Cilium: enable the Ingress controller and customize the default TLS certificate

Overview

Enable the Ingress Controller built into Cilium.

Reference: https://docs.cilium.io/en/v1.14/network/servicemesh/ingress/#gs-ingress

Environment

  • Rancher v2.8.9-ent
  • Kubernetes v1.28.15+rke2r1
  • Cilium 1.16.2

Prerequisites

  1. Either nodePort.enabled=true or kubeProxyReplacement=true must be enabled;
  2. The L7 proxy must be enabled: l7Proxy=true

Enable the Ingress controller

cat rke2-cilium-config.yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-cilium
  namespace: kube-system
spec:
  valuesContent: |-
    ingressController:
      enabled: true
      loadbalancerMode: dedicated
    l7Proxy: true
    kubeProxyReplacement: true

Restart cilium and cilium-operator

kubectl -n kube-system rollout restart deployment/cilium-operator
kubectl -n kube-system rollout restart ds/cilium

Customize the default TLS certificate

First prepare the certificate and private key files, then import them into Kubernetes as a TLS secret:

kubectl create secret tls cilium-tls --key ${KEY_FILE} --cert ${CERT_FILE} -n kube-system

Next, configure rke2-cilium-config.yaml so that the Ingress controller uses this secret as its default certificate:

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-cilium
  namespace: kube-system
spec:
  valuesContent: |-
    ingressController:
      enabled: true
      loadbalancerMode: dedicated
      defaultSecretNamespace: kube-system
      defaultSecretName: cilium-tls
      secretsNamespace:
        create: true
        name: cilium-secrets
        sync: true
    l7Proxy: true
    kubeProxyReplacement: true

Finally, restart cilium and cilium-operator

kubectl -n kube-system rollout restart deployment/cilium-operator
kubectl -n kube-system rollout restart ds/cilium