
@dgiebert
Last active June 24, 2024 06:44

Create a Cluster Mesh with RKE2 and Cilium

!! Make sure that the CIDRs of the two clusters don't overlap !!

  1. Read the following Cilium prerequisites
  2. Create or adapt the first cluster's Cilium using the following HelmChartConfig
    apiVersion: helm.cattle.io/v1
    kind: HelmChartConfig
    metadata:
      name: rke2-cilium
      namespace: kube-system
    spec:
      valuesContent: |-
        kubeProxyReplacement: strict
        k8sServiceHost: 127.0.0.1
        k8sServicePort: 6443
        # Transparent Encryption
        l7Proxy: false
        encryption:
          enabled: true
          type: wireguard
        # Cluster-mesh
        cluster:
          name: cilium01
          id: 1
        externalWorkloads:
          enabled: true
        clustermesh:
          useAPIServer: true
  3. Extract the CA Certificate for the other cluster (reason)
  4. Connect the second cluster using the following HelmChartConfig
    apiVersion: helm.cattle.io/v1
    kind: HelmChartConfig
    metadata:
      name: rke2-cilium
      namespace: kube-system
    spec:
      valuesContent: |-
        kubeProxyReplacement: strict
        k8sServiceHost: 127.0.0.1
        k8sServicePort: 6443
        # Transparent Encryption
        l7Proxy: false
        encryption:
          enabled: true
          type: wireguard
        # Cluster-mesh
        cluster:
          name: cilium02
          id: 2
        externalWorkloads:
          enabled: true
        clustermesh:
          useAPIServer: true
          config:
            enabled: true
            clusters:
            - name: cilium01
              ips:
              - x.x.x.x
              port: 32379
              tls:
                cert: "Check clustermesh-apiserver-remote-cert in kube-system (cluster01)"
                key: "Check clustermesh-apiserver-remote-cert in kube-system (cluster01)"
          apiserver:
            tls:
              auto:
                method: cronJob
                schedule: "0 0 1 */4 *"
              ca:
                cert: "Check clustermesh-apiserver-ca-cert in kube-system (cluster01)"
                key: "Check clustermesh-apiserver-ca-cert in kube-system (cluster01)"
  5. Adapt the HelmChartConfig in Cluster01
    apiVersion: helm.cattle.io/v1
    kind: HelmChartConfig
    metadata:
      name: rke2-cilium
      namespace: kube-system
    spec:
      valuesContent: |-
        kubeProxyReplacement: strict
        k8sServiceHost: 127.0.0.1
        k8sServicePort: 6443
        # Transparent Encryption
        l7Proxy: false
        encryption:
          enabled: true
          type: wireguard
        # Cluster-mesh
        cluster:
          name: cilium01
          id: 1
        externalWorkloads:
          enabled: true
        clustermesh:
          useAPIServer: true
          config:
            enabled: true
            clusters:
            - name: cilium02
              ips:
              - x.x.x.x
              port: 32379
              tls:
                cert: "Check clustermesh-apiserver-remote-cert in kube-system (cluster02)"
                key: "Check clustermesh-apiserver-remote-cert in kube-system (cluster02)"
          apiserver:
            tls:
              ca:
                cert: "Check clustermesh-apiserver-ca-cert in kube-system (cluster01)"
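The steps above leave two things to the reader: checking that the plan is sound before the first `HelmChartConfig` is applied (non-overlapping CIDRs, distinct cluster ids), and turning the "Check clustermesh-apiserver-remote-cert" placeholders into real values. The script below is an added example, not part of the gist or of Cilium itself. It checks a two-cluster plan with the standard `ipaddress` module and renders the `clustermesh.config.clusters` item one cluster needs for the other from the remote cluster's Secret. The Cilium Helm chart takes the `tls.cert`/`tls.key` values as base64-encoded PEM, which is the encoding a Kubernetes Secret's `data` fields already use, so they are copied rather than decoded; the script only decodes them to confirm each really is a PEM block. Assumptions: the pod/service CIDRs and node IPs are made up, the Secret JSON is a constructed stand-in for `kubectl get secret -o json` output using the `tls.crt`/`tls.key` key names of a `kubernetes.io/tls` Secret, and 1-255 is taken as the default valid range for `cluster.id`.

```python
import base64
import ipaddress
import json

# Constructed inventory of the two clusters named in the gist. The CIDRs and
# node IPs are made up for this example; substitute your own clusters' values.
CLUSTERS = {
    "cilium01": {"id": 1, "pod_cidr": "10.42.0.0/16",
                 "service_cidr": "10.43.0.0/16", "node_ip": "192.0.2.10"},
    "cilium02": {"id": 2, "pod_cidr": "10.44.0.0/16",
                 "service_cidr": "10.45.0.0/16", "node_ip": "198.51.100.20"},
}

# Assumed default range for cluster.id (the gist itself only uses ids 1 and 2).
MIN_CLUSTER_ID, MAX_CLUSTER_ID = 1, 255

# Constructed stand-in for `kubectl -n kube-system get secret
# clustermesh-apiserver-remote-cert -o json` run in cluster01. The PEM bodies
# are placeholders, not real key material.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "clustermesh-apiserver-remote-cert", "namespace": "kube-system"},
    "data": {key: base64.b64encode(pem.encode()).decode()
             for key, pem in {"tls.crt": FAKE_CERT, "tls.key": FAKE_KEY}.items()},
})


def check_mesh_plan(clusters):
    """Return a list of problems with the plan; an empty list means it is consistent.

    Checks what the HelmChartConfigs depend on: unique, in-range cluster ids and
    pod/service CIDRs that do not overlap anywhere in the mesh.
    """
    problems = []
    ids = [c["id"] for c in clusters.values()]
    if len(set(ids)) != len(ids):
        problems.append(f"cluster ids are not unique: {ids}")
    for name, c in clusters.items():
        if not MIN_CLUSTER_ID <= c["id"] <= MAX_CLUSTER_ID:
            problems.append(f"{name}: cluster id {c['id']} outside {MIN_CLUSTER_ID}-{MAX_CLUSTER_ID}")
    # Every pod and service CIDR in the mesh, labelled so the report names the culprit.
    nets = []
    for name, c in clusters.items():
        for kind in ("pod_cidr", "service_cidr"):
            nets.append((f"{name}.{kind}", ipaddress.ip_network(c[kind], strict=True)))
    for i, (label_a, net_a) in enumerate(nets):
        for label_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{label_a} {net_a} overlaps {label_b} {net_b}")
    return problems


def extract_tls_fields(secret_json):
    """Return the base64 `data` fields of a kubectl -o json Secret unchanged,
    after checking that each one decodes to a PEM block (catches pasting the
    wrong secret or a truncated value)."""
    data = json.loads(secret_json)["data"]
    for field, value in data.items():
        pem = base64.b64decode(value, validate=True).decode()
        if not pem.startswith("-----BEGIN "):
            raise ValueError(f"{field} does not decode to a PEM block")
    return data


def render_remote_cluster_entry(remote_name, remote, tls, port=32379):
    """Render the clustermesh.config.clusters[] item one cluster needs for the other.

    `tls` holds the remote cluster's clustermesh-apiserver-remote-cert data, which
    is what the gist's "Check clustermesh-apiserver-remote-cert" placeholders mean.
    """
    return (
        f"- name: {remote_name}\n"
        f"  ips:\n"
        f"  - {remote['node_ip']}\n"
        f"  port: {port}\n"
        f"  tls:\n"
        f"    cert: {tls['tls.crt']}\n"
        f"    key: {tls['tls.key']}\n"
    )


def main():
    problems = check_mesh_plan(CLUSTERS)
    if problems:
        for problem in problems:
            print("PROBLEM:", problem)
        return 1
    tls = extract_tls_fields(SAMPLE_SECRET_JSON)
    # The entry cluster02's HelmChartConfig needs under clustermesh.config.clusters
    print(render_remote_cluster_entry("cilium01", CLUSTERS["cilium01"], tls))
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it once per direction: with cluster01's Secret to produce cluster02's entry (step 4), and with cluster02's Secret to produce cluster01's entry (step 5). A non-empty problem list means the plan has to be fixed before any cluster is connected, since overlapping CIDRs are not something the mesh can repair after the fact.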