infrastructure/pve01.wheatley.in/k8s-wheatley/modules/talos-bootstrap/templates/cilium-install.yaml.tmpl

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cilium-install
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: cilium-install
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cilium-install
  namespace: kube-system
---
apiVersion: batch/v1
kind: Job
metadata:
  name: cilium-install
  namespace: kube-system
spec:
  backoffLimit: 10
  template:
    metadata:
      labels:
        app: cilium-install
    spec:
      restartPolicy: OnFailure
      tolerations:
        - operator: Exists
        - effect: NoSchedule
          operator: Exists
        - effect: NoExecute
          operator: Exists
        - effect: PreferNoSchedule
          operator: Exists
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoExecute
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: PreferNoSchedule
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/control-plane
                    operator: Exists
      serviceAccount: cilium-install
      serviceAccountName: cilium-install
      hostNetwork: true
      containers:
      - name: cilium-install
        image: quay.io/cilium/cilium-cli:latest
        env:
        - name: KUBERNETES_SERVICE_HOST
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: KUBERNETES_SERVICE_PORT
          value: "6443"
        command:
          - cilium
          - install
          - --set
          - ipam.mode=kubernetes
          - --set
          - kubeProxyReplacement=true
          - --set
          - securityContext.capabilities.ciliumAgent={CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}
          - --set
          - securityContext.capabilities.cleanCiliumState={NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}
          - --set
          - cgroup.autoMount.enabled=false
          - --set
          - cgroup.hostRoot=/sys/fs/cgroup
          - --set
          - k8sServiceHost=$(KUBERNETES_SERVICE_HOST)
          - --set
          - k8sServicePort=$(KUBERNETES_SERVICE_PORT)
          - --set
          - gatewayAPI.enabled=true
          - --set
          - gatewayAPI.enableAlpn=true 
          - --set
          - gatewayAPI.enableAppProtocol=true
          - --set
          - hubble.relay.enabled=true
          - --set 
          - hubble.ui.enabled=true
feat: Bootstrap Talos k8s cluster 2025-10-28 22:46:17 +01:00			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRoleBinding`
			`metadata:`
			`name: cilium-install`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
			`name: cluster-admin`
			`subjects:`
			`- kind: ServiceAccount`
			`name: cilium-install`
			`namespace: kube-system`
			`---`
			`apiVersion: v1`
			`kind: ServiceAccount`
			`metadata:`
			`name: cilium-install`
			`namespace: kube-system`
			`---`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
			`name: cilium-install`
			`namespace: kube-system`
			`spec:`
			`backoffLimit: 10`
			`template:`
			`metadata:`
			`labels:`
			`app: cilium-install`
			`spec:`
			`restartPolicy: OnFailure`
			`tolerations:`
			`- operator: Exists`
			`- effect: NoSchedule`
			`operator: Exists`
			`- effect: NoExecute`
			`operator: Exists`
			`- effect: PreferNoSchedule`
			`operator: Exists`
			`- key: node-role.kubernetes.io/control-plane`
			`operator: Exists`
			`effect: NoSchedule`
			`- key: node-role.kubernetes.io/control-plane`
			`operator: Exists`
			`effect: NoExecute`
			`- key: node-role.kubernetes.io/control-plane`
			`operator: Exists`
			`effect: PreferNoSchedule`
			`affinity:`
			`nodeAffinity:`
			`requiredDuringSchedulingIgnoredDuringExecution:`
			`nodeSelectorTerms:`
			`- matchExpressions:`
			`- key: node-role.kubernetes.io/control-plane`
			`operator: Exists`
			`serviceAccount: cilium-install`
			`serviceAccountName: cilium-install`
			`hostNetwork: true`
			`containers:`
			`- name: cilium-install`
			`image: quay.io/cilium/cilium-cli:latest`
			`env:`
			`- name: KUBERNETES_SERVICE_HOST`
			`valueFrom:`
			`fieldRef:`
			`apiVersion: v1`
			`fieldPath: status.podIP`
			`- name: KUBERNETES_SERVICE_PORT`
			`value: "6443"`
			`command:`
			`- cilium`
			`- install`
			`- --set`
			`- ipam.mode=kubernetes`
			`- --set`
			`- kubeProxyReplacement=true`
			`- --set`
			`- securityContext.capabilities.ciliumAgent={CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}`
			`- --set`
			`- securityContext.capabilities.cleanCiliumState={NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}`
			`- --set`
			`- cgroup.autoMount.enabled=false`
			`- --set`
			`- cgroup.hostRoot=/sys/fs/cgroup`
			`- --set`
fix: Resolve Cilium bootstrap issues 2025-11-19 11:13:38 +01:00			`- k8sServiceHost=$(KUBERNETES_SERVICE_HOST)`
feat: Bootstrap Talos k8s cluster 2025-10-28 22:46:17 +01:00			`- --set`
fix: Resolve Cilium bootstrap issues 2025-11-19 11:13:38 +01:00			`- k8sServicePort=$(KUBERNETES_SERVICE_PORT)`
feat: Bootstrap Talos k8s cluster 2025-10-28 22:46:17 +01:00			`- --set`
			`- gatewayAPI.enabled=true`
			`- --set`
			`- gatewayAPI.enableAlpn=true`
			`- --set`
			`- gatewayAPI.enableAppProtocol=true`
feat: Add GatewayAPI support to cluster bootstrap 2025-10-29 21:07:54 +01:00			`- --set`
			`- hubble.relay.enabled=true`
			`- --set`
			`- hubble.ui.enabled=true`