Add possibility to configure native-routing-cidr in helm chart

install/kubernetes/cilium/charts/config/templates/configmap.yaml

@@ -295,6 +295,9 @@ data:
   enable-xt-socket-fallback: {{ .Values.global.enableXTSocketFallback | quote }}
   install-iptables-rules: {{ .Values.global.installIptablesRules | quote }}
   auto-direct-node-routes: {{ .Values.global.autoDirectNodeRoutes | quote }}
+{{- if .Values.global.nativeRoutingCIDR }}
+  native-routing-cidr: {{ .Values.global.nativeRoutingCIDR }}
+{{- end }}
 
 {{- if .Values.global.kubeProxyReplacement }}
   kube-proxy-replacement:  {{ .Values.global.kubeProxyReplacement | quote }}

install/kubernetes/cilium/values.yaml

@@ -127,6 +127,10 @@ global:
   # nodes if worker nodes share a common L2 network segment.
   autoDirectNodeRoutes: false
 
+  # nativeRoutingCIDR allows to explicitly specify the CIDR for native routing. This
+  # value corresponds to the configured cluster-cidr.
+  nativeRoutingCIDR: ""
+
   # endpointRoutes enables use of per endpoint routes instead of routing vis
   # the cilium_host interface
   endpointRoutes:

pkg/option/config.go

@@ -2169,6 +2169,10 @@ func (c *DaemonConfig) Validate() error {
 		return err
 	}
 
+	if err := c.checkIPv4NativeRoutingCIDR(); err != nil {
+		return nil
+	}
+
 	// Validate that the KVStore Lease TTL value lies between a particular range.
 	if c.KVstoreLeaseTTL > defaults.KVstoreLeaseMaxTTL || c.KVstoreLeaseTTL < defaults.LockLeaseTTL {
 		return fmt.Errorf("KVstoreLeaseTTL does not lie in required range(%ds, %ds)",
@@ -2758,6 +2762,15 @@ func (c *DaemonConfig) checkMapSizeLimits() error {
 	return nil
 }
 
+func (c *DaemonConfig) checkIPv4NativeRoutingCIDR() error {
+	if c.IPv4NativeRoutingCIDR() == nil && c.Masquerade && c.Tunnel == TunnelDisabled && c.IPAMMode() != IPAMENI {
+		return fmt.Errorf("native routing cidr must be configured with option --%s in combination with --%s --%s=%s --%s=%s",
+			IPv4NativeRoutingCIDR, Masquerade, TunnelName, c.Tunnel, IPAM, c.IPAMMode())
+	}
+
+	return nil
+}
+
 func (c *DaemonConfig) calculateBPFMapSizes() error {
 	// BPF map size options
 	// Any map size explicitly set via option will override the dynamic

pkg/option/config_test.go

@@ -25,6 +25,7 @@ import (
 	"reflect"
 	"testing"
 
+	"github.com/cilium/cilium/pkg/cidr"
 	"github.com/cilium/cilium/pkg/defaults"
 	"github.com/google/go-cmp/cmp"
 	flag "github.com/spf13/pflag"
@@ -467,6 +468,70 @@ func TestCheckMapSizeLimits(t *testing.T) {
 	}
 }
 
+func TestCheckIPv4NativeRoutingCIDR(t *testing.T) {
+	tests := []struct {
+		name    string
+		d       *DaemonConfig
+		wantErr bool
+	}{
+		{
+			name: "with native routing cidr",
+			d: &DaemonConfig{
+				Masquerade:            true,
+				Tunnel:                TunnelDisabled,
+				IPAM:                  IPAMAzure,
+				ipv4NativeRoutingCIDR: cidr.MustParseCIDR("10.127.64.0/18"),
+			},
+			wantErr: false,
+		},
+		{
+			name: "without native routing cidr and no masquerade",
+			d: &DaemonConfig{
+				Masquerade: false,
+				Tunnel:     TunnelDisabled,
+				IPAM:       IPAMAzure,
+			},
+			wantErr: false,
+		},
+		{
+			name: "without native routing cidr and tunnel enabled",
+			d: &DaemonConfig{
+				Masquerade: true,
+				Tunnel:     TunnelVXLAN,
+				IPAM:       IPAMAzure,
+			},
+			wantErr: false,
+		},
+		{
+			name: "without native routing cidr and tunnel enabled",
+			d: &DaemonConfig{
+				Masquerade: true,
+				Tunnel:     TunnelDisabled,
+				IPAM:       IPAMENI,
+			},
+			wantErr: false,
+		},
+		{
+			name: "without native routing cidr and with masquerade and tunnel disabled and ipam not eni",
+			d: &DaemonConfig{
+				Masquerade: true,
+				Tunnel:     TunnelDisabled,
+				IPAM:       IPAMAzure,
+			},
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.d.checkIPv4NativeRoutingCIDR()
+			if tt.wantErr && err == nil {
+				t.Error("expected error, but got nil")
+			}
+		})
+	}
+}
+
 func Test_populateNodePortRange(t *testing.T) {
 	type want struct {
 		wantMin int