helm: disable cilium ipmasq agent when in conformance mode (#3062)

edgelesssys · May 14, 2024 · 29dc8ed · 29dc8ed
1 parent 8af455a
commit 29dc8ed
Showing 1 changed file with 22 additions and 8 deletions.
diff --git a/internal/constellation/helm/overrides.go b/internal/constellation/helm/overrides.go
@@ -33,14 +33,6 @@ import (
 // Also, the charts are not rendered correctly without all of these values.
 func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, output state.Infrastructure) map[string]any {
 	extraVals := map[string]any{}
-	if conformanceMode {
-		extraVals["kubeProxyReplacementHealthzBindAddr"] = ""
-		extraVals["kubeProxyReplacement"] = "partial"
-		extraVals["sessionAffinity"] = true
-		extraVals["cni"] = map[string]any{
-			"chainingMode": "portmap",
-		}
-	}
 
 	strictMode := map[string]any{}
 	// TODO(@3u13r): Once we are able to set the subnet of the load balancer VMs
@@ -75,6 +67,28 @@ func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, ou
 		},
 	}
 
+	// When --conformance is set, we try to mitigate https://github.com/cilium/cilium/issues/9207
+	// Users are discouraged of ever using this mode, except if they truly
+	// require protocol differentiation to work and cannot mitigate that any other way.
+	// Since there should always be workarounds, we only support this mode to
+	// pass the K8s conformance tests. It is not supported to switch to or from
+	// this mode after Constellation has been initialized.
+	// This only works for the K8s conformance tests up to K8s 1.28.
+	if conformanceMode {
+		extraVals["kubeProxyReplacementHealthzBindAddr"] = ""
+		extraVals["kubeProxyReplacement"] = "false"
+		extraVals["sessionAffinity"] = true
+		extraVals["cni"] = map[string]any{
+			"chainingMode": "portmap",
+		}
+		extraVals["ipMasqAgent"] = map[string]any{
+			"enabled": false,
+		}
+		extraVals["bpf"] = map[string]any{
+			"masquerade": false,
+		}
+	}
+
 	return extraVals
 }