Fix: cIlium node-to-node encryption

2025-10-29 17:42:47 +00:00 · 2022-01-31 22:56:48 +02:00
parent 7da6cafbe9
commit 019251b763
3 changed files with 26 additions and 1 deletions
--- a/scaleway/deployments/cilium.yaml
+++ b/scaleway/deployments/cilium.yaml
@@ -23,6 +23,7 @@ tunnel: "vxlan"
 autoDirectNodeRoutes: false
 devices: [eth0,eth1]

+l7Proxy: false
 encryption:
  enabled: true
  type: wireguard
--- a/scaleway/deployments/cilium_result.yaml
+++ b/scaleway/deployments/cilium_result.yaml
@@ -127,7 +127,7 @@ data:
  #   - geneve
  tunnel: vxlan
  # Enables L7 proxy for L7 policy enforcement and visibility
-  enable-l7-proxy: "true"
+  enable-l7-proxy: "false"

  enable-ipv4-masquerade: "true"
  enable-ipv6-masquerade: "true"
--- a/scaleway/network-secgroup.tf
+++ b/scaleway/network-secgroup.tf
@@ -25,6 +25,12 @@ resource "scaleway_instance_security_group" "controlplane" {
    }
  }

+  inbound_rule {
+    action   = "accept"
+    protocol = "TCP"
+    port     = 4240
+    ip_range = "::/0"
+  }
  inbound_rule {
    action   = "accept"
    protocol = "ANY"
@@ -43,6 +49,12 @@ resource "scaleway_instance_security_group" "controlplane" {
    port     = 51820
    ip_range = "::/0"
  }
+
+  inbound_rule {
+    action   = "accept"
+    protocol = "ICMP"
+    ip_range = "::/0"
+  }
 }

 resource "scaleway_instance_security_group" "web" {
@@ -60,6 +72,12 @@ resource "scaleway_instance_security_group" "web" {
    }
  }

+  inbound_rule {
+    action   = "accept"
+    protocol = "TCP"
+    port     = 4240
+    ip_range = "::/0"
+  }
  inbound_rule {
    action   = "accept"
    protocol = "ANY"
@@ -78,6 +96,12 @@ resource "scaleway_instance_security_group" "web" {
    port     = 51820
    ip_range = "::/0"
  }
+
+  inbound_rule {
+    action   = "accept"
+    protocol = "ICMP"
+    ip_range = "::/0"
+  }
 }

 resource "scaleway_instance_security_group" "worker" {