kubespray/roles/network_plugin/cilium/defaults/main.yml

---
cilium_min_version_required: "1.15"

# Log-level
cilium_debug: false

cilium_mtu: "0"
cilium_enable_ipv4: "{{ ipv4_stack }}"
cilium_enable_ipv6: "{{ ipv6_stack }}"

# Enable l2 announcement from cilium to replace Metallb Ref: https://docs.cilium.io/en/v1.14/network/l2-announcements/
cilium_l2announcements: false

# Cilium agent health port
cilium_agent_health_port: "9879"

# Identity allocation mode selects how identities are shared between cilium
# nodes by setting how they are stored. The options are "crd" or "kvstore".
# - "crd" stores identities in kubernetes as CRDs (custom resource definition).
#   These can be queried with:
#     `kubectl get ciliumid`
# - "kvstore" stores identities in an etcd kvstore.
# - In order to support External Workloads, "crd" is required
#   - Ref: https://docs.cilium.io/en/stable/gettingstarted/external-workloads/#setting-up-support-for-external-workloads-beta
# - KVStore operations are only required when cilium-operator is running with any of the below options:
#   - --synchronize-k8s-services
#   - --synchronize-k8s-nodes
#   - --identity-allocation-mode=kvstore
#   - Ref: https://docs.cilium.io/en/stable/internals/cilium_operator/#kvstore-operations
cilium_identity_allocation_mode: crd

# Etcd SSL dirs
cilium_cert_dir: /etc/cilium/certs
kube_etcd_cacert_file: ca.pem
kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem

# Limits for apps
cilium_memory_limit: 500M
cilium_cpu_limit: 500m
cilium_memory_requests: 64M
cilium_cpu_requests: 100m

# Overlay Network Mode
cilium_tunnel_mode: vxlan

# LoadBalancer Mode (snat/dsr/hybrid) Ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/#dsr-mode
cilium_loadbalancer_mode: snat

# -- Configure Loadbalancer IP Pools
cilium_loadbalancer_ip_pools: []

# Optional features
cilium_enable_prometheus: false
# Enable if you want to make use of hostPort mappings
cilium_enable_portmap: false
# Monitor aggregation level (none/low/medium/maximum)
cilium_monitor_aggregation: medium
# Kube Proxy Replacement mode (true/false)
cilium_kube_proxy_replacement: false

# If not defined `cilium_dns_proxy_enable_transparent_mode`, it will following the Cilium behavior.
# When Cilium is configured to replace kube-proxy, it automatically enables dnsProxy, which will conflict with nodelocaldns.
# You can set `false` avoid conflict with nodelocaldns.
# https://github.com/cilium/cilium/issues/33144
# cilium_dns_proxy_enable_transparent_mode:

# If upgrading from Cilium < 1.5, you may want to override some of these options
# to prevent service disruptions. See also:
# http://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action
cilium_preallocate_bpf_maps: false

# Auto direct nodes routes can be used to advertise pods routes in your cluster
# without any tunelling (with `cilium_tunnel_mode` sets to `disabled`).
# This works only if you have a L2 connectivity between all your nodes.
# You wil also have to specify the variable `cilium_native_routing_cidr` to
# make this work. Please refer to the cilium documentation for more
# information about this kind of setups.
cilium_auto_direct_node_routes: false

# Allows to explicitly specify the IPv4 CIDR for native routing.
# When specified, Cilium assumes networking for this CIDR is preconfigured and
# hands traffic destined for that range to the Linux network stack without
# applying any SNAT.
# Generally speaking, specifying a native routing CIDR implies that Cilium can
# depend on the underlying networking stack to route packets to their
# destination. To offer a concrete example, if Cilium is configured to use
# direct routing and the Kubernetes CIDR is included in the native routing CIDR,
# the user must configure the routes to reach pods, either manually or by
# setting the auto-direct-node-routes flag.
cilium_native_routing_cidr: ""

# Allows to explicitly specify the IPv6 CIDR for native routing.
cilium_native_routing_cidr_ipv6: ""

# Enable transparent network encryption.
cilium_encryption_enabled: false

# Encryption method. Can be either ipsec or wireguard.
# Only effective when `cilium_encryption_enabled` is set to true.
cilium_encryption_type: "ipsec"

# Enable encryption for pure node to node traffic.
# This option is only effective when `cilium_encryption_type` is set to `wireguard`.
cilium_encryption_node_encryption: false

# If your kernel or distribution does not support WireGuard, Cilium agent can be configured to fall back on the user-space implementation.
# When this flag is enabled and Cilium detects that the kernel has no native support for WireGuard,
# it will fallback on the wireguard-go user-space implementation of WireGuard.
# This option is only effective when `cilium_encryption_type` is set to `wireguard`.
cilium_wireguard_userspace_fallback: false

# Enable Bandwidth Manager
# Cilium’s bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
# Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies.
# In case they select the Pod at egress, then the bandwidth enforcement will be disabled for those Pods.
# Bandwidth Manager requires a v5.1.x or more recent Linux kernel.
cilium_enable_bandwidth_manager: false
cilium_enable_bandwidth_manager_bbr: false

# IP Masquerade Agent
# https://docs.cilium.io/en/stable/concepts/networking/masquerading/
# By default, all packets from a pod destined to an IP address outside of the cilium_native_routing_cidr range are masqueraded
cilium_ip_masq_agent_enable: false

### A packet sent from a pod to a destination which belongs to any CIDR from the nonMasqueradeCIDRs is not going to be masqueraded
cilium_non_masquerade_cidrs:
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 100.64.0.0/10
  - 192.0.0.0/24
  - 192.0.2.0/24
  - 192.88.99.0/24
  - 198.18.0.0/15
  - 198.51.100.0/24
  - 203.0.113.0/24
  - 240.0.0.0/4
### Indicates whether to masquerade traffic to the link local prefix.
### If the masqLinkLocal is not set or set to false, then 169.254.0.0/16 is appended to the non-masquerade CIDRs list.
cilium_masq_link_local: false
cilium_masq_link_local_ipv6: false
### A time interval at which the agent attempts to reload config from disk
cilium_ip_masq_resync_interval: 60s

# Hubble
### Enable Hubble without install
cilium_enable_hubble: false
### Enable Hubble-ui
cilium_enable_hubble_ui: "{{ cilium_enable_hubble }}"
### Enable Hubble Metrics (deprecated)
cilium_enable_hubble_metrics: false
### if cilium_enable_hubble_metrics: true
cilium_hubble_metrics: []
# - dns
# - drop
# - tcp
# - flow
# - icmp
# - http
### Enable Hubble install
cilium_hubble_install: false
### Enable auto generate certs if cilium_hubble_install: true
cilium_hubble_tls_generate: false

cilium_hubble_export_file_max_backups: "5"
cilium_hubble_export_file_max_size_mb: "10"

cilium_hubble_export_dynamic_enabled: false
cilium_hubble_export_dynamic_config_content:
  - name: all
    fieldMask: []
    includeFilters: []
    excludeFilters: []
    filePath: "/var/run/cilium/hubble/events.log"

# Override the DNS suffix that Hubble-Relay uses to resolve its peer service.
# It defaults to the inventory's `dns_domain`.
cilium_hubble_peer_service_cluster_domain: "{{ dns_domain }}"

### Capacity of Hubble events buffer. The provided value must be one less than an integer power of two and no larger than 65535
### (ie: 1, 3, ..., 2047, 4095, ..., 65535) (default 4095)
# cilium_hubble_event_buffer_capacity: 4095
### Buffer size of the channel to receive monitor events.
# cilium_hubble_event_queue_size: 50

cilium_gateway_api_enabled: false

# The default IP address management mode is "Cluster Scope".
# https://docs.cilium.io/en/stable/concepts/networking/ipam/
cilium_ipam_mode: cluster-pool

# Cluster Pod CIDRs use the kube_pods_subnet value by default.
# If your node network is in the same range you will lose connectivity to other nodes.
# Defaults to kube_pods_subnet if not set.
# cilium_pool_cidr: 10.233.64.0/18

# When cilium_enable_ipv6 is used, you need to set the IPV6 value.  Defaults to kube_pods_subnet_ipv6 if not set.
# cilium_pool_cidr_ipv6: fd85:ee78:d8a6:8607::1:0000/112

# When cilium IPAM uses the "Cluster Scope" mode, it will pre-allocate a segment of IP to each node,
# schedule the Pod to this node, and then allocate IP from here. cilium_pool_mask_size Specifies
# the size allocated from cluster Pod CIDR to node.ipam.podCIDRs
# Defaults to kube_network_node_prefix if not set.
# cilium_pool_mask_size: "24"

# cilium_pool_mask_size Specifies the size allocated to node.ipam.podCIDRs from cluster Pod IPV6 CIDR
# Defaults to kube_network_node_prefix_ipv6 if not set.
# cilium_pool_mask_size_ipv6: "120"


# Extra arguments for the Cilium agent
cilium_agent_custom_args: [] # deprecated
cilium_agent_extra_args: []

# For adding and mounting extra volumes to the cilium agent
cilium_agent_extra_volumes: []
cilium_agent_extra_volume_mounts: []

cilium_agent_extra_env_vars: []

cilium_operator_replicas: 2

# The address at which the cillium operator bind health check api
cilium_operator_api_serve_addr: "127.0.0.1:9234"

## A dictionary of extra config variables to add to cilium-config, formatted like:
##  cilium_config_extra_vars:
##    var1: "value1"
##    var2: "value2"
cilium_config_extra_vars: {}

# For adding and mounting extra volumes to the cilium operator
cilium_operator_extra_volumes: []
cilium_operator_extra_volume_mounts: []

# Extra arguments for the Cilium Operator
cilium_operator_custom_args: [] # deprecated
cilium_operator_extra_args: []

# Tolerations of the cilium operator
cilium_operator_tolerations:
  - operator: "Exists"

# Unique ID of the cluster. Must be unique across all connected
# clusters and in the range of 1 to 255. Only required for Cluster Mesh,
# may be 0 if Cluster Mesh is not used.
cilium_cluster_id: 0
# Name of the cluster. Only relevant when building a mesh of clusters.
# The "default" name cannot be used if the Cluster ID is different from 0.
cilium_cluster_name: default

# Make Cilium take ownership over the `/etc/cni/net.d` directory on the node, renaming all non-Cilium CNI configurations to `*.cilium_bak`.
# This ensures no Pods can be scheduled using other CNI plugins during Cilium agent downtime.
# Available for Cilium v1.10 and up.
cilium_cni_exclusive: true

# Configure the log file for CNI logging with retention policy of 7 days.
# Disable CNI file logging by setting this field to empty explicitly.
# Available for Cilium v1.12 and up.
cilium_cni_log_file: "/var/run/cilium/cilium-cni.log"

# -- Configure cgroup related configuration
# -- Enable auto mount of cgroup2 filesystem.
# When `cilium_cgroup_auto_mount` is enabled, cgroup2 filesystem is mounted at
# `cilium_cgroup_host_root` path on the underlying host and inside the cilium agent pod.
# If users disable `cilium_cgroup_auto_mount`, it's expected that users have mounted
# cgroup2 filesystem at the specified `cilium_cgroup_auto_mount` volume, and then the
# volume will be mounted inside the cilium agent pod at the same path.
# Available for Cilium v1.11 and up
cilium_cgroup_auto_mount: true
# -- Configure cgroup root where cgroup2 filesystem is mounted on the host
cilium_cgroup_host_root: "/run/cilium/cgroupv2"

# Specifies the ratio (0.0-1.0) of total system memory to use for dynamic
# sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps.
cilium_bpf_map_dynamic_size_ratio: "0.0025"

# -- Enables masquerading of IPv4 traffic leaving the node from endpoints.
# Available for Cilium v1.10 and up
cilium_enable_ipv4_masquerade: true
# -- Enables masquerading of IPv6 traffic leaving the node from endpoints.
# Available for Cilium v1.10 and up
cilium_enable_ipv6_masquerade: true

# -- Enable native IP masquerade support in eBPF
cilium_enable_bpf_masquerade: false

# -- Configure whether direct routing mode should route traffic via
# host stack (true) or directly and more efficiently out of BPF (false) if
# the kernel supports it. The latter has the implication that it will also
# bypass netfilter in the host namespace.
cilium_enable_host_legacy_routing: false

# -- Enable use of the remote node identity.
# ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity
cilium_enable_remote_node_identity: true

# -- Enable the use of well-known identities.
cilium_enable_well_known_identities: false

# The monitor aggregation flags determine which TCP flags which, upon the
# first observation, cause monitor notifications to be generated.
#
# Only effective when monitor aggregation is set to "medium" or higher.
cilium_monitor_aggregation_flags: "all"

cilium_enable_bpf_clock_probe: true

# -- Enable BGP Control Plane
cilium_enable_bgp_control_plane: false


# -- Configure BGP Instances (New bgpv2 API v1.16+)
cilium_bgp_cluster_configs: []

# -- Configure BGP Peers (New bgpv2 API v1.16+)
cilium_bgp_peer_configs: []

# -- Configure BGP Advertisements (New bgpv2 API v1.16+)
cilium_bgp_advertisements: []

# -- Configure BGP Node Config Overrides (New bgpv2 API v1.16+)
cilium_bgp_node_config_overrides: []

# -- Configure BGP Peers (Legacy < v1.16)
cilium_bgp_peering_policies: []

# -- Whether to enable CNP status updates.
cilium_disable_cnp_status_updates: true

# Configure how long to wait for the Cilium DaemonSet to be ready again
cilium_rolling_restart_wait_retries_count: 30
cilium_rolling_restart_wait_retries_delay_seconds: 10

# Cilium changed the default metrics exporter ports in 1.12
cilium_agent_scrape_port: "9962"
cilium_operator_scrape_port: "9963"
cilium_hubble_scrape_port: "9965"

# Cilium certgen args for generate certificate for hubble mTLS
cilium_certgen_args:
  cilium-namespace: kube-system
  ca-reuse-secret: true
  ca-secret-name: hubble-ca-secret
  ca-generate: true
  ca-validity-duration: 94608000s
  hubble-server-cert-generate: true
  hubble-server-cert-common-name: '*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io'
  hubble-server-cert-validity-duration: 94608000s
  hubble-server-cert-secret-name: hubble-server-certs
  hubble-relay-client-cert-generate: true
  hubble-relay-client-cert-common-name: '*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io'
  hubble-relay-client-cert-validity-duration: 94608000s
  hubble-relay-client-cert-secret-name: hubble-relay-client-certs
  hubble-relay-server-cert-generate: false

cilium_enable_host_firewall: false
cilium_policy_audit_mode: false

# Cilium extra install flags
cilium_install_extra_flags: ""

# Cilium extra values, use any values from cilium Helm Chart
# ref: https://docs.cilium.io/en/stable/helm-reference/
cilium_extra_values: {}