roles/k3s: update cilium config v1.13.0

2023-03-28 00:37:47 +08:00 · 2023-03-28 00:37:47 +08:00 · bb317a8685
commit bb317a8685
parent e5407dcb11
2 changed files with 21 additions and 24 deletions
--- a/playbook/roles/k3s/files/setup-egress.sh
+++ b/playbook/roles/k3s/files/setup-egress.sh
@ -3,17 +3,20 @@ ip=$1

 cat > /tmp/egress.yaml << EOF
 apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
+kind: CiliumEgressGatewayPolicy
 metadata:
-  name: egress-nat
+  name: egress-nat-policy
 spec:
-  endpointSelector:
-    matchLabels:
-      role: egress-gateway
-  egress:
-  - {}
-  egressNAT:
-  - source: 10.42.0.0/16
-    translation: $ip
+  selectors:
+  - podSelector:
+      matchLabels:
+        role: egress-gateway
+  destinationCIDRs:
+  - "0.0.0.0/0"
+  egressGateway:
+    nodeSelector:
+      matchLabels:
+        node.kubernetes.io/name: tky-connector.onwalk.net
+    egressIP: $ip
 EOF
 kubectl apply -f /tmp/egress.yaml
--- a/playbook/roles/k3s/files/setup-k3s-with-hostpath-sc.sh
+++ b/playbook/roles/k3s/files/setup-k3s-with-hostpath-sc.sh
@ -1,8 +1,9 @@
 mkdir -pv /opt/rancher/k3s
-curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.24.7+k3s1 sh -s - \
+curl -sfL https://get.k3s.io | sh -s - \
 	--disable=traefik                                    \
 	--flannel-backend=none                               \
 	--disable-network-policy                             \
+	--disable-kube-proxy                                 \
 	--write-kubeconfig-mode 644                          \
 	--write-kubeconfig ~/.kube/config                    \
 	--data-dir=/opt/rancher/k3s                          \
@ -21,19 +22,12 @@ sudo wget --no-check-certificate https://mirrors.onwalk.net/tools/linux-${ARCH}/
 sudo chmod 755 /usr/local/bin/helm

 helm install cilium cilium/cilium --version 1.13.1 \
-  --namespace kube-system \
-  --set global.kubeProxyReplacement=strict \
-  --set global.masquerade=false \
-  --set global.nodePort.enabled=true \
-  --set global.tunnel=disabled \
-  --set nodeinit.enabled=true \
-  --set nodeinit.reconfigureKubelet=true \
-  --set cni.binPath=/opt/cni/bin \
-  --set cni.customConf=true \
-  --set cni.confTemplate=/etc/cilium/cilium-cni.conf.tmpl \
-  --set hubble.enabled=true \
-  --set hubble.listenAddress=":4244" \
-  --set hubble.metrics.enabled="{dns,drop,tcp,flow,port-distribution,icmp,http}"
+	--namespace kube-system           \
+	--set egressGateway.enabled=true  \
+	--set bpf.masquerade=true         \
+	--set kubeProxyReplacement=strict \
+	--set operator.replicas=1 \
+	--set l7Proxy=false

 helm repo add artifact https://artifact.onwalk.net/chartrepo/k8s/ | echo true
 helm repo up