helm: Add ipMasqAgent option

The BPF ip-masq-agent can be enabled with global.ipMasqAgent.enabled. When enabled, the ip-masq-agent configmap (created by a user) is mounted into /etc/config/ip-masq-agent of the cilium-agent pod. Signed-off-by: Martynas Pumputis <m@lambda.lt>
cilium · Apr 29, 2020 · 8290499 · 8290499
1 parent 79609b2
commit 8290499
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 0 deletions.
diff --git a/install/kubernetes/cilium/charts/agent/templates/daemonset.yaml b/install/kubernetes/cilium/charts/agent/templates/daemonset.yaml
@@ -193,6 +193,11 @@ spec:
         - mountPath: /tmp/cilium/config-map
           name: cilium-config-path
           readOnly: true
+{{- if and .Values.global.ipMasqAgent .Values.global.ipMasqAgent.enabled }}
+        - mountPath: /etc/config
+          name: ip-masq-agent
+          readOnly: true
+{{- end }}
 {{- if .Values.global.cni.configMap }}
         - mountPath: {{ .Values.global.cni.confFileMountPath }}
           name: cni-configuration
@@ -384,6 +389,15 @@ spec:
       - configMap:
           name: cilium-config
         name: cilium-config-path
+{{- if and .Values.global.ipMasqAgent .Values.global.ipMasqAgent.enabled }}
+      - configMap:
+          name: ip-masq-agent
+          optional: true
+          items:
+          - key: config
+            path: ip-masq-agent
+        name: ip-masq-agent
+{{- end }}
 {{- if .Values.global.encryption.enabled }}
       - name: cilium-ipsec-secrets
         secret:

diff --git a/install/kubernetes/cilium/charts/config/templates/configmap.yaml b/install/kubernetes/cilium/charts/config/templates/configmap.yaml
@@ -284,6 +284,10 @@ data:
 {{- if .Values.global.egressMasqueradeInterfaces }}
   egress-masquerade-interfaces: {{ .Values.global.egressMasqueradeInterfaces }}
 {{- end }}
+{{- if and .Values.global.ipMasqAgent .Values.global.ipMasqAgent.enabled }}
+  enable-ip-masq-agent: "true"
+  ip-masq-agent-sync-period: {{ .Values.global.ipMasqAgent.syncPeriod | quote }}
+{{- end }}
 
 {{- if .Values.global.encryption.enabled }}
   enable-ipsec: {{ .Values.global.encryption.enabled | quote }}

diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
@@ -126,6 +126,11 @@ global:
   # bpfMasquerade enables masquerading with BPF instead of iptables
   bpfMasquerade: false
 
+  # ipMasqAgent enables and controls BPF ip-masq-agent
+  ipMasqAgent:
+    enabled: false
+    syncPeriod: 60s
+
   # autoDirectNodeRoutes enables installation of PodCIDR routes between worker
   # nodes if worker nodes share a common L2 network segment.
   autoDirectNodeRoutes: false