diff --git a/class/defaults.yml b/class/defaults.yml index 592d0723..8d181cb6 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -47,7 +47,7 @@ parameters: egressGateway: enabled: ${cilium:egress_gateway:enabled} bpf: - masquerade: ${cilium:egress_gateway:enabled} + masquerade: true l7Proxy: ${cilium:_egressgw_l7proxy:${cilium:egress_gateway:enabled}} prometheus: enabled: true diff --git a/component/render-helm-values.jsonnet b/component/render-helm-values.jsonnet index 2ce9f473..a738f15d 100644 --- a/component/render-helm-values.jsonnet +++ b/component/render-helm-values.jsonnet @@ -38,10 +38,32 @@ local renderPodCIDRList = { }, }; +// Ensure that BPF masquerading is enabled when the Egress Gateway (or Egress +// Gateway HA)feature is enabled. +local forceBPFMasqueradeEgressGW = { + local egressGWHA = + std.get( + std.get( + std.get(self, 'enterprise', {}), 'egressGatewayHA', {} + ), + 'enabled', + false + ), + local cfg = self, + bpf+: { + [if !super.bpf.masquerade && (cfg.egressGateway.enabled || egressGWHA) then 'masquerade']: + std.trace( + 'Forcing BPF masquerading since Egress Gateway (or Egress Gateway HA) feature is enabled', + true + ), + }, +}; + local cilium_values = std.prune( params.cilium_helm_values + replaceDeprecatedIPv4PodCIDR + - renderPodCIDRList + renderPodCIDRList + + forceBPFMasqueradeEgressGW ); local helm_values = { diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc index 11f44f5d..e1c0c526 100644 --- a/docs/modules/ROOT/pages/references/parameters.adoc +++ b/docs/modules/ROOT/pages/references/parameters.adoc 
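Review bot: Hard-coding `masquerade: true` in `class/defaults.yml` turns BPF masquerading on for every cluster, not only those with the egress gateway enabled; the golden `defaults`, `helm-opensource` and `kubeproxyreplacement-strict` outputs flipping `enable-bpf-masquerade` to `'true'` show the wider scope, while the documentation line added in the same commit only describes the egress-gateway coupling. BPF masquerading is a different egress SNAT datapath from the iptables-based masquerading it replaces (it is tied to the BPF NodePort datapath and, as far as I recall, has its own prerequisites and limitations), so existing clusters would change how pod traffic leaves the node on the next render without having opted in. If the goal is only to satisfy the egress-gateway requirement, the jsonnet override added in this commit already enforces it and the default can stay `masquerade: ${cilium:egress_gateway:enabled}`; otherwise the new default and its prerequisites should be stated in the parameters reference, e.g. `BPF masquerading is enabled by default; set bpf.masquerade=false to fall back to iptables-based masquerading (not possible while the egress gateway is enabled).`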
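Review bot: The computed field name in `forceBPFMasqueradeEgressGW` reads `super.bpf.masquerade` and `cfg.egressGateway.enabled` directly, so a user who sets `bpf.masquerade: null` (the usual way to drop a key before `std.prune`) or removes `egressGateway` from `cilium_helm_values` gets a Jsonnet runtime error (`!` is not defined on null, and a missing field is an error) instead of the forced value, whereas `egressGWHA` is already read defensively with `std.get`. Consider the same treatment for the other two operands, e.g. `[if std.get(super.bpf, 'masquerade', false) != true && (std.get(std.get(cfg, 'egressGateway', {}), 'enabled', false) || egressGWHA) then 'masquerade']:`, which also forces masquerading when the key was explicitly nulled. The `std.trace` fires on every render of an affected cluster, which looks intended as an audit hint; a one-line comment such as `// Trace so operators see the override in the compile log` would make that explicit. Minor: the header comment is missing a space in `Gateway HA)feature`.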
@@ -251,6 +251,8 @@ l7Proxy: false Notably, the L7 proxy feature is disabled by default when egress gateway policies are enabled. This is recommended by the Cilium documentation, see also https://docs.cilium.io/en/{helm-minor-version}/network/egress-gateway/#incompatibility-with-other-features[the upstream documentation]. +Additionally, BPF masquerading can't be disabled when the egress gateway feature is enabled. + For Cilium EE, the component uses Helm value `egressGateway.enabled` for Helm value `enterprise.egressGatewayHA.enabled` by default. It's possible to override this by explicitly setting `egressGateway.enabled=false` and `enterprise.egressGatewayHA.enabled=true` in the component's `cilium_helm_values`. diff --git a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index 1e36fa7f..2fb8fc41 100644 --- a/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml @@ -28,7 +28,7 @@ data: enable-auto-protect-node-port-range: 'true' enable-bgp-control-plane: 'true' enable-bpf-clock-probe: 'false' - enable-bpf-masquerade: 'false' + enable-bpf-masquerade: 'true' enable-endpoint-health-checking: 'true' enable-endpoint-routes: 'true' enable-health-check-loadbalancer-ip: 'false' diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index 8748fed3..83590560 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml 
@@ -27,7 +27,7 @@ data:
 enable-auto-protect-node-port-range: 'true'
 enable-bgp-control-plane: 'false'
 enable-bpf-clock-probe: 'false'
- enable-bpf-masquerade: 'false'
+ enable-bpf-masquerade: 'true'
 enable-endpoint-health-checking: 'true'
 enable-endpoint-routes: 'true'
 enable-health-check-loadbalancer-ip: 'false'
diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml
index 8748fed3..83590560 100644
--- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml
+++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml
@@ -27,7 +27,7 @@ data:
 enable-auto-protect-node-port-range: 'true'
 enable-bgp-control-plane: 'false'
 enable-bpf-clock-probe: 'false'
- enable-bpf-masquerade: 'false'
+ enable-bpf-masquerade: 'true'
 enable-endpoint-health-checking: 'true'
 enable-endpoint-routes: 'true'
 enable-health-check-loadbalancer-ip: 'false'
diff --git a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml
index 8748fed3..83590560 100644
--- a/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml
+++ b/tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml
@@ -27,7 +27,7 @@ data:
 enable-auto-protect-node-port-range: 'true'
 enable-bgp-control-plane: 'false'
 enable-bpf-clock-probe: 'false'
- enable-bpf-masquerade: 'false'
+ enable-bpf-masquerade: 'true'
 enable-endpoint-health-checking: 'true'
 enable-endpoint-routes: 'true'
 enable-health-check-loadbalancer-ip: 'false'
diff --git a/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-07-cilium-ciliumconfig.yaml b/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-07-cilium-ciliumconfig.yaml
index 21d17a9e..95a40736 100644
--- a/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-07-cilium-ciliumconfig.yaml
+++ b/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-07-cilium-ciliumconfig.yaml
@@ -9,7 +9,7 @@ spec:
 secretNamespace:
 name: cilium
 bpf:
- masquerade: false
+ masquerade: true
 cni:
 binPath: /var/lib/cni/bin
 confPath: /var/run/multus/cni/net.d