cilium: add values overrides via custom inventory

rarescosma · rarescosma · commit 33803f3f1e67 · 2025-07-17T17:25:16.000+03:00
diff --git a/bin/apply.bash b/bin/apply.bash
@@ -32,7 +32,11 @@ if [ -z "${CK8S_KUBESPRAY_NO_VENV+x}" ]; then
 fi
 
 log_info "Running kubespray"
-ansible-playbook -i "${config[inventory_file]}" -i "${here}/node-labels-and-taints-inventory.bash" cluster.yml -b "${@}"
+ansible-playbook \
+  -i "${config[inventory_file]}" \
+  -i "${here}/node-labels-and-taints-inventory.bash" \
+  -i "${here}/../config/cilium-values-inventory.yaml" \
+  cluster.yml -b "${@}"
 
 log_info "Kubespray done"
 
diff --git a/config/cilium-values-inventory.yaml b/config/cilium-values-inventory.yaml
@@ -0,0 +1,48 @@
+all:
+  vars:
+    cilium_extra_values: "{{ cilium_extra_values_template | from_yaml }}"
+    cilium_extra_values_template: |
+      {% if ck8s_cilium | default(false) %}
+      policyEnforcementMode: {{ ck8s_cilium.policyEnforcementMode }}
+
+      policyAuditMode: {{ ck8s_cilium.policyAuditMode }}
+
+      operator:
+        unmanagedPodWatcher:
+          restart: {{ ck8s_cilium.operator.unmanagedPodWatcher.restart }}
+        prometheus:
+          enabled: {{ ck8s_cilium.operator.monitoring.enabled }}
+          serviceMonitor:
+            enabled: {{ ck8s_cilium.operator.monitoring.installServiceMonitor }}
+
+      encryption:
+        enabled: {{ ck8s_cilium.wireguard.enabled }}
+        type: wireguard
+        strictMode:
+          enabled: {{ ck8s_cilium.wireguard.strictMode }}
+
+      hubble:
+        enabled: {{ ck8s_cilium.hubble.enabled }}
+        metrics:
+          enabled: {{ ck8s_cilium.hubble.metrics }}
+          serviceMonitor:
+            enabled: {{ ck8s_cilium.hubble.monitoring.installServiceMonitor }}
+
+      prometheus:
+        enabled: {{ ck8s_cilium.prometheus.enabled }}
+        serviceMonitor:
+          enabled: {{ ck8s_cilium.prometheus.installServiceMonitor }}
+          trustCRDsExist: true
+
+      envoy:
+        enabled: {{ ck8s_cilium.envoy.enabled }}
+
+      {% if ck8s_cilium.enableNodeSelectability | default(false) %}
+      policyCIDRMatchMode: nodes
+      {% endif %}
+
+      annotateK8sNode: true
+
+      {% else %}
+      {}
+      {% endif %}
diff --git a/config/common/group_vars/k8s_cluster/ck8s-cilium.yaml b/config/common/group_vars/k8s_cluster/ck8s-cilium.yaml
@@ -0,0 +1,43 @@
+ck8s_cilium:
+  # policyEnforcementMode: Determine whether an endpoint accepts traffic from a source or not
+  #
+  # Has three options:
+  # - default: endpoints have unrestricted network access until selected by policy
+  # - always: policy enforcement is enabled on all endpoints even if no rules select specific endpoints.
+  # - never: All traffic is allowed from any source (on ingress) or destination (on egress)
+  policyEnforcementMode: default
+
+  # policyAuditMode: when true, no network policy is enforced.
+  #
+  # This feature helps to validate the impact of host policies before enforcing them.
+  policyAuditMode: false
+
+  operator:
+    unmanagedPodWatcher:
+      restart: true
+    monitoring:
+      enabled: true
+      installServiceMonitor: false
+
+  wireguard:
+    enabled: true
+    strictMode: false
+
+  hubble:
+    enabled: true
+    monitoring:
+      installServiceMonitor: false
+    metrics:
+      - dns
+      - drop
+      - tcp
+      - flow
+      - icmp
+      - http
+
+  prometheus:
+    enabled: true
+    installServiceMonitor: false
+
+  envoy:
+    enabled: false
