install/kubernetes/cilium/values.yaml

# Include the cilium-agent DaemonSet
agent:
  enabled: true
  # Do not run Cilium agent when running with clean mode. Useful to completely
  # uninstall Cilium as it will stop Cilium from starting and create artifacts
  # in the node.
  sleepAfterInit: false
  # Keep the deprecated selector labels when deploying Cilium DaemonSet
  keepDeprecatedLabels: false

# Include the cilium-config ConfigMap
config:
  enabled: true

# Include the cilium-operator Deployment
operator:
  enabled: true

# Include the PreFlight DaemonSet
preflight:
  enabled: false
  # Path to write the --tofqdns-pre-cache file to. When empty no file is
  # generated.
  tofqdnsPreCache: ""

# global groups all configuration options that have effect on all sub-charts
global:
  # registry is the address of the registry and orgnization for all container images
  registry: docker.io/cilium

  # tag is the container image tag to use
  tag: latest

  # pullPolicy is the container image pull policy
  pullPolicy: Always

  # etcd is the etcd configuration
  etcd:
    # enabled enables use of etcd
    enabled: false

    # managed turns on managed etcd mode based on the cilium-etcd-operator
    managed: false

    # sets cluster domain for cilium-etcd-operator
    clusterDomain: cluster.local

    # endpoints is the list of etcd endpoints (not needed when using
    # managed=true)
    endpoints:
      - https://CHANGE-ME:2379

    # ssl enables use of TLS/SSL for connectivity to etcd. (auto-enabled if
    # managed=true)
    ssl: false

  # identityAllocationMode is the method to use for identity allocation.
  # Supported modes:
  #  crd: Kubernetes CRD backing
  #  kvstore: Key-value store backend (better scalability)
  identityAllocationMode: crd

  # ipv4 is the IPv4 addressing configuration
  ipv4:
    enabled: true

  # ipv6 is the IPv6 addressing configuration
  ipv6:
    enabled: false

  # debug enables debugging mode
  debug:
    enabled: false

    # verbose allows additional levels of debug/trace messaging
    #verbose: flow

  # prometheus enables
  prometheus:
    enabled: false
    port: 9090
    serviceMonitor:
      enabled: false

  # operatorPrometheus enables
  operatorPrometheus:
    enabled: false
    port: 6942

  # enableXTSocketFallback enables the fallback compatibility solution
  # when the xt_socket kernel module is missing and it is needed for
  # the datapath L7 redirection to work properly.  See documentation
  # for details on when this can be disabled:
  # http://docs.cilium.io/en/latest/install/system_requirements/#admin-kernel-version.
  enableXTSocketFallback: true

  # installIptablesRules enables installation of iptables rules to allow for
  # TPROXY (L7 proxy injection), itpables based masquerading and compatibility
  # with kube-proxy. See documentation for details on when this can be
  # disabled.
  installIptablesRules: true

  # masquerade enables masquerading of traffic leaving the ndoe for
  # destinations outside of the cluster.
  masquerade: true

  # autoDirectNodeRoutes enables installation of PodCIDR routes between worker
  # nodes if worker nodes share a common L2 network segment.
  autoDirectNodeRoutes: false

  # endpointRoutes enables use of per endpoint routes instead of routing vis
  # the cilium_host interface
  endpointRoutes:
    enabled: false

  # cni is the CNI configuration
  cni:
    # install determines whether to install the CNI configuration and binary
    # files into the filesystem.
    install: true

    # chainingMode enables chaining on top of other CNI plugins. Possible
    # values:
    #  - none
    #  - generic-veth
    #  - aws-cni
    #  - portmap
    chainingMode: none

    # customConf skips writing of the CNI configuration. This can be used if
    # writing of the CNI configuration is performed by external automation.
    customConf: false

    # confPath is the path to the CNI configuration directory on the host
    confPath: /etc/cni/net.d

    # binPath si the path to the CNI binary directory on the host
    binPath: /opt/cni/bin

    # configMap when defined, will mount the provided value as ConfigMap  and
    # interpret the cniConf variable as CNI configuration file and write it
    # when the agent starts up
    # configMap: cni-configuration

    # configMapKey is the key in the CNI ConfigMap to read the contents of the
    # CNI configuration from
    configMapKey: cni-config

    # confFileMountPath is the path to where to mount the ConfigMap inside the
    # pod
    confFileMountPath: /tmp/cni-configuration

    # hostConfDirMountPath is the path to where the CNI configuration directory
    # is mounted inside the  pod
    hostConfDirMountPath: /host/etc/cni/net.d

  # cluster is the clustermesh related configuration
  cluster:
    # name is the human readable name of the cluster when setting up
    # clustermesh
    name: default

    # id is a 8 bits unique cluster identifier when setting up clustermesh
    #id: "1"

  # tunnel is the encapsulation configuration for communication between nodes
  # Possible values:
  #   - disabled
  #   - vxlan (default)
  #   - geneve
  tunnel: "vxlan"

  # containerRuntime enables container runtime specific integration. Supported
  # values:
  # - containerd
  # - crio
  # - docker
  # - none
  # - auto (automatically detect the container runtime)
  containerRuntime:
    integration: none

    # socketPath can be used to configure the path to the container runtime
    # control socket, if it is on a non-standard path.
    #socketPath:

  # bpf is the BPF datapath specific configuration
  bpf:
    # waitForMount instructs the cilium-agent DaemoNSet to wait in an
    # initContainer until the BPF filesystem has been mounted.
    waitForMount: false

    # preallocateMaps enables pre allocation of BPF map values. This increases
    # memory usage but can reduce latency.
    preallocateMaps: false

    # ctTcpMax is the maximum number of entries in the TCP connection tracking
    # table
    ctTcpMax: 524288

    # ctAnyMax is the maximum number of entries for the non-TCP connection
    # tracking table
    ctAnyMax: 262144

    # natMax is the maximum number of entries for the NAT table
    natMax: 841429

    # montiorAggregation is the level of aggregation for datapath trace events
    monitorAggregation: medium

    # monitorInterval is the typical time between monitor notifications for
    # active connections
    monitorInterval: "5s"

    # monitorFlags are TCP flags that trigger notifications when seen for the
    # first time
    monitorFlags: "all"

  # encryption is the encryption specific configuration
  encryption:
    # enabled enables encryption
    enabled: false

    # keyFile is the name of the key file inside the Kubernetes secret
    # configured via secretName
    keyFile: keys

    # mountPath is the path where to mount the secret inside the Cilium pod
    mountPath: /etc/ipsec

    # secretName is the name of the Kubernetes secret containing the encryption
    # keys
    secretName: cilium-ipsec-keys

    # nodeEncryption enables encryption for pure node to node traffic
    nodeEncryption: false

    # interface is the interface to use for encryption
    # interface: eth0

  # kubeProxyReplacement enables kube-proxy replacement in Cilium BPF datapath
  kubeProxyReplacement: "probe"

  # hostServices is the configuration for ClusterIP service handling in host namespace
  hostServices:
    # enabled enables host reachable functionality
    enabled: false

    # protocols is the list of protocols to support
    protocols: tcp,udp

  # nodePort is the configuration for NodePort service handling
  nodePort:
    # enabled enables NodePort functionality
    enabled: false

    # range is the port range to use for NodePort
    # range:

    # device is the name of the device handling NodePort requests
    # device:

    # mode is the mode of NodePort feature
    mode: "hybrid"

  # externalIPs is the configuration for ExternalIPs service handling
  externalIPs:
    # enabled enables ExternalIPs functionality
    enabled: false

  # flannel is the flannel specific configuration
  flannel:
    # enabled enables the flannel integration
    enabled: false

    # masterDevice is the name of the flannel bridge
    masterDevice: cni0

    # uninstallOnExt enables uninstallation of Cilium BPF programs on flannel
    # managed pods when the Cilium pod is terminated
    uninstallOnExit: false

  # ipvlan is the IPVLAN configuration
  ipvlan:
    # enabled enables use of the IPVLAN datapath
    enabled: false

    # masterDevice is the name of the device to use to attach secondary IPVLAN
    # devices
    # masterDevice: eth0

  # pprof is the GO pprof configuration
  pprof:
    # enabled enables go pprof debugging
    enabled: false

  # logSytemLoad enables logging of system load
  logSystemLoad: false

  # sockops is the BPF socket operations configuration
  sockops:
    # enabled enables installation of socket level functionality.
    enabled: false

  # k8s is the Kubernetes specific configuration
  k8s:
    # requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
    # range via the Kubernetes node resource
    requireIPv4PodCIDR: false

  # ENI mode configures the options required to run with ENI
  eni: false

  azure:
    enabled: false
    #resourceGroup: group1
    #subscriptionID: 00000000-0000-0000-0000-000000000000
    #tenantID: 00000000-0000-0000-0000-000000000000
    #clientID: 00000000-0000-0000-0000-000000000000
    #clientSecret: 00000000-0000-0000-0000-000000000000

  # cleanState instructs the cilium-agent DaemonSet to clean all state in the
  # initContainer
  #
  # WARNING: Use with care!
  cleanState: false

  # cleanBpfState instructs the cilium-agent DaemonSet to clean all BPF
  # datapath state in the initContainer
  #
  # WARNING: Use with care!
  cleanBpfState: false

  nodeinit:
    # enabled enables inclusion of the nodeinit DaemonSet
    enabled: false

    # bootstrapFile is the location of the file where the bootstrap timestamp is
    # written by the node-init DaemonSet
    bootstrapFile: "/tmp/cilium-bootstrap-time"

  daemon:
    runPath: "/var/run/cilium"

  wellKnownIdentities:
    # enabled enables the use of well-known identities
    enabled: false

  tls:
    secretsBackend: local

  # remoteNodeIdentity enables use of the remote node identity
  remoteNodeIdentity: true

  synchronizeK8sNodes: true

  # psp creates and binds PodSecurityPolicies for the components that require it
  psp:
    enabled: false

  # enables non-drop mode for installed policies. In audit mode
  # packets affected by policies will not be dropped. Policy related
  # decisions can be checked via the poicy verdict messages.
  policyAuditMode: false

  # hubble configures Hubble.
  hubble:
    # List of unix domain socket paths to listen to, for example:
    #
    #   listenAddresses:
    #   - "unix:///var/run/cilium/hubble.sock"
    #
    # You can specify the list of metrics from the helm CLI:
    #
    #   --set global.hubble.listenAddresses={unix:///var/run/cilium}
    #
    # Hubble is disabled if the list is empty.
    listenAddresses: []
    # Buffer size of the channel Hubble uses to receive monitor events. Defaults to 128.
    eventQueueSize: ~
    # Number of recent flows for Hubble to cache. Defaults to 4096.
    flowBufferSize: ~
    # Specifies the address the metric server listens to (e.g. ":12345"). The metric server is
    # disabled if this value is empty.
    metricServer: ~
    # List of metrics to collect, for example:
    #
    #   metrics:
    #   - dns:query;ignoreAAAA
    #   - drop
    #   - tcp
    #   - flow
    #   - port-distribution
    #   - icmp
    #   - http
    #
    # You can specify the list of metrics from the helm CLI:
    #
    #   --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,port-distribution,icmp,http}"
    #
    # See https://github.com/cilium/hubble/blob/master/Documentation/metrics.md for more comprehensive
    # documentation about Hubble's metric collection.
    metrics: []