auricom-home-cluster/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml

---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: &app cilium
  namespace: &ns kube-system
spec:
  interval: 30m
  chart:
    spec:
      chart: cilium
      version: 1.15.6
      sourceRef:
        kind: HelmRepository
        name: cilium
        namespace: flux-system
  maxHistory: 2
  install:
    createNamespace: true
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  uninstall:
    keepHistory: false
  values:
    autoDirectNodeRoutes: true
    bgp:
      announce:
        loadbalancerIP: true
      enabled: true
    cluster:
      id: 1
      name: cluster-0
    containerRuntime:
      integration: containerd
    enableRuntimeDeviceDetection: true
    endpointRoutes:
      enabled: true
    hubble:
      enabled: true
      metrics:
        enabled:
          - dns:query;ignoreAAAA
          - drop
          - tcp
          - flow
          - port-distribution
          - icmp
          - http
      relay:
        enabled: true
        rollOutPods: true
      serviceMonitor:
        enabled: true
      ui:
        enabled: true
        ingress:
          enabled: true
          className: nginx
          hosts:
            - &host "cilium.${SECRET_EXTERNAL_DOMAIN}"
          tls:
            - hosts:
                - *host
        rollOutPods: true
    ipam:
      mode: kubernetes
    ipv4NativeRoutingCIDR: ${CILIUM_POD_CIDR}
    k8sServiceHost: localhost
    k8sServicePort: 7445
    kubeProxyReplacement: true
    kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
    l2announcements:
      enabled: true
    loadBalancer:
      algorithm: maglev
      mode: dsr
    localRedirectPolicy: true
    operator:
      rollOutPods: true
    rollOutCiliumPods: true
    securityContext:
      capabilities:
        ciliumAgent:
          - CHOWN
          - KILL
          - NET_ADMIN
          - NET_RAW
          - IPC_LOCK
          - SYS_ADMIN
          - SYS_RESOURCE
          - DAC_OVERRIDE
          - FOWNER
          - SETGID
          - SETUID
        cleanCiliumState:
          - NET_ADMIN
          - SYS_ADMIN
          - SYS_RESOURCE
    cgroup:
      autoMount:
        enabled: false
      hostRoot: /sys/fs/cgroup
    tunnel: disabled
    l7proxy: true
    routingMode: native
    ingressController:
      enabled: false
      defaultSecretNamespace: networking
      defaultSecretName: ${SECRET_EXTERNAL_DOMAIN//./-}-tls
      loadbalancerMode: shared
      service:
        loadBalancerIP: 192.168.169.115