From 89c28410f70d709e91327ec6f0d1a8073dcd515f Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Wed, 21 Aug 2024 19:05:13 +0800
Subject: [PATCH] fix(cilium): disable L7 proxy aka Envoy
---
 .../app/config/biohazard/helm-values.yaml | 6 ++--
 .../core/_networking/cilium/app/hr.yaml | 32 +++++--------------
 2 files changed, 11 insertions(+), 27 deletions(-)
diff --git a/kube/deploy/core/_networking/cilium/app/config/biohazard/helm-values.yaml b/kube/deploy/core/_networking/cilium/app/config/biohazard/helm-values.yaml
index c8a1c4e9..c7463cf2 100644
--- a/kube/deploy/core/_networking/cilium/app/config/biohazard/helm-values.yaml
+++ b/kube/deploy/core/_networking/cilium/app/config/biohazard/helm-values.yaml
@@ -72,7 +72,7 @@ operator:
 externalIPs:
 enabled: true
 l2announcements:
- enabled: true
+ enabled: false
 # leaseDuration: "120s"
 # leaseRenewDeadline: "60s"
 # leaseRetryPeriod: "1s"
@@ -86,7 +86,7 @@ bpf:
 tproxy: true # L7 netpols stuff
 #mapDynamicSizeRatio: "0.005" # Increase Cilium map sizes due to amount of netpols and identities, when BPF map pressure hits 100 endpoint creation starts failing
 policyMapMax: "40960" # 2.5x default, dynamic size ratio doesn't increase this
-l7Proxy: true # enables L7 netpols
+l7Proxy: false # enables L7 non-DNS netpols via proxy, e.g. Envoy
 dnsProxy:
 enableTransparentMode: true
 socketLB:
@@ -101,7 +101,7 @@ localRedirectPolicy: false
 nodePort:
 enabled: false
 bandwidthManager:
- enabled: true
+ enabled: false
 bbr: false # enable after Talos kernel updated to >= 5.18
 enableIPv6BIGTCP: false # cannot enable if routingMode=tunnel
 ### `kubectl get` and `kubectl describe` will reflect CiliumNetworkPolicy (policy enforcement etc) with the below enabled
diff --git a/kube/deploy/core/_networking/cilium/app/hr.yaml b/kube/deploy/core/_networking/cilium/app/hr.yaml
index 949f364d..3127cb0b 100644
--- a/kube/deploy/core/_networking/cilium/app/hr.yaml
+++ b/kube/deploy/core/_networking/cilium/app/hr.yaml
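Review bot: The flips of `l2announcements.enabled` (first hunk) and `bandwidthManager.enabled` (third hunk) to `false` are not covered by the subject line, which only names the L7 proxy, and neither line carries a comment saying why it is now off. If these are temporary changes for the same endpoint-creation investigation that the debug block removed in hr.yaml refers to, record that inline so the setting is not left off by accident, e.g. `enabled: false # TODO(<owner>): temporarily off while debugging endpoint creation; re-enable`. With `externalIPs.enabled: true` kept but L2 announcements disabled, LoadBalancer/external IPs presumably stop being announced on the L2 segment, so any service reachability that relied on it should be confirmed before this lands.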
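Review bot: The new comment on `l7Proxy` in the second hunk says what the flag enables but not what happens to policies already in the cluster once it is off; the surrounding context (`# L7 netpols stuff` on `tproxy`, and `policyMapMax` sized for the number of netpols) suggests L7 rules are in use, so any CiliumNetworkPolicy with non-DNS L7 (http/kafka) rules will no longer be enforced at L7, and whether such policies silently degrade to L3/L4 or fail policy regeneration should be checked against the Cilium release in use before rollout. The comment also assumes DNS policy is unaffected; since `dnsProxy.enableTransparentMode: true` is kept, it is worth verifying that toFQDNs/DNS rules still work with the proxy subsystem disabled rather than taking it as given. I would extend the comment to record the audit, e.g. `l7Proxy: false # L7 (non-DNS) netpols via Envoy disabled; verified no CNP in this cluster relies on http/kafka rules`.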
@@ -110,7 +110,7 @@ spec:
 #enabled: true
 #annotations:
 # grafana_folder: "Cilium"
- eventQueueSize: "25000" # default is 6144 which fills up
+ eventQueueSize: "50000" # default is 6144 which fills up
 operator:
 prometheus:
 enabled: true
@@ -129,26 +129,10 @@ spec:
 enabled: true
 annotations:
 grafana_folder: "Cilium"
- #resources: # for agent
- # limits:
- # memory: "3Gi"
- debug: # for endpoint creation issue
- enabled: true
- verbose: "flow kvstore envoy datapath policy"
- postRenderers:
- - kustomize: # more reliable probe for endpoint creation issues
- patches:
- - target:
- version: apps/v1
- kind: DaemonSet
- labelSelector: app.kubernetes.io/name=cilium-agent
- patch: |
- - op: replace
- path: /spec/template/spec/containers/0/livenessProbe
- value:
- failureThreshold: 10
- periodSeconds: 30
- successThreshold: 1
- timeoutSeconds: 5
- exec:
- command: ["cilium-health", "ping"]
+ resources: # for agent
+ requests:
+ cpu: "100m"
+ memory: "2Gi"
+ limits:
+ cpu: "1"
+ memory: "6Gi"
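Review bot: The new `resources` block in the second hunk puts a `cpu: "1"` limit on the cilium agent (upstream chart values leave the agent's resources unset, if memory serves); under CFS throttling, policy regeneration and endpoint handling slow down, which is the very symptom the removed `debug` block and liveness-probe patch were chasing, so either drop the CPU limit or note that it was measured, e.g. `cpu: "1" # TODO(<owner>): measured peak <value> on <date>; raise or remove if the agent is throttled`. The removed kustomize patch relaxed the agent livenessProbe (failureThreshold 10, periodSeconds 30); going back to chart-default probes is only safe if the endpoint-creation issue is resolved, which the commit message does not state. The memory request of 2Gi against a 6Gi limit also leaves a 3x gap, and the previously commented limit was 3Gi, so a word on why 6Gi is now needed would help the next reader. The enclosing `spec:` mapping starts outside the hunk.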