github.com/fafucoder/cilium@v1.6.11/install/kubernetes/cilium/charts/config/templates/configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-config
  namespace: {{ .Release.Namespace }}
data:
{{- if .Values.global.etcd.enabled }}
  # The kvstore configuration is used to enable use of a kvstore for state
  # storage. This can either be provided with an external kvstore or with the
  # help of cilium-etcd-operator which operates an etcd cluster automatically.
  kvstore: etcd
  kvstore-opt: '{"etcd.config": "/var/lib/etcd-config/etcd.config"}'

  # This etcd-config contains the etcd endpoints of your cluster. If you use
  # TLS please make sure you follow the tutorial in https://cilium.link/etcd-config
  etcd-config: |-
    ---
    endpoints:
{{- if .Values.global.etcd.managed }}
      - https://cilium-etcd-client.{{ .Release.Namespace }}.svc:2379
{{- else }}
{{- range .Values.global.etcd.endpoints }}
      - {{ . }}
{{- end }}
{{- end }}
{{- if or .Values.global.etcd.ssl .Values.global.etcd.managed }}
    trusted-ca-file: '/var/lib/etcd-secrets/etcd-client-ca.crt'
    key-file: '/var/lib/etcd-secrets/etcd-client.key'
    cert-file: '/var/lib/etcd-secrets/etcd-client.crt'
{{- end }}
{{- end }}

  # Identity allocation mode selects how identities are shared between cilium
  # nodes by setting how they are stored. The options are "crd" or "kvstore".
  # - "crd" stores identities in kubernetes as CRDs (custom resource definition).
  #   These can be queried with:
  #     kubectl get ciliumid
  # - "kvstore" stores identities in a kvstore, etcd or consul, that is
  #   configured below. Cilium versions before 1.6 supported only the kvstore
  #   backend. Upgrades from these older cilium versions should continue using
  #   the kvstore by commenting out the identity-allocation-mode below, or
  #   setting it to "kvstore".
  identity-allocation-mode: {{ .Values.global.identityAllocationMode }}

  # If you want to run cilium in debug mode change this value to true
  debug: {{ .Values.global.debug.enabled | quote }}

{{- if .Values.global.debug.verbose }}
  debug-verbose: "{{ .Values.global.debug.verbose }}"
{{- end }}

{{- if .Values.global.prometheus.enabled }}
  # If you want metrics enabled in all of your Cilium agents, set the port for
  # which the Cilium agents will have their metrics exposed.
  # This option deprecates the "prometheus-serve-addr" in the
  # "cilium-metrics-config" ConfigMap
  # NOTE that this will open the port on ALL nodes where Cilium pods are
  # scheduled.
  prometheus-serve-addr: ":9090"
{{- end }}

  # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
  # address.
{{- if .Values.global.ipv4 }}
  enable-ipv4: {{ .Values.global.ipv4.enabled | quote }}
{{- end }}

  # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6
  # address.
{{- if .Values.global.ipv6 }}
  enable-ipv6: {{ .Values.global.ipv6.enabled | quote }}
{{- end }}

{{- if .Values.global.cleanState }}
  # If a serious issue occurs during Cilium startup, this
  # invasive option may be set to true to remove all persistent
  # state. Endpoints will not be restored using knowledge from a
  # prior Cilium run, so they may receive new IP addresses upon
  # restart. This also triggers clean-cilium-bpf-state.
  clean-cilium-state: "true"
{{- end }}

{{- if .Values.global.cleanBpfState }}
  # If you want to clean cilium BPF state, set this to true;
  # Removes all BPF maps from the filesystem. Upon restart,
  # endpoints are restored with the same IP addresses, however
  # any ongoing connections may be disrupted briefly.
  # Loadbalancing decisions will be reset, so any ongoing
  # connections via a service may be loadbalanced to a different
  # backend after restart.
  clean-cilium-bpf-state: "true"
{{- end }}

{{- if .Values.global.cni.customConf }}
  # Users who wish to specify their own custom CNI configuration file must set
  # custom-cni-conf to "true", otherwise Cilium may overwrite the configuration.
  custom-cni-conf: "{{ .Values.global.cni.customConf }}"
{{- end }}

  # If you want cilium monitor to aggregate tracing for packets, set this level
  # to "low", "medium", or "maximum". The higher the level, the less packets
  # that will be seen in monitor output.
  monitor-aggregation: {{ .Values.global.bpf.monitorAggregation }}

  # ct-global-max-entries-* specifies the maximum number of connections
  # supported across all endpoints, split by protocol: tcp or other. One pair
  # of maps uses these values for IPv4 connections, and another pair of maps
  # use these values for IPv6 connections.
  #
  # If these values are modified, then during the next Cilium startup the
  # tracking of ongoing connections may be disrupted. This may lead to brief
  # policy drops or a change in loadbalancing decisions for a connection.
  #
  # For users upgrading from Cilium 1.2 or earlier, to minimize disruption
  # during the upgrade process, comment out these options.
  bpf-ct-global-tcp-max: "{{ .Values.global.bpf.ctTcpMax }}"
  bpf-ct-global-any-max: "{{ .Values.global.bpf.ctAnyMax }}"

  # Pre-allocation of map entries allows per-packet latency to be reduced, at
  # the expense of up-front memory allocation for the entries in the maps. The
  # default value below will minimize memory usage in the default installation;
  # users who are sensitive to latency may consider setting this to "true".
  #
  # This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore
  # this option and behave as though it is set to "true".
  #
  # If this value is modified, then during the next Cilium startup the restore
  # of existing endpoints and tracking of ongoing connections may be disrupted.
  # This may lead to policy drops or a change in loadbalancing decisions for a
  # connection for some time. Endpoints may need to be recreated to restore
  # connectivity.
  #
  # If this option is set to "false" during an upgrade from 1.3 or earlier to
  # 1.4 or later, then it may cause one-time disruptions during the upgrade.
  preallocate-bpf-maps: "{{ .Values.global.bpf.preallocateMaps }}"

  # Regular expression matching compatible Istio sidecar istio-proxy
  # container image names
  sidecar-istio-proxy-image: "cilium/istio_proxy"

  # Encapsulation mode for communication between nodes
  # Possible values:
  #   - disabled
  #   - vxlan (default)
  #   - geneve
  tunnel: {{ .Values.global.tunnel }}

  # Name of the cluster. Only relevant when building a mesh of clusters.
  cluster-name: {{ .Values.global.cluster.name }}

{{- if .Values.global.cluster.id }}
  # Unique ID of the cluster. Must be unique across all conneted clusters and
  # in the range of 1 and 255. Only relevant when building a mesh of clusters.
  cluster-id: "{{ .Values.global.cluster.id }}"
{{- end }}

{{- if .Values.global.eni }}
  ipam: "eni"
  enable-endpoint-routes: "true"
  auto-create-cilium-node-resource: "true"
  blacklist-conflicting-routes: "false"
{{- end }}

{{- if .Values.global.flannel.enabled }}
  # Interface to be used when running Cilium on top of a CNI plugin.
  # For flannel, use "cni0"
  flannel-master-device: {{ .Values.global.flannel.masterDevice }}

  # When running Cilium with policy enforcement enabled on top of a CNI plugin
  # the BPF programs will be installed on the network interface specified in
  # 'flannel-master-device' and on all network interfaces belonging to
  # a container. When the Cilium DaemonSet is removed, the BPF programs will
  # be kept in the interfaces unless this option is set to "true".
  flannel-uninstall-on-exit: "{{ .Values.global.flannel.uninstallOnExit}}"

  # Installs a BPF program to allow for policy enforcement in already running
  # containers managed by Flannel.
  # NOTE: This requires Cilium DaemonSet to be running in the hostPID.
  # To run in this mode in Kubernetes change the value of the hostPID from
  # false to true. Can be found under the path `spec.spec.hostPID`
  flannel-manage-existing-containers: "{{ .Values.global.flannel.manageExistingContainers }}"
{{- end }}

{{- if .Values.global.l7Proxy }}

  # Enables L7 proxy for L7 policy enforcement and visibility
  enable-l7-proxy: {{ .Values.global.l7Proxy.enabled | quote }}
{{- end }}

  # DNS Polling periodically issues a DNS lookup for each `matchName` from
  # cilium-agent. The result is used to regenerate endpoint policy.
  # DNS lookups are repeated with an interval of 5 seconds, and are made for
  # A(IPv4) and AAAA(IPv6) addresses. Should a lookup fail, the most recent IP
  # data is used instead. An IP change will trigger a regeneration of the Cilium
  # policy for each endpoint and increment the per cilium-agent policy
  # repository revision.
  #
  # This option is disabled by default starting from version 1.4.x in favor
  # of a more powerful DNS proxy-based implementation, see [0] for details.
  # Enable this option if you want to use FQDN policies but do not want to use
  # the DNS proxy.
  #
  # To ease upgrade, users may opt to set this option to "true".
  # Otherwise please refer to the Upgrade Guide [1] which explains how to
  # prepare policy rules for upgrade.
  #
  # [0] http://docs.cilium.io/en/stable/policy/language/#dns-based
  # [1] http://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action
  tofqdns-enable-poller: "false"

  # wait-bpf-mount makes init container wait until bpf filesystem is mounted
  wait-bpf-mount: "{{ .Values.global.bpf.waitForMount }}"

{{- if ne .Values.global.cni.chainingMode "none" }}
  # Enable chaining with another CNI plugin
  #
  # Supported modes:
  #  - none
  #  - aws-cni
  #  - flannel
  #  - portmap (Enables HostPort support for Cilium)
  cni-chaining-mode: {{ .Values.global.cni.chainingMode }}
{{- end }}

  # Enable fetching of container-runtime specific metadata
  #
  # By default, the Kubernetes pod and namespace labels are retrieved and
  # associated with endpoints for identification purposes. By integrating
  # with the container runtime, container runtime specific labels can be
  # retrieved, such labels will be prefixed with container:
  #
  # CAUTION: The container runtime labels can include information such as pod
  # annotations which may result in each pod being associated a unique set of
  # labels which can result in excessive security identities being allocated.
  # Please review the labels filter when enabling container runtime labels.
  #
  # Supported values:
  # - containerd
  # - crio
  # - docker
  # - none
  # - auto (automatically detect the container runtime)
  #
  container-runtime: {{ .Values.global.containerRuntime.integration }}

  masquerade: {{ .Values.global.masquerade | quote }}
{{- if .Values.global.egressMasqueradeInterfaces }}
  egress-masquerade-interfaces: {{ .Values.global.egressMasqueradeInterfaces }}
{{- end }}

{{- if .Values.global.encryption.enabled }}
  enable-ipsec: {{ .Values.global.encryption.enabled | quote }}
  ipsec-key-file: {{ .Values.global.encryption.mountPath }}/{{ .Values.global.encryption.keyFile }}
{{- if .Values.global.encryption.interface }}
  encrypt-interface: {{ .Values.global.encryption.interface }}
{{- end }}
{{- if .Values.global.encryption.nodeEncryption }}
  encrypt-node: {{ .Values.global.encryption.nodeEncryption | quote }}
{{- end }}
{{- end }}

{{- if .Values.global.hostServices.enabled }}
  enable-host-reachable-services: "true"
{{- if ne .Values.global.hostServices.protocols "tcp,udp" }}
  host-reachable-services-protos: {{ .Values.global.hostServices.protocols }}
{{- end }}
{{- end }}

{{- if .Values.global.datapathMode }}
{{- if eq .Values.global.datapathMode "ipvlan" }}
  datapath-mode: ipvlan
  ipvlan-master-device: {{ .Values.global.ipvlan.masterDevice }}
{{- end }}
{{- end }}

  enable-xt-socket-fallback: {{ .Values.global.enableXTSocketFallback | quote }}
  install-iptables-rules: {{ .Values.global.installIptablesRules | quote }}
{{- if .Values.global.iptablesLockTimeout }}
  iptables-lock-timeout: {{ .Values.global.iptablesLockTimeout | quote }}
{{- end }}
  auto-direct-node-routes: {{ .Values.global.autoDirectNodeRoutes | quote }}
{{- if .Values.global.nodePort }}
  enable-node-port: {{ .Values.global.nodePort.enabled | quote }}
{{- if .Values.global.nodePort.range }}
  node-port-range: {{ .Values.global.nodePort.range | quote }}
{{- end }}
{{- if .Values.global.nodePort.device }}
  device: {{ .Values.global.nodePort.device | quote }}
{{- end }}

{{- end }}
{{- if and .Values.global.pprof .Values.global.pprof.enabled }}
  pprof: {{ .Values.global.pprof.enabled | quote }}
{{- end }}
{{- if .Values.global.logSystemLoad }}
  log-system-load: {{ .Values.global.logSystemLoad | quote }}
{{- end }}
{{- if and .Values.global.sockops .Values.global.sockops.enabled }}
  sockops-enable: {{ .Values.global.sockops.enabled | quote }}
{{- end }}
{{- if and .Values.global.k8s .Values.global.k8s.requireIPv4PodCIDR }}
  k8s-require-ipv4-pod-cidr: {{ .Values.global.k8s.requireIPv4PodCIDR | quote }}
{{- end }}
{{- if and .Values.global.endpointRoutes .Values.global.endpointRoutes.enabled }}
  enable-endpoint-routes: {{ .Values.global.endpointRoutes.enabled | quote }}
{{- end }}
{{- if .Values.global.cni.configMap }}
  read-cni-conf: {{ .Values.global.cni.confFileMountPath }}/{{ .Values.global.cni.configMapKey }}
  write-cni-conf-when-ready: {{ .Values.global.cni.hostConfDirMountPath }}/05-cilium.conflist
{{- end }}
{{- if .Values.global.kubeConfigPath }}
  k8s-kubeconfig-path: {{ .Values.global.kubeConfigPath | quote }}
{{- end }}
{{- if or (eq .Values.global.cni.chainingMode "portmap") (eq .Values.global.cni.chainingMode "none") }}
  # Chaining mode is set to portmap, enable health checking
  enable-endpoint-health-checking: "true"
{{- else}}
  # Disable health checking, when chaining mode is not set to portmap or none
  enable-endpoint-health-checking: "false"
{{- end }}