add templates

cilium-vmm.yaml

@@ -0,0 +1,37 @@
+hubble:
+  relay:
+    enabled: true
+    rollOutPods: true
+  ui:
+    enabled: true
+    rollOutPods: true
+annotateK8sNode: true
+
+bpf:
+  clockProbe: true
+  masquerade: true
+  tproxy: true
+
+ingressController:
+  enabled: true
+  loadbalancerMode: "shared"
+gatewayAPI:
+  enabled: true
+
+kubeProxyReplacement: "strict"
+localRedirectPolicy: true
+
+k8sServiceHost: "alm-aks-alm-aks-1afa17-62bcb514.hcp.westeurope.azmk8s.io"
+k8sServicePort: "443"
+
+loadBalancer: 
+  l7:
+    backend: "envoy"
+    algorithm: "round_robin"
+
+prometheus:
+  enabled: true
+
+operator:
+  prometheus:
+    enabled: true

cilium_ingress_network_policy.yaml

@@ -0,0 +1,11 @@
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: web-allow-external
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: nginx
+  ingress:
+  - {}

default_network_policy.yaml

@@ -0,0 +1,54 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-dns-all
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+      - port: 53
+        protocol: UDP
+      - port: 53
+        protocol: TCP
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-dns-all
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+      - port: 53
+        protocol: UDP
+      - port: 53
+        protocol: TCP

jaeger.yaml

@@ -0,0 +1,16 @@
+apiVersion: jaegertracing.io/v1
+kind: Jaeger
+metadata:
+  name: jaeger-default
+  namespace: observability
+spec:
+  strategy: allInOne
+  storage:
+    type: memory
+    options:
+      memory:
+        max-traces: 100000
+  ingress:
+    enabled: false
+  annotations:
+    scheduler.alpha.kubernetes.io/critical-pod: ""

otelcol-hubble.yaml

@@ -0,0 +1,87 @@
+apiVersion: opentelemetry.io/v1alpha1
+kind: OpenTelemetryCollector
+metadata:
+  name: otelcol-hubble
+  namespace: kube-system # to access hubble clients certs
+spec:
+  mode: daemonset
+  image: ghcr.io/cilium/hubble-otel/otelcol:v0.1.1
+  env:
+    # set NODE_IP environment variable using downwards API
+    - name: NODE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+  volumes:
+    # this example connect to Hubble socket of Cilium agent
+    # using host port and TLS
+    - name: hubble-tls
+      projected:
+        defaultMode: 256
+        sources:
+          - secret:
+              name: hubble-relay-client-certs
+              items:
+                - key: tls.crt
+                  path: client.crt
+                - key: tls.key
+                  path: client.key
+                - key: ca.crt
+                  path: ca.crt
+    # it's possible to use the UNIX socket also, for which
+    # the following volume will be needed
+    # - name: cilium-run
+    #   hostPath:
+    #     path: /var/run/cilium
+    #     type: Directory
+  volumeMounts:
+    # - name: cilium-run
+    #   mountPath: /var/run/cilium
+    - name: hubble-tls
+      mountPath: /var/run/hubble-tls
+      readOnly: true
+  config: |
+    receivers:
+      otlp:
+        protocols:
+          grpc:
+            endpoint: 0.0.0.0:55690
+      hubble:
+        # NODE_IP is substituted by the collector at runtime
+        # the '\' prefix is required only in order for this config to be
+        # inlined in the guide and make it easy to paste, i.e. to avoid
+        # shell subtituting it
+        endpoint: \${NODE_IP}:4244 # unix:///var/run/cilium/hubble.sock
+        buffer_size: 100
+        include_flow_types:
+          # this sets an L7 flow filter, removing this section will
+          # disable filtering and result all types of flows being turned
+          # into spans;
+          # other type filters can be set, the names are same as what's
+          # used in 'hubble observe -t <type>'
+          traces: ["l7"]
+        tls:
+          insecure_skip_verify: true
+          ca_file: /var/run/hubble-tls/ca.crt
+          cert_file: /var/run/hubble-tls/client.crt
+          key_file: /var/run/hubble-tls/client.key
+    processors:
+      batch:
+        timeout: 30s
+        send_batch_size: 100
+
+    exporters:
+      jaeger:
+        endpoint: jaeger-default-collector.observability.svc.cluster.local:14250
+        tls:
+          insecure: true
+
+    service:
+      telemetry:
+        logs:
+          level: info
+      pipelines:
+        traces:
+          receivers: [hubble, otlp]
+          processors: [batch]
+          exporters: [jaeger]