fix(cilium): enable dsr load balancing

Direct Server Return (DSR) should preserve the client IP address for requests https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/#dsr-mode

Also need to change the routing mode to native for this to work

Signed-off-by: Vegard Hagen <[email protected]>

Author: vehagn

k8s/infra/network/cilium/values.yaml

@@ -21,6 +21,7 @@ cgroup:
 # https://docs.cilium.io/en/stable/operations/performance/tuning/#ebpf-host-routing
 bpf:
   masquerade: true
+  lbModeAnnotation: true
 
 # https://docs.cilium.io/en/stable/network/concepts/ipam/
 ipam:
@@ -77,6 +78,18 @@ externalIPs:
 loadBalancer:
   # https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/#maglev-consistent-hashing
   algorithm: maglev
+  #mode: dsr
+  mode: snat
+  dsrDispatch: geneve
+  l7:
+    backend: envoy
+
+# The default "vxlan" is incompatible with loadBalancer.mode: "dsr"
+routingMode: native
+tunnelProtocol: geneve
+
+ipMasqAgent:
+  enabled: true
 
 gatewayAPI:
   enabled: true

k8s/infra/network/gateway/gw-external.yaml

@@ -10,6 +10,8 @@ spec:
       bgp.cilium.io/advertise-service: default
       bgp.cilium.io/ip-pool: default
       l2.cilium.io/ip-pool: default
+    annotations:
+      service.cilium.io/forwarding-mode: dsr
   addresses:
     - type: IPAddress
       value: 172.20.10.110

k8s/infra/network/gateway/gw-internal.yaml

@@ -9,6 +9,8 @@ spec:
     labels:
       bgp.cilium.io/advertise-service: default
       bgp.cilium.io/ip-pool: default
+    annotations:
+      service.cilium.io/forwarding-mode: dsr
   addresses:
     - type: IPAddress
       value: 172.20.10.100