Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-12-25 15:39:37 -05:00
Code Issues Packages Projects Releases Wiki Activity

cilium: also encryption control-planes

Browse Source 
When enabling node-to-node encryption, Cilium does not
encrypt control-plane to control-plane traffic by
default since they say that they cannot gurantee that
the generated private key for a node is persisted across
reboots.

In Constellation we use stateful VMs which when rebooted
still have the cilium_wg0 interface containing the
private key.

Therefore, we can enable this type of encryption.
This commit is contained in:
Leonard Cohnen 2023-10-25 13:54:32 +02:00 committed by 3u13r
parent e9694d40b9
commit 7318f605e1
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
cli/internal/helm/values.go
View File

@ -14,6 +14,7 @@ var ciliumVals = map[string]map[string]any{
"endpointRoutes": map[string]any{
"enabled": true,
},
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
"encryption": map[string]any{
"enabled": true,
"type": "wireguard",
@ -56,6 +57,7 @@ var ciliumVals = map[string]map[string]any{
"endpointRoutes": map[string]any{
"enabled": true,
},
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
"encryption": map[string]any{
"enabled": true,
"type": "wireguard",
@ -100,7 +102,8 @@ var ciliumVals = map[string]map[string]any{
"endpointRoutes": map[string]any{
"enabled": true,
},
"tunnel": "disabled",
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
"tunnel": "disabled",
"encryption": map[string]any{
"enabled": true,
"type": "wireguard",
@ -139,6 +142,7 @@ var ciliumVals = map[string]map[string]any{
"endpointRoutes": map[string]any{
"enabled": true,
},
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
"encryption": map[string]any{
"enabled": true,
"type": "wireguard",