cilium: don't allow remote node identities

The Cilium strict mode has a special mode which
loosens the security a slight bit. For compatability this
mode is enabled by default. But we don't need it for strict
node-to-node encryption. Therefore, we disable it.

cli/internal/helm/overrides.go

@@ -45,7 +45,6 @@ func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, ou
 	strictMode := map[string]any{}
 	if provider != cloudprovider.QEMU {
 		strictMode = map[string]any{
-			"enabled":      true,
 			"nodeCIDRList": []string{output.IPCidrNode},
 		}
 	}

cli/internal/helm/values.go

@@ -21,6 +21,7 @@ var ciliumVals = map[string]map[string]any{
 			"nodeEncryption": true,
 			"strictMode": map[string]any{
 				"enabled":                   true,
+				"allowRemoteNodeIdentities": false,
 				"podCIDRList":               []string{"10.244.0.0/16"},
 			},
 		},
@@ -63,6 +64,7 @@ var ciliumVals = map[string]map[string]any{
 			"nodeEncryption": true,
 			"strictMode": map[string]any{
 				"enabled":                   true,
+				"allowRemoteNodeIdentities": false,
 				"podCIDRList":               []string{"10.244.0.0/16"},
 			},
 		},
@@ -108,6 +110,7 @@ var ciliumVals = map[string]map[string]any{
 			"nodeEncryption": true,
 			"strictMode": map[string]any{
 				"enabled":                   true,
+				"allowRemoteNodeIdentities": false,
 			},
 		},
 		"image": map[string]any{