helm: use Cilium chart from fork (#3130)

2025-01-11 15:39:33 -05:00 · 2024-06-05 07:56:11 +02:00 · 2024-06-05 07:56:11 +02:00 · 5a100d1fc9
commit 5a100d1fc9
parent 66a5d6a5d3
5 changed files with 18 additions and 100 deletions
--- a/internal/constellation/helm/charts/cilium/README.md
+++ b/internal/constellation/helm/charts/cilium/README.md
@ -297,10 +297,11 @@ contributors across the globe, there is almost always someone available to help.
 | encryption.mountPath | string | `"/etc/ipsec"` | Deprecated in favor of encryption.ipsec.mountPath. To be removed in 1.15. Path to mount the secret inside the Cilium pod. This option is only effective when encryption.type is set to ipsec. |
 | encryption.nodeEncryption | bool | `false` | Enable encryption for pure node to node traffic. This option is only effective when encryption.type is set to "wireguard". |
 | encryption.secretName | string | `"cilium-ipsec-keys"` | Deprecated in favor of encryption.ipsec.secretName. To be removed in 1.15. Name of the Kubernetes secret containing the encryption keys. This option is only effective when encryption.type is set to ipsec. |
-| encryption.strictMode | object | `{"allowRemoteNodeIdentities":false,"cidr":"","enabled":false}` | Configure the WireGuard Pod2Pod strict mode. |
-| encryption.strictMode.allowRemoteNodeIdentities | bool | `false` | Allow dynamic lookup of remote node identities. This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. |
-| encryption.strictMode.cidr | string | `""` | CIDR for the WireGuard Pod2Pod strict mode. |
-| encryption.strictMode.enabled | bool | `false` | Enable WireGuard Pod2Pod strict mode. |
+| encryption.strictMode | object | `{"allowRemoteNodeIdentities":true,"enabled":false,"nodeCIDRList":[],"podCIDRList":[]}` | Configure the WireGuard strict mode. |
+| encryption.strictMode.allowRemoteNodeIdentities | bool | `true` | Allow dynamic lookup of remote node identities. This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. This is also required when control-plane nodes are exempted from node-to-node encryption. |
+| encryption.strictMode.enabled | bool | `false` | Enable WireGuard strict mode. |
+| encryption.strictMode.nodeCIDRList | list | `[]` | nodeCIDRList for the WireGuard strict mode. |
+| encryption.strictMode.podCIDRList | list | `[]` | podCIDRList for the WireGuard strict mode. |
 | encryption.type | string | `"ipsec"` | Encryption method. Can be either ipsec or wireguard. |
 | encryption.wireguard.persistentKeepalive | string | `"0s"` | Controls Wireguard PersistentKeepalive option. Set 0s to disable. |
 | encryption.wireguard.userspaceFallback | bool | `false` | Enables the fallback to the user-space implementation. |
--- a/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml
+++ b/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml
@ -716,7 +716,7 @@ spec:
            mountPath: /host/opt/cni/bin
      {{- end }} # .Values.cni.install
      - name: firewall-pods
-        image: ghcr.io/edgelesssys/cilium/cilium:v1.15.0-pre.3-edg.2@sha256:c21b7fbbb084a128a479d6170e5f89ad2768dfecb4af10ee6a99ffe5d1a11749
+        image: {{ include "cilium.image" .Values.image | quote }}
        imagePullPolicy: IfNotPresent
        command:
        - /bin/bash
--- a/internal/constellation/helm/charts/cilium/values.yaml.tmpl
+++ b/internal/constellation/helm/charts/cilium/values.yaml.tmpl
@ -800,17 +800,21 @@ encryption:
  # This option is only effective when encryption.type is set to "wireguard".
  nodeEncryption: false

-  # -- Configure the WireGuard Pod2Pod strict mode.
+  # -- Configure the WireGuard strict mode.
  strictMode:
-    # -- Enable WireGuard Pod2Pod strict mode.
+    # -- Enable WireGuard strict mode.
    enabled: false

-    # -- CIDR for the WireGuard Pod2Pod strict mode.
-    cidr: ""
+    # -- podCIDRList for the WireGuard strict mode.
+    podCIDRList: []
+
+    # -- nodeCIDRList for the WireGuard strict mode.
+    nodeCIDRList: []

    # -- Allow dynamic lookup of remote node identities.
    # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap.
-    allowRemoteNodeIdentities: false
+    # This is also required when control-plane nodes are exempted from node-to-node encryption.
+    allowRemoteNodeIdentities: true

  ipsec:
    # -- Name of the key file inside the Kubernetes secret configured via secretName.
--- a/internal/constellation/helm/cilium.patch
+++ b/internal/constellation/helm/cilium.patch
@ -1,49 +1,3 @@
-diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml
-index 4ac3b006e3..3541e3d380 100644
--- a/install/kubernetes/cilium/templates/cilium-configmap.yaml
-+++ b/install/kubernetes/cilium/templates/cilium-configmap.yaml
-@@ -608,7 +608,9 @@ data:
- {{- if .Values.encryption.strictMode.enabled }}
-   enable-encryption-strict-mode: {{ .Values.encryption.strictMode.enabled | quote }}
- 
-  encryption-strict-mode-cidr: {{ .Values.encryption.strictMode.cidr | quote }}
-+  encryption-strict-mode-node-cidrs: {{ .Values.encryption.strictMode.nodeCIDRList | join " " | quote }}
-+
-+  encryption-strict-mode-pod-cidrs: {{ .Values.encryption.strictMode.podCIDRList | join " " | quote }}
- 
-   encryption-strict-mode-allow-remote-node-identities: {{ .Values.encryption.strictMode.allowRemoteNodeIdentities | quote }}
- {{- end }}
-diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
-index c00e9af831..4661c16f56 100644
--- a/install/kubernetes/cilium/values.yaml
-+++ b/install/kubernetes/cilium/values.yaml
-@@ -794,17 +794,21 @@ encryption:
-   # This option is only effective when encryption.type is set to "wireguard".
-   nodeEncryption: false
- 
-  # -- Configure the WireGuard Pod2Pod strict mode.
-+  # -- Configure the WireGuard strict mode.
-   strictMode:
-    # -- Enable WireGuard Pod2Pod strict mode.
-+    # -- Enable WireGuard strict mode.
-     enabled: false
-+
-+    # -- podCIDRList for the WireGuard strict mode.
-+    podCIDRList: []
- 
-    # -- CIDR for the WireGuard Pod2Pod strict mode.
-    cidr: ""
-+    # -- nodeCIDRList for the WireGuard strict mode.
-+    nodeCIDRList: []
- 
-     # -- Allow dynamic lookup of remote node identities.
-     # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap.
-    allowRemoteNodeIdentities: false
-+    # This is also required when control-plane nodes are exempted from node-to-node encryption.
-+    allowRemoteNodeIdentities: true
- 
-   ipsec:
-     # -- Name of the key file inside the Kubernetes secret configured via secretName.
 diff --git a/install/kubernetes/cilium/Chart.yaml b/install/kubernetes/cilium/Chart.yaml
 index 256a79542..3f3fc714b 100644
 --- a/install/kubernetes/cilium/Chart.yaml
@ -59,45 +13,4 @@ index 256a79542..3f3fc714b 100644
 kubeVersion: ">= 1.16.0-0"
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability
-diff --git a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
-index f6b493cb7..50b80267a 100644
--- a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
-+++ b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
-@@ -715,6 +715,37 @@ spec:
-           - name: cni-path
-             mountPath: /host/opt/cni/bin
-       {{- end }} # .Values.cni.install
-+      - name: firewall-pods
-+        image: ghcr.io/edgelesssys/cilium/cilium:v1.15.0-pre.3-edg.2@sha256:c21b7fbbb084a128a479d6170e5f89ad2768dfecb4af10ee6a99ffe5d1a11749
-+        imagePullPolicy: IfNotPresent
-+        command:
-+        - /bin/bash
-+        - -exc
-+        - |
-+          pref=32
-+          interface=$(ip route | awk '/^default/ { print $5 }')
-+          tc qdisc add dev "${interface}" clsact || true
-+          tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
-+          handle=0
-+          for cidr in ${POD_CIDRS}; do
-+            handle=$((handle + 1))
-+            tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
-+          done
-+        env:
-+        - name: POD_CIDRS
-+          valueFrom:
-+            configMapKeyRef:
-+              key: encryption-strict-mode-pod-cidrs
-+              name: cilium-config
-+              optional: true
-+        resources:
-+          requests:
-+            cpu: 100m
-+            memory: 20Mi
-+        securityContext:
-+          capabilities:
-+            add:
-+            - NET_ADMIN
-       restartPolicy: Always
-       priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
-       serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}
+ 
--- a/internal/constellation/helm/generateCilium.sh
+++ b/internal/constellation/helm/generateCilium.sh
@ -21,8 +21,8 @@ git clone \
  --no-checkout \
  --sparse \
  --depth 1 \
-  -b 1.15.0-pre.3 \
-  https://github.com/cilium/cilium.git
+  -b v1.15.0-pre.3-edg.3 \
+  https://github.com/edgelesssys/cilium.git
 cd cilium

 git sparse-checkout add install/kubernetes/cilium