docs(cilium): update documentation for unprivileged agent configuration (#12628 )

Check calico version in check mode (#12586 )
Signed-off-by: Ali Afsharzadeh <afsharzadeh8@gmail.com>
2025-12-14 13:54:37 +03:00 · 2025-12-13 19:39:44 -08:00 · 2025-12-10 00:39:29 -08:00 · 2025-12-09 01:19:32 -08:00 · 2025-12-08 04:29:33 -08:00 · 2025-12-07 21:37:27 -08:00
11 changed files with 31 additions and 77 deletions
--- a/.github/workflows/auto-label-os.yml
+++ b/.github/workflows/auto-label-os.yml
@@ -13,10 +13,10 @@ jobs:
      issues: write

    steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8

      - name: Parse issue form
-        uses: stefanbuck/github-issue-parser@2ea9b35a8c584529ed00891a8f7e41dc46d0441e
+        uses: stefanbuck/github-issue-parser@25f1485edffc1fee3ea68eb9f59a72e58720ffc4
        id: issue-parser
        with:
          template-path: .github/ISSUE_TEMPLATE/bug-report.yaml
--- a/.github/workflows/upgrade-patch-versions.yml
+++ b/.github/workflows/upgrade-patch-versions.yml
@@ -11,7 +11,7 @@ jobs:
  update-patch-versions:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        ref: ${{ inputs.branch }}
    - uses: actions/setup-python@v6
@@ -29,7 +29,7 @@ jobs:
          ~/.cache/pre-commit
    - run: pre-commit run --all-files propagate-ansible-variables
      continue-on-error: true
-    - uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412
+    - uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676
      with:
        commit-message: Patch versions updates
        title: Patch versions updates - ${{ inputs.branch }}
--- a/.gitlab-ci/terraform.yml
+++ b/.gitlab-ci/terraform.yml
@@ -116,5 +116,5 @@ tf-elastx_ubuntu20-calico:
    TF_VAR_az_list_node: '["sto1"]'
    TF_VAR_flavor_k8s_master: 3f73fc93-ec61-4808-88df-2580d94c1a9b    # v1-standard-2
    TF_VAR_flavor_k8s_node: 3f73fc93-ec61-4808-88df-2580d94c1a9b      # v1-standard-2
-    TF_VAR_image: ubuntu-20.04-server-latest
+    TF_VAR_image: ubuntu-24.04-server-latest
    TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'
--- a/docs/CNI/cilium.md
+++ b/docs/CNI/cilium.md
@@ -1,5 +1,13 @@
 # Cilium

+## Unprivileged agent configuration
+
+By default, Cilium is installed with `securityContext.privileged: false`. You need to set the `kube_owner` variable to `root` in the inventory:
+
+```yml
+kube_owner: root
+```
+
 ## IP Address Management (IPAM)

 IP Address Management (IPAM) is responsible for the allocation and management of IP addresses used by network endpoints (container and others) managed by Cilium. The default mode is "Cluster Scope".
--- a/docs/ansible/ansible.md
+++ b/docs/ansible/ansible.md
@@ -45,10 +45,7 @@ Kubespray expects users to use one of the following variables sources for settin
 |  - inventory host_vars                 | host specific vars overrides, group_vars is usually more practical           |
 | **extra vars** (always win precedence) | override with ``ansible-playbook -e @foo.yml``                               |

-[!IMPORTANT]
-Extra vars are best used to override kubespray internal variables, for instances, roles/vars/.
-Those vars are usually **not expected** (by Kubespray developers) to be modified by end users, and not part of Kubespray
-interface. Thus they can change, disappear, or break stuff unexpectedly.
+> Extra vars are best used to override kubespray internal variables, for instances, roles/vars/. Those vars are usually **not expected** (by Kubespray developers) to be modified by end users, and not part of Kubespray interface. Thus they can change, disappear, or break stuff unexpectedly.

 ## Ansible tags

--- a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
@@ -22,7 +22,8 @@ local_release_dir: "/tmp/releases"
 # Random shifts for retrying failed ops like pushing/downloading
 retry_stagger: 5

-# This is the user that owns tha cluster installation.
+# This is the user that owns the cluster installation.
+# Note: cilium needs to set kube_owner to root https://kubespray.io/#/docs/CNI/cilium?id=unprivileged-agent-configuration
 kube_owner: kube

 # This is the group that the cert creation scripts chgrp the
--- a/roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml
@@ -11,24 +11,23 @@
  tags:
    - facts

- name: Upload certificates so they are fresh and not expired
-  command: >-
-    {{ bin_dir }}/kubeadm init phase
-    --config {{ kube_config_dir }}/kubeadm-config.yaml
-    upload-certs
-    --upload-certs
-  register: kubeadm_upload_cert
+- name: Obtain kubeadm certificate key for joining control planes nodes
  when:
-    - inventory_hostname == first_kube_control_plane
    - not kube_external_ca_mode
-
- name: Parse certificate key if not set
-  set_fact:
-    kubeadm_certificate_key: "{{ hostvars[first_kube_control_plane]['kubeadm_upload_cert'].stdout_lines[-1] | trim }}"
  run_once: true
-  when:
-    - hostvars[first_kube_control_plane]['kubeadm_upload_cert'] is defined
-    - hostvars[first_kube_control_plane]['kubeadm_upload_cert'] is not skipped
+  block:
+    - name: Upload certificates so they are fresh and not expired
+      command: >-
+        {{ bin_dir }}/kubeadm init phase
+        --config {{ kube_config_dir }}/kubeadm-config.yaml
+        upload-certs
+        --upload-certs
+      register: kubeadm_upload_cert
+      delegate_to: "{{ first_kube_control_plane }}"
+
+    - name: Parse certificate key if not set
+      set_fact:
+        kubeadm_certificate_key: "{{ kubeadm_upload_cert.stdout_lines[-1] | trim }}"

 - name: Wait for k8s apiserver
  wait_for:
--- a/roles/network_plugin/calico/tasks/check.yml
+++ b/roles/network_plugin/calico/tasks/check.yml
@@ -61,6 +61,7 @@
        executable: /bin/bash
      register: calico_version_on_server
      changed_when: false
+      check_mode: false

    - name: Assert that current calico version is enough for upgrade
      assert:
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -1,8 +1,6 @@
 ---
 cilium_min_version_required: "1.15"

-# remove migrate after 2.29 released
-cilium_remove_old_resources: false
 # Log-level
 cilium_debug: false

--- a/roles/network_plugin/cilium/tasks/main.yml
+++ b/roles/network_plugin/cilium/tasks/main.yml
@@ -5,10 +5,5 @@
 - name: Cilium install
  include_tasks: install.yml

-# Remove after 2.29 released
- name: Cilium remove old resources
-  when: cilium_remove_old_resources
-  include_tasks: remove_old_resources.yml
-
 - name: Cilium apply
  include_tasks: apply.yml
--- a/roles/network_plugin/cilium/tasks/remove_old_resources.yml
+++ b/roles/network_plugin/cilium/tasks/remove_old_resources.yml
@@ -1,45 +0,0 @@
---
-# Remove after 2.29 released
- name: Cilium | Delete Old Resource
-  command: |
-    {{ kubectl }} delete {{ item.kind | lower }} {{ item.name }} \
-    {{ '-n kube-system' if item.kind not in ['ClusterRole', 'ClusterRoleBinding'] else '' }} \
-  loop:
-    - { kind: ServiceAccount, name: cilium }
-    - { kind: ServiceAccount, name: cilium-operator }
-    - { kind: ServiceAccount, name: hubble-generate-certs }
-    - { kind: ServiceAccount, name: hubble-relay }
-    - { kind: ServiceAccount, name: hubble-ui }
-    - { kind: Service, name: hubble-metrics }
-    - { kind: Service, name: hubble-relay-metrics }
-    - { kind: Service, name: hubble-relay }
-    - { kind: Service, name: hubble-ui }
-    - { kind: Service, name: hubble-peer }
-    - { kind: Deployment, name: cilium-operator }
-    - { kind: Deployment, name: hubble-relay }
-    - { kind: Deployment, name: hubble-ui }
-    - { kind: DaemonSet, name: cilium }
-    - { kind: CronJob, name: hubble-generate-certs }
-    - { kind: Job, name: hubble-generate-certs }
-    - { kind: ConfigMap, name: cilium-config }
-    - { kind: ConfigMap, name: ip-masq-agent }
-    - { kind: ConfigMap, name: hubble-relay-config }
-    - { kind: ConfigMap, name: hubble-ui-nginx }
-    - { kind: ClusterRole, name: cilium }
-    - { kind: ClusterRole, name: cilium-operator }
-    - { kind: ClusterRole, name: hubble-generate-certs }
-    - { kind: ClusterRole, name: hubble-relay }
-    - { kind: ClusterRole, name: hubble-ui }
-    - { kind: ClusterRoleBinding, name: cilium }
-    - { kind: ClusterRoleBinding, name: cilium-operator }
-    - { kind: ClusterRoleBinding, name: hubble-generate-certs }
-    - { kind: ClusterRoleBinding, name: hubble-relay }
-    - { kind: ClusterRoleBinding, name: hubble-ui }
-    - { kind: Secret, name: hubble-ca-secret }
-    - { kind: Secret, name: hubble-relay-client-certs }
-    - { kind: Secret, name: hubble-server-certs }
-  register: patch_result
-  when: inventory_hostname == groups['kube_control_plane'][0]
-  failed_when:
-    - patch_result.rc != 0
-    - "'not found' not in patch_result.stderr"
Author	SHA1	Message	Date
r3m8	d80318301d	docs(cilium): update documentation for unprivileged agent configuration (#12628 )	2025-12-13 19:39:44 -08:00
Ali Afsharzadeh	31cce09fbc	Check calico version in check mode (#12586 ) Signed-off-by: Ali Afsharzadeh <afsharzadeh8@gmail.com>	2025-12-10 00:39:29 -08:00
Max Gautier	9a90c9d6c8	Upgrade elastx ubuntu version (#12776 ) This could fix the glibc version error we're currently having in CI.	2025-12-09 01:19:32 -08:00
dependabot[bot]	b9e1e8577f	build(deps): bump peter-evans/create-pull-request from 7.0.9 to 7.0.11 (#12774 ) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 7.0.9 to 7.0.11. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](`84ae59a2cd...22a9089034`) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-version: 7.0.11 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-08 04:29:33 -08:00
dependabot[bot]	5d1dd83b07	build(deps): bump stefanbuck/github-issue-parser from 3.2.1 to 3.2.2 (#12773 ) Bumps [stefanbuck/github-issue-parser](https://github.com/stefanbuck/github-issue-parser) from 3.2.1 to 3.2.2. - [Release notes](https://github.com/stefanbuck/github-issue-parser/releases) - [Commits](`2ea9b35a8c...25f1485edf`) --- updated-dependencies: - dependency-name: stefanbuck/github-issue-parser dependency-version: 3.2.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-07 21:37:27 -08:00
dependabot[bot]	b203586d6b	build(deps): bump actions/checkout from 6.0.0 to 6.0.1 (#12772 ) Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.0 to 6.0.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](`1af3b93b68...8e8c483db8`) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-07 21:25:28 -08:00
Max Gautier	88df61357b	Use run_once for kubeadm init phase upload-certs (#12759 ) Before "5ca23e3bf (Changed to use first_kube_control_plane to parse kubeadm_certificate_key (#11875), 2025-01-14)", kubespray would have problem adding new control planes when the order of the nodes in kubectl output and the ansible inventory were not the same. But the underlying problem is that the operation is fundamentally something that should be done only once, and recorded for all host in play. Since `register` and `sef_fact` when used with `run_once` set the variable for all the hosts, use it. Also allows to use the variable directly instead of relying on hostvars to make the task more readable.	2025-12-07 21:07:27 -08:00
AFz	2edf176294	docs: fixed rendering issue by using generic markdown format (#12652 ) * docs: fix github markdown style * docs: use generic markdown format for quotes	2025-12-07 12:38:57 -08:00
Ali Afsharzadeh	39744146b4	Remove legacy `cilium_remove_old_resources` task (#12771 ) Signed-off-by: Ali Afsharzadeh <afsharzadeh8@gmail.com>	2025-12-07 07:36:55 -08:00