Merge pull request 'fix: Cilium multi-node support' (#9) from fix/cilium-multi-node into main

bastion/src/modules/modules/k3s/src/operations/cilium.ts

@@ -35,21 +35,15 @@ export const installCilium: Operation = async (ctx): Promise<OperationResult> =>
   }
   details.push(`Installed cilium CLI ${version} (${cliArch})`);
 
-  // Detect default network device (avoid tailscale/wireguard)
-  const devResult = await ctx.ssh.exec(
-    "ip -4 route show default | awk '{print $5}' | head -1",
-    sshOpts(ctx),
-  );
-  const defaultDev = devResult.stdout.trim();
-  details.push(`Network device: ${defaultDev}`);
-
   // Install Cilium
+  // - No hardcoded devices: Cilium auto-detects per node (heterogeneous NICs like eno1 vs enP7s7)
+  // - k8sServiceHost/Port: k3s agents proxy the API on 127.0.0.1:6444 (not 6443)
   const installResult = await ctx.ssh.exec(
     `KUBECONFIG=/etc/rancher/k3s/k3s.yaml cilium install \
       --set kubeProxyReplacement=true \
       --set ipam.mode=kubernetes \
-      --set devices="${defaultDev}" \
+      --set k8sServiceHost=127.0.0.1 \
-      --set nodePort.directRoutingDevice="${defaultDev}"`,
+      --set k8sServicePort=6444`,
     { timeoutMs: 300_000 },
   );
   if (installResult.exitCode !== 0) {

bastion/src/modules/modules/k3s/src/operations/k3s-config.ts

@@ -42,6 +42,8 @@ ${tlsSans.map((s) => `  - "${s}"`).join("\n")}
 
 function generateAgentConfig(): string {
   return `protect-kernel-defaults: true
+node-label:
+  - "node-role.kubernetes.io/worker=true"
 kubelet-arg:
   - "protect-kernel-defaults=true"
   - "streaming-connection-idle-timeout=5m"