Init basic cluster

infra/cilium/Makefile

@@ -0,0 +1,5 @@
+install:
+	helm repo add cilium https://helm.cilium.io/
+	helm repo update cilium
+	helm upgrade --install -n kube-system cilium cilium/cilium --version 1.16.6 -f values.yml
+	kubectl apply -f loadbalancer-ippool.yml -f bgp-cluster-config.yml

infra/cilium/bgp-cluster-config.yml

@@ -0,0 +1,62 @@
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPClusterConfig
+metadata:
+  name: router
+spec:
+  bgpInstances:
+    - name: "main"
+      localASN: 65000
+      peers:
+        - name: barracuda
+          peerASN: 65000
+          peerAddress: 2001:470:61a3:100:ffff:ffff:ffff:ffff
+          peerConfigRef:
+            name: cilium-peer
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPPeerConfig
+metadata:
+  name: cilium-peer
+spec:
+  timers:
+    keepAliveTimeSeconds: 3
+    holdTimeSeconds: 9
+    connectRetryTimeSeconds: 12
+  gracefulRestart:
+    enabled: true
+    restartTimeSeconds: 60
+  families:
+    - afi: ipv4
+      safi: unicast
+      advertisements:
+        matchLabels:
+          advertise: bgp
+    - afi: ipv6
+      safi: unicast
+      advertisements:
+        matchLabels:
+          advertise: bgp
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPAdvertisement
+metadata:
+  name: bgp-advertisements
+  labels:
+    advertise: bgp
+spec:
+  advertisements:
+    - advertisementType: "CiliumPodIPPool"
+      # Wanting to advertise all pools
+      # https://docs.cilium.io/en/v1.16/network/bgp-control-plane/bgp-control-plane-v2/#multipool-ipam
+      selector:
+        matchExpressions:
+          - { key: somekey, operator: NotIn, values: ["never-used-value"] }
+    - advertisementType: Service
+      service:
+        addresses:
+          # Not advertising ClusterIP - kubeproxyreplacement should? translate them directly to pod ips
+          # Not advertising ExternalIP - they should be reachable via static config
+          - LoadBalancerIP
+      selector:
+        matchExpressions:
+          - { key: somekey, operator: NotIn, values: ["never-used-value"] }

infra/cilium/loadbalancer-ippool.yml

@@ -0,0 +1,8 @@
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: "blue-pool"
+spec:
+  blocks:
+    - cidr: 10.44.0.0/16
+    - cidr: 2001:470:61a3:400::/112

infra/cilium/values.yml

@@ -0,0 +1,59 @@
+# Talos specific
+# https://www.talos.dev/v1.9/kubernetes-guides/network/deploying-cilium/
+kubeProxyReplacement: true
+
+securityContext:
+  capabilities:
+    ciliumAgent:
+      - CHOWN
+      - KILL
+      - NET_ADMIN
+      - NET_RAW
+      - IPC_LOCK
+      - SYS_ADMIN
+      - SYS_RESOURCE
+      - DAC_OVERRIDE
+      - FOWNER
+      - SETGID
+      - SETUID
+    cleanCiliumState:
+      - NET_ADMIN
+      - SYS_ADMIN
+      - SYS_RESOURCE
+
+cgroup:
+  autoMount:
+    enabled: false
+  hostRoot: /sys/fs/cgroup
+
+k8sServiceHost: localhost
+k8sServicePort: 7445
+
+# Homelab
+routingMode: native
+ipv6:
+  enabled: true
+
+# Enable managing of IP Pools via CRD
+ipam:
+  mode: multi-pool
+  operator:
+    autoCreateCiliumPodIPPools:
+      default:
+        # In line with controlplane.yml
+        ipv4:
+          cidrs:
+            - 10.42.0.0/16
+          maskSize: 24
+        ipv6:
+          cidrs:
+            - 2001:470:61a3:200::/104
+          maskSize: 120
+
+# Disable masquerading, ipv4 is done at router level
+enableIPv4Masquerade: false
+enableIPv6Masquerade: false
+
+# Enable peering announcing routes via BGP
+bgpControlPlane:
+  enabled: true