Installing the Cilium CNI with Helm on Kubernetes 1.27.2
2023-06-16 12:21:12
宗兆伟
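Cilium has become the most popular CNI implementation, as its GitHub star count shows. It uses the eBPF features of recent kernel versions to provide traffic visibility and policy enforcement.
This article briefly walks through installing and configuring Cilium with Helm on Kubernetes v1.27.2.
# Install Helm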
```shell
wget https://get.helm.sh/helm-v3.12.0-linux-amd64.tar.gz
tar zxf helm-v3.12.0-linux-amd64.tar.gz
cp linux-amd64/helm /usr/local/bin
```
# Download Cilium
In this article the cilium-main version is 1.14.0-dev.
```shell
curl -LO https://github.com/cilium/cilium/archive/main.tar.gz
```
Besides the latest version, we can also download a specific release: https://github.com/cilium/cilium/releases/
# Install Cilium with Helm
```shell
tar xzf main.tar.gz
cd cilium-main/install/kubernetes
helm install cilium ./cilium --namespace kube-system
```
Check the Cilium status:
```
cilium status --wait
```
Normal output looks like this:
```shell
/¯¯\
/¯¯\__/¯¯\ Cilium: OK
\__/¯¯\__/ Operator: OK
/¯¯\__/¯¯\ Envoy DaemonSet: disabled (using embedded mode)
\__/¯¯\__/ Hubble Relay: disabled
\__/ ClusterMesh: disabled
Deployment cilium-operator Desired: 2, Ready: 2/2, Available: 2/2
DaemonSet cilium Desired: 3, Ready: 3/3, Available: 3/3
Containers: cilium-operator Running: 2
cilium Running: 3
Cluster Pods: 8/8 managed by Cilium
Image versions cilium quay.io/cilium/cilium:v1.12.10: 3
cilium-operator quay.io/cilium/operator-generic:v1.12.10: 2
```
# Install the Cilium management client
```shell
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/master/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
```
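# Configure Cilium VXLAN integration (optional)
There are many Container Network Interface (CNI) plugins available for Kubernetes clusters. Cilium is open source software for providing, securing and observing network connectivity between container workloads (cloud native), powered by the revolutionary kernel technology eBPF.
In day-to-day production we often use a dedicated "external" application delivery device to provide Ingress, such as F5 BIG-IP. By configuring a VTEP, we can have Cilium reach the external VTEP device over a VXLAN tunnel.
The Cilium VTEP implementation details are in PR [cilium/cilium#17370](https://github.com/cilium/cilium/pull/17370).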
```shell
helm upgrade cilium /root/cilium-1.12.10/install/kubernetes/cilium \
--namespace kube-system \
--set debug.enabled=true \
--set kubeProxyReplacement=strict \
--set ipam.mode="kubernetes" \
--set k8sServiceHost=10.250.16.103 \
--set k8sServicePort=6443 \
--set l7Proxy=false \
--set vtep.enabled="true" \
--set vtep.endpoint="10.250.16.105" \
--set vtep.cidr="10.0.20.1/24" \
--set vtep.mac="fa:16:3e:8f:47:51" \
--set vtep.mask="255.255.255.0"
```
For more on BIG-IP integration, see: https://github.com/f5devcentral/f5-ci-docs/blob/master/docs/cilium/cilium-bigip-info.rst
Restart the Cilium service:
```shell
kubectl -n kube-system rollout restart ds/cilium
```
# Configuration files
In the Cilium download directory:
```shell
cd install/kubernetes/cilium
#Chart.yaml LICENSE README.md README.md.gotmpl files templates values.yaml values.yaml.tmpl
```
The values.yaml here contains all the default settings; we can edit this file to configure Cilium's startup behaviour and deployment form.
For example:
```yaml
debug:
  # -- Enable debug logging
  enabled: true
  # verbose:
...
# -- Configure Kubernetes specific configuration
k8s: {}
  # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
  # range via the Kubernetes node resource
  # requireIPv4PodCIDR: false
  # -- requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR
  # range via the Kubernetes node resource
  # requireIPv6PodCIDR: false
...
vtep:
  # -- Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow
  # Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel.
  enabled: false
  # -- A space separated list of VTEP device endpoint IPs, for example "1.1.1.1 1.1.2.1"
  endpoint: ""
  # -- A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24"
  cidr: ""
  # -- VTEP CIDRs Mask that applies to all VTEP CIDRs, for example "255.255.255.0"
  mask: ""
  # -- A space separated list of VTEP device MAC addresses (VTEP MAC), for example "x:x:x:x:x:x y:y:y:y:y:y:y"
  mac: ""
```
Each setting comes with a usage description.
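A pre-flight check for the `vtep.*` values before running `helm upgrade`, following the formats given in the values.yaml comments above. This is an added example, not code from the original article or from the Cilium project. The function name `check_vtep` is hypothetical, and the checks assume IPv4 only and that the endpoint, CIDR and MAC lists line up one-to-one.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")

def check_vtep(endpoint, cidr, mac, mask):
    """Return findings for the vtep.* Helm values; an empty list means none."""
    findings = []
    endpoints, cidrs, macs = endpoint.split(), cidr.split(), mac.split()
    # Assumption: the three space-separated lists describe the same devices in order.
    if not (len(endpoints) == len(cidrs) == len(macs)):
        findings.append(f"list lengths differ: {len(endpoints)} endpoints, "
                        f"{len(cidrs)} CIDRs, {len(macs)} MACs")
    for ep in endpoints:
        try:
            ipaddress.IPv4Address(ep)
        except ValueError:
            findings.append(f"endpoint is not an IPv4 address: {ep}")
    try:
        # A dotted netmask such as 255.255.255.0 converts to a prefix length (24).
        mask_len = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    except ValueError:
        findings.append(f"mask is not a valid netmask: {mask}")
        mask_len = None
    nets = []
    for c in cidrs:
        try:
            iface = ipaddress.IPv4Interface(c)
        except ValueError:
            findings.append(f"not a valid CIDR: {c}")
            continue
        net = iface.network
        if iface.ip != net.network_address:
            findings.append(f"CIDR {c} has host bits set; its network is {net}")
        if mask_len is not None and net.prefixlen != mask_len:
            findings.append(f"CIDR {c} is /{net.prefixlen} but mask is {mask}")
        nets.append(net)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"CIDRs overlap: {a} and {b}")
    for m in macs:
        if not MAC_RE.match(m):
            findings.append(f"malformed MAC address: {m}")
    return findings

# Values from the helm upgrade command on this page.
PAGE_FINDINGS = check_vtep("10.250.16.105", "10.0.20.1/24",
                           "fa:16:3e:8f:47:51", "255.255.255.0")
```

Run against the values in the `helm upgrade` command above, it reports only that `10.0.20.1/24` is written with host bits set, the containing network being `10.0.20.0/24`.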
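# Installing more components
Hubble and other components were not installed in this example; readers can install them as needed.
For more Cilium configuration details, see the official site https://docs.cilium.io/en/stable/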