Support cilium ip-masq-agent configuration (#8893)

* fix deploy Cilium with eBPF-based Masquerading failed

Signed-off-by: mahjonp <junpeng.man@gmail.com>

* forget to add the enable-ip-masq-agent flag

Signed-off-by: mahjonp <junpeng.man@gmail.com>

roles/network_plugin/cilium/templates/cilium/config.yml.j2

@@ -206,6 +206,9 @@ data:
 {% endif %}
 {% endif %}
 
+  # IP Masquerade Agent
+  enable-ip-masq-agent: "{{ cilium_ip_masq_agent_enable }}"
+
 {% for key, value in cilium_config_extra_vars.items() %}
   {{ key }}: "{{ value }}"
 {% endfor %}
@@ -228,3 +231,20 @@ data:
 {% if cilium_version | regex_replace('v') is version('1.9', '>=') %}
   ipam: "{{ cilium_ipam_mode }}"
 {% endif %}
+
+{% if cilium_ip_masq_agent_enable %}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ip-masq-agent
+  namespace: kube-system
+data:
+  config: |
+    nonMasqueradeCIDRs:
+{% for cidr in cilium_non_masquerade_cidrs %}
+      - {{ cidr }}
+{% endfor %}
+    masqLinkLocal: {{ cilium_masq_link_local|bool }}
+    resyncInterval: "{{ cilium_ip_masq_resync_interval }}"
+{% endif %}

roles/network_plugin/cilium/templates/cilium/ds.yml.j2

@@ -186,6 +186,11 @@ spec:
         - mountPath: /tmp/cilium/config-map
           name: cilium-config-path
           readOnly: true
+{% if not cilium_ip_masq_agent_enable %}
+        - name: ip-masq-agent
+          mountPath: /etc/config
+          readOnly: true
+{% endif %}
           # Needed to be able to load kernel modules
         - mountPath: /lib/modules
           name: lib-modules
@@ -365,6 +370,14 @@ spec:
       - configMap:
           name: cilium-config
         name: cilium-config-path
+{% if not cilium_ip_masq_agent_enable %}
+      - configMap:
+          name: ip-masq-agent
+          items:
+          - key: config
+            path: ip-masq-agent
+        name: ip-masq-agent
+{% endif %}
 {% if cilium_encryption_enabled and cilium_encryption_type == "ipsec" %}
       - name: cilium-ipsec-secrets
         secret: