Added cilium

2025-11-12 05:46:48 +01:00
parent 3200aaebaa
commit 66d2c03be4
5 changed files with 86 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -65,3 +65,9 @@ Upgrading talos or changing the schematic:
 ```bash
 talosctl upgrade --nodes <node_id> --image factory.talos.dev/metal-installer/<schematic_id>:<version>
 ```
+
+To upgrade kubernetes or inline manifests, first apply the updated controlplane configs, then run:
+
+```bash
+talosctl upgrade-k8s
+```
--- a/nodes/_cilium_values.yaml
+++ b/nodes/_cilium_values.yaml
@@ -0,0 +1,31 @@
+ipam:
+  mode: kubernetes
+kubeProxyReplacement: true
+securityContext:
+  capabilities:
+    ciliumAgent:
+      - CHOWN
+      - KILL
+      - NET_ADMIN
+      - NET_RAW
+      - IPC_LOCK
+      - SYS_ADMIN
+      - SYS_RESOURCE
+      - DAC_OVERRIDE
+      - FOWNER
+      - SETGID
+      - SETUID
+    cleanCiliumState:
+      - NET_ADMIN
+      - SYS_ADMIN
+      - SYS_RESOURCE
+cgroup:
+  autoMount:
+    enabled: false
+  hostRoot: /sys/fs/cgroup
+k8sServiceHost: localhost
+k8sServicePort: 7445
+gatewayAPI:
+  enabled: true
+  enableAlpn: true
+  enableAppProtocol: true
--- a/nodes/_defaults.yaml
+++ b/nodes/_defaults.yaml
@@ -2,6 +2,10 @@ schematicId: !schematic default
 arch: amd64
 talosVersion: v1.11.3
 kubernesVersion: v1.34.1
+cluster:
+  cilium:
+    version: 1.18.3
+    valuesFile: !realpath _cilium_values.yaml
 kernelArgs:
  - talos.platform=metal
  - console=tty0
@@ -27,5 +31,6 @@ patches:
  - !patch network
  - !patch vip
  - !patch tailscale
+  - !patch cilium
 patchesControlPlane:
  - !patch allow-control-plane-workloads
--- a/patches/cilium.yaml
+++ b/patches/cilium.yaml
@@ -0,0 +1,11 @@
+machine:
+  features:
+    hostDNS:
+      # This option is enabled by default and causes issues with cilium
+      forwardKubeDNSToHost: false
+cluster:
+  network:
+    cni:
+      name: none
+  proxy:
+    disabled: true
--- a/templates/generate_configs.sh
+++ b/templates/generate_configs.sh
@@ -2,6 +2,36 @@
 set -euo pipefail
 CONFIGS={{ root }}/configs

+function create_inline_manifest() {
+	# Add indentation
+	CONTENT=$(echo "$3" | sed 's/^/        /')
+
+	# Create inline manifest patch
+	cat > $2 << EOF
+cluster:
+  inlineManifests:
+    - name: ${1}
+      contents: |
+${CONTENT}
+EOF
+}
+
+helm repo add cilium https://helm.cilium.io/
+helm repo update
+{% for cluster in clusters -%}
+{% if "cilium" in cluster -%}
+# Generate manifests
+CONTENT=$(helm template \
+    cilium \
+    cilium/cilium \
+    --version {{ cluster.cilium.version }} \
+    --namespace kube-system \
+	--values {{ cluster.cilium.valuesFile }})
+
+create_inline_manifest cilium ${CONFIGS}/{{cluster.name}}/cilium.yaml "${CONTENT}"
+{% endif %}
+{%- endfor %}
+
 # Generate the configuration for each node
 {% for node in nodes -%}
 talosctl gen config {{ node.cluster.name }} https://{{ node.cluster.controlPlaneIp }}:6443 -f \
@@ -17,6 +47,9 @@ talosctl gen config {{ node.cluster.name }} https://{{ node.cluster.controlPlane
 	{% for patch in node.patchesControlPlane -%}
 		--config-patch-control-plane {{ patch|tojson|tojson }} \
 	{% endfor -%}
+	{% if "cilium" in node.cluster -%}
+		--config-patch-control-plane "@${CONFIGS}/{{node.cluster.name}}/cilium.yaml" \
+	{%- endif %}
 	--with-docs=false \
 	--with-examples=false \
 	-o ${CONFIGS}/{{ node.filename }}.yaml