fix cilium encryption in gcp

2024-10-01 01:36:09 -04:00 · 2022-06-04 15:20:59 +02:00 · 2022-06-04 15:20:59 +02:00 · e5c4171a14
commit e5c4171a14
parent a15605475e
2 changed files with 3 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed

 ### Security
+- GCP WireGuard encryption via cilium

 ### Internal

--- a/coordinator/kubernetes/k8sapi/util.go
+++ b/coordinator/kubernetes/k8sapi/util.go
@ -118,7 +118,7 @@ func (k *KubernetesUtil) setupAzurePodNetwork(ctx context.Context, providerID, s
 		return fmt.Errorf("error splitting providerID %q", providerID)
 	}

-	ciliumInstall := exec.CommandContext(ctx, "cilium", "install", "--azure-resource-group", matches[2], "--encryption", "wireguard", "--ipam", "azure",
+	ciliumInstall := exec.CommandContext(ctx, "cilium", "install", "--azure-resource-group", matches[2], "--ipam", "azure",
 		"--helm-set",
 		"tunnel=disabled,enableIPv4Masquerade=true,azure.enabled=true,debug.enabled=true,ipv4NativeRoutingCIDR="+subnetworkPodCIDR+
 			",endpointRoutes.enabled=true,encryption.enabled=true,encryption.type=wireguard,l7Proxy=false,egressMasqueradeInterfaces=eth0")
@ -149,7 +149,7 @@ func (k *KubernetesUtil) setupGCPPodNetwork(ctx context.Context, nodeName, nodeP
 		return err
 	}

-	ciliumInstall := exec.CommandContext(ctx, "cilium", "install", "--encryption", "wireguard", "--ipam", "kubernetes", "--ipv4-native-routing-cidr", subnetworkPodCIDR, "--helm-set", "endpointRoutes.enabled=true,tunnel=disabled")
+	ciliumInstall := exec.CommandContext(ctx, "cilium", "install", "--ipam", "kubernetes", "--ipv4-native-routing-cidr", subnetworkPodCIDR, "--helm-set", "endpointRoutes.enabled=true,tunnel=disabled,encryption.enabled=true,encryption.type=wireguard,l7Proxy=false")
 	ciliumInstall.Env = append(os.Environ(), "KUBECONFIG="+kubeConfig)
 	out, err = ciliumInstall.CombinedOutput()
 	if err != nil {