From 019251b763505f128d42e081e1da5fa70870c3f1 Mon Sep 17 00:00:00 2001
From: Serge Logvinov
Date: Mon, 31 Jan 2022 22:56:48 +0200
Subject: [PATCH] Fix: cIlium node-to-node encryption

---
 scaleway/deployments/cilium.yaml | 1 +
 scaleway/deployments/cilium_result.yaml | 2 +-
 scaleway/network-secgroup.tf | 24 ++++++++++++++++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/scaleway/deployments/cilium.yaml b/scaleway/deployments/cilium.yaml
index d2d6683..1372ac1 100644
--- a/scaleway/deployments/cilium.yaml
+++ b/scaleway/deployments/cilium.yaml
@@ -23,6 +23,7 @@ tunnel: "vxlan"
 autoDirectNodeRoutes: false
 devices: [eth0,eth1]
+l7Proxy: false
 encryption:
 enabled: true
 type: wireguard
diff --git a/scaleway/deployments/cilium_result.yaml b/scaleway/deployments/cilium_result.yaml
index c69bc60..64bcf1a 100644
--- a/scaleway/deployments/cilium_result.yaml
+++ b/scaleway/deployments/cilium_result.yaml
@@ -127,7 +127,7 @@ data:
 # - geneve
 tunnel: vxlan
 # Enables L7 proxy for L7 policy enforcement and visibility
- enable-l7-proxy: "true"
+ enable-l7-proxy: "false"
 enable-ipv4-masquerade: "true"
 enable-ipv6-masquerade: "true"
diff --git a/scaleway/network-secgroup.tf b/scaleway/network-secgroup.tf
index da97921..b05cf2f 100644
--- a/scaleway/network-secgroup.tf
+++ b/scaleway/network-secgroup.tf
@@ -25,6 +25,12 @@ resource "scaleway_instance_security_group" "controlplane" {
 }
 }
+ inbound_rule {
 action = "accept"
 protocol = "TCP"
 port = 4240
 ip_range = "::/0"
+ }
 inbound_rule {
 action = "accept"
 protocol = "ANY"
@@ -43,6 +49,12 @@ resource "scaleway_instance_security_group" "controlplane" {
 port = 51820
 ip_range = "::/0"
 }
+
+ inbound_rule {
 action = "accept"
 protocol = "ICMP"
 ip_range = "::/0"
+ }
 }
 resource "scaleway_instance_security_group" "web" {
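Review bot: `l7Proxy: false` in the cilium.yaml hunk switches off L7 policy enforcement for the whole cluster with no explanation, and the commit message only says "fix node-to-node encryption"; presumably the Cilium version in use could not combine WireGuard encryption with the Envoy L7 proxy, but the consequence is that any CiliumNetworkPolicy carrying HTTP/Kafka rules — and, depending on the version, DNS-based `toFQDNs` rules that go through the DNS proxy — is no longer enforced or visible. Please confirm that no policy in this cluster relies on L7 rules before merging, and record the trade-off next to the flag, e.g. `# WireGuard encryption and the L7 proxy cannot be combined in this Cilium version: L7 policy rules are NOT enforced while this is false`. The cilium_result.yaml hunk mirrors this as `enable-l7-proxy: "false"` and inherits the same caveat.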
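Review bot: The new TCP 4240 rule in the controlplane group accepts from `::/0`, i.e. every IPv6 address on the internet, although 4240 is presumably the cilium-health endpoint that only the cluster's other nodes need to reach, and the health HTTP endpoint answers anyone who can connect; the new ICMP rule, likely there because cilium-health also probes peers with ICMP echo, is equally wide. Both should be limited to the node network's prefix, e.g. `ip_range = var.node_ipv6_cidr` (or whatever variable holds it) instead of `"::/0"`, and each rule deserves a one-line comment such as `# cilium-health: node-to-node health checks (TCP 4240 + ICMP echo)`. The existing 51820 WireGuard rule visible as context in the second hunk has the same `::/0` exposure and is worth tightening in the same pass. Note also that `::/0` is IPv6-only, so if the nodes also reach each other over IPv4 these checks will still fail on that path. The controlplane resource starts before the first hunk and its remaining rules lie outside both.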
@@ -60,6 +72,12 @@ resource "scaleway_instance_security_group" "web" {
 }
 }
+ inbound_rule {
 action = "accept"
 protocol = "TCP"
 port = 4240
 ip_range = "::/0"
+ }
 inbound_rule {
 action = "accept"
 protocol = "ANY"
@@ -78,6 +96,12 @@ resource "scaleway_instance_security_group" "web" {
 port = 51820
 ip_range = "::/0"
 }
+
+ inbound_rule {
 action = "accept"
 protocol = "ICMP"
 ip_range = "::/0"
+ }
 }
 resource "scaleway_instance_security_group" "worker" {
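Review bot: The same two six-line rules are now pasted verbatim into the `web` group as into `controlplane` (and the trailing `resource "worker"` line suggests a third copy), so the node-to-node rule set will drift the next time a port is added or an `ip_range` is tightened. A `locals` list of the Cilium node-to-node rules rendered through a `dynamic "inbound_rule"` block in each group keeps the three groups in sync and gives one place to document why 4240 and ICMP are open. Both new rules here also accept from `::/0`; the list is the natural place to replace that with the node network's prefix once it is known. The `web` resource starts before the first hunk, so its other rules are not visible here.

```hcl
locals {
  # Cilium node-to-node traffic every node security group must accept.
  # One list, consumed by each group, so the rules cannot drift apart.
  # TODO(review): narrow ip_range to the node network prefix instead of ::/0.
  cilium_node_rules = [
    { protocol = "TCP",  port = 4240, ip_range = "::/0" }, # cilium-health endpoint
    { protocol = "ICMP", port = null, ip_range = "::/0" }, # cilium-health ICMP probes
  ]
}

resource "scaleway_instance_security_group" "web" {
  # … unchanged: existing rules (ANY, 51820/WireGuard, …) …
  dynamic "inbound_rule" {
    for_each = local.cilium_node_rules
    content {
      action   = "accept"
      protocol = inbound_rule.value.protocol
      port     = inbound_rule.value.port
      ip_range = inbound_rule.value.ip_range
    }
  }
```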