Partial Cilium 1.16+ Support & Add vars for configuring cilium IP load balancer pools and bgp v1 & v2 apis (#11620)

* Add vars for configuring cilium IP load balancer pools and bgp peer policies * Cilium 1.16+ Support - Add vars for configuring cilium bgpv2 api & handle cilium_kube_proxy_replacement unsupported values
2026-03-06 18:17:47 +03:00 · 2024-11-19 02:48:53 +00:00
parent e330ffa4ad
commit b8541962f3
16 changed files with 550 additions and 5 deletions
--- a/roles/network_plugin/cilium/templates/cilium-operator/cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-operator/cr.yml.j2
@@ -102,6 +102,11 @@ rules:
  - ciliumbgppeerconfigs
  - ciliumbgpadvertisements
  - ciliumbgpnodeconfigs
+{% endif %}
+{% if cilium_version | regex_replace('v') is version('1.16', '>=') %}
+  - ciliumbgpclusterconfigs
+  - ciliumbgpclusterconfigs/status
+  - ciliumbgpnodeconfigoverrides
 {% endif %}
  verbs:
  - '*'
--- a/roles/network_plugin/cilium/templates/cilium-operator/deploy.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-operator/deploy.yml.j2
@@ -84,7 +84,7 @@ spec:
                  name: cilium-aws
                  key: AWS_DEFAULT_REGION
                  optional: true
-{% if cilium_kube_proxy_replacement == 'strict' %}
+{% if (cilium_kube_proxy_replacement == 'strict') or (cilium_kube_proxy_replacement | bool) or (cilium_kube_proxy_replacement | string | lower == 'true') %}
            - name: KUBERNETES_SERVICE_HOST
              value: "{{ kube_apiserver_global_endpoint | urlsplit('hostname') }}"
            - name: KUBERNETES_SERVICE_PORT
--- a/roles/network_plugin/cilium/templates/cilium/cilium-bgp-advertisement.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/cilium-bgp-advertisement.yml.j2
@@ -0,0 +1,12 @@
+{% for cilium_bgp_advertisement in cilium_bgp_advertisements %}
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumBGPAdvertisement
+metadata:
+  name: "{{ cilium_bgp_advertisement.name }}"
+{% if cilium_bgp_advertisement.labels %}
+  labels: {{ cilium_bgp_advertisement.labels | to_yaml }}
+{% endif %}
+spec:
+  {{ cilium_bgp_advertisement.spec | to_yaml | indent(4) }}
+{% endfor %}
--- a/roles/network_plugin/cilium/templates/cilium/cilium-bgp-cluster-config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/cilium-bgp-cluster-config.yml.j2
@@ -0,0 +1,9 @@
+{% for cilium_bgp_cluster_config in cilium_bgp_cluster_configs %}
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumBGPClusterConfig
+metadata:
+  name: "{{ cilium_bgp_cluster_config.name }}"
+spec:
+  {{ cilium_bgp_cluster_config.spec | to_yaml | indent(2) }}
+{% endfor %}
--- a/roles/network_plugin/cilium/templates/cilium/cilium-bgp-node-config-override.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/cilium-bgp-node-config-override.yml.j2
@@ -0,0 +1,9 @@
+{% for cilium_bgp_node_config_override in cilium_bgp_node_config_overrides %}
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumBGPNodeConfigOverride
+metadata:
+  name: "{{ cilium_bgp_node_config_override.name }}"
+spec:
+  {{ cilium_bgp_node_config_override.spec | to_yaml | indent(2) }}
+{% endfor %}
--- a/roles/network_plugin/cilium/templates/cilium/cilium-bgp-peer-config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/cilium-bgp-peer-config.yml.j2
@@ -0,0 +1,9 @@
+{% for cilium_bgp_peer_config in cilium_bgp_peer_configs %}
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumBGPPeerConfig
+metadata:
+  name: "{{ cilium_bgp_peer_config.name }}"
+spec:
+  {{ cilium_bgp_peer_config.spec | to_yaml | indent(2) }}
+{% endfor %}
--- a/roles/network_plugin/cilium/templates/cilium/cilium-bgp-peering-policy.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/cilium-bgp-peering-policy.yml.j2
@@ -0,0 +1,9 @@
+{% for cilium_bgp_peering_policy in cilium_bgp_peering_policies %}
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumBGPPeeringPolicy
+metadata:
+  name: "{{ cilium_bgp_peering_policy.name }}"
+spec:
+  {{ cilium_bgp_peering_policy.spec | to_yaml | indent(2) }}
+{% endfor %}
--- a/roles/network_plugin/cilium/templates/cilium/cilium-loadbalancer-ip-pool.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/cilium-loadbalancer-ip-pool.yml.j2
@@ -0,0 +1,12 @@
+{% for cilium_loadbalancer_ip_pool in cilium_loadbalancer_ip_pools %}
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: "{{ cilium_loadbalancer_ip_pool.name }}"
+spec:
+  blocks:
+{% for cblock in cilium_loadbalancer_ip_pool.cidrs %}
+  - cidr: "{{ cblock }}"
+{% endfor %}
+{% endfor %}
--- a/roles/network_plugin/cilium/templates/cilium/config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/config.yml.j2
@@ -167,7 +167,14 @@ data:
  wait-bpf-mount: "false"
 {% endif %}

+# `kube-proxy-replacement=partial|strict|disabled` is deprecated since january 2024 and unsupported in 1.16.
+# Replaced by `kube-proxy-replacement=true|false`
+# https://github.com/cilium/cilium/pull/31286
+{% if cilium_version | regex_replace('v') is version('1.16', '<') %}
  kube-proxy-replacement: "{{ cilium_kube_proxy_replacement }}"
+{% else %}
+  kube-proxy-replacement: "{% if (cilium_kube_proxy_replacement == 'strict') or (cilium_kube_proxy_replacement | bool) or (cilium_kube_proxy_replacement | string | lower == 'true') %}true{% else %}false{% endif %}"
+{% endif %}

 # `native-routing-cidr` is deprecated in 1.10, removed in 1.12.
 # Replaced by `ipv4-native-routing-cidr`
@@ -267,6 +274,8 @@ data:

  enable-bpf-clock-probe: "{{ cilium_enable_bpf_clock_probe }}"

+  enable-bgp-control-plane: "{{ cilium_enable_bgp_control_plane }}"
+
  disable-cnp-status-updates: "{{ cilium_disable_cnp_status_updates }}"
 {% if cilium_ip_masq_agent_enable %}
 ---
--- a/roles/network_plugin/cilium/templates/cilium/cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/cr.yml.j2
@@ -124,6 +124,9 @@ rules:
  - ciliumbgpnodeconfigs/status
  - ciliumbgpadvertisements
  - ciliumbgppeerconfigs
+{% endif %}
+{% if cilium_version | regex_replace('v') is version('1.16', '>=') %}
+  - ciliumbgpclusterconfigs
 {% endif %}
  verbs:
  - '*'
@@ -145,6 +148,7 @@ rules:
  - ciliumcidrgroups
  - ciliuml2announcementpolicies
  - ciliumpodippools
+  - ciliumloadbalancerippools
  - ciliuml2announcementpolicies/status
  verbs:
  - list
--- a/roles/network_plugin/cilium/templates/cilium/ds.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/ds.yml.j2
@@ -96,7 +96,7 @@ spec:
              fieldPath: metadata.namespace
        - name: CILIUM_CLUSTERMESH_CONFIG
          value: /var/lib/cilium/clustermesh/
-{% if cilium_kube_proxy_replacement == 'strict' %}
+{% if (cilium_kube_proxy_replacement == 'strict') or (cilium_kube_proxy_replacement | bool) or (cilium_kube_proxy_replacement | string | lower == 'true') %}
        - name: KUBERNETES_SERVICE_HOST
          value: "{{ kube_apiserver_global_endpoint | urlsplit('hostname') }}"
        - name: KUBERNETES_SERVICE_PORT
@@ -285,7 +285,7 @@ spec:
              name: cilium-config
              optional: true
 {% endif %}
-{% if cilium_kube_proxy_replacement == 'strict' %}
+{% if (cilium_kube_proxy_replacement == 'strict') or (cilium_kube_proxy_replacement | bool) or (cilium_kube_proxy_replacement | string | lower == 'true') %}
        - name: KUBERNETES_SERVICE_HOST
          value: "{{ kube_apiserver_global_endpoint | urlsplit('hostname') }}"
        - name: KUBERNETES_SERVICE_PORT