From 1d86d69b769005e94ee090d6f3c5e641e11165ac Mon Sep 17 00:00:00 2001
From: Sebastian Wicki
Date: Thu, 28 Sep 2023 13:41:16 +0200
Subject: [PATCH] install: Avoid using deprecated "tunnel" flag

The tunnel option is deprecated and will be removed in Cilium v1.15. This commit fixes the remaining uses I have found where the Cilium CLI still set the old `tunnel` flag unconditionally, which will lead to issues once the flag is no longer accepted [1]. The Cilium CLI now only uses the deprecated `tunnel` flag for Cilium versions 1.13 and older. When reading the ConfigMap (such as in the clustermesh code), we attempt to first parse the new values, before falling back on the old ones.
[1] https://github.com/cilium/cilium/pull/27841#issuecomment-1707275681
Signed-off-by: Sebastian Wicki
---
 clustermesh/clustermesh.go | 22 +++++++++++++++++++---
 install/helm.go | 22 ++++++++++++++++++----
 install/install.go | 8 +++++++-
 3 files changed, 44 insertions(+), 8 deletions(-)
diff --git a/clustermesh/clustermesh.go b/clustermesh/clustermesh.go
index e6c44c19b2..24f954e779 100644
--- a/clustermesh/clustermesh.go
+++ b/clustermesh/clustermesh.go
@@ -50,7 +50,10 @@ import (
 const (
 configNameClusterID = "cluster-id"
 configNameClusterName = "cluster-name"
- configNameTunnel = "tunnel"
+
+ configNameTunnelLegacy = "tunnel"
+ configNameTunnelProtocol = "tunnel-protocol"
+ configNameRoutingMode = "routing-mode"
 caSuffix = ".etcd-client-ca.crt"
 keySuffix = ".etcd-client.key"
@@ -826,6 +829,19 @@ func (k *K8sClusterMesh) extractAccessInformation(ctx context.Context, client k8
 }
 }
+ tunnelProtocol := ""
+ if cm.Data[configNameRoutingMode] == "tunnel" {
+ // Cilium v1.14 and newer
+ tunnelProtocol = "vxlan" // default for tunnel mode
+ if proto, ok := cm.Data[configNameTunnelProtocol]; ok {
+ tunnelProtocol = proto
+ }
+ } else if proto, ok := cm.Data[configNameTunnelLegacy]; ok {
+ // Cilium v1.13 and older (some v1.14 configurations might use it too)
+ // Can be removed once we drop support for v1.14
+ tunnelProtocol = proto
+ }
+
 ai := &accessInformation{
 ClusterID: clusterID,
 ClusterName: clusterName,
@@ -836,7 +852,7 @@ func (k *K8sClusterMesh) extractAccessInformation(ctx context.Context, client k8
 ExternalWorkloadCert: externalWorkloadCert,
 ServiceType: svc.Spec.Type,
 ServiceIPs: []string{},
- Tunnel: cm.Data[configNameTunnel],
+ Tunnel: tunnelProtocol,
 }
 switch {
@@ -1780,7 +1796,7 @@ func (k *K8sClusterMesh) WriteExternalWorkloadInstallScript(ctx context.Context,
 return err
 }
 if ai.Tunnel != "" && ai.Tunnel != "vxlan" {
- return fmt.Errorf("datapath not using vxlan, please install Cilium with '--config tunnel=vxlan'")
+ return fmt.Errorf("datapath not using vxlan, please install Cilium with '--helm-set tunnelMode=vxlan'")
 }
 clusterAddr := fmt.Sprintf("%s:%d", ai.ServiceIPs[0], ai.ServicePort)
diff --git a/install/helm.go b/install/helm.go
index cd00ee7969..94e1affbb1 100644
--- a/install/helm.go
+++ b/install/helm.go
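Review bot: A ConfigMap that sets `tunnel-protocol` without a `routing-mode` key matches neither branch of the new fallback in the `@@ -826` hunk, so `tunnelProtocol` stays empty. That matters downstream because the guard in WriteExternalWorkloadInstallScript only rejects a non-empty `ai.Tunnel`, so a non-vxlan tunnel would pass it unnoticed. If a missing `routing-mode` means tunnel mode for the agent (not visible in this diff, so please confirm), add a branch such as `} else if proto, ok := cm.Data[configNameTunnelProtocol]; ok && cm.Data[configNameRoutingMode] == "" { tunnelProtocol = proto }` ahead of the legacy fallback. extractAccessInformation begins and ends outside the hunk.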
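Review bot: The reworded hint in the `@@ -1780` hunk names a Helm value, `tunnelMode`, that nothing else in this patch sets; install/helm.go writes `routingMode` and `tunnelProtocol` for charts >=1.14.0 and `tunnel` for older ones. Unless the chart defines `tunnelMode` somewhere outside this diff, a user following the message would set a key that has no effect and hit the same error again. Suggest `return fmt.Errorf("datapath not using vxlan, please install Cilium with '--helm-set routingMode=tunnel,tunnelProtocol=vxlan'")`, optionally mentioning `tunnel=vxlan` for v1.13 and older. WriteExternalWorkloadInstallScript continues outside the hunk.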
@@ -197,12 +197,21 @@ func (k *K8sInstaller) getHelmValues() (map[string]interface{}, error) {
 // Set Helm options specific to the detected / selected datapath mode
 switch k.params.DatapathMode {
 case DatapathTunnel:
- helmMapOpts["tunnel"] = tunnelVxlan
-
+ if versioncheck.MustCompile(">=1.14.0")(k.chartVersion) {
+ helmMapOpts["routingMode"] = routingModeTunnel
+ helmMapOpts["tunnelProtocol"] = tunnelVxlan
+ } else {
+ helmMapOpts["tunnel"] = tunnelVxlan
+ }
 case DatapathAwsENI:
 helmMapOpts["ipam.mode"] = ipamENI
 helmMapOpts["eni.enabled"] = "true"
- helmMapOpts["tunnel"] = tunnelDisabled
+ if versioncheck.MustCompile(">=1.14.0")(k.chartVersion) {
+ helmMapOpts["routingMode"] = routingModeNative
+ } else {
+ // Can be removed once we drop support for <1.14.0
+ helmMapOpts["tunnel"] = tunnelDisabled
+ }
 // TODO(tgraf) Is this really sane?
 helmMapOpts["egressMasqueradeInterfaces"] = "eth0"
@@ -219,7 +228,12 @@ func (k *K8sInstaller) getHelmValues() (map[string]interface{}, error) {
 helmMapOpts["azure.tenantID"] = k.params.Azure.TenantID
 helmMapOpts["azure.clientID"] = k.params.Azure.ClientID
 helmMapOpts["azure.clientSecret"] = k.params.Azure.ClientSecret
- helmMapOpts["tunnel"] = tunnelDisabled
+ if versioncheck.MustCompile(">=1.14.0")(k.chartVersion) {
+ helmMapOpts["routingMode"] = routingModeNative
+ } else {
+ // Can be removed once we drop support for <1.14.0
+ helmMapOpts["tunnel"] = tunnelDisabled
+ }
 switch {
 case versioncheck.MustCompile(">=1.10.0")(k.chartVersion):
 helmMapOpts["bpf.masquerade"] = "false"
diff --git a/install/install.go b/install/install.go
index a96d27892b..6d281240ef 100644
--- a/install/install.go
+++ b/install/install.go
@@ -61,6 +61,11 @@ const (
 tunnelVxlan = "vxlan"
 )
+const (
+ routingModeNative = "native"
+ routingModeTunnel = "tunnel"
+)
+
 const (
 encryptionUnspecified = ""
 encryptionDisabled = "disabled"
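Review bot: The gate `versioncheck.MustCompile(">=1.14.0")(k.chartVersion)` is written out three times in getHelmValues, twice in the `@@ -197` hunk and once more in the Azure case of the `@@ -219` hunk, and each occurrence presumably compiles the same constraint again. Evaluating it once before the switch, e.g. `useRoutingMode := versioncheck.MustCompile(">=1.14.0")(k.chartVersion)`, and branching on `useRoutingMode` keeps the three datapath cases in step when the cut-off is eventually removed. The DatapathTunnel legacy branch also lacks the `// Can be removed once we drop support for <1.14.0` comment that the other two carry; adding it there makes the later clean-up easy to grep for. getHelmValues starts and ends outside both hunks.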
@@ -523,7 +528,8 @@ func (k *K8sInstaller) generateConfigMap() (*corev1.ConfigMap, error) {
 return nil, fmt.Errorf("--install-no-conntrack-iptables-rules cannot be enabled on Azure AKS")
 }
- if cm.Data["tunnel"] != "disabled" {
+ // The check for the legacy "tunnel" flag can be removed once we drop support for Cilium v1.14
+ if cm.Data["tunnel"] != "disabled" || cm.Data["routing-mode"] != "native" {
 return nil, fmt.Errorf("--install-no-conntrack-iptables-rules requires tunneling to be disabled")
 }
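Review bot: The new condition joins the two checks with `||`, so it is true unless the ConfigMap has both `tunnel` set to `disabled` and `routing-mode` set to `native`. Assuming a generated ConfigMap carries only one of the two keys, a v1.14+ config with just `routing-mode: native` has an empty `tunnel` value, which is `!= "disabled"`, and is rejected even though tunneling is off; a legacy config with only `tunnel: disabled` fails the same way on the second operand. The error should fire only when neither key says tunneling is off: `if cm.Data["tunnel"] != "disabled" && cm.Data["routing-mode"] != "native" {`. generateConfigMap starts and ends outside the hunk.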