdDUkthUUZKck9FRklONWhSWERySTdTClJod01TWElRS2pZQy9DRzU5K1dxRHpoU0k3bTBwMlhkTzg1OEhKcS94Unpla1JmbUZIZXBBKzRVU1lmaEVGQlIKUXE1eWdMOEw2TWRGeUJ1N01zZTM1cWd5LzBXemttbmprYVJJNndJREFRQUJBb0lCQUFRa05kVHdNNnd1SlZ3cQpmMnJPYU41elZuMkFoM0UrZlhpOEUwUVpvcGFGSDI2VXJLb3RXclZ4azRteHl1ajJnUVpjS2gwMDc1VTlKUzdZCmRuNmxJUVlZNDQ3QUJYQ05uME1CQWNiaFVjSFpqdnduVTNsZlFRMytSNnRtWnpiTUo0R3VHNkRqV3MwaVB5dVYKRmZzWGgyNThGcFFJZlhlQVU3YXkvVkcxTkFYU3NEb25qZE01c1d1dkhYTDJTeFVQQjJBa1ZHek1ENEg2ZzZQSQpBOC94ekdTOHRQYnF0eGhaYW1Nbk9pN1BId0hLZDNWajJBTHh3ZEcyZ0tWVFhBNzNkQ2pWekN4dXJiZVJVWEIvCjhpam5jeEVBMFovY3Vzb3g1RENNUDUrd1prM2xlSjFaMWg3WW9MVFVmUldWL25KU244RDFhUVlRUmZXSGQ4NE4KWnVndDFia0NnWUVBeVBDb3psdkZmVmNkS0orYmtqa3o3bGN3bmhZRWpkTEswdkRUaFp5WUkzMTdiS3hHK28wSQplSDVWd21zRjFXUm9KYmZxYzFIN25nczFVUVp1ZnJvSko4TzJVZkp6YW9YdjIxMUswRVVNOCsvSFR6Q3ZwZDlhCmUvVElEVGlvUE1YRzEwOENDQ0l2aUM5NzBpWHMyajRuY3dKb2ZVZVBXdGZ3ek1vdStwN0dtV2tDZ1lFQTJZdlMKMzRONlFaOUVMUkY4Uzc1M0VjZHhtL0lxdDd2TnVzVW41OUxqR01ZRFpYM25MUEt3MmZRMG9nSXZKODVOUThsdQpIRTluRjVsc21uSkxNd2h2aFlPc1owdVVlNnNtaVRGbTRmeGdHT1J6QnRFV2pHQWlxRTB4eTZOVHNaNWRWNU1DCmcxSFIyZVY3N25SOGhNWVkvWnMwOUZNSHhNY3hRUTBoRVI2TjBUTUNnWUJ3b0JzdGx0aUptVk01bXNRNjRCOFEKWHdSY0J5RkVVTHJvSXAyY1RSb2xBa2Mwc1JjVGhnc1NabFV4SklWZmh1aXRBM25BYTFvcHlrUjNCckRXRFBYbQp1TmF1OWNMbEdPOUl0L0NmN2FRRjhnWjNoMlZjQm1XVUJxNCtZdHhCTytWb2R0cy9yZEdRZG5UalkraHVwdG03CnA4VGpPMEhKZkRGMngzZ3ZkdUQveVFLQmdIVThhdm5WS3U5dVd4bEdrUXRvcTFaRGV6QWxRMndjbzNRQmg4M2cKMGsycGVHOGJlSmU2ZWlBYkFMcEdIdzkrbUJqdDFvOGZJMW1PYnY2VWxYMzlEOHlOOXp6N2VCdGxVckVnbEdjNAowTGpaZER1Nk5rS1VGRmxLc0lrampaanMxVFM2bnVJU0Y5c3JWcXhjempYblk5Ulg3aU8xRXp5eWRCS3dkcDk1CkxjZ05Bb0dCQUxaS1IxRjl4SElnelpoUEVLM04vRis1VzZMLytV
R29jRkt5K2VTU0tLbnA4eWlUVHJiRUdvYUMKU1pHdlo2eFBod1g5RGJ3ZnpyZHpXZWpFSUpYU3BwdmloekhUcXE1WVd4VnVkbnlFVzVxRmhENkZOencrV1hRegp4R28wM2R3N21JeXF6ZDM2K1RDcWFvNmJUeWc1bUUvZUJLREhCVGZ3UFNsanZrQmVPUU1YCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== + ca.crt: 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 + ca.key: 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 --- # Source: cilium/templates/hubble/tls-helm/server-secret.yaml apiVersion: v1 
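Review bot: The `ca.key` entry of the `cilium-ca` Secret in this hunk, and `tls.key` of the Hubble server Secret in the following hunk, keep base64-encoded RSA private keys in a manifest tracked by git; base64 is an encoding, not protection, so anyone who can read the repository or this patch holds the CA signing key. Each re-render also replaces the values, which leaves every earlier key in history. Consider keeping key material out of the rendered file, for example by letting the chart issue the certificates in-cluster with `hubble.tls.auto.method=cronJob` (or `certmanager`) or by committing the Secret only in encrypted form, and treat the keys already committed as exposed.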
@@ -47,9 +47,9 @@ metadata: namespace: kube-system type: kubernetes.io/tls data: - ca.crt: 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 - tls.crt: 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 - tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBcmF5QWhJUmY3OWY0bVBrc1ZIc2lqUGVMekppR3NvOUd6ZU1PQUpGWFJkNHNiajN2CjFybVdyRjI5blczTnBzd09lOFgrY2FHR2JqVWNmdTkvaXdLdEJGNEFZTlp5b2xDNXB2UUhBSy8veUtsVHlFVFEKTTlTYmRvRlZoeVZ2TWUxL09WeU5yVlNVK090dGR2YUlZeUZBUk90dTNjSFZSTk8xeUZxMkRWaXUrSnRhMXBWawozOHNYZ1oxeVNCbW5qNXJhSVJOd2JwMVczMSs2UDJ3N3JCUFlpQk9XQmxUWFkybjd5cy9IYnFEOHNUNjVVSzI3CkZVWTlXajg5QWNQWVppVVBGZjRwNVVLZ2ExUmtjQnFBQWlhUm5aM2VIaHM2WkRHRE9RK0RnYVdBbTBjWklNNG4KbW42ZHh2ZlRVTmJJV21iMzBzYzZxVnUrMzBybThzM1R4Z1lDQXdJREFRQUJBb0lCQUI2anNrQ3V3ZVlrYWYxQwo2R2szR0E5YWxOVlJpMkh4R1FLMXJnQzNvM2YyREV5ZXJMTnJKb1BlUGRlS1NaL0ZuRUNGMjYvY1dVVVVKYVRYClI5OFVaOFcvZDcyZDE3ZC9HbUd6NTVCZGZIakFOc0c4TWljU3VTS2RDcU8vSFBEbi8ydjFRaUYwTEp3Rm5OaEMKQWluSzhmVzJ1Mlp3RGRvSXA2ZGpLWDhOU0VFZmpPNmtjMWlCWjR0TTR1Q2VXNHBKaTUxZ3ErQk9PTWVidkc2TwpjVjlORllzVURpeXFUZFV2WFlndzBlVmh3R2FHZVo3N0M5cFhKTUhqVVc1SWx5ZDBzWk9JRzVtWWlSOFNwYjZ3Cjhsa1ZDU09CKzdhSWlmbmd6RUNwRjV2WUhmNzQzRGtUeEQrZStUbFFWK1VlZ2hyOVN0dUphMklkVVNaZ29mSisKbUlVRDlURUNnWUVBMGdYWHkzK1crS2Z1MzZrYWNZVXQvOENrVFRVWTB0VUhMUXAxZGw0TnR1SGxpRFV5SUdSUgpTdHZpMHh0bFVPRTUzUmdJQ0h2SXhXS0JQcVcybHpVdThYYk1mOVk1Z0xUOWR0N1pjUEJuUnZKWWNNSi8vZjBzCk9ORC9oUnFPNFRvNlc5SjVhbzlnS3laMVVZR2h2R0l4TEVYM3NGSjcyUTZKaHRqWWVtOEY5QlVDZ1lFQTA3R1UKUFRPalp3OXVsSEtaRjB0R21EM2pGa1c4MGRseU1NZ2tLWkV3N3pVTHRQZ2phWTZML1BvZkZMRUlRMjV4dEdEdQpGUGMzRkNHTEsvclpvaFRZVmEzYjBad3BuSmxXM1ppTHB4ZWJNalo0MjJPL3RyOUNjVXlJY0FNYWVvNUp2Q2Z3CkdSOFFRaXpPMHYzMkRKbkVrUjlXUmU2MG12Q09MVlFBV2wzeEs3Y0NnWUFPaldNWGNaN0hXZk4rUWR4WU0wOHQKb201Ly93YmFUUEp6VjM4dUZYUkQwTUV6ditQYVJMa3hRNjBpellvbW9ZUjk0bFZrS1JlUFBiVVEzekNZcDVHNgpIMjRxQ1hEd2p4bms2Nm9MWGt6NXFIOGlTUWZQVklTRTUwNWRMYXJxeGpzVzg2MkFDYkV6TERZQzBNV2hKUGlkClJiZlUydEpFQnZMV2loM3QxZFdHeFFLQmdIMUJVQjNhUk8vQTRNUHkvb1FhNVIxRldPMGZ2RFpLTzllRFJHcFgKM3l
WYU5LQVNSaG01M3ppQzRnc0RLSW1GZXIrb3JwWTNKQjdFTGkyS2ttVGxnbzlIZkk0TW9VNW9LRTZiYU40bwpDSXJ3VWhnMWNBVDRLNThRRXBaOEw1bWVRU0NVWE9yd1IxVndYN3ZWeWxUd1VxOHZaSU9pVnJocVp5V0kwMkNrCnZ3TUhBb0dBUjlPZStGWnRiNlFyS0VIcGJ3c2xoNWZScnY1WmVLeGJqYTZTU3NsejVWdktWZXppcG9BNWJUTjcKQVV6djZRS1hXaHRLdGk5cUZDWHA0V25KRTd1SVk0VG1BMnZMRUV3NHZlOG9XaUFQZXlpWWVFZXFWOWsyQy9TRgp3MFdSOHkxOEprN05PMXN3UTZ3TDNqWXNyMXNiZEEyelROU1c2N2FBMGRxZjRHZHVlOTg9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== + ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ5Z0F3SUJBZ0lSQVBMcVRXajlHdHFqRXNMRTgxemtUUkl3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkxTVRJeU9USXlNVGt6TkZvWERUSTRNVEl5T0RJeQpNVGt6TkZvd0ZERVNNQkFHQTFVRUF4TUpRMmxzYVhWdElFTkJNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUE0UVIvSy9WOUEvNnNPdzU3N3ZodTVTcEw4anJHMFFWR1VPeXVqM2V5LytVRno5MWYKZlBiVDhzK3FCY1BreFZ4YVV4d05McVJGcFkrLzhKUm5NWi9Hb21jdEpiY2VQLzBuRnhMekRUdFhqWHFWTmMrSgpZSUx2cWFEYVhyOStBZFhmdUNuVFRtenlWVTBCekRGSFU3VTYyMldOL05FbEhZK3YvaTY2L3RWWFh5VWNpcXNzCit5Rjh0Vkd5cVNFTG5Wd0lDKzVvL1BhV29ybzEwZ0xCLzNBSGdNRlBDTG14QnF0Z3RKTzVaSWF5Mzc5VHJhamgKMytpQ2s0UGNIT2RhbFVDMGFiMHlUYjlvS0xjTHZoVFBMUjFpdGphVmRhaU9VYUtONDUyWUQ4UnJ1NFlyZ05rUwphMmtlcnNlbjZKNTRDZHFQL3VHcXJwaDV5TTFtSFNoa1dLaEdsd0lEQVFBQm8yRXdYekFPQmdOVkhROEJBZjhFCkJBTUNBcVF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdIUVlEVlIwT0JCWUVGREIvYzlIRnFSY0prREpHeVV3aWlQZ0k2TDhmTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQlZSc3NtVlFIWkphVi9uNk8ydFJNQ2ZOckcwR01xRkpRNFlBRjg4ZW0wT0hNWWszRjNocGZmCkhUZHVrbTJ4OS9DZlNHNkdra3pCbFVhK1cxOVJNUFhJcXdybmwrOHEzVk4ySDA3THZFajVzZHhOK1hnSVR4dG4Kb3B0MndidXpJZWNjR2FnNEd1aHJOcHBXVndHODZURTVMelU0MXE0dlNUS01CUWtIVG5aVnhaTVV3RkxIUzNEVQpPalA0b3prYjc0OEZZNkJvbjR2dGJVYjk2U0I2V2FBRnhGZW8vanRSN0RUSjVxNjZzOFp1c05tMHBKZURzVFQ2Ck9xdzUvWDhJeVRPN2tZUmV4RTIvUEZwRWZOUXVyRTBlNGlvTG9rSC9acmtNZmtncTdISU84RDRUUFJVL0s0YXIKMTdwZmhBWDVieVlScy9FZTRrV0dQclByb3EzcGpFZ1kKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + tls.crt: 
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 + tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBdmFKdnBZRHlZSml2NXhsVWtzR2FsakFTa0ZuaVVsaG95YVc5TGJJNEk0YVVEdVVmCk94UFo4UW82QVJOV0hxOTBrR2xVUkM4MktnUVhQckJvYTd5ZjlaOVJURWpwNjRkMTl4eTZ5bjVrb1ZiTzF2SVkKR0Q0d0krZnJ3RDNGSzVpUDdYTU5qVHRkNFBPYlZveHd0OFZCN0VPN3hQMUd2RkFHRXZSMWNTU0tNUzFGZnM5RgpEUzd6cjZlMDFWNlFVM1NUSkU3by9WY3F1TWxuVXJGRmQxTHgwK0l5TEZmMzI5Z012NlhpNlNHTUNzUTlYVDRiCkwzUG1zaUdqZmRzcERSRUJaS1lIOUhrMWxGZ2JuaTlKNWlCNExhWGRzOTlvdE9HY2cweVBiNmhHQWJYNzZZVFcKVUxZVWd3M1dMVlZGek9wWmQySTE0c1hWWXpxbDZLTDRrVlM1cndJREFRQUJBb0lCQUFVaVZiVjhaVDR2bVd1VQpxRkV2aEFPVzc1bTY1VUZuZXJGNFFabEZkRXhQUTNPWHlSMnNydW96WmEzMmNRN0puMHFkbjJ0dEtuYVVGUnV4CnVQeXZFYXhHWmtsb3hwOHdLVnNmQ3dEdno4SlNld0oweHRRNU1zMGd1cVdYY1RRa29FT1oxQ25EdHJTZ0dTVGgKdVN6Yk5BQUtqQlhobEQyd1NQUjdGb2JtcWdYUGNQQWtjK1JWR014bXpGUTBMOXg5bGZsZE1pSzNBR096UUJtMQpsNC9WSnBYUTEzaEkyU1dybGx0NEtYTUpTWnRnWllDdXgrS0FHUE1PK3BqbnFCZExUMllnbFRIc1VMN2pIU3FBCk91d3VFVCt3b3N6RVZiZFRwQkw3VVB0Z25FNFdibW1hOTR5M05xcGlVcXg3WXlkVWRQbHgrbGNkd0U5RmNRZG4KMVM5QzNWRUNnWUVBd2ZjamhQQkhHcGJldC85Q2liUVY2NHl2NmF3eENIVlNWWHVzekNwVlhRNy9zaEJmckZVZgpGUzQvenZhUkYyMVE3Sy9OT3ZTUWpJVUFSYnYySi9NY0VBamMwVThaWUplVFJyN1BjbkwrZ0FqT1ZGby9meHFqCkpWS0NQUHdiVkpSYUl2UTJERm8rdlQrdkwvRUg0VjdITDltRUZpMHFCS3VhcWUwaktDK1RSM2tDZ1lFQStraTEKYVljeGRiWmxoWkNpOTBkOHNhYW1WT004ZTJ4Wkl1czJmK3luUGQ2WjR2aDZ0YVFsVVNoSno1UVpZVlIrR3Y1OApNUzJxUDdQWmhEK3JiL2FaT2F6NFRGdjFac2JVSGhQdVlIVEU4WDUweDFVSlQ2Z3dCeVBNQXJWL08vZVJpeU5mCjF2SVRaWFhxMVNlUXVpeE9UbXdNemlFNlhYdVhxMEdLKzQ1VXVHY0NnWUJ2UUtlWTJwQ09DYmNaWmtudDNlTXMKeGZjb1dtR05ibTJaSm1USWZnZVVac1AyaURtNENPTFpMVHZnSThDNDVUU2piWHFUdEM4c3lpU0wydkdubkdPZQpOdGNoSHZONVdiZFp2cHdTRXk4eWxOcHp1NGZzQ1lWR0pQc2FxNmVwYmFYOW9vRlZ1SFYvNndVNnhFODJ6endFCmtBaVpCN0t3RnhXUkhia3FsWTh1VVFLQmdHNzlwVzJaNVlZbEQ5cHViTWFxTGhMK0swOER3b09kWmQ0Rlh4TFYKMk1pb0dhZzh0dllzUjl3NHVKclVPM2tkSmh0RWRjQzlWbjJQZlV1WGpLaEhQR1lHWGNwSEVZbTFiTVcxNHdWbApZeDBSRGlxRGZIQ1Z6azZzUWtHRlNWcEhqSVNlZUZieTNVVW1TTENrTGh0Um9KeEljRmxOQlB
3RjNobTFKRFF3ClIwUExBb0dCQUpaclVxUDR4QkNSUEE2Tm41aFN6VklZcTJac1kxMnB0Y0F2WG8zTjY3MnVEZjh4QmRMTndac2YKMW1jOGVERmxqelZ0a2o2aWd2UzFFTkJMdTJkcnBRSmJOdDdHNS9tUGJHMnVBL21yOENuSFBFaGwreHVObVFrMQpoeEhoblZxekV2VkZPOHh3Tmh1TUx0YU1OSTYrQWNyS1c5WFE2UFVWbm1oUHZjamRzN3lYCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== --- # Source: cilium/templates/cilium-configmap.yaml apiVersion: v1 @@ -101,7 +101,7 @@ data: # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4 # address. - enable-ipv4: "false" + enable-ipv4: "true" # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6 # address. @@ -177,7 +177,7 @@ data: # - vxlan (default) # - geneve - routing-mode: "native" + routing-mode: "tunnel" tunnel-protocol: "vxlan" tunnel-source-port-range: "0-0" service-no-backend-response: "reject" @@ -187,7 +187,7 @@ data: enable-l7-proxy: "true" enable-ipv4-masquerade: "true" enable-ipv4-big-tcp: "false" - enable-ipv6-big-tcp: "true" + enable-ipv6-big-tcp: "false" enable-ipv6-masquerade: "true" enable-tcx: "true" datapath-mode: "veth" @@ -201,8 +201,6 @@ data: direct-routing-skip-unreachable: "false" - ipv4-native-routing-cidr: 10.0.0.0/8 - ipv6-native-routing-cidr: fd00::/100 kube-proxy-replacement: "true" kube-proxy-replacement-healthz-bind-address: "" @@ -229,7 +227,7 @@ data: enable-well-known-identities: "false" enable-node-selector-labels: "false" synchronize-k8s-nodes: "true" - operator-api-serve-addr: "[::1]:9234" + operator-api-serve-addr: "127.0.0.1:9234" enable-hubble: "true" # UNIX domain socket for Hubble server to listen to. @@ -241,7 +239,6 @@ data: hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt - hubble-prefer-ipv6: "true" ipam: "kubernetes" ipam-cilium-node-update-rate: "15s" 
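Review bot: `routing-mode: "tunnel"` together with `tunnel-protocol: "vxlan"` in the cilium-configmap hunk carries pod traffic between nodes as VXLAN, which is neither encrypted nor authenticated, while the README hunk of this commit leaves both `encryption.enabled` and `hostFirewall.enabled` commented out. If the node network can be reached by hosts outside the cluster (the README's `k8sServiceHost` is a globally routable IPv6 address, so this seems possible), limit the VXLAN port (UDP 8472 by default) to node addresses and enable the drafted `--set encryption.enabled=true --set encryption.type=wireguard` before depending on this mode. A short comment in the README stating why encryption is deferred would also record the decision.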
@@ -318,7 +315,7 @@ metadata: data: # Keep the key name as bootstrap-config.json to avoid breaking changes bootstrap-config.json: | - {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDE
D","name":"egress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.Ht
tpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"::","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"::1","prefixLen":128}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"::1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"::1","prefixLen":128}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeo
ut":"300s"}}]}],"name":"envoy-health-listener"}]}} + {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","ty
pedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.
v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"additionalAddresses":[{"address":{"socketAddress":{"address":"::","portValue":9964}}}],"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32},{"addressPrefix":"::1","prefixLen":128}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"additionalAddresses":[{"address":{"socketAddress":{"address":"::1","portValue":9878}}}],"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRan
ges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32},{"addressPrefix":"::1","prefixLen":128}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-health-listener"}]}} --- # Source: cilium/templates/cilium-agent/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -898,7 +895,7 @@ spec: - --config-dir=/tmp/cilium/config-map startupProbe: httpGet: - host: "::1" + host: "127.0.0.1" path: /healthz port: 9879 scheme: HTTP @@ -911,7 +908,7 @@ spec: initialDelaySeconds: 5 livenessProbe: httpGet: - host: "::1" + host: "127.0.0.1" path: /healthz port: 9879 scheme: HTTP @@ -926,7 +923,7 @@ spec: timeoutSeconds: 5 readinessProbe: httpGet: - host: "::1" + host: "127.0.0.1" path: /healthz port: 9879 scheme: HTTP @@ -1422,7 +1419,7 @@ spec: - '--log-level info' startupProbe: httpGet: - host: "::1" + host: "127.0.0.1" path: /healthz port: 9878 scheme: HTTP @@ -1432,7 +1429,7 @@ spec: initialDelaySeconds: 5 livenessProbe: httpGet: - host: "::1" + host: "127.0.0.1" path: /healthz port: 9878 scheme: HTTP @@ -1442,7 +1439,7 @@ spec: timeoutSeconds: 5 readinessProbe: httpGet: - host: "::1" + host: "127.0.0.1" path: /healthz port: 9878 scheme: HTTP @@ -1628,7 +1625,7 @@ spec: protocol: TCP livenessProbe: httpGet: - host: "::1" + host: "127.0.0.1" path: /healthz port: 9234 scheme: HTTP @@ -1637,7 +1634,7 @@ spec: timeoutSeconds: 3 readinessProbe: httpGet: - host: "::1" + host: "127.0.0.1" path: /healthz port: 9234 scheme: HTTP diff --git a/nix/kubernetes/roles/kube_apiserver/default.nix b/nix/kubernetes/roles/kube_apiserver/default.nix index 8cf4fb97..1c2edf78 100644 --- a/nix/kubernetes/roles/kube_apiserver/default.nix 
+++ b/nix/kubernetes/roles/kube_apiserver/default.nix
@@ -84,7 +84,7 @@ in
 "--tls-cert-file=/.persist/keys/kube/kube-api-server.crt"
 "--tls-private-key-file=/.persist/keys/kube/kube-api-server.key"
 "--tls-min-version=VersionTLS13"
- "--service-cluster-ip-range=fd00:3e42:e349::/112"
+ "--service-cluster-ip-range=fd00:3e42:e349::/112,10.197.0.0/16"
 "--v=2"
 # OLD:
diff --git a/nix/kubernetes/roles/kube_controller_manager/default.nix b/nix/kubernetes/roles/kube_controller_manager/default.nix
index 282d0a5b..75dc6595 100644
--- a/nix/kubernetes/roles/kube_controller_manager/default.nix
+++ b/nix/kubernetes/roles/kube_controller_manager/default.nix
@@ -40,7 +40,7 @@ in
 # "--cluster-cidr=10.200.0.0/16"
 # "--cluster-cidr=2620:11f:7001:7:ffff:ffff:0ac8:0000/16"
 "--allocate-node-cidrs=true"
- "--cluster-cidr=fd49:0595:2bba::/48"
+ "--cluster-cidr=10.200.0.0/16,fd49:0595:2bba::/48"
 "--cluster-name=kubernetes"
 "--cluster-signing-cert-file=/.persist/keys/kube/ca.crt"
 "--cluster-signing-key-file=/.persist/keys/kube/ca.key"
@@ -49,7 +49,7 @@ in
 "--service-account-private-key-file=/.persist/keys/kube/service-accounts.key"
 # "--service-cluster-ip-range=10.197.0.0/16"
 # "--service-cluster-ip-range=2620:11f:7001:7:ffff:ffff:0ac5:0000/16"
- "--service-cluster-ip-range=fd00:3e42:e349::/112"
+ "--service-cluster-ip-range=10.197.0.0/16,fd00:3e42:e349::/112"
 "--use-service-account-credentials=true"
 "--v=2"
 ]
diff --git a/nix/kubernetes/roles/kube_proxy/default.nix b/nix/kubernetes/roles/kube_proxy/default.nix
index bd23e460..a7977e47 100644
--- a/nix/kubernetes/roles/kube_proxy/default.nix
+++ b/nix/kubernetes/roles/kube_proxy/default.nix
@@ -33,7 +33,7 @@ in
 mode = "iptables";
 # clusterCIDR = "10.200.0.0/16";
 # clusterCIDR = "2620:11f:7001:7:ffff:ffff:0ac8:0000/16";
- clusterCIDR = "fd49:0595:2bba::/48";
+ clusterCIDR = "10.200.0.0/16,fd49:0595:2bba::/48";
 };
 description = ''
 kubelet-config.yaml
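Review bot: The `--service-cluster-ip-range` added in the kube_apiserver hunk lists IPv6 first (`fd00:3e42:e349::/112,10.197.0.0/16`), while the second kube_controller_manager hunk lists IPv4 first (`10.197.0.0/16,fd00:3e42:e349::/112`). The apiserver's first range decides the primary Service IP family, so the order is significant there; mirror the same string in the controller-manager, `"--service-cluster-ip-range=fd00:3e42:e349::/112,10.197.0.0/16"`, or bind the value once and reference it from both roles so the two cannot drift. A comment next to the flag such as `# IPv6 stays first: it remains the primary Service family` would record the intent. Both argument lists start and end outside the hunks shown.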
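Review bot: The dual-stack pod CIDR is now written twice in kube_proxy: as `clusterCIDR` in the config attribute set in the first kube_proxy hunk and again as `--cluster-cidr` in the hunk that follows. kube-proxy documents `--cluster-cidr` as ignored when `--config` is given, which the command line in the following hunk does, so the flag appears to be dead configuration that can silently diverge from the file. Drop the flag, or define the value once in the surrounding `let` and use it in both places. Both blocks continue outside the hunks shown.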
@@ -57,7 +57,7 @@ in
 "${pkgs.kubernetes}/bin/kube-proxy"
 "--config=${config_file}"
 "--nodeport-addresses=primary"
- "--cluster-cidr=fd49:0595:2bba::/48"
+ "--cluster-cidr=10.200.0.0/16,fd49:0595:2bba::/48"
 ]
 );
 Restart = "on-failure";