mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-03-30 10:38:24 -04:00
a3de1d95d9
By default, Cilium's tc filters are added add the highest priority, which makes it impossible to add any tc filters of our own (because the Cilium eBPF programs don't return to the filter chain). Two near-future use cases that would benefit from this: * Network testing could add counting filters to interfaces and observe e.g. violations of encryption policy. * The VPN Helm chart could add a filter policy that drops packets on the "physical" interface before they can leak to the CSP.
239 lines
7.1 KiB
Go
239 lines
7.1 KiB
Go
/*
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
*/
|
|
|
|
package helm
|
|
|
|
import "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
|
|
|
// Values for the Cilium Helm releases for AWS.
|
|
var ciliumVals = map[string]map[string]any{
|
|
cloudprovider.AWS.String(): {
|
|
"endpointRoutes": map[string]any{
|
|
"enabled": true,
|
|
},
|
|
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label", "--bpf-filter-priority=50"},
|
|
"encryption": map[string]any{
|
|
"enabled": true,
|
|
"type": "wireguard",
|
|
"nodeEncryption": true,
|
|
"strictMode": map[string]any{
|
|
"enabled": true,
|
|
"allowRemoteNodeIdentities": false,
|
|
"podCIDRList": []string{"10.244.0.0/16"},
|
|
},
|
|
},
|
|
"l7Proxy": false,
|
|
"ipam": map[string]any{
|
|
"operator": map[string]any{
|
|
"clusterPoolIPv4PodCIDRList": []string{
|
|
"10.244.0.0/16",
|
|
},
|
|
},
|
|
},
|
|
"image": map[string]any{
|
|
"repository": "ghcr.io/3u13r/cilium",
|
|
"suffix": "",
|
|
"tag": "v1.15.0-pre.2-edg.1",
|
|
"digest": "sha256:eebf631fd0f27e1f28f1fdeb2e049f2c83b887381466245c4b3e26440daefa27",
|
|
"useDigest": true,
|
|
},
|
|
"operator": map[string]any{
|
|
"image": map[string]any{
|
|
"repository": "ghcr.io/3u13r/operator",
|
|
"tag": "v1.15.0-pre.2-edg.1",
|
|
"suffix": "",
|
|
"genericDigest": "sha256:bfaeac2e05e8c38f439b0fbc36558fd8d11602997f2641423e8d86bd7ac6a88c",
|
|
"useDigest": true,
|
|
},
|
|
},
|
|
"kubeProxyReplacement": "strict",
|
|
"enableCiliumEndpointSlice": true,
|
|
"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
|
|
},
|
|
cloudprovider.Azure.String(): {
|
|
"endpointRoutes": map[string]any{
|
|
"enabled": true,
|
|
},
|
|
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label", "--bpf-filter-priority=50"},
|
|
"encryption": map[string]any{
|
|
"enabled": true,
|
|
"type": "wireguard",
|
|
"nodeEncryption": true,
|
|
"strictMode": map[string]any{
|
|
"enabled": true,
|
|
"allowRemoteNodeIdentities": false,
|
|
"podCIDRList": []string{"10.244.0.0/16"},
|
|
},
|
|
},
|
|
"l7Proxy": false,
|
|
"ipam": map[string]any{
|
|
"operator": map[string]any{
|
|
"clusterPoolIPv4PodCIDRList": []string{
|
|
"10.244.0.0/16",
|
|
},
|
|
},
|
|
},
|
|
"image": map[string]any{
|
|
"repository": "ghcr.io/3u13r/cilium",
|
|
"suffix": "",
|
|
"tag": "v1.15.0-pre.2-edg.1",
|
|
"digest": "sha256:eebf631fd0f27e1f28f1fdeb2e049f2c83b887381466245c4b3e26440daefa27",
|
|
"useDigest": true,
|
|
},
|
|
"operator": map[string]any{
|
|
"image": map[string]any{
|
|
"repository": "ghcr.io/3u13r/operator",
|
|
"tag": "v1.15.0-pre.2-edg.1",
|
|
"suffix": "",
|
|
"genericDigest": "sha256:bfaeac2e05e8c38f439b0fbc36558fd8d11602997f2641423e8d86bd7ac6a88c",
|
|
"useDigest": true,
|
|
},
|
|
},
|
|
"egressMasqueradeInterfaces": "eth0",
|
|
"enableIPv4Masquerade": true,
|
|
"kubeProxyReplacement": "strict",
|
|
"enableCiliumEndpointSlice": true,
|
|
"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
|
|
},
|
|
cloudprovider.GCP.String(): {
|
|
"endpointRoutes": map[string]any{
|
|
"enabled": true,
|
|
},
|
|
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label", "--bpf-filter-priority=50"},
|
|
"tunnel": "disabled",
|
|
"encryption": map[string]any{
|
|
"enabled": true,
|
|
"type": "wireguard",
|
|
"nodeEncryption": true,
|
|
"strictMode": map[string]any{
|
|
"enabled": true,
|
|
"allowRemoteNodeIdentities": false,
|
|
},
|
|
},
|
|
"image": map[string]any{
|
|
"repository": "ghcr.io/3u13r/cilium",
|
|
"suffix": "",
|
|
"tag": "v1.15.0-pre.2-edg.1",
|
|
"digest": "sha256:eebf631fd0f27e1f28f1fdeb2e049f2c83b887381466245c4b3e26440daefa27",
|
|
"useDigest": true,
|
|
},
|
|
"operator": map[string]any{
|
|
"image": map[string]any{
|
|
"repository": "ghcr.io/3u13r/operator",
|
|
"suffix": "",
|
|
"tag": "v1.15.0-pre.2-edg.1",
|
|
"genericDigest": "sha256:bfaeac2e05e8c38f439b0fbc36558fd8d11602997f2641423e8d86bd7ac6a88c",
|
|
"useDigest": true,
|
|
},
|
|
},
|
|
"l7Proxy": false,
|
|
"ipam": map[string]any{
|
|
"mode": "kubernetes",
|
|
},
|
|
"kubeProxyReplacement": "strict",
|
|
"enableCiliumEndpointSlice": true,
|
|
"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
|
|
},
|
|
cloudprovider.OpenStack.String(): {
|
|
"endpointRoutes": map[string]any{
|
|
"enabled": true,
|
|
},
|
|
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
|
|
"encryption": map[string]any{
|
|
"enabled": true,
|
|
"type": "wireguard",
|
|
"nodeEncryption": true,
|
|
"strictMode": map[string]any{
|
|
"enabled": true,
|
|
"podCIDRList": []string{"10.244.0.0/16"},
|
|
},
|
|
},
|
|
"l7Proxy": false,
|
|
"ipam": map[string]any{
|
|
"operator": map[string]any{
|
|
"clusterPoolIPv4PodCIDRList": []string{
|
|
"10.244.0.0/16",
|
|
},
|
|
},
|
|
},
|
|
"image": map[string]any{
|
|
"repository": "ghcr.io/3u13r/cilium",
|
|
"suffix": "",
|
|
"tag": "v1.15.0-pre.2-edg.1",
|
|
"digest": "sha256:eebf631fd0f27e1f28f1fdeb2e049f2c83b887381466245c4b3e26440daefa27",
|
|
"useDigest": true,
|
|
},
|
|
"operator": map[string]any{
|
|
"image": map[string]any{
|
|
"repository": "ghcr.io/3u13r/operator",
|
|
"tag": "v1.15.0-pre.2-edg.1",
|
|
"suffix": "",
|
|
"genericDigest": "sha256:bfaeac2e05e8c38f439b0fbc36558fd8d11602997f2641423e8d86bd7ac6a88c",
|
|
"useDigest": true,
|
|
},
|
|
},
|
|
"kubeProxyReplacement": "strict",
|
|
"enableCiliumEndpointSlice": true,
|
|
"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
|
|
},
|
|
cloudprovider.QEMU.String(): {
|
|
"endpointRoutes": map[string]any{
|
|
"enabled": true,
|
|
},
|
|
"encryption": map[string]any{
|
|
"enabled": true,
|
|
"type": "wireguard",
|
|
"nodeEncryption": true,
|
|
"strictMode": map[string]any{
|
|
"enabled": true,
|
|
"podCIDRList": []string{"10.244.0.0/16"},
|
|
},
|
|
},
|
|
"image": map[string]any{
|
|
"repository": "ghcr.io/3u13r/cilium",
|
|
"suffix": "",
|
|
"tag": "v1.15.0-pre.2-edg.1",
|
|
"digest": "sha256:eebf631fd0f27e1f28f1fdeb2e049f2c83b887381466245c4b3e26440daefa27",
|
|
"useDigest": true,
|
|
},
|
|
"operator": map[string]any{
|
|
"image": map[string]any{
|
|
"repository": "ghcr.io/3u13r/operator",
|
|
"suffix": "",
|
|
"tag": "v1.15.0-pre.2-edg.1",
|
|
"genericDigest": "sha256:bfaeac2e05e8c38f439b0fbc36558fd8d11602997f2641423e8d86bd7ac6a88c",
|
|
"useDigest": true,
|
|
},
|
|
},
|
|
"ipam": map[string]any{
|
|
"operator": map[string]any{
|
|
"clusterPoolIPv4PodCIDRList": []string{
|
|
"10.244.0.0/16",
|
|
},
|
|
},
|
|
},
|
|
"kubeProxyReplacement": "strict",
|
|
"enableCiliumEndpointSlice": true,
|
|
"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
|
|
"l7Proxy": false,
|
|
},
|
|
}
|
|
|
|
var controlPlaneNodeSelector = map[string]any{"node-role.kubernetes.io/control-plane": ""}
|
|
|
|
var controlPlaneTolerations = []map[string]any{
|
|
{
|
|
"key": "node-role.kubernetes.io/control-plane",
|
|
"effect": "NoSchedule",
|
|
"operator": "Exists",
|
|
},
|
|
{
|
|
"key": "node-role.kubernetes.io/master",
|
|
"effect": "NoSchedule",
|
|
"operator": "Exists",
|
|
},
|
|
}
|