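# IPSec Helm Values

```yaml
cilium:
  extraConfig:
    external-dns-proxy: "true"
  encryption:
    enabled: true
    ipsec:
      # Pre-created secret holding the IPsec keys (not managed by this chart).
      secretName: cilium-ipsec-keys
  hubble:
    enabled: true
    metrics:
      enabled:
        # context options https://docs.isovalent.com/operations-guide/features/hubble-metrics/index.html#hubble-context-options
        # Each entry is "<metric>:<opt>;<opt>;..." — a single ":" after the
        # metric name, then ";"-separated options. The dns entry originally
        # used a second ":" before sourceContext, which makes the option key
        # "ignoreAAAA:sourceContext" and silently drops both settings.
        - dns:query;ignoreAAAA;sourceContext=pod-short;destinationContext=pod-short
        - drop:sourceContext=pod-short;destinationContext=pod-short
        - tcp:sourceContext=pod-short;destinationContext=pod-short
        - flow:sourceContext=pod-short;destinationContext=pod-short
        - port-distribution:sourceContext=pod-short;destinationContext=pod-short
        - icmp:sourceContext=pod-short;destinationContext=pod-short
        - http:sourceContext=pod-short;destinationContext=pod-short
    tls:
      enabled: true
      auto:
        enabled: true
        method: certmanager
        certManagerIssuerRef:
          group: cert-manager.io
          kind: ClusterIssuer
          name: selfsigned-ca-issuer
    relay:
      enabled: true
      tls:
        server:
          enabled: true
  ipam:
    mode: cluster-pool
    operator:
      clusterPoolIPv4MaskSize: 23
      clusterPoolIPv4PodCIDRList:
        - "172.0.0.0/16"
  nodeinit:
    enabled: true
  tunnel: vxlan
hubble-enterprise:
  # No ARM support yet
  enabled: false
  enterprise:
    enabled: false
hubble-ui:
  enabled: true
  relay:
    tls:
      enabled: true
```

## OpenMetrics Configuration

```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: datadog-openmetrics
  namespace: monitoring-datadog
  annotations:
    configmanagement.gke.io/managed: disabled
# https://github.com/DataDog/integrations-core/blob/master/openmetrics/datadog_checks/openmetrics/data/conf.yaml.example
## All options defined here are available to all instances.
# openmetrics_endpoint: http://%%host%%:2112/metrics http://$DD_KUBERNETES_KUBELET_HOST:2112/metrics http://10.186.129.54:2112/metrics
#
data:
  conf.yaml: |-
    # NOTE(review): both instances below are applied to every container that
    # matches ad_identifiers; confirm each matched container really serves
    # both :2112 and :9091, otherwise the check logs connection errors for
    # the endpoint that container does not expose.
    ad_identifiers:
      - hubble-enterprise
      - cilium
    init_config: {}
    instances:
      - openmetrics_endpoint: http://%%host%%:2112/metrics
        namespace: tetragon
        metrics:
          - isovalent_socket*
          - isovalent_interface*
        tag_by_endpoint: true
        max_returned_metrics: 30000
      - openmetrics_endpoint: http://%%host%%:9091/metrics
        namespace: hubble
        metrics:
          - hubble_*
        tag_by_endpoint: true
        max_returned_metrics: 30000
```

## Script for reloading IPtables

```shell
#!/bin/sh
# Flush the nat and filter iptables tables on one node by running a
# privileged, hostPID/hostNetwork pod that nsenters PID 1.
#
# Usage: <script> <kube-context> <node-name>
#
# This removes every rule on the node, including those installed by
# kube-proxy/Cilium, which re-create their rules on their next sync; the
# iptables-save output is only printed to the pod log, nothing is persisted.
set -eu
set -x

kubecontext=${1:?usage: kube-context node-name}
node=${2:?usage: kube-context node-name}

nodeName=$(kubectl --context "${kubecontext}" get node "${node}" -o template --template='{{index .metadata.labels "kubernetes.io/hostname"}}')
nodeSelector='"nodeSelector": { "kubernetes.io/hostname": "'${nodeName:?}'" },'
podName=nsenter-${node}-ipt-flush

# Make sure the privileged pod never outlives the script, even if a later
# command fails.
cleanup() {
  kubectl --context "${kubecontext}" delete pod "${podName}" --ignore-not-found
}
trap cleanup EXIT

# "--image overriden" is a placeholder: the real container spec comes from
# --overrides. The "su -c /bin/bash -c <cmd>" form passes -c twice; on
# util-linux su the last -c wins, so the iptables command line is what runs
# as root — verify on the host's su if behaviour differs.
kubectl --context "${kubecontext}" run "${podName:?}" --restart=Never --image overriden --overrides '
{
  "spec": {
    "hostPID": true,
    "hostNetwork": true,
    '"${nodeSelector?}"'
    "tolerations": [{
      "operator": "Exists"
    }],
    "containers": [
      {
        "name": "nsenter",
        "image": "alexeiled/nsenter:2.34",
        "command": [
          "/nsenter", "--all", "--target=1", "--",
          "su", "-c", "/bin/bash", "-c",
          "iptables -t nat --flush && iptables --flush && iptables-save"
        ],
        "stdin": true,
        "tty": true,
        "securityContext": {
          "privileged": true
        }
      }
    ]
  }
}'

# Give the pod time to finish, then keep the iptables-save output (the only
# record of the rules that were flushed) before the pod is deleted by the trap.
sleep 60
kubectl --context "${kubecontext}" logs "${podName}" || true
```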