Merge pull request #122 from projectsyn/feat/bpf-masquerade

Enable BPF masquerading by default

class/defaults.yml

@@ -47,7 +47,7 @@ parameters:
       egressGateway:
         enabled: ${cilium:egress_gateway:enabled}
       bpf:
-        masquerade: ${cilium:egress_gateway:enabled}
+        masquerade: true
       l7Proxy: ${cilium:_egressgw_l7proxy:${cilium:egress_gateway:enabled}}
       prometheus:
         enabled: true

component/render-helm-values.jsonnet

@@ -38,10 +38,32 @@ local renderPodCIDRList = {
   },
 };
 
+// Ensure that BPF masquerading is enabled when the Egress Gateway (or Egress
+// Gateway HA)feature is enabled.
+local forceBPFMasqueradeEgressGW = {
+  local egressGWHA =
+    std.get(
+      std.get(
+        std.get(self, 'enterprise', {}), 'egressGatewayHA', {}
+      ),
+      'enabled',
+      false
+    ),
+  local cfg = self,
+  bpf+: {
+    [if !super.bpf.masquerade && (cfg.egressGateway.enabled || egressGWHA) then 'masquerade']:
+      std.trace(
+        'Forcing BPF masquerading since Egress Gateway (or Egress Gateway HA) feature is enabled',
+        true
+      ),
+  },
+};
+
 local cilium_values = std.prune(
   params.cilium_helm_values +
   replaceDeprecatedIPv4PodCIDR +
-  renderPodCIDRList
+  renderPodCIDRList +
+  forceBPFMasqueradeEgressGW
 );
 
 local helm_values = {

docs/modules/ROOT/pages/references/parameters.adoc

@@ -251,6 +251,8 @@ l7Proxy: false
 Notably, the L7 proxy feature is disabled by default when egress gateway policies are enabled.
 This is recommended by the Cilium documentation, see also https://docs.cilium.io/en/{helm-minor-version}/network/egress-gateway/#incompatibility-with-other-features[the upstream documentation].
 
+Additionally, BPF masquerading can't be disabled when the egress gateway feature is enabled.
+
 For Cilium EE, the component uses Helm value `egressGateway.enabled` for Helm value `enterprise.egressGatewayHA.enabled` by default.
 It's possible to override this by explicitly setting `egressGateway.enabled=false` and `enterprise.egressGatewayHA.enabled=true` in the component's `cilium_helm_values`.
 

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml

@@ -28,7 +28,7 @@ data:
   enable-auto-protect-node-port-range: 'true'
   enable-bgp-control-plane: 'true'
   enable-bpf-clock-probe: 'false'
-  enable-bpf-masquerade: 'false'
+  enable-bpf-masquerade: 'true'
   enable-endpoint-health-checking: 'true'
   enable-endpoint-routes: 'true'
   enable-health-check-loadbalancer-ip: 'false'

tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml

@@ -27,7 +27,7 @@ data:
   enable-auto-protect-node-port-range: 'true'
   enable-bgp-control-plane: 'false'
   enable-bpf-clock-probe: 'false'
-  enable-bpf-masquerade: 'false'
+  enable-bpf-masquerade: 'true'
   enable-endpoint-health-checking: 'true'
   enable-endpoint-routes: 'true'
   enable-health-check-loadbalancer-ip: 'false'

tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml

@@ -27,7 +27,7 @@ data:
   enable-auto-protect-node-port-range: 'true'
   enable-bgp-control-plane: 'false'
   enable-bpf-clock-probe: 'false'
-  enable-bpf-masquerade: 'false'
+  enable-bpf-masquerade: 'true'
   enable-endpoint-health-checking: 'true'
   enable-endpoint-routes: 'true'
   enable-health-check-loadbalancer-ip: 'false'

tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml

@@ -27,7 +27,7 @@ data:
   enable-auto-protect-node-port-range: 'true'
   enable-bgp-control-plane: 'false'
   enable-bpf-clock-probe: 'false'
-  enable-bpf-masquerade: 'false'
+  enable-bpf-masquerade: 'true'
   enable-endpoint-health-checking: 'true'
   enable-endpoint-routes: 'true'
   enable-health-check-loadbalancer-ip: 'false'

tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-07-cilium-ciliumconfig.yaml

@@ -9,7 +9,7 @@ spec:
     secretNamespace:
       name: cilium
   bpf:
-    masquerade: false
+    masquerade: true
   cni:
     binPath: /var/lib/cni/bin
     confPath: /var/run/multus/cni/net.d