Cilium

This repository uses Cilium, as replacement for various Kubernetes key elements, like kube-proxy, network-policy, servicelb and traefik.

Provisioning

Due to the intricate nature of its requirements, Cilium is deployed in three steps:

• Initial provisioning, after the K3s cluster services are started
• Provisioning, using resources created during initial provisioning
• Post-install provisioning, using resources created by other provisioning roles

Dependencies

See below the required Cilium dependencies, used into chart configuration.

CertManager

During chart post-install provisioning, Cilium Hubble is configured to take advantage of CertManager auto-renewed certificates, instead of default Helm expiring certificates. This requires the creation of three resources:

• CertManager ClusterIssuer resource template, see cluster_issuer.j2
• Hubble Certificate resource template, see certificate.j2
• Hubble ClusterIssuer resource template, see cluster_issuer.j2

Refer to Cilium Hubble documentation, for further details.

Gateway API

Gateway API is an official Kubernetes project, focused on L4 and L7 routing in Kubernetes.

Usage Example

This is an example of Gateway and HTTPRoute resources usage for Cilium Hubble UI, as replacement for Ingress resource:

• Gateway resource template, see gateway.j2
• HTTPRoute insecure resource template, see http_route_insecure.j2
• HTTPRoute secure resource template, see https_route_secure.j2

Refer to Cilium documentation, for further details.

Connectivity

To perform a connectivity test, login into one of the server nodes and run the following commands:

cilium hubble port-forward &
cilium connectivity test

To remove the cilium-test namespace and Hubble port-forward, run:

kubectl delete namespace cilium-test
ps aux | grep kubectl | grep -v grep | awk {'print $2'} | xargs kill