cilium: use strict cidrs from state file

For the strict modes we need to dynamically use
the CIDR used in the Terraform files. Therefore,
we write them to our statefile and use them when
installing Cilium.

cli/internal/helm/overrides.go

@@ -42,11 +42,22 @@ func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, ou
 		}
 	}
 
+	strictMode := map[string]any{}
+	if provider != cloudprovider.QEMU {
+		strictMode = map[string]any{
+			"enabled":      true,
+			"nodeCIDRList": []string{output.IPCidrNode},
+		}
+	}
+
 	extraVals["k8sServiceHost"] = output.InClusterEndpoint
 	extraVals["k8sServicePort"] = constants.KubernetesPort
 	if provider == cloudprovider.GCP {
 		extraVals["ipv4NativeRoutingCIDR"] = output.GCP.IPCidrPod
-		extraVals["strictModeCIDR"] = output.GCP.IPCidrPod
+		strictMode["podCIDRList"] = []string{output.GCP.IPCidrPod}
+	}
+	extraVals["encryption"] = map[string]any{
+		"strictMode": strictMode,
 	}
 	return extraVals
 }
@@ -63,9 +74,6 @@ func extraConstellationServicesValues(
 	extraVals["verification-service"] = map[string]any{
 		"attestationVariant": cfg.GetAttestationConfig().GetVariant().String(),
 	}
-	extraVals["konnectivity"] = map[string]any{
-		"loadBalancerIP": output.ClusterEndpoint,
-	}
 
 	extraVals["key-service"] = map[string]any{
 		"masterSecret": base64.StdEncoding.EncodeToString(masterSecret.Key),

cli/internal/helm/values.go

@@ -20,9 +20,8 @@ var ciliumVals = map[string]map[string]any{
 			"type":           "wireguard",
 			"nodeEncryption": true,
 			"strictMode": map[string]any{
-				"enabled":      true,
+				"enabled":     true,
-				"podCIDRList":  []string{"10.244.0.0/16"},
+				"podCIDRList": []string{"10.244.0.0/16"},
-				"nodeCIDRList": []string{"192.168.179.0/24"},
 			},
 		},
 		"l7Proxy": false,
@@ -63,9 +62,8 @@ var ciliumVals = map[string]map[string]any{
 			"type":           "wireguard",
 			"nodeEncryption": true,
 			"strictMode": map[string]any{
-				"enabled":      true,
+				"enabled":     true,
-				"podCIDRList":  []string{"10.244.0.0/16"},
+				"podCIDRList": []string{"10.244.0.0/16"},
-				"nodeCIDRList": []string{"10.9.0.0/24"},
 			},
 		},
 		"l7Proxy": false,
@@ -109,9 +107,7 @@ var ciliumVals = map[string]map[string]any{
 			"type":           "wireguard",
 			"nodeEncryption": true,
 			"strictMode": map[string]any{
-				"enabled":      true,
+				"enabled": true,
-				"podCIDRList":  []string{"10.244.0.0/16"},
-				"nodeCIDRList": []string{"192.168.178.0/24"},
 			},
 		},
 		"image": map[string]any{
@@ -148,9 +144,8 @@ var ciliumVals = map[string]map[string]any{
 			"type":           "wireguard",
 			"nodeEncryption": true,
 			"strictMode": map[string]any{
-				"enabled":      true,
+				"enabled":     true,
-				"podCIDRList":  []string{"10.244.0.0/16"},
+				"podCIDRList": []string{"10.244.0.0/16"},
-				"nodeCIDRList": []string{"192.168.178.0/24"},
 			},
 		},
 		"l7Proxy": false,
@@ -190,9 +185,8 @@ var ciliumVals = map[string]map[string]any{
 			"type":           "wireguard",
 			"nodeEncryption": true,
 			"strictMode": map[string]any{
-				"enabled":      true,
+				"enabled":     true,
-				"podCIDRList":  []string{"10.244.0.0/16"},
+				"podCIDRList": []string{"10.244.0.0/16"},
-				"nodeCIDRList": []string{},
 			},
 		},
 		"image": map[string]any{