From 2050138b10b5cae1d9318ca18b67fe54156f68d3 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Tue, 7 Jan 2025 10:51:37 -0600
Subject: [PATCH] enable bgp
---
 .../kube-system/cilium/app/helm-values.yml | 9 +++++--
 .../cilium/config/kustomization.yaml | 3 ++-
 .../apps/kube-system/cilium/config/l3.yaml | 27 +++++++++++++++++++
 3 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 kubernetes/apps/kube-system/cilium/config/l3.yaml
diff --git a/kubernetes/apps/kube-system/cilium/app/helm-values.yml b/kubernetes/apps/kube-system/cilium/app/helm-values.yml
index 5bc08440..8ff56d4d 100644
--- a/kubernetes/apps/kube-system/cilium/app/helm-values.yml
+++ b/kubernetes/apps/kube-system/cilium/app/helm-values.yml
@@ -7,6 +7,8 @@ bandwidthManager:
 bpf:
 masquerade: true
 tproxy: true
+bgpControlPlane:
+ enabled: true
 cgroup:
 automount:
 enabled: false
@@ -19,9 +21,9 @@ cni:
 enableRuntimeDeviceDetection: true
 endpointRoutes:
 enabled: true
-hubble:
- enable: false
 envoy:
+ enabled: false
+hubble:
 enable: false
 ipam:
 mode: kubernetes
@@ -37,6 +39,7 @@ loadBalancer:
 mode: dsr
 localRedirectPolicy: true
 operator:
+ replicas: 2
 rollOutPods: true
 rollOutCiliumPods: true
 routingMode: native
@@ -50,6 +53,8 @@ securityContext:
 - IPC_LOCK
 - SYS_ADMIN
 - SYS_RESOURCE
+ - PERFMON
+ - BPF
 - DAC_OVERRIDE
 - FOWNER
 - SETGID
diff --git a/kubernetes/apps/kube-system/cilium/config/kustomization.yaml b/kubernetes/apps/kube-system/cilium/config/kustomization.yaml
index 89773e64..6288cc44 100644
--- a/kubernetes/apps/kube-system/cilium/config/kustomization.yaml
+++ b/kubernetes/apps/kube-system/cilium/config/kustomization.yaml
@@ -3,4 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ./l2.yaml
+ # - ./l2.yaml
+ - l3.yaml
diff --git a/kubernetes/apps/kube-system/cilium/config/l3.yaml b/kubernetes/apps/kube-system/cilium/config/l3.yaml
new file mode 100644
index 00000000..6e1e443b
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/config/l3.yaml
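Review bot: The new `bgpControlPlane:` / `enabled: true` pair carries no comment, and nothing in this values file says that a CiliumBGPPeeringPolicy elsewhere in the same commit depends on it. I would add above the key `# GoBGP-based BGP control plane; the actual peering is in ../config/l3.yaml`. As far as I recall the chart refuses to render when the legacy MetalLB-based `bgp.enabled` is set alongside this, so the comment could also say that `bgp.enabled` must stay off.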
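Review bot: The re-added `hubble:` key is followed by the unchanged line `enable: false`, but the Cilium chart's key is `hubble.enabled`; `enable` is not a value the chart reads, so unless the chart ships a values schema that rejects unknown keys the line is silently ignored and Hubble stays at the chart default (enabled). Change it to `enabled: false` — the new `envoy:` block directly above already uses the correct spelling. Worth confirming by rendering the chart before and after, since a silently-ignored `false` is exactly the kind of drift that goes unnoticed.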
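Review bot: `replicas: 2` under `operator:` is, as far as I recall, already the chart default, so the added line changes nothing at runtime; if it is meant to pin HA regardless of future chart defaults, say so with `# pin to 2 so an operator outage does not stall endpoint/IPAM work`. Note that the chart's default pod anti-affinity for the operator is on `kubernetes.io/hostname`, so the second replica stays Pending on a single-node cluster. Indentation is not recoverable in this view; if `rollOutCiliumPods: true` is nested under `operator:` rather than at top level, it is not a key the chart reads there.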
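Review bot: Adding `PERFMON` and `BPF` next to the retained `SYS_ADMIN` does not change the agent pod's effective privilege: the kernel's bpf_capable()/perfmon_capable() checks accept CAP_SYS_ADMIN as well, so the two split-out capabilities are redundant until `SYS_ADMIN` is dropped, and Cilium still documents other uses of `SYS_ADMIN`. Record the intent so nobody later treats the list as minimal: `# PERFMON/BPF: split-out caps for kernels >= 5.8; no-op while SYS_ADMIN is granted`. The enclosing `securityContext:` mapping starts before this hunk, so I cannot see whether this is the agent or the clean-state list.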
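Review bot: The new entry `- l3.yaml` drops the `./` prefix that the replaced `./l2.yaml` line used; kustomize resolves both, but keeping one form (`- ./l3.yaml`) avoids the inconsistency in a two-line list. The commented-out `# - ./l2.yaml` is dead text that git history already preserves; if it stays, a note on why L2 announcements were swapped for BGP would be more useful than the old path. I cannot see l2.yaml here, but removing it from the kustomization will prune whatever it declares on the next reconcile if the controller prunes, which is worth a mention in the commit message.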
@@ -0,0 +1,27 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumbgppeeringpolicy_v2alpha1.json
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPPeeringPolicy
+# comments courtesy of JJGadgets
+# MAKE SURE CRDs ARE INSTALLED IN CLUSTER VIA cilium-config ConfigMap OR Cilium HelmRelease/values.yaml (bgpControlPlane.enabled: true), BEFORE THIS IS APPLIED!
+# "CiliumBGPPeeringPolicy" Custom Resource will replace the old MetalLB BGP's "bgp-config" ConfigMap
+# "CiliumBGPPeeringPolicy" is used with `bgpControlPlane.enabled: true` which uses GoBGP, NOT the old `bgp.enabled: true` which uses MetalLB
+metadata:
+ name: bgp-loadbalancer-ip-main
+spec:
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/os: "linux" # match all Linux nodes, change this to match more granularly if more than 1 PeeringPolicy is to be used throughout cluster
+ virtualRouters:
+ - localASN: 64514
+ exportPodCIDR: false
+ serviceSelector: # this replaces address-pools, instead of defining the range of IPs that can be assigned to LoadBalancer services, now services have to match below selectors for their LB IPs to be announced
+ matchExpressions:
+ - {
+ key: thisFakeSelector,
+ operator: NotIn,
+ values: ["will-match-and-announce-all-services"],
+ }
+ neighbors:
+ - peerAddress: "10.33.44.1/32" # unlike bgp-config ConfigMap, peerAddress needs to be in CIDR notation
+ peerASN: 64513
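Review bot: The neighbor at `peerAddress: "10.33.44.1/32"` is configured with no session authentication, so the router will accept announcements from any speaker that can reach it from a node address with `peerASN: 64513` set, and a compromised or address-spoofing host on the node network can hijack the announced service IPs. If the Cilium version in use supports it (`authSecretRef` on `neighbors[]`, Cilium 1.15+ as far as I recall, with the secret placed in the namespace set by `bgpControlPlane.secretsNamespace`), add `authSecretRef: bgp-peer-auth` and configure the matching TCP-MD5 password on the router; otherwise add a comment stating that the session is unauthenticated and relies on segmentation of the node network. `CiliumBGPPeeringPolicy` is also the legacy BGPv1 API, deprecated since Cilium 1.16 in favour of `CiliumBGPClusterConfig`/`CiliumBGPPeerConfig` (where peer authentication lives going forward), so a comment explaining why the legacy API was chosen would save the next reader a check. Style-wise the `matchExpressions` entry is a five-line flow mapping (`- {` … `}`); block style `- key: thisFakeSelector` / `operator: NotIn` / `values: ["will-match-and-announce-all-services"]` is the convention for structured data and diffs better.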