From a9c658466fe2436ae56c5c2a1fda0affe18fab44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20J=C3=B6rg?=
Date: Tue, 17 Mar 2026 10:56:43 +0100
Subject: [PATCH] feat(cilium): Enable clustermesh
---
 values/cilium/env-ekman.yaml.gotmpl | 9 ++++++---
 values/cilium/env-oceanbox.yaml.gotmpl | 3 +++
 values/cilium/env.yaml.gotmpl | 4 ++++
 values/cilium/values/cilium.yaml.gotmpl | 13 +++++++++++++
 4 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/values/cilium/env-ekman.yaml.gotmpl b/values/cilium/env-ekman.yaml.gotmpl
index 065e3a32..0a515416 100644
--- a/values/cilium/env-ekman.yaml.gotmpl
+++ b/values/cilium/env-ekman.yaml.gotmpl
@@ -1,8 +1,11 @@
 cilium:
 enabled: true
- # WireGuard cannot be used during migration -- Flannel nodes have no WireGuard
- # keys so encrypted traffic is unreadable by them.
- # TODO: re-enable after migration
+ clustermesh:
+ enabled: true
+ clusterId: 2
+ # NodePort until L2LB is available (kubeproxyless)
+ apiserverServiceType: NodePort
+ # TODO: WireGuard blocks all traffic on ekman -- disable until root cause is found.
 encryption:
 enabled: false
 envoy:
diff --git a/values/cilium/env-oceanbox.yaml.gotmpl b/values/cilium/env-oceanbox.yaml.gotmpl
index 676526db..96faaa61 100644
--- a/values/cilium/env-oceanbox.yaml.gotmpl
+++ b/values/cilium/env-oceanbox.yaml.gotmpl
@@ -1,5 +1,8 @@
 cilium:
 enabled: true
+ clustermesh:
+ enabled: true
+ clusterId: 1
 nodePort:
 enabled: true
 l2announcement:
diff --git a/values/cilium/env.yaml.gotmpl b/values/cilium/env.yaml.gotmpl
index 1d2406ba..7b2be3b2 100644
--- a/values/cilium/env.yaml.gotmpl
+++ b/values/cilium/env.yaml.gotmpl
@@ -30,4 +30,8 @@ cilium:
 loadbalancerPool:
 enabled: false
 cidr: []
+ clustermesh:
+ enabled: false
+ clusterId: 0
+ apiserverServiceType: LoadBalancer
 cluster: {{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}
diff --git a/values/cilium/values/cilium.yaml.gotmpl b/values/cilium/values/cilium.yaml.gotmpl
index 0c253248..8a354f60 100644
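Review bot: In values/cilium/env-ekman.yaml.gotmpl the new `clustermesh` block is switched on while `encryption.enabled: false` stays in place just below it, so pod traffic that crosses to the peer cluster is not encrypted at the Cilium layer for as long as the WireGuard TODO remains open. `apiserverServiceType: NodePort` also opens the clustermesh API server port on every ekman node; it is protected by the mesh's mutual TLS, but it is worth limiting at the node firewall to the peer cluster's node addresses. I would record both next to the setting, e.g. `# NOTE: mesh traffic is cleartext while encryption is off; restrict the clustermesh NodePort to peer-cluster node IPs`.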
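Review bot: The shared default `apiserverServiceType: LoadBalancer` in values/cilium/env.yaml.gotmpl is what an environment inherits when it sets only `clustermesh.enabled: true`, which is what env-oceanbox.yaml.gotmpl does in this patch, and how widely that load balancer is reachable depends on the platform and address pool. A comment stating the intended reachability would help, e.g. `# exposes the clustermesh API server outside the cluster; keep it on an internal pool`. Separately, `clusterId: 0` only makes sense while the mesh is off, since Cilium expects a unique non-zero ID per meshed cluster, and nothing visible here rejects `enabled: true` combined with the default ID; a render-time `fail` guard in values/cilium/values/cilium.yaml.gotmpl would catch that. The hunk starts at line 30 of the mapping, so earlier defaults are not visible.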
--- a/values/cilium/values/cilium.yaml.gotmpl
+++ b/values/cilium/values/cilium.yaml.gotmpl
@@ -1,3 +1,16 @@
+cluster:
+ name: {{ .Values.cilium.cluster }}
+ id: {{ .Values.cilium.clustermesh.clusterId }}
+{{- if .Values.cilium.clustermesh.enabled }}
+clustermesh:
+ useAPIServer: true
+ apiserver:
+ service:
+ type: {{ .Values.cilium.clustermesh.apiserverServiceType }}
+ tls:
+ auto:
+ method: helm
+{{- end }}
 authentication:
 mutual:
 spire:
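Review bot: `tls.auto.method: helm` in values/cilium/values/cilium.yaml.gotmpl has Helm generate the clustermesh CA and certificates at template time, so private key material ends up in the rendered manifests and may be regenerated on each render. If the chart is rendered through Argo CD, as the `ARGOCD_ENV_CLUSTER_NAME` lookup in env.yaml.gotmpl suggests, that can mean certificate churn and permanent drift, and each cluster gets its own CA unless a shared one is supplied, which the two meshed clusters need in order to trust each other. Consider `method: cronJob` or `method: certmanager` with a common issuer, or document where the shared CA comes from. The substituted scalars are also unquoted; `name: {{ .Values.cilium.cluster | quote }}` keeps an all-digit or boolean-looking cluster name from being retyped by the YAML parser.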