From bb0348182d2eee6736cbf97698ad649cc6767f10 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Sat, 29 Apr 2023 06:17:31 +0800
Subject: [PATCH 1/3] feat(cilium): use full eBPF
---
 kube/3-deploy/1-core/01-networking/cilium/install.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/kube/3-deploy/1-core/01-networking/cilium/install.yaml b/kube/3-deploy/1-core/01-networking/cilium/install.yaml
index d3207798..375858eb 100644
--- a/kube/3-deploy/1-core/01-networking/cilium/install.yaml
+++ b/kube/3-deploy/1-core/01-networking/cilium/install.yaml
@@ -131,6 +131,13 @@ spec:
 range: 9993,32767
 bandwidthManager:
 enabled: true
+ bbr: false # enable after Talos kernel updated to >= 5.18
+ bpf:
+ masquerade: true
+ tproxy: true
+ ipMasqAgent:
+ enabled: true
+ enableIPv6BIGTCP: false # enable after Talos kernel updated to >= 5.19
 l7Proxy: true
 hubble:
 enabled: true
From d5907df5ea0e5030ef62621e563c88ff365edaa7 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Mon, 1 May 2023 03:27:45 +0800
Subject: [PATCH 2/3] fix(cilium): rm ipMasqAgent the defaults un-masq's all private IP ranges, unnecessary for my usage
---
 kube/3-deploy/1-core/01-networking/cilium/install.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/kube/3-deploy/1-core/01-networking/cilium/install.yaml b/kube/3-deploy/1-core/01-networking/cilium/install.yaml
index 375858eb..f4210c73 100644
--- a/kube/3-deploy/1-core/01-networking/cilium/install.yaml
+++ b/kube/3-deploy/1-core/01-networking/cilium/install.yaml
@@ -135,8 +135,6 @@ spec:
 bpf:
 masquerade: true
 tproxy: true
- ipMasqAgent:
- enabled: true
 enableIPv6BIGTCP: false # enable after Talos kernel updated to >= 5.19
 l7Proxy: true
 hubble:
From 019ec34b3196dfd5ae0cf63c5fafcc7ec8858368 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Mon, 1 May 2023 04:13:28 +0800
Subject: [PATCH 3/3] feat(kanidm): expose publicly added external-dns to ingress EC2
---
 kube/3-deploy/2-apps/kanidm/app/hr.yaml | 1 +
 1 file changed, 1 insertion(+)
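Review bot: In PATCH 1/3 (cilium/install.yaml), `masquerade: true` and `tproxy: true` under `bpf:` go in without the kind of prerequisite comment that the `bbr` and `enableIPv6BIGTCP` lines next to them carry, although they are the two settings here that change the datapath as soon as they roll out. BPF masquerading moves SNAT out of iptables, and BPF tproxy changes how flows are redirected to the L7 proxy that `l7Proxy: true` (context line below) enables, so egress source addresses and L7 policy enforcement should be re-verified after rollout rather than assumed unchanged. I would add comments such as `# SNAT now done in eBPF, not iptables; check "Masquerading" in cilium status after rollout` and `# L7 redirect via eBPF TPROXY; re-run an L7 policy test after enabling`. The values block this hunk sits in starts and ends outside the hunk, and the page has lost the indentation, so key nesting cannot be checked here.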
diff --git a/kube/3-deploy/2-apps/kanidm/app/hr.yaml b/kube/3-deploy/2-apps/kanidm/app/hr.yaml
index dedf95bd..f1e74ba5 100644
--- a/kube/3-deploy/2-apps/kanidm/app/hr.yaml
+++ b/kube/3-deploy/2-apps/kanidm/app/hr.yaml
@@ -53,6 +53,7 @@ spec:
 primary: true
 ingressClassName: nginx
 annotations:
+ external-dns.alpha.kubernetes.io/target: "${IP_EC2_INGRESS}"
 nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
 # https://github.com/kubernetes/ingress-nginx/issues/6728
 nginx.ingress.kubernetes.io/server-snippet: |
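Review bot: The added `external-dns.alpha.kubernetes.io/target: "${IP_EC2_INGRESS}"` line publishes the Kanidm hostname at the EC2 ingress address, and per the commit subject that makes the identity provider's login surface Internet-reachable, yet nothing visible in this hunk restricts or throttles access. Because requests now arrive through an extra hop, it is worth confirming that the original client address is still what ingress-nginx and Kanidm see; otherwise per-client limits and authentication logs would presumably attribute every attempt to the EC2 host. I would record this above the annotation, e.g. `# public exposure: DNS points at the EC2 ingress; client IP must be preserved for rate limiting and auth logs`. The `server-snippet` block and the rest of the ingress definition continue outside the hunk, so such controls may already exist there.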