From 6b331ca18fb2ff492bbc87cf3d366b0f06e816ee Mon Sep 17 00:00:00 2001
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com>
Date: Sun, 9 Nov 2025 13:34:21 +0100
Subject: [PATCH] chore(k8s-wheatley): Use Helm chart to manage cilium

---
 .gitignore                             |  2 +-
 k8s-wheatley/cilium/kustomization.yaml |  9 +++++-
 k8s-wheatley/cilium/namespace.yaml     |  5 ----
 k8s-wheatley/cilium/values.yaml        | 38 ++++++++++++++++++++++++++
 4 files changed, 47 insertions(+), 7 deletions(-)
 delete mode 100644 k8s-wheatley/cilium/namespace.yaml
 create mode 100644 k8s-wheatley/cilium/values.yaml

diff --git a/.gitignore b/.gitignore
index 3aafb64..79fb9b1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 .envrc
 output.yaml
-chart/
+charts/
diff --git a/k8s-wheatley/cilium/kustomization.yaml b/k8s-wheatley/cilium/kustomization.yaml
index 34f4ff8..3328e07 100644
--- a/k8s-wheatley/cilium/kustomization.yaml
+++ b/k8s-wheatley/cilium/kustomization.yaml
@@ -4,7 +4,14 @@ kind: Kustomization
 namespace: kube-system
 
 resources:
-  - namespace.yaml
   - ip-pool.yaml
   - gateways.yaml
   - httproute.yaml
+
+helmCharts:
+  - name: cilium
+    repo: https://helm.cilium.io
+    namespace: kube-system
+    releaseName: cilium
+    version: 1.18.3
+    valuesFile: values.yaml
diff --git a/k8s-wheatley/cilium/namespace.yaml b/k8s-wheatley/cilium/namespace.yaml
deleted file mode 100644
index 5988ffb..0000000
--- a/k8s-wheatley/cilium/namespace.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: kube-system
diff --git a/k8s-wheatley/cilium/values.yaml b/k8s-wheatley/cilium/values.yaml
new file mode 100644
index 0000000..f84e56e
--- /dev/null
+++ b/k8s-wheatley/cilium/values.yaml
@@ -0,0 +1,38 @@
+k8sServiceHost: localhost
+k8sServicePort: 7445
+kubeProxyReplacement: true
+
+cgroup:
+  hostRoot: /sys/fs/cgroup
+  autoMount:
+    enabled: false
+
+securityContext:
+  capabilities:
+    ciliumAgent:
+      - CHOWN
+      - KILL
+      - NET_ADMIN
+      - NET_RAW
+      - IPC_LOCK
+      - SYS_ADMIN
+      - SYS_RESOURCE
+      - DAC_OVERRIDE
+      - FOWNER
+      - SETGID
+      - SETUID
+    cleanCiliumState:
+      - NET_ADMIN
+      - SYS_ADMIN
+      - SYS_RESOURCE
+
+hubble:
+  relay:
+    enabled: true
+  ui:
+    enabled: true
+
+gatewayAPI:
+  enabled: true
+  enableAlpn: true
+  enableAppProtocol: true