cilium: also encryption control-planes

When enabling node-to-node encryption, Cilium does not
encrypt control-plane to control-plane traffic by
default since they say that they cannot gurantee that
the generated private key for a node is persisted across
reboots.

In Constellation we use stateful VMs which when rebooted
still have the cilium_wg0 interface containing the
private key.

Therefore, we can enable this type of encryption.

cli/internal/helm/values.go

@@ -14,6 +14,7 @@ var ciliumVals = map[string]map[string]any{
 		"endpointRoutes": map[string]any{
 			"enabled": true,
 		},
+		"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
 		"encryption": map[string]any{
 			"enabled":        true,
 			"type":           "wireguard",
@@ -56,6 +57,7 @@ var ciliumVals = map[string]map[string]any{
 		"endpointRoutes": map[string]any{
 			"enabled": true,
 		},
+		"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
 		"encryption": map[string]any{
 			"enabled":        true,
 			"type":           "wireguard",
@@ -100,7 +102,8 @@ var ciliumVals = map[string]map[string]any{
 		"endpointRoutes": map[string]any{
 			"enabled": true,
 		},
-		"tunnel": "disabled",
+		"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
+		"tunnel":    "disabled",
 		"encryption": map[string]any{
 			"enabled":        true,
 			"type":           "wireguard",
@@ -139,6 +142,7 @@ var ciliumVals = map[string]map[string]any{
 		"endpointRoutes": map[string]any{
 			"enabled": true,
 		},
+		"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
 		"encryption": map[string]any{
 			"enabled":        true,
 			"type":           "wireguard",