Cilium

This repository uses Cilium, as replacement for various Kubernetes key elements, like kube-proxy, network-policy, servicelb and traefik.

Chart Provisioning

Due to the intricate nature of its requirements, Cilium is deployed in three steps:

• Initial provisioning, after the K3s cluster services are started
• Provisioning, using resources created during initial provisioning
• Post-install provisioning, using resources created by other provisioning roles

Chart Dependencies

See below the required Cilium dependencies, used into chart configuration.

CertManager

During chart post-install provisioning, Cilium Hubble is configured to take advantage of CertManager auto-renewed certificates, instead of default Helm expiring certificates. This requires the creation of three resources:

• CertManager ClusterIssuer resource template, see cluster_issuer.j2
• Hubble Certificate resource template, see certificate.j2
• Hubble ClusterIssuer resource template, see cluster_issuer.j2

Refer to Cilium documentation, for further details.

Gateway API

Gateway API is an official Kubernetes project, focused on L4 and L7 routing in Kubernetes.

Usage Example

This is an example of Gateway and HTTPRoute resources usage for Longhorn frontend, as replacement for deprecated Ingress resource:

• Gateway resource template, see gateway.j2
• HTTPRoute insecure resource template, see http_route.j2
• HTTPRoute secure resource template, see https_route.j2

Refer to Cilium documentation, for further details.

Connectivity Test

To perform a connectivity test, login into one of the server nodes and run the following commands:

cilium hubble port-forward &
cilium connectivity test

To remove the cilium-test namespace and Hubble port-forward, run:

kubectl delete namespace cilium-test -n kube-system
ps aux | grep kubectl | grep -v grep | awk {'print $2'} | xargs kill