cilium: use strict cidrs from state file

For the strict modes we need to dynamically use the CIDR used in the Terraform files. Therefore, we write them to our statefile and use them when installing Cilium.
2025-01-12 07:59:29 -05:00 · 2023-10-23 15:59:19 +02:00 · 2023-10-23 15:59:19 +02:00 · 4f32eefe90
commit 4f32eefe90
parent 7318f605e1
2 changed files with 21 additions and 19 deletions
--- a/cli/internal/helm/overrides.go
+++ b/cli/internal/helm/overrides.go
@ -42,11 +42,22 @@ func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, ou
 		}
 	}

+	strictMode := map[string]any{}
+	if provider != cloudprovider.QEMU {
+		strictMode = map[string]any{
+			"enabled":      true,
+			"nodeCIDRList": []string{output.IPCidrNode},
+		}
+	}
+
 	extraVals["k8sServiceHost"] = output.InClusterEndpoint
 	extraVals["k8sServicePort"] = constants.KubernetesPort
 	if provider == cloudprovider.GCP {
 		extraVals["ipv4NativeRoutingCIDR"] = output.GCP.IPCidrPod
-		extraVals["strictModeCIDR"] = output.GCP.IPCidrPod
+		strictMode["podCIDRList"] = []string{output.GCP.IPCidrPod}
+	}
+	extraVals["encryption"] = map[string]any{
+		"strictMode": strictMode,
 	}
 	return extraVals
 }
@ -63,9 +74,6 @@ func extraConstellationServicesValues(
 	extraVals["verification-service"] = map[string]any{
 		"attestationVariant": cfg.GetAttestationConfig().GetVariant().String(),
 	}
-	extraVals["konnectivity"] = map[string]any{
-		"loadBalancerIP": output.ClusterEndpoint,
-	}

 	extraVals["key-service"] = map[string]any{
 		"masterSecret": base64.StdEncoding.EncodeToString(masterSecret.Key),
--- a/cli/internal/helm/values.go
+++ b/cli/internal/helm/values.go
@ -20,9 +20,8 @@ var ciliumVals = map[string]map[string]any{
 			"type":           "wireguard",
 			"nodeEncryption": true,
 			"strictMode": map[string]any{
-				"enabled":      true,
-				"podCIDRList":  []string{"10.244.0.0/16"},
-				"nodeCIDRList": []string{"192.168.179.0/24"},
+				"enabled":     true,
+				"podCIDRList": []string{"10.244.0.0/16"},
 			},
 		},
 		"l7Proxy": false,
@ -63,9 +62,8 @@ var ciliumVals = map[string]map[string]any{
 			"type":           "wireguard",
 			"nodeEncryption": true,
 			"strictMode": map[string]any{
-				"enabled":      true,
-				"podCIDRList":  []string{"10.244.0.0/16"},
-				"nodeCIDRList": []string{"10.9.0.0/24"},
+				"enabled":     true,
+				"podCIDRList": []string{"10.244.0.0/16"},
 			},
 		},
 		"l7Proxy": false,
@ -109,9 +107,7 @@ var ciliumVals = map[string]map[string]any{
 			"type":           "wireguard",
 			"nodeEncryption": true,
 			"strictMode": map[string]any{
-				"enabled":      true,
-				"podCIDRList":  []string{"10.244.0.0/16"},
-				"nodeCIDRList": []string{"192.168.178.0/24"},
+				"enabled": true,
 			},
 		},
 		"image": map[string]any{
@ -148,9 +144,8 @@ var ciliumVals = map[string]map[string]any{
 			"type":           "wireguard",
 			"nodeEncryption": true,
 			"strictMode": map[string]any{
-				"enabled":      true,
-				"podCIDRList":  []string{"10.244.0.0/16"},
-				"nodeCIDRList": []string{"192.168.178.0/24"},
+				"enabled":     true,
+				"podCIDRList": []string{"10.244.0.0/16"},
 			},
 		},
 		"l7Proxy": false,
@ -190,9 +185,8 @@ var ciliumVals = map[string]map[string]any{
 			"type":           "wireguard",
 			"nodeEncryption": true,
 			"strictMode": map[string]any{
-				"enabled":      true,
-				"podCIDRList":  []string{"10.244.0.0/16"},
-				"nodeCIDRList": []string{},
+				"enabled":     true,
+				"podCIDRList": []string{"10.244.0.0/16"},
 			},
 		},
 		"image": map[string]any{