cilium: enable bpf masquerading (#2723)

* cilium: enable bpf masquerading * cilium: also enable ipMasqAgent * cilium: remove custom Azure masqing
2025-05-15 04:32:15 -04:00 · 2023-12-15 23:07:03 +01:00 · 2023-12-15 23:07:03 +01:00 · 183c564483
commit 183c564483
parent 0111b6d718
2 changed files with 51 additions and 2 deletions
--- a/internal/constellation/helm/overrides.go
+++ b/internal/constellation/helm/overrides.go
@ -59,6 +59,12 @@ func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, ou
 	extraVals["encryption"] = map[string]any{
 		"strictMode": strictMode,
 	}
+	extraVals["ipMasqAgent"] = map[string]any{
+		"config": map[string]any{
+			"nonMasqueradeCIDRs": []string{output.IPCidrNode},
+		},
+	}
+
 	return extraVals
 }

--- a/internal/constellation/helm/values.go
+++ b/internal/constellation/helm/values.go
@ -49,6 +49,15 @@ var ciliumVals = map[string]map[string]any{
 				"useDigest":     true,
 			},
 		},
+		"bpf": map[string]any{
+			"masquerade": true,
+		},
+		"ipMasqAgent": map[string]any{
+			"enabled": true,
+			"config": map[string]any{
+				"masqLinkLocal": true,
+			},
+		},
 		"kubeProxyReplacement":                "strict",
 		"enableCiliumEndpointSlice":           true,
 		"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
@ -92,8 +101,15 @@ var ciliumVals = map[string]map[string]any{
 				"useDigest":     true,
 			},
 		},
-		"egressMasqueradeInterfaces":          "eth0",
-		"enableIPv4Masquerade":                true,
+		"bpf": map[string]any{
+			"masquerade": true,
+		},
+		"ipMasqAgent": map[string]any{
+			"enabled": true,
+			"config": map[string]any{
+				"masqLinkLocal": true,
+			},
+		},
 		"kubeProxyReplacement":                "strict",
 		"enableCiliumEndpointSlice":           true,
 		"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
@ -133,6 +149,15 @@ var ciliumVals = map[string]map[string]any{
 		"ipam": map[string]any{
 			"mode": "kubernetes",
 		},
+		"bpf": map[string]any{
+			"masquerade": true,
+		},
+		"ipMasqAgent": map[string]any{
+			"enabled": true,
+			"config": map[string]any{
+				"masqLinkLocal": true,
+			},
+		},
 		"kubeProxyReplacement":                "strict",
 		"enableCiliumEndpointSlice":           true,
 		"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
@ -175,6 +200,15 @@ var ciliumVals = map[string]map[string]any{
 				"useDigest":     true,
 			},
 		},
+		"bpf": map[string]any{
+			"masquerade": true,
+		},
+		"ipMasqAgent": map[string]any{
+			"enabled": true,
+			"config": map[string]any{
+				"masqLinkLocal": true,
+			},
+		},
 		"kubeProxyReplacement":                "strict",
 		"enableCiliumEndpointSlice":           true,
 		"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
@ -215,6 +249,15 @@ var ciliumVals = map[string]map[string]any{
 				},
 			},
 		},
+		"bpf": map[string]any{
+			"masquerade": true,
+		},
+		"ipMasqAgent": map[string]any{
+			"enabled": true,
+			"config": map[string]any{
+				"masqLinkLocal": true,
+			},
+		},
 		"kubeProxyReplacement":                "strict",
 		"enableCiliumEndpointSlice":           true,
 		"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",