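# Cilium Helm values, first part (CNI, cluster identity, Talos settings,
# agent capabilities, IPAM, operator).
# The nesting below was rebuilt from the Cilium chart's value layout,
# because the text had been collapsed onto a single line. Every key and
# value is unchanged.

cni:
  exclusive: false

# upgradeCompatibility: "1.15"

cluster:
  name: virt-cluster
  id: 2

kubeProxyReplacement: true

socketLB:
  # Enabled because of problems with kubevirt reaching services
  enabled: true
  # Restricts socket-level load balancing to the host namespace, so pod
  # traffic is translated at the veth instead of inside the pod's sockets.
  hostNamespaceOnly: true

# Talos specific
# NOTE(review): localhost:7445 looks like the Talos KubePrism endpoint.
# Confirm KubePrism is enabled on every node, otherwise the agent cannot
# reach the API server.
k8sServiceHost: localhost
k8sServicePort: 7445

securityContext:
  capabilities:
    # NOTE(review): presumably the capability set from the Talos guide for
    # Cilium. Confirm against the Talos and Cilium versions in use before
    # adding to it; SYS_ADMIN and NET_ADMIN are already very broad.
    ciliumAgent:
      - CHOWN
      - KILL
      - NET_ADMIN
      - NET_RAW
      - IPC_LOCK
      - SYS_ADMIN
      - SYS_RESOURCE
      - DAC_OVERRIDE
      - FOWNER
      - SETGID
      - SETUID
    cleanCiliumState: [NET_ADMIN, SYS_ADMIN, SYS_RESOURCE]

cgroup:
  # The chart does not mount cgroup2 itself; it uses the host mount below.
  autoMount:
    enabled: false
  hostRoot: /sys/fs/cgroup

# https://docs.cilium.io/en/stable/network/concepts/ipam/
ipam:
  mode: kubernetes

# Devices are used to masquerade traffic originating from these interfaces
# used with egressgateway
devices: [ens18, br0, enp0s31f6, eth0, br-mgmt, enp2s0]

operator:
  rollOutPods: true
  resources:
    limits:
      cpu: 500m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 128Mi
  # prometheus:
  #   enabled: true
  #   metricsService: true
  #   serviceMonitor:
  #     enabled: true

# Roll out cilium agent pods automatically when ConfigMap is updated.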
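rollOutCiliumPods: true

# Agent resources (top-level `resources` applies to the cilium-agent pods).
resources:
  limits:
    cpu: 1000m
    memory: 1Gi
  requests:
    cpu: 200m
    memory: 512Mi

# debug:
#   enabled: true

# Increase rate limit when doing L2 announcements
# k8sClientRateLimit:
#   qps: 20
#   burst: 100

l2announcements:
  enabled: true
  leaseDuration: 3s
  leaseRenewDeadline: 1s
  leaseRetryPeriod: 200ms

# NOTE(review): with externalIPs enabled, any principal allowed to create
# or edit Services can have Cilium load-balance an arbitrary externalIP.
# Consider an admission policy that restricts `spec.externalIPs`.
externalIPs:
  enabled: true

# enableCiliumEndpointSlice: true

ipv6:
  enabled: true

bgpControlPlane:
  enabled: true

loadBalancer:
  # https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/#maglev-consistent-hashing
  algorithm: maglev

gatewayAPI:
  enabled: true

# We disable gatewayAPI for now
# NOTE(review): the comment above contradicts `gatewayAPI.enabled: true`.
# Either the comment is stale or the value is; make them agree.
# enableIPv4Masquerade: true

envoy:
  securityContext:
    capabilities:
      # NOTE(review): per the chart's comments, NET_BIND_SERVICE must also be
      # granted in the `envoy` list below for this flag to have an effect.
      # It is not listed here; verify against the chart version in use.
      keepCapNetBindService: true
      # NOTE(review): the chart suggests PERFMON and BPF as a replacement
      # for SYS_ADMIN on kernels >= 5.8. Listing all three keeps the broad
      # SYS_ADMIN grant; drop it if the nodes support the narrower pair.
      envoy: [NET_ADMIN, PERFMON, SYS_ADMIN, BPF]

bpf:
  # VLAN id 0 in this list allows every VLAN tag, so tagged traffic is
  # passed without VLAN filtering. List specific ids if only some are needed.
  vlanBypass: [0]
  # NOTE(review): the chart key is spelled `masquerade`; the line below
  # would be ignored if uncommented as written.
  # masquade: true
  # lbExternalClusterIP: true

egressGateway:
  enabled: false

l2NeighDiscovery:
  enabled: true

# defaultLBServiceIPAM: none

# ingressController:
#   enabled: true
#   default: true
#   loadbalancerMode: dedicated
#   service:
#     annotations:
#       io.cilium/lb-ipam-ips: "10.99.101.50 2a02:a44d:67b4:501:ffff::"
#     labels:
#       network-announcement: "l2"

hubble:
  enabled: true
  relay:
    enabled: true
    rollOutPods: true
  # Hubble UI has no authentication of its own and shows cluster-wide flow
  # data; keep its Service cluster-internal or put it behind an
  # authenticating proxy.
  ui:
    enabled: true
    rollOutPods: true

# NOTE(review): `prometheus` and `dashboards` are placed at the top level
# because that is where the chart defines `metricsService` and
# `dashboards.label`. The collapsed original did not show their nesting;
# confirm they were not meant to sit under `hubble`.
# prometheus:
#   metricsService: true
#   enabled: true
#   serviceMonitor:
#     enabled: true

dashboards:
  enabled: false
  label: grafana_dashboard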