install: Avoid using deprecated "tunnel" flag

The tunnel option is deprecated and will be removed in Cilium v1.15. This commit fixes the remaining uses I have found where the Cilium CLI still set the old `tunnel` flag unconditionally, which will lead to issues once the flag is no longer accepted [1]. The Cilium CLI now only uses the deprecated `tunnel` flag for Cilium versions 1.13 and older. When reading the ConfigMap (such as in the clustermesh code), we attempt to first parse the new values, before falling back on the old ones. [1] cilium/cilium#27841 (comment) Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
cilium · Sep 28, 2023 · 25781a5 · 25781a5
1 parent e71713f
commit 25781a5
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 8 deletions.
diff --git a/clustermesh/clustermesh.go b/clustermesh/clustermesh.go
@@ -50,7 +50,10 @@ import (
 const (
 	configNameClusterID   = "cluster-id"
 	configNameClusterName = "cluster-name"
-	configNameTunnel      = "tunnel"
+
+	configNameTunnelLegacy   = "tunnel"
+	configNameTunnelProtocol = "tunnel-protocol"
+	configNameRoutingMode    = "routing-mode"
 
 	caSuffix   = ".etcd-client-ca.crt"
 	keySuffix  = ".etcd-client.key"
@@ -826,6 +829,18 @@ func (k *K8sClusterMesh) extractAccessInformation(ctx context.Context, client k8
 		}
 	}
 
+	tunnelProtocol := ""
+	if cm.Data[configNameRoutingMode] == "tunnel" {
+		// Cilium v1.14 and newer
+		tunnelProtocol = "vxlan" // default for tunnel mode
+		if proto, ok := cm.Data[configNameTunnelProtocol]; ok {
+			tunnelProtocol = proto
+		}
+	} else if proto, ok := cm.Data[configNameTunnelLegacy]; ok {
+		// Cilium v1.13 and older
+		tunnelProtocol = proto
+	}
+
 	ai := &accessInformation{
 		ClusterID:            clusterID,
 		ClusterName:          clusterName,
@@ -836,7 +851,7 @@ func (k *K8sClusterMesh) extractAccessInformation(ctx context.Context, client k8
 		ExternalWorkloadCert: externalWorkloadCert,
 		ServiceType:          svc.Spec.Type,
 		ServiceIPs:           []string{},
-		Tunnel:               cm.Data[configNameTunnel],
+		Tunnel:               tunnelProtocol,
 	}
 
 	switch {
@@ -1780,7 +1795,7 @@ func (k *K8sClusterMesh) WriteExternalWorkloadInstallScript(ctx context.Context,
 		return err
 	}
 	if ai.Tunnel != "" && ai.Tunnel != "vxlan" {
-		return fmt.Errorf("datapath not using vxlan, please install Cilium with '--config tunnel=vxlan'")
+		return fmt.Errorf("datapath not using vxlan, please install Cilium with '--helm-set tunnelMode=vxlan'")
 	}
 
 	clusterAddr := fmt.Sprintf("%s:%d", ai.ServiceIPs[0], ai.ServicePort)

diff --git a/install/helm.go b/install/helm.go
@@ -197,12 +197,20 @@ func (k *K8sInstaller) getHelmValues() (map[string]interface{}, error) {
 		// Set Helm options specific to the detected / selected datapath mode
 		switch k.params.DatapathMode {
 		case DatapathTunnel:
-			helmMapOpts["tunnel"] = tunnelVxlan
-
+			if versioncheck.MustCompile(">=1.14.0")(k.chartVersion) {
+				helmMapOpts["routingMode"] = routingModeTunnel
+				helmMapOpts["tunnelProtocol"] = tunnelVxlan
+			} else {
+				helmMapOpts["tunnel"] = tunnelVxlan
+			}
 		case DatapathAwsENI:
 			helmMapOpts["ipam.mode"] = ipamENI
 			helmMapOpts["eni.enabled"] = "true"
-			helmMapOpts["tunnel"] = tunnelDisabled
+			if versioncheck.MustCompile(">=1.14.0")(k.chartVersion) {
+				helmMapOpts["routingMode"] = routingModeNative
+			} else {
+				helmMapOpts["tunnel"] = tunnelDisabled
+			}
 			// TODO(tgraf) Is this really sane?
 			helmMapOpts["egressMasqueradeInterfaces"] = "eth0"
 
@@ -219,7 +227,11 @@ func (k *K8sInstaller) getHelmValues() (map[string]interface{}, error) {
 			helmMapOpts["azure.tenantID"] = k.params.Azure.TenantID
 			helmMapOpts["azure.clientID"] = k.params.Azure.ClientID
 			helmMapOpts["azure.clientSecret"] = k.params.Azure.ClientSecret
-			helmMapOpts["tunnel"] = tunnelDisabled
+			if versioncheck.MustCompile(">=1.14.0")(k.chartVersion) {
+				helmMapOpts["routingMode"] = routingModeNative
+			} else {
+				helmMapOpts["tunnel"] = tunnelDisabled
+			}
 			switch {
 			case versioncheck.MustCompile(">=1.10.0")(k.chartVersion):
 				helmMapOpts["bpf.masquerade"] = "false"

diff --git a/install/install.go b/install/install.go
@@ -61,6 +61,11 @@ const (
 	tunnelVxlan    = "vxlan"
 )
 
+const (
+	routingModeNative = "native"
+	routingModeTunnel = "tunnel"
+)
+
 const (
 	encryptionUnspecified = ""
 	encryptionDisabled    = "disabled"
@@ -523,7 +528,7 @@ func (k *K8sInstaller) generateConfigMap() (*corev1.ConfigMap, error) {
 			return nil, fmt.Errorf("--install-no-conntrack-iptables-rules cannot be enabled on Azure AKS")
 		}
 
-		if cm.Data["tunnel"] != "disabled" {
+		if cm.Data["tunnel"] != "disabled" || cm.Data["routing-mode"] != "native" {
 			return nil, fmt.Errorf("--install-no-conntrack-iptables-rules requires tunneling to be disabled")
 		}