Refactor Cilium CNI installation #12101

Merged
merged 15 commits into from
May 20, 2025

tico88612
Member

@tico88612 tico88612 commented Apr 1, 2025

What type of PR is this?

/kind design
/kind feature

What this PR does / why we need it:

We would deprecate the old template installation, and using the Cilium CLI will be better.

Which issue(s) this PR fixes:

Fixes #12049 #12153
Related #11487

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Cilium CNI installation replaces Jinja template with Cilium CLI
[action required] `cilium_agent_custom_args` and `cilium_operator_custom_args` are deprecated, please use `cilium_agent_extra_args` and `cilium_operator_extra_args`.
[action required] `cilium_identity_allocation_mode` default change to `crd`.
[action required] `cilium_enable_host_legacy_routing` default change to `false`.
Add Cilium hubble export advanced flow log settings (`cilium_hubble_export_file_max_backups`, `cilium_hubble_export_file_max_size_mb`, `cilium_hubble_export_dynamic_enabled` and `cilium_hubble_export_dynamic_config_content`)
Deprecated `cilium_ipsec_node_encryption`, replace it with `cilium_encryption_node_encryption`

@k8s-ci-robot k8s-ci-robot added kind/design Categorizes issue or PR as related to design. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Apr 1, 2025
@tico88612
Member Author

/ok-to-test

@k8s-ci-robot k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Apr 1, 2025
@tico88612
Member Author

For the extended cilium test.

/label ci-extended

@k8s-ci-robot k8s-ci-robot added the ci-extended Run additional tests label Apr 1, 2025
@tico88612 tico88612 force-pushed the refactor/cilium-install branch 2 times, most recently from d5433be to 775aa12 Compare April 1, 2025 13:51
@tico88612
Member Author

/label tide/merge-method-merge

@k8s-ci-robot k8s-ci-robot added the tide/merge-method-merge Denotes a PR that should use a standard merge by tide when it merges. label Apr 1, 2025
@tico88612 tico88612 force-pushed the refactor/cilium-install branch 5 times, most recently from 58e644b to c281a50 Compare April 3, 2025 13:34
@tico88612 tico88612 changed the title [WIP] Refactor Cilium CNI installation Refactor Cilium CNI installation Apr 3, 2025
@k8s-ci-robot k8s-ci-robot added release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. and removed do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Apr 3, 2025
@tico88612
Member Author

/retest-failed

@VannTen
Contributor

VannTen commented Apr 8, 2025

I didn't review thoroughly yet, I'll see if I can find the time.
Since this is a relatively big change (right?) do we want to hold this one until after 2.28, to have more testing time in master before a release?

@tico88612
Member Author

@VannTen Selfishly, I hope it will be released on 2.28 (I'm not sure if Cilium 1.15 is compatible with Kubernetes 1.32), but if it requires a lot of testing (it's too close to the K8s 1.33 release), I agree with your idea.

@VannTen
Contributor

VannTen commented Apr 8, 2025 via email

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 19, 2025
tico88612 added 15 commits May 19, 2025 08:48
Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
When Cilium is configured to replace kube-proxy, it automatically
enables dnsProxy, which can conflict with nodelocaldns.
Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
@tico88612 tico88612 force-pushed the refactor/cilium-install branch from 19225f2 to 1266527 Compare May 19, 2025 00:48
@k8s-ci-robot k8s-ci-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels May 19, 2025
@tmurakam
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 19, 2025
@tmurakam
Contributor

tmurakam commented May 19, 2025

This is the last blocking issue of #12175 (Release proposal of 2.28.0)
Can anyone review and approve this PR?

@VannTen
Contributor

VannTen commented May 20, 2025

I haven't reviewed the diff in detail, but I don't see anything immediately wrong and since there has been review by @tmurakam already, let's merge this.

Thanks everyone for all the work 🎉
/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RaulButuc, tico88612, VannTen

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 20, 2025
@k8s-ci-robot k8s-ci-robot merged commit 019cf2a into kubernetes-sigs:master May 20, 2025
61 checks passed
@tmurakam
Contributor

@VannTen
Thank you!

Successfully merging this pull request may close these issues.

Cilium CNI version bump
8 participants