constellation/internal/helm/cilium.patch

diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml
index 4ac3b006e3..3541e3d380 100644
--- a/install/kubernetes/cilium/templates/cilium-configmap.yaml
+++ b/install/kubernetes/cilium/templates/cilium-configmap.yaml
@@ -608,7 +608,9 @@ data:
 {{- if .Values.encryption.strictMode.enabled }}
   enable-encryption-strict-mode: {{ .Values.encryption.strictMode.enabled | quote }}
 
-  encryption-strict-mode-cidr: {{ .Values.encryption.strictMode.cidr | quote }}
+  encryption-strict-mode-node-cidrs: {{ .Values.encryption.strictMode.nodeCIDRList | join " " | quote }}
+
+  encryption-strict-mode-pod-cidrs: {{ .Values.encryption.strictMode.podCIDRList | join " " | quote }}
 
   encryption-strict-mode-allow-remote-node-identities: {{ .Values.encryption.strictMode.allowRemoteNodeIdentities | quote }}
 {{- end }}
diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
index c00e9af831..4661c16f56 100644
--- a/install/kubernetes/cilium/values.yaml
+++ b/install/kubernetes/cilium/values.yaml
@@ -794,17 +794,21 @@ encryption:
   # This option is only effective when encryption.type is set to "wireguard".
   nodeEncryption: false
 
-  # -- Configure the WireGuard Pod2Pod strict mode.
+  # -- Configure the WireGuard strict mode.
   strictMode:
-    # -- Enable WireGuard Pod2Pod strict mode.
+    # -- Enable WireGuard strict mode.
     enabled: false
+
+    # -- podCIDRList for the WireGuard strict mode.
+    podCIDRList: []
 
-    # -- CIDR for the WireGuard Pod2Pod strict mode.
-    cidr: ""
+    # -- nodeCIDRList for the WireGuard strict mode.
+    nodeCIDRList: []
 
     # -- Allow dynamic lookup of remote node identities.
     # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap.
-    allowRemoteNodeIdentities: false
+    # This is also required when control-plane nodes are exempted from node-to-node encryption.
+    allowRemoteNodeIdentities: true
 
   ipsec:
     # -- Name of the key file inside the Kubernetes secret configured via secretName.
deploy cilium via helmchart (#321) 2022-08-12 04:20:19 -04:00			`diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml`
deps: update cilium Bumping Cilium to also enable node-to-node encryption and node-to-node strict mode. Since the second is not upstream we use our fork. 2023-10-16 13:14:53 -04:00			`index 4ac3b006e3..3541e3d380 100644`
deploy cilium via helmchart (#321) 2022-08-12 04:20:19 -04:00			`--- a/install/kubernetes/cilium/templates/cilium-configmap.yaml`
			`+++ b/install/kubernetes/cilium/templates/cilium-configmap.yaml`
deps: update cilium Bumping Cilium to also enable node-to-node encryption and node-to-node strict mode. Since the second is not upstream we use our fork. 2023-10-16 13:14:53 -04:00			`@@ -608,7 +608,9 @@ data:`
			`{{- if .Values.encryption.strictMode.enabled }}`
			`enable-encryption-strict-mode: {{ .Values.encryption.strictMode.enabled \| quote }}`

			`- encryption-strict-mode-cidr: {{ .Values.encryption.strictMode.cidr \| quote }}`
			`+ encryption-strict-mode-node-cidrs: {{ .Values.encryption.strictMode.nodeCIDRList \| join " " \| quote }}`
			`+`
			`+ encryption-strict-mode-pod-cidrs: {{ .Values.encryption.strictMode.podCIDRList \| join " " \| quote }}`
deploy cilium via helmchart (#321) 2022-08-12 04:20:19 -04:00
deps: update cilium Bumping Cilium to also enable node-to-node encryption and node-to-node strict mode. Since the second is not upstream we use our fork. 2023-10-16 13:14:53 -04:00			`encryption-strict-mode-allow-remote-node-identities: {{ .Values.encryption.strictMode.allowRemoteNodeIdentities \| quote }}`
			`{{- end }}`
deploy cilium via helmchart (#321) 2022-08-12 04:20:19 -04:00			`diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml`
deps: update cilium Bumping Cilium to also enable node-to-node encryption and node-to-node strict mode. Since the second is not upstream we use our fork. 2023-10-16 13:14:53 -04:00			`index c00e9af831..4661c16f56 100644`
deploy cilium via helmchart (#321) 2022-08-12 04:20:19 -04:00			`--- a/install/kubernetes/cilium/values.yaml`
			`+++ b/install/kubernetes/cilium/values.yaml`
deps: update cilium Bumping Cilium to also enable node-to-node encryption and node-to-node strict mode. Since the second is not upstream we use our fork. 2023-10-16 13:14:53 -04:00			`@@ -794,17 +794,21 @@ encryption:`
			`# This option is only effective when encryption.type is set to "wireguard".`
			`nodeEncryption: false`
deploy cilium via helmchart (#321) 2022-08-12 04:20:19 -04:00
deps: update cilium Bumping Cilium to also enable node-to-node encryption and node-to-node strict mode. Since the second is not upstream we use our fork. 2023-10-16 13:14:53 -04:00			`- # -- Configure the WireGuard Pod2Pod strict mode.`
			`+ # -- Configure the WireGuard strict mode.`
			`strictMode:`
			`- # -- Enable WireGuard Pod2Pod strict mode.`
			`+ # -- Enable WireGuard strict mode.`
			`enabled: false`
deploy cilium via helmchart (#321) 2022-08-12 04:20:19 -04:00			`+`
deps: update cilium Bumping Cilium to also enable node-to-node encryption and node-to-node strict mode. Since the second is not upstream we use our fork. 2023-10-16 13:14:53 -04:00			`+ # -- podCIDRList for the WireGuard strict mode.`
			`+ podCIDRList: []`

			`- # -- CIDR for the WireGuard Pod2Pod strict mode.`
			`- cidr: ""`
			`+ # -- nodeCIDRList for the WireGuard strict mode.`
			`+ nodeCIDRList: []`

			`# -- Allow dynamic lookup of remote node identities.`
			`# This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap.`
			`- allowRemoteNodeIdentities: false`
			`+ # This is also required when control-plane nodes are exempted from node-to-node encryption.`
			`+ allowRemoteNodeIdentities: true`

			`ipsec:`
			`# -- Name of the key file inside the Kubernetes secret configured via secretName.`