Change Cilium templates to standalone version

[nebril]

Based on
https://github.com/cilium/cilium/blob/v1.6.0/install/kubernetes/quick-install.yaml

[olemarkus]

This is great!

It would be good to remove the code that opens the etcd ports to the nodes as well.

[nebril]

/retest

[nebril]

/test pull-kops-verify-bazel

[chrisz100]

Why are these limits required for cilium?

[chrisz100]

Is this really required to install cilium?

[chrisz100]

And once again, looks like you mixed some upstream things into one PR?

[chrisz100]

istio for cilium? correct me if I am wrong but they don't belong together I feel?

[nebril]

Cilium can run alongside istio, docs are here: http://docs.cilium.io/en/v1.6/gettingstarted/istio

[nebril]

@chrisz100 I did have some weird changes in this PR, thanks for pointing it out! Should be all good now.

[nebril]

/retest

[chrisz100]

/lgtm
/assign @mikesplain

[chrisz100]

It’s been long enough for people to also review.
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chrisz100, nebril

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [chrisz100]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mikesplain]

I was planning to review this after all the current CVE's and Centos fixes were in but oh well.

[mikesplain]

I have a few concerns with this being merged since it's a pretty significant update in cilium and we're forcing it upon all users, even 1.7 and up? I personally would prefer this to be a new manifest that only works with 1.13 or 1.14 and up, that way we encourage people to move to new versions as they upgrade.

What's the ugprade path between 1.0 and 1.6?

Also for this to apply to existing clusters, this will also need to up updated accordingly

kops/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go

Lines 1091 to 1122 in 3b9821d

	if b.cluster.Spec.Networking.Cilium != nil {
	key := "networking.cilium.io"
	version := "v1.0-kops.2"
	{
	id := "k8s-1.7"
	location := key + "/" + id + ".yaml"
	addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
	Name: fi.String(key),
	Version: fi.String(version),
	Selector: networkingSelector,
	Manifest: fi.String(location),
	KubernetesVersion: ">=1.7.0 <1.12.0",
	Id: id,
	})
	}
	{
	id := "k8s-1.12"
	location := key + "/" + id + ".yaml"
	addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
	Name: fi.String(key),
	Version: fi.String(version),
	Selector: networkingSelector,
	Manifest: fi.String(location),
	KubernetesVersion: ">=1.12.0",
	Id: id,
	})
	}
	}

[mikesplain]

Are we really upgrading from 1.0 to 1.6.1?

[chrisz100]

What’s more concerning to me: did we really not care about cilium for 6 minor versions?

[mikesplain]

Anyone is welcome to update at anytime, but especially when leaping versions we need to ensure a smooth upgrade path for all users.

[mikesplain]

According to https://github.com/kubernetes/kops/pull/7474/files#diff-dec2adb888d136e5fcab51a2af69403dL425 Cilium doesn't support 1.7 so this shouldn't be updated? Also I really don't like forcing old users to this new version, especially when they really shouldn't be using k8s that's this old anyway.

[chrisz100]

I’m a little confused with that statement: people should use sth that old so we shouldn’t force people to update?

[mikesplain]

If a user is still running k8s 1.7 - k8s 1.12, forcing a cilium upgrade of this magnitude is likely aggressive and has a strong likelihood of causing instability.

[mikesplain]

@nebril Can you test an upgrade from before this PR to post this PR? We might need to break this into smaller upgrades:

According to https://docs.cilium.io/en/v1.5/install/upgrade/#upgrading-from-1-2-x-to-1-3-y

If you are running Cilium 1.0.x or 1.1.x, please upgrade to 1.2.x first. It is also possible to upgrade from 1.0 or 1.1 directly to 1.3 by combining the upgrade instructions for each minor release. See the documentation for said releases for further information.

[olemarkus]

The change with the most impact is probably changing state store from etcd to CRD. There will be network disruptions for the brief time cilium rebuilds the state.

I did a test upgrade from kops 1.13.0 to master now. The add-on version isn't bumped, so the manifests aren't applied. But even with the version bumped, nothing happens. So that is at least one thing to look into. What else needs to happen for the manifests to be applied?

[olemarkus]

Cilium resources also miss labels: role.kubernetes.io/networking: "1"

So that should be added to the manifests. But even when I label existing resources and then update, it doesn't change the daemonset.

[nebril]

@mikesplain the biggest issue is that Cilium addon was actually broken for several versions since kops closed access to etcd clusters for addons (I don't remember which exact kops version it happened).

I was trying to make a PR with etcd operator, but etcd operator is still hardly production ready, so instead I waited for Cilium to support being backed by CRDs, which landed in 1.6.