feat(cilium): Enable clustermesh

values/cilium/env-ekman.yaml.gotmpl

@@ -1,8 +1,11 @@
 cilium:
   enabled: true
-  # WireGuard cannot be used during migration -- Flannel nodes have no WireGuard
-  # keys so encrypted traffic is unreadable by them.
-  # TODO: re-enable after migration
+  clustermesh:
+    enabled: true
+    clusterId: 2
+    # NodePort until L2LB is available (kubeproxyless)
+    apiserverServiceType: NodePort
+  # TODO: WireGuard blocks all traffic on ekman -- disable until root cause is found.
   encryption:
     enabled: false
   envoy:

values/cilium/env-oceanbox.yaml.gotmpl

@@ -1,5 +1,8 @@
 cilium:
   enabled: true
+  clustermesh:
+    enabled: true
+    clusterId: 1
   nodePort:
     enabled: true
   l2announcement:

values/cilium/env.yaml.gotmpl

@@ -30,4 +30,8 @@ cilium:
   loadbalancerPool:
     enabled: false
     cidr: []
+  clustermesh:
+    enabled: false
+    clusterId: 0
+    apiserverServiceType: LoadBalancer
   cluster: {{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}

values/cilium/values/cilium.yaml.gotmpl

@@ -1,3 +1,16 @@
+cluster:
+  name: {{ .Values.cilium.cluster }}
+  id: {{ .Values.cilium.clustermesh.clusterId }}
+{{- if .Values.cilium.clustermesh.enabled }}
+clustermesh:
+  useAPIServer: true
+  apiserver:
+    service:
+      type: {{ .Values.cilium.clustermesh.apiserverServiceType }}
+    tls:
+      auto:
+        method: helm
+{{- end }}
 authentication:
   mutual:
     spire: