Hello all, I'm using the following cilium config, ...
# rke2
Hello all, I'm using the following cilium config. This used to require that I create a cilium-ipsec-keys secret to make the pods healthy. This is no longer the case, and cilium also appears to not be using ipsec despite not having updated our cilium deployment process.

cilium config (helm):
cilium:
  tunnel: geneve
  ipam:
    operator:
      clusterPoolIPv4PodCIDRList: 10.0.0.0/16
  ipv4:
    enabled: true
  ipv6:
    enabled: false
  operator:
    replicas: 1
  encryption:
    enabled: true
    type: ipsec
    nodeEncryption: false
    ipsec:
      keyFile: keys
      mountPath: /etc/ipsec
      secretName: cilium-ipsec-keys
  hubble:
    enabled: true
    ui:
      enabled: true
      replicas: 1
    relay:
      enabled: true
  prometheus:
    enabled: true
    port: 19090
Grepping for ipsec in the cilium agent containers yields the following:
k logs -n kube-system cilium-4np75 | rg ipsec
Defaulted container "cilium-agent" out of: cilium-agent, install-portmap-cni-plugin (init), config (init), mount-cgroup (init), apply-sysctl-overwrites (init), mount-bpf-fs (init), clean-cilium-state (init)
level=info msg="  --enable-ipsec='false'" subsys=daemon
level=info msg="  --ipsec-key-file=''" subsys=daemon
Please advise, and thank you for your time.