Add support for managing egress gateway policy resources

.cruft.json

@@ -1,13 +1,13 @@
 {
   "template": "https://github.com/projectsyn/commodore-component-template.git",
-  "commit": "d8afca0d957d69b362c2cb45e3f6faa13662dfe2",
+  "commit": "913f9693b1c2be92ecaee469fd0fa1bd608f7aaa",
   "checkout": "main",
   "context": {
     "cookiecutter": {
       "name": "Cilium",
       "slug": "cilium",
       "parameter_key": "cilium",
-      "test_cases": "defaults helm-opensource olm-opensource",
+      "test_cases": "defaults helm-opensource olm-opensource egress-gateway",
       "add_lib": "n",
       "add_pp": "n",
       "add_golden": "y",

.github/workflows/test.yaml

@@ -35,6 +35,7 @@ jobs:
           - defaults
           - helm-opensource
           - olm-opensource
+          - egress-gateway
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}
@@ -52,6 +53,7 @@ jobs:
           - defaults
           - helm-opensource
           - olm-opensource
+          - egress-gateway
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}

Makefile.vars.mk

@@ -57,4 +57,4 @@ KUBENT_IMAGE    ?= ghcr.io/doitintl/kube-no-trouble:latest
 KUBENT_DOCKER   ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE)
 
 instance ?= defaults
-test_instances = tests/defaults.yml tests/helm-opensource.yml tests/olm-opensource.yml
+test_instances = tests/defaults.yml tests/helm-opensource.yml tests/olm-opensource.yml tests/egress-gateway.yml

class/cilium.yml

@@ -24,6 +24,7 @@ parameters:
 
         - input_paths:
             - ${_base_directory}/component/aggregated-clusterroles.jsonnet
+            - ${_base_directory}/component/egress-gateway-policies.jsonnet
           input_type: jsonnet
           output_path: ${_instance}/
 
@@ -47,6 +48,7 @@ parameters:
           output_path: ${_instance}/01_cilium_helmchart
         - input_paths:
             - ${_base_directory}/component/aggregated-clusterroles.jsonnet
+            - ${_base_directory}/component/egress-gateway-policies.jsonnet
           input_type: jsonnet
           output_path: ${_instance}/
         - output_path: ${_instance}/01_cilium_helmchart

class/defaults.yml

@@ -10,6 +10,10 @@ parameters:
     # Enterprise is currently only supported for "helm"
     release: opensource
 
+    =_egressgw_l7proxy:
+      "True": false
+      "False": true
+
     cilium_helm_values:
       cni:
         binPath: /var/lib/cni/bin
@@ -40,6 +44,11 @@ parameters:
         enabled: true
       hostPort:
         enabled: true
+      egressGateway:
+        enabled: ${cilium:egress_gateway:enabled}
+      bpf:
+        masquerade: ${cilium:egress_gateway:enabled}
+      l7Proxy: ${cilium:_egressgw_l7proxy:${cilium:egress_gateway:enabled}}
       prometheus:
         enabled: true
         serviceMonitor:
@@ -57,6 +66,10 @@ parameters:
             cpu: 100m
             memory: 250Mi
 
+    egress_gateway:
+      enabled: false
+      policies: {}
+
     olm:
       source:
         opensource: https://github.com/isovalent/olm-for-cilium/archive/master.tar.gz

component/egress-gateway-policies.jsonnet

@@ -0,0 +1,20 @@
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+
+local inv = kap.inventory();
+local params = inv.parameters.cilium;
+
+local CiliumEgressGatewayPolicy(name) =
+  kube._Object('cilium.io/v2', 'CiliumEgressGatewayPolicy', name);
+
+
+local policies = com.generateResources(
+  params.egress_gateway.policies,
+  CiliumEgressGatewayPolicy
+);
+
+{
+  [if params.egress_gateway.enabled && std.length(params.egress_gateway.policies) > 0 then
+    '20_egress_gateway_policies']: policies,
+}

docs/modules/ROOT/pages/references/parameters.adoc

@@ -165,6 +165,97 @@ default:: https://github.com/projectsyn/component-cilium/blob/master/class/defau
 The configuration values of the underlying Cilium helm chart.
 See https://docs.cilium.io/en/{helm-minor-version}/helm-reference/[Reference].
 
+== `egress_gateway`
+
+This section allows users to configure the [Cilium EgressGatewayPolicy] feature.
+
+=== `egress_gateway.enabled`
+
+[horizontal]
+type:: boolean
+default:: `false`
+
+This parameter allows users to set all the configurations necessary to enable the egress gateway policy feature through a single parameter.
+The parameter sets the following Helm values:
+
+[source,yaml]
+----
+egressGateway:
+  enabled: true
+bpf:
+  masquerade: true
+l7Proxy: false
+----
+
+Notably, the L7 proxy feature is disabled by default when egress gateway policies are enabled.
+This is recommended by the Cilium documentation, see also https://docs.cilium.io/en/v1.13/network/egress-gateway/#incompatibility-with-other-features[the upstream documentation].
+
+=== `egress_gateway.policies`
+
+[horizontal]
+type:: object
+default:: `{}`
+
+This parameter allows users to deploy `CiliumEgressGatewayPolicy` resources.
+Each key-value pair in the parameter is converted to a `CiliumEgressGatewayPolicy` resource.
+Entries can be removed by setting the value to `null`.
+
+==== Example
+
+
+[source,yaml]
+----
+egress_gateway:
+  policies:
+    all-example:
+      metadata:
+        annotations:
+          syn.tools/description: |
+            Route all egress traffic from example-namespace through
+            203.0.113.100.
+      spec:
+        destinationCIDRs:
+          - 0.0.0.0/0
+        egressGroups:
+          - nodeSelector:
+              matchLabels:
+                node-role.kubernetes.io/infra: ""
+            egressIP: 203.0.113.100
+        selectors:
+          - podSelector:
+              matchLabels:
+                io.kubernetes.pod.namespace: example-namespace
+    removed: null
+----
+
+The component configuration shown above is rendered as follows by the component:
+
+[source,yaml]
+----
+apiVersion: cilium.io/v2
+kind: CiliumEgressGatewayPolicy
+metadata:
+  annotations:
+    syn.tools/description: |
+      Route all egress traffic from example-namespace through
+      203.0.113.100.
+  labels:
+    name: all-example-namespace
+  name: all-example-namespace
+spec:
+  destinationCIDRs:
+    - 0.0.0.0/0
+  egressGroups:
+    - egressIP: 203.0.113.100
+      nodeSelector:
+        matchLabels:
+          node-role.kubernetes.io/infra: ''
+  selectors:
+    - podSelector:
+        matchLabels:
+          io.kubernetes.pod.namespace: example-namespace
+----
+
 == `helm_values`
 
 [horizontal]

tests/egress-gateway.yml

@@ -0,0 +1,21 @@
+# Overwrite parameters here
+
+parameters:
+  cilium:
+    egress_gateway:
+      enabled: true
+      policies:
+        all-example-namespace:
+          spec:
+            destinationCIDRs:
+              - 0.0.0.0/0
+            egressGroups:
+              - nodeSelector:
+                  matchLabels:
+                    node-role.kubernetes.io/infra: ""
+                egressIP: 203.0.113.100
+            selectors:
+              - podSelector:
+                  matchLabels:
+                    io.kubernetes.pod.namespace: example-namespace
+        removed: null

tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml

@@ -25,6 +25,7 @@ data:
   enable-auto-protect-node-port-range: 'true'
   enable-bgp-control-plane: 'false'
   enable-bpf-clock-probe: 'true'
+  enable-bpf-masquerade: 'false'
   enable-endpoint-health-checking: 'true'
   enable-endpoint-routes: 'true'
   enable-external-ips: 'true'

tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/00_cilium_namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations: {}
+  labels:
+    name: cilium
+  name: cilium

tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml

@@ -0,0 +1,100 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium
+rules:
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - networkpolicies
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - namespaces
+      - services
+      - pods
+      - endpoints
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - list
+      - watch
+      - get
+  - apiGroups:
+      - cilium.io
+    resources:
+      - ciliumloadbalancerippools
+      - ciliumbgppeeringpolicies
+      - ciliumclusterwideenvoyconfigs
+      - ciliumclusterwidenetworkpolicies
+      - ciliumegressgatewaypolicies
+      - ciliumendpoints
+      - ciliumendpointslices
+      - ciliumenvoyconfigs
+      - ciliumidentities
+      - ciliumlocalredirectpolicies
+      - ciliumnetworkpolicies
+      - ciliumnodes
+      - ciliumnodeconfigs
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - cilium.io
+    resources:
+      - ciliumidentities
+      - ciliumendpoints
+      - ciliumnodes
+    verbs:
+      - create
+  - apiGroups:
+      - cilium.io
+    resources:
+      - ciliumidentities
+    verbs:
+      - update
+  - apiGroups:
+      - cilium.io
+    resources:
+      - ciliumendpoints
+    verbs:
+      - delete
+      - get
+  - apiGroups:
+      - cilium.io
+    resources:
+      - ciliumnodes
+      - ciliumnodes/status
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - cilium.io
+    resources:
+      - ciliumnetworkpolicies/status
+      - ciliumclusterwidenetworkpolicies/status
+      - ciliumendpoints/status
+      - ciliumendpoints
+    verbs:
+      - patch

tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cilium
+subjects:
+  - kind: ServiceAccount
+    name: cilium
+    namespace: cilium