github-mirrors/kubespray
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-04-30 14:19:31 +03:00
Code Issues Packages Projects Releases Wiki Activity

network_plugin/cilium: fail fast when Gateway API CRDs are incompatible (#13223)

Browse Source 
Cilium < 1.20 unconditionally registers a field indexer for TLSRoute
v1alpha2 when the Gateway API controller is enabled, but Gateway API
>= 1.5.0 ships TLSRoute v1alpha2 with served=false in the standard
channel. The result is cilium-operator CrashLoopBackOff with:

  no matches for kind "TLSRoute" in version "gateway.networking.k8s.io/v1alpha2"

The fix landed in Cilium 1.20 only and will not be backported.

Add a preflight assert that triggers only when all of the following
hold: cilium_gateway_api_enabled, gateway_api_enabled, cilium_version
< 1.20.0, gateway_api_version >= 1.5.0, and gateway_api_channel ==
"standard". Users hit by this combo get a clear error and two
workarounds (pin gateway_api_version to 1.4.1, or switch
gateway_api_channel to "experimental") instead of debugging a crash
loop after the fact.

Signed-off-by: Kay Yan <kay.yan@daocloud.io>
This commit is contained in:
Kay Yan
2026-04-30 14:13:26 +08:00
committed by GitHub
parent c3d4864e63
commit a254f5ea68
1 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
roles/network_plugin/cilium/tasks/check.yml
View File

@@ -67,3 +67,19 @@
that: "cilium_hubble_event_buffer_capacity in [1, 3, 7, 15, 31, 63, 127, 255, 511, 1023, 2047, 4095, 8191, 16383, 32767, 65535]"
msg: "Error: cilium_hubble_event_buffer_capacity:{{ cilium_hubble_event_buffer_capacity }} is not a power of 2 minus 1 and it should be between 1 and 65535."
when: cilium_hubble_event_buffer_capacity is defined
# Cilium < 1.20 only supports Gateway API v1.4.1; v1.5+ standard channel drops
# TLSRoute v1alpha2 (served=false) which makes cilium-operator CrashLoopBackOff.
# Fix is in Cilium 1.20+ (cilium/cilium#45251) and will not be backported.
- name: Stop if cilium_gateway_api_enabled is incompatible with the Gateway API CRD bundle
assert:
that:
- gateway_api_version is version('1.5.0', '<') or gateway_api_channel != 'standard'
msg: |
Cilium < 1.20 only supports Gateway API v1.4.1, see
https://docs.cilium.io/en/stable/network/servicemesh/gateway-api/gateway-api/.
Pin gateway_api_version: '1.4.1', or set gateway_api_channel: 'experimental'.
when:
- cilium_gateway_api_enabled
- gateway_api_enabled
- cilium_version is version('1.20.0', '<')