From aea28b5a0fd746bc1a21793ad851472850b55e68 Mon Sep 17 00:00:00 2001
From: Michal
Date: Tue, 31 Mar 2026 01:35:51 +0100
Subject: [PATCH] =?UTF-8?q?fix:=20Cilium=20multi-node=20support=20?=
 =?UTF-8?q?=E2=80=94=20auto-detect=20NIC,=20k3s=20agent=20API=20port,=20wo?=
 =?UTF-8?q?rker=20label?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remove hardcoded devices/directRoutingDevice from Cilium install (let Cilium auto-detect per node — needed for heterogeneous NICs like eno1 vs enP7s7)
- Set k8sServiceHost=127.0.0.1 k8sServicePort=6444 so Cilium init containers can reach the API via k3s agent's local LB proxy
- Add node-role.kubernetes.io/worker label to agent config

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../modules/modules/k3s/src/operations/cilium.ts | 14 ++++----------
 .../modules/k3s/src/operations/k3s-config.ts | 2 ++
 2 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/bastion/src/modules/modules/k3s/src/operations/cilium.ts b/bastion/src/modules/modules/k3s/src/operations/cilium.ts
index 621c146..6c319cb 100644
--- a/bastion/src/modules/modules/k3s/src/operations/cilium.ts
+++ b/bastion/src/modules/modules/k3s/src/operations/cilium.ts
@@ -35,21 +35,15 @@ export const installCilium: Operation = async (ctx): Promise =>
   }
   details.push(`Installed cilium CLI ${version} (${cliArch})`);
 
-  // Detect default network device (avoid tailscale/wireguard)
-  const devResult = await ctx.ssh.exec(
-    "ip -4 route show default | awk '{print $5}' | head -1",
-    sshOpts(ctx),
-  );
-  const defaultDev = devResult.stdout.trim();
-  details.push(`Network device: ${defaultDev}`);
-
   // Install Cilium
+  // - No hardcoded devices: Cilium auto-detects per node (heterogeneous NICs like eno1 vs enP7s7)
+  // - k8sServiceHost/Port: k3s agents proxy the API on 127.0.0.1:6444 (not 6443)
   const installResult = await ctx.ssh.exec(
     `KUBECONFIG=/etc/rancher/k3s/k3s.yaml cilium install \
       --set kubeProxyReplacement=true \
       --set ipam.mode=kubernetes \
-      --set devices="${defaultDev}" \
-      --set nodePort.directRoutingDevice="${defaultDev}"`,
+      --set k8sServiceHost=127.0.0.1 \
+      --set k8sServicePort=6444`,
     { timeoutMs: 300_000 },
   );
   if (installResult.exitCode !== 0) {
diff --git a/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts b/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
index 542dd7e..0c749a6 100644
--- a/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
+++ b/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
@@ -42,6 +42,8 @@ ${tlsSans.map((s) => ` - "${s}"`).join("\n")}
 function generateAgentConfig(): string {
   return `protect-kernel-defaults: true
+node-label:
+  - "node-role.kubernetes.io/worker=true"
 kubelet-arg:
   - "protect-kernel-defaults=true"
   - "streaming-connection-idle-timeout=5m"
-- 
2.49.1
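Review bot: The added `--set k8sServicePort=6444` pins the API endpoint to the k3s default local listener, so a cluster started with a non-default listen/supervisor port would get a Cilium that cannot reach the API, and because the endpoint is only exercised by the agent pods the `installResult.exitCode` check below this hunk would probably not catch it. Since the same literal is now the only non-static part of the install command, hoisting it next to the kubeconfig path, `const K3S_LOCAL_API = { host: "127.0.0.1", port: 6444 } as const;`, and interpolating `${K3S_LOCAL_API.host}` / `${K3S_LOCAL_API.port}` into the template keeps it in one place if the k3s config ever makes the port configurable. The new comment should also say why 6444 and not 6443 in operational terms, e.g. `// 6444 is the local k3s API listener on every node (agents reach it via their 127.0.0.1 load balancer); 6443 is the server's external endpoint`, so a later reader does not "correct" it back. The body of `installCilium` starts before and continues after this hunk.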
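Review bot: The new `node-label` entry asks the kubelet to self-assign `node-role.kubernetes.io/worker=true` at registration, and that prefix is outside the self-labelling allowlist that the NodeRestriction admission plugin enforces, so if the server runs with that plugin enabled the agent's node registration may be rejected outright rather than just losing the label — worth confirming on a fresh agent join before this is relied on. If it is rejected, the label has to be applied from the control-plane side after the node appears (a `kubectl label node` step in the join operation) instead of from the agent config, which is also the safer arrangement since NodeRestriction exists precisely to stop a node from granting itself a role. Whichever way it lands, a comment above the template literal, `// node-role.kubernetes.io/* is not kubelet-self-labellable under NodeRestriction; verified working with <k3s version placeholder>`, would spare the next reader the investigation. `generateAgentConfig` appears to continue past the end of this hunk.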