install: Avoid using deprecated "tunnel" flag
The tunnel option is deprecated and will be removed in Cilium v1.15.
This commit fixes the remaining uses I have found where the Cilium CLI
still set the old `tunnel` flag unconditionally, which will lead to
issues once the flag is no longer accepted [1]. The Cilium CLI now only
uses the deprecated `tunnel` flag for Cilium versions 1.13 and older.

When reading the ConfigMap (such as in the clustermesh code), we attempt
to first parse the new values, before falling back on the old ones.

[1] cilium/cilium#27841 (comment)

Signed-off-by: Sebastian Wicki <[email protected]>
gandro committed Oct 2, 2023
1 parent 3699480 commit 6b84802
Showing 3 changed files with 44 additions and 8 deletions.
22 changes: 19 additions & 3 deletions clustermesh/clustermesh.go
@@ -50,7 +50,10 @@ import (
const (
configNameClusterID = "cluster-id"
configNameClusterName = "cluster-name"
configNameTunnel = "tunnel"

configNameTunnelLegacy = "tunnel"
configNameTunnelProtocol = "tunnel-protocol"
configNameRoutingMode = "routing-mode"

caSuffix = ".etcd-client-ca.crt"
keySuffix = ".etcd-client.key"
@@ -826,6 +829,19 @@ func (k *K8sClusterMesh) extractAccessInformation(ctx context.Context, client k8
}
}

tunnelProtocol := ""
if cm.Data[configNameRoutingMode] == "tunnel" {
// Cilium v1.14 and newer
tunnelProtocol = "vxlan" // default for tunnel mode
if proto, ok := cm.Data[configNameTunnelProtocol]; ok {
tunnelProtocol = proto
}
} else if proto, ok := cm.Data[configNameTunnelLegacy]; ok {
// Cilium v1.13 and older (some v1.14 configurations might use it too)
// Can be removed once we drop support for v1.14
tunnelProtocol = proto
}

ai := &accessInformation{
ClusterID: clusterID,
ClusterName: clusterName,
@@ -836,7 +852,7 @@ func (k *K8sClusterMesh) extractAccessInformation(ctx context.Context, client k8
ExternalWorkloadCert: externalWorkloadCert,
ServiceType: svc.Spec.Type,
ServiceIPs: []string{},
Tunnel: cm.Data[configNameTunnel],
Tunnel: tunnelProtocol,
}

switch {
@@ -1780,7 +1796,7 @@ func (k *K8sClusterMesh) WriteExternalWorkloadInstallScript(ctx context.Context,
return err
}
if ai.Tunnel != "" && ai.Tunnel != "vxlan" {
return fmt.Errorf("datapath not using vxlan, please install Cilium with '--config tunnel=vxlan'")
return fmt.Errorf("datapath not using vxlan, please install Cilium with '--helm-set tunnelMode=vxlan'")
}

clusterAddr := fmt.Sprintf("%s:%d", ai.ServiceIPs[0], ai.ServicePort)
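Review bot: With `routing-mode` set to `native` and no legacy `tunnel` key, the new block in extractAccessInformation leaves `tunnelProtocol` empty, so the guard in WriteExternalWorkloadInstallScript (`ai.Tunnel != "" && ai.Tunnel != "vxlan"`) lets a non-tunnelled cluster through, where the old `tunnel=disabled` value was rejected. Handling the native case explicitly before the legacy fallback would keep the guard effective, e.g. `} else if cm.Data[configNameRoutingMode] == "native" { tunnelProtocol = "disabled" }`. Whether v1.14+ ConfigMaps in native mode still carry `tunnel: disabled` is not visible here, so this should be confirmed against a generated ConfigMap. Separately, the new error text suggests `tunnelMode=vxlan`, while the Helm keys this commit sets in install/helm.go are `routingMode` and `tunnelProtocol`. Both functions start and end outside the hunks.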
22 changes: 18 additions & 4 deletions install/helm.go
@@ -197,12 +197,21 @@ func (k *K8sInstaller) getHelmValues() (map[string]interface{}, error) {
// Set Helm options specific to the detected / selected datapath mode
switch k.params.DatapathMode {
case DatapathTunnel:
helmMapOpts["tunnel"] = tunnelVxlan

if versioncheck.MustCompile(">=1.14.0")(k.chartVersion) {
helmMapOpts["routingMode"] = routingModeTunnel
helmMapOpts["tunnelProtocol"] = tunnelVxlan
} else {
helmMapOpts["tunnel"] = tunnelVxlan
}
case DatapathAwsENI:
helmMapOpts["ipam.mode"] = ipamENI
helmMapOpts["eni.enabled"] = "true"
helmMapOpts["tunnel"] = tunnelDisabled
if versioncheck.MustCompile(">=1.14.0")(k.chartVersion) {
helmMapOpts["routingMode"] = routingModeNative
} else {
// Can be removed once we drop support for <1.14.0
helmMapOpts["tunnel"] = tunnelDisabled
}
// TODO(tgraf) Is this really sane?
helmMapOpts["egressMasqueradeInterfaces"] = "eth0"

@@ -219,7 +228,12 @@ func (k *K8sInstaller) getHelmValues() (map[string]interface{}, error) {
helmMapOpts["azure.tenantID"] = k.params.Azure.TenantID
helmMapOpts["azure.clientID"] = k.params.Azure.ClientID
helmMapOpts["azure.clientSecret"] = k.params.Azure.ClientSecret
helmMapOpts["tunnel"] = tunnelDisabled
if versioncheck.MustCompile(">=1.14.0")(k.chartVersion) {
helmMapOpts["routingMode"] = routingModeNative
} else {
// Can be removed once we drop support for <1.14.0
helmMapOpts["tunnel"] = tunnelDisabled
}
switch {
case versioncheck.MustCompile(">=1.10.0")(k.chartVersion):
helmMapOpts["bpf.masquerade"] = "false"
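Review bot: The constraint `versioncheck.MustCompile(">=1.14.0")(k.chartVersion)` is now compiled and evaluated three times in getHelmValues, and the DatapathTunnel branch is the only one of the three without the `// Can be removed once we drop support for <1.14.0` marker on its legacy `tunnel` assignment. Evaluating it once before the switch, e.g. `useRoutingMode := versioncheck.MustCompile(">=1.14.0")(k.chartVersion)`, keeps the three branches from drifting apart when the legacy path is deleted. It is also worth confirming how this constraint treats pre-release chart versions such as a 1.14 release candidate, since sending the wrong key set to such a chart is the failure this commit is meant to prevent; the helper's behaviour is not visible here. getHelmValues starts and ends outside the hunks.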
8 changes: 7 additions & 1 deletion install/install.go
@@ -61,6 +61,11 @@ const (
tunnelVxlan = "vxlan"
)

const (
routingModeNative = "native"
routingModeTunnel = "tunnel"
)

const (
encryptionUnspecified = ""
encryptionDisabled = "disabled"
@@ -523,7 +528,8 @@ func (k *K8sInstaller) generateConfigMap() (*corev1.ConfigMap, error) {
return nil, fmt.Errorf("--install-no-conntrack-iptables-rules cannot be enabled on Azure AKS")
}

if cm.Data["tunnel"] != "disabled" {
// The check for the legacy "tunnel" flag can be removed once we drop support for Cilium v1.14
if cm.Data["tunnel"] != "disabled" || cm.Data["routing-mode"] != "native" {
return nil, fmt.Errorf("--install-no-conntrack-iptables-rules requires tunneling to be disabled")
}

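Review bot: The new condition in generateConfigMap, `cm.Data["tunnel"] != "disabled" || cm.Data["routing-mode"] != "native"`, rejects any ConfigMap that does not carry both keys: a map with only `routing-mode: native` fails the first operand, and one with only `tunnel: disabled` fails the second. If the intent is to accept either way of disabling tunnelling, the operator should be `&&`: `if cm.Data["tunnel"] != "disabled" && cm.Data["routing-mode"] != "native" {`. As written, `--install-no-conntrack-iptables-rules` would be refused on an otherwise valid native-routing install unless the generated ConfigMap always contains both keys, which the hunk does not show. generateConfigMap's body continues outside the hunk.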
