Skip to Content
TutorialsConfigurationCilium

Cilium

This repository uses Cilium as a replacement for various Kubernetes key elements, such as kube-proxy, network-policy, servicelb, and traefik.

Provisioning

Due to the intricate nature of its requirements, Cilium is deployed in three steps:

  • Initial provisioning, after the K3s cluster services are started
  • Provisioning, using resources created during initial provisioning
  • Post-install provisioning, using resources created by other provisioning roles

Dependencies

See below the required Cilium dependencies used in chart configuration.

CertManager

During chart post-install provisioning, Cilium Hubble is configured to take advantage of CertManager auto-renewed certificates instead of default Helm expiring certificates. This requires the creation of three resources:

Important

Cilium details the following instructions in their cert-manager installation  steps:

Please make sure that your issuer is able to create certificates under the cilium.io domain name.

CertManager cannot control a domain not owned by the end-user — therefore, the above listed Certificate and ClusterIssuer resources are created.

Refer to the Cilium Hubble documentation  for further details.

Gateway API

Gateway API  is an official Kubernetes project focused on L4 and L7 routing in Kubernetes.

Usage Example

This is an example of Gateway and HTTPRoute resources usage for Cilium Hubble UI, as a replacement for the Ingress resource:

Refer to the Cilium documentation  for further details.

Connectivity

To perform a connectivity test, log in to one of the server nodes and run the following commands:

cilium hubble port-forward &
cilium connectivity test

To remove the cilium-test namespace and Hubble port-forward, run:

kubectl delete namespace cilium-test
ps aux | grep kubectl | grep -v grep | awk {'print $2'} | xargs kill
Last updated on
Argo CDExternalDNS