diff --git a/clustermesh/clustermesh.go b/clustermesh/clustermesh.go
index e6c44c19b2..24f954e779 100644
--- a/clustermesh/clustermesh.go
+++ b/clustermesh/clustermesh.go
@@ -50,7 +50,10 @@ import (
 const (
 configNameClusterID = "cluster-id"
 configNameClusterName = "cluster-name"
- configNameTunnel = "tunnel"
+
+ configNameTunnelLegacy = "tunnel"
+ configNameTunnelProtocol = "tunnel-protocol"
+ configNameRoutingMode = "routing-mode"
 caSuffix = ".etcd-client-ca.crt"
 keySuffix = ".etcd-client.key"
@@ -826,6 +829,19 @@ func (k *K8sClusterMesh) extractAccessInformation(ctx context.Context, client k8
 }
 }
+ tunnelProtocol := ""
+ if cm.Data[configNameRoutingMode] == "tunnel" {
+ // Cilium v1.14 and newer
+ tunnelProtocol = "vxlan" // default for tunnel mode
+ if proto, ok := cm.Data[configNameTunnelProtocol]; ok {
+ tunnelProtocol = proto
+ }
+ } else if proto, ok := cm.Data[configNameTunnelLegacy]; ok {
+ // Cilium v1.13 and older (some v1.14 configurations might use it too)
+ // Can be removed once we drop support for v1.14
+ tunnelProtocol = proto
+ }
+
 ai := &accessInformation{
 ClusterID: clusterID,
 ClusterName: clusterName,
@@ -836,7 +852,7 @@ func (k *K8sClusterMesh) extractAccessInformation(ctx context.Context, client k8
 ExternalWorkloadCert: externalWorkloadCert,
 ServiceType: svc.Spec.Type,
 ServiceIPs: []string{},
- Tunnel: cm.Data[configNameTunnel],
+ Tunnel: tunnelProtocol,
 }
 switch {
@@ -1780,7 +1796,7 @@ func (k *K8sClusterMesh) WriteExternalWorkloadInstallScript(ctx context.Context,
 return err
 }
 if ai.Tunnel != "" && ai.Tunnel != "vxlan" {
- return fmt.Errorf("datapath not using vxlan, please install Cilium with '--config tunnel=vxlan'")
+ return fmt.Errorf("datapath not using vxlan, please install Cilium with '--helm-set tunnelMode=vxlan'")
 }
 clusterAddr := fmt.Sprintf("%s:%d", ai.ServiceIPs[0], ai.ServicePort)
diff --git a/install/helm.go b/install/helm.go
index cd00ee7969..94e1affbb1 100644
--- a/install/helm.go
+++ b/install/helm.go
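Review bot: In the @@ -826 hunk a v1.14 ConfigMap with `routing-mode: native` leaves `tunnelProtocol` empty, because only `routing-mode == "tunnel"` assigns it and the `else if` only consults the legacy `tunnel` key, which such a cluster normally does not carry. The @@ -1780 hunk accepts an empty `ai.Tunnel` (`ai.Tunnel != "" && ai.Tunnel != "vxlan"`), so a native-routing v1.14 cluster is no longer rejected the way a v1.13 `tunnel: disabled` cluster was, and the external-workload script is generated against a datapath that is not using vxlan. I would add a branch between the two: `} else if cm.Data[configNameRoutingMode] == "native" {` / `tunnelProtocol = "disabled" // mirror the legacy tunnel=disabled value so vxlan-only callers reject it` / `}`. extractAccessInformation continues outside the hunk, so this assumes nothing later fills in the field.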
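Review bot: The new error text in the @@ -1780 hunk points users at `--helm-set tunnelMode=vxlan`, but no `tunnelMode` value appears anywhere else in this change; install/helm.go writes `routingMode`/`tunnelProtocol` for charts >=1.14.0 and `tunnel` for older ones. A user following the message would set a Helm key the installer itself never uses. I would make the hint match what getHelmValues emits, e.g. `"datapath not using vxlan, please install Cilium with '--helm-set routingMode=tunnel --helm-set tunnelProtocol=vxlan' (or 'tunnel=vxlan' before v1.14)"`, adjusted to whatever repeated-flag syntax the CLI accepts. WriteExternalWorkloadInstallScript starts and ends outside the hunk.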
@@ -197,12 +197,21 @@ func (k *K8sInstaller) getHelmValues() (map[string]interface{}, error) {
 // Set Helm options specific to the detected / selected datapath mode
 switch k.params.DatapathMode {
 case DatapathTunnel:
- helmMapOpts["tunnel"] = tunnelVxlan
-
+ if versioncheck.MustCompile(">=1.14.0")(k.chartVersion) {
+ helmMapOpts["routingMode"] = routingModeTunnel
+ helmMapOpts["tunnelProtocol"] = tunnelVxlan
+ } else {
+ helmMapOpts["tunnel"] = tunnelVxlan
+ }
 case DatapathAwsENI:
 helmMapOpts["ipam.mode"] = ipamENI
 helmMapOpts["eni.enabled"] = "true"
- helmMapOpts["tunnel"] = tunnelDisabled
+ if versioncheck.MustCompile(">=1.14.0")(k.chartVersion) {
+ helmMapOpts["routingMode"] = routingModeNative
+ } else {
+ // Can be removed once we drop support for <1.14.0
+ helmMapOpts["tunnel"] = tunnelDisabled
+ }
 // TODO(tgraf) Is this really sane?
 helmMapOpts["egressMasqueradeInterfaces"] = "eth0"
@@ -219,7 +228,12 @@ func (k *K8sInstaller) getHelmValues() (map[string]interface{}, error) {
 helmMapOpts["azure.tenantID"] = k.params.Azure.TenantID
 helmMapOpts["azure.clientID"] = k.params.Azure.ClientID
 helmMapOpts["azure.clientSecret"] = k.params.Azure.ClientSecret
- helmMapOpts["tunnel"] = tunnelDisabled
+ if versioncheck.MustCompile(">=1.14.0")(k.chartVersion) {
+ helmMapOpts["routingMode"] = routingModeNative
+ } else {
+ // Can be removed once we drop support for <1.14.0
+ helmMapOpts["tunnel"] = tunnelDisabled
+ }
 switch {
 case versioncheck.MustCompile(">=1.10.0")(k.chartVersion):
 helmMapOpts["bpf.masquerade"] = "false"
diff --git a/install/install.go b/install/install.go
index a96d27892b..6d281240ef 100644
--- a/install/install.go
+++ b/install/install.go
@@ -61,6 +61,11 @@ const (
 tunnelVxlan = "vxlan"
 )
+const (
+ routingModeNative = "native"
+ routingModeTunnel = "tunnel"
+)
+
 const (
 encryptionUnspecified = ""
 encryptionDisabled = "disabled"
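Review bot: The @@ -197 and @@ -219 hunks each evaluate `versioncheck.MustCompile(">=1.14.0")(k.chartVersion)` inline, so the same constraint is compiled three times and the same else-branch comment is repeated in each case. A single `is114 := versioncheck.MustCompile(">=1.14.0")(k.chartVersion)` above `switch k.params.DatapathMode {` would let every case read `if is114 { ... } else { ... }` and keep the version cutoff in one place for when v1.14 support is dropped. The existing `>=1.10.0` check further down follows the same inline pattern, so this is a style preference rather than a defect. getHelmValues starts before the hunk and continues after it.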
@@ -523,7 +528,8 @@ func (k *K8sInstaller) generateConfigMap() (*corev1.ConfigMap, error) {
 return nil, fmt.Errorf("--install-no-conntrack-iptables-rules cannot be enabled on Azure AKS")
 }
- if cm.Data["tunnel"] != "disabled" {
+ // The check for the legacy "tunnel" flag can be removed once we drop support for Cilium v1.14
+ if cm.Data["tunnel"] != "disabled" || cm.Data["routing-mode"] != "native" {
 return nil, fmt.Errorf("--install-no-conntrack-iptables-rules requires tunneling to be disabled")
 }
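Review bot: The widened condition in the @@ -523 hunk uses `||`, which makes `--install-no-conntrack-iptables-rules` fail on any ConfigMap that does not carry both keys: a v1.14 map with `routing-mode: native` and no legacy `tunnel` key trips `"" != "disabled"`, and a pre-1.14 map with `tunnel: disabled` and no `routing-mode` key trips `"" != "native"`. The intent is to error only when neither key reports native routing, so the operator should be `&&`: `if cm.Data["tunnel"] != "disabled" && cm.Data["routing-mode"] != "native" {`. With `&&`, a map that sets `routing-mode: tunnel` or `tunnel: vxlan` is still rejected, since neither value matches its check. generateConfigMap starts before the hunk and ends after it.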