node: require ipv4 address when wireguard is enabled

Currently, wireguard encryption is not performed when the nodes have ipv6-only addresses, since it relies on the tunnel_endpoint field of the ipcache map (which is not set in such case). This limitation has been removed with the reworking performed as part of #19401. As for previous versions, this commit adds a check to prevent the agent from starting in this configuration. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
cilium · Feb 20, 2023 · 5463073 · 5463073
1 parent ee5dc72
commit 5463073
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/pkg/node/address.go b/pkg/node/address.go
@@ -551,7 +551,7 @@ const mismatchRouterIPsMsg = "Mismatch of router IPs found during restoration. T
 // ValidatePostInit validates the entire addressing setup and completes it as
 // required
 func ValidatePostInit() error {
-	if option.Config.EnableIPv4 || option.Config.Tunnel != option.TunnelDisabled {
+	if option.Config.EnableIPv4 || option.Config.Tunnel != option.TunnelDisabled || option.Config.EnableWireguard {
 		if GetIPv4() == nil {
 			return fmt.Errorf("external IPv4 node address could not be derived, please configure via --ipv4-node")
 		}