feat(install): remove host dependency on sh or mount

[ernado]

This allows running cilium install on Talos.

Signed-off-by: Aleksandr Razumov ernado@ya.ru

Ref: cilium/cilium#17883
Ref: cilium/cilium#16815

Checked on Talos with one control node and one worker:

$ cilium connectivity test

✅ All 11 tests (80 actions) successful, 0 tests skipped, 0 scenarios skipped.

[ernado]

Some connectivity tests failed, but not sure if related to PR:

Run # Background wait for job to complete or timeout
job.batch/cilium-cli condition met
Error from server: Get "https://10.168.0.47:10250/containerLogs/kube-system/cilium-cli-mpq68/test?timestamps=true": dial timeout, backstop
Error: Process completed with exit code 1.

Looks like cilium install was not called at all, so assuming that it is unrelated.

Please restart pipeline.

[ldelossa]

LGTM - thanks.

[aditighag]

The mountCmd that you are replacing at L678 is to mount the BPF filesystem. However, L692-696 are for mounting cgroup fs.

[ernado]

Looks like we've already mounting BPF here:

cilium-cli/install/install.go

Lines 494 to 498 in d2d7498

	VolumeMounts: []corev1.VolumeMount{
	{
	Name: "bpf-maps",
	MountPath: "/sys/fs/bpf",
	MountPropagation: &bidirectional,

I've changed MountPropagation to bidirectional, reflecting cilium/cilium#16656.

So I've updated #L678-L745 also with some context from #627

PTAL, should be ok now.

[aditighag]

Thanks for the PR.
However, the changes are incorrect. You'll need to make changes equivalent to the file install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml changes from PR - cilium/cilium#16656.

[ernado]

Thank you! Will update my implementation according to referred PR.

[ldelossa]

revoking approval as @aditighag found issues.

[tklauser]

Nit: please don't move this import group. We generally try to use the order 1. standard library, 2. packages from own repo, i.e. github.com/cilium/cilium-cli/... in that case) and 3. other 3rd party packages.

[ernado]

Done, thank you

[maintainer-s-little-helper]

Commit 2b1679f does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[maintainer-s-little-helper]

Commit 2b1679f does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[ernado]

Kind is not working without BPFFS init container, however BPFFS should be auto-mounted here with help of bidirectional volume.

Not sure how to fix it, so keeping init container for kind.

PTAL.

[ernado]

Gentle ping @aditighag

[aditighag]

Kind is not working without BPFFS init container, however BPFFS should be auto-mounted here with help of bidirectional volume.

Not sure how to fix it, so keeping init container for kind.

PTAL.

What error are you hitting?

[aditighag]

Also, this comment is not addresses - #635 (comment). This PR is adding cgroup mount init container - #627.

[ernado]

Looks like I'm lacking knowledge of internals, so closing this for now can't fully understand how eBPF fs is mounted.

For anybody interested: this PR works with Talos, rebase and build to use if needed.