daemon: Enable options needed for CiliumEnvoyConfig if enabled
CiliumEnvoyConfig (also used by Ingress and GatewayAPI controllers) needs
BPF NodePort to function properly in most cases. Enable BPF NodePort by
default if Envoy config is enabled, and kube proxy replacement is not
explicitly disabled.

For this to work, helm chart is made to default to KPR=false starting
on 1.14. Validation will now fail only if KPR=disabled is explicitly
configured or if KPR option is not given and upgradeCompatibility is <
1.14, when KPR will default to a disabled or probe.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
jrajahalme committed Jun 29, 2023
1 parent 218b176 commit 7be6bc2
Showing 2 changed files with 12 additions and 7 deletions.
9 changes: 9 additions & 0 deletions daemon/cmd/kube_proxy_replacement.go
Expand Up @@ -86,6 +86,15 @@ func initKubeProxyReplacementOptions() error {
option.Config.EnableSessionAffinity = true
}

if option.Config.KubeProxyReplacement != option.KubeProxyReplacementDisabled &&
option.Config.EnableEnvoyConfig && !option.Config.EnableIPSec &&
!option.Config.EnableNodePort {
// CiliumEnvoyConfig L7 LB only works with bpf node port enabled
log.Infof("Auto-enabling %s for %s",
option.EnableNodePort, option.EnableEnvoyConfig)
option.Config.EnableNodePort = true
}

if option.Config.EnableNodePort {
if option.Config.EnableIPSec {
return fmt.Errorf("IPSec cannot be used with BPF NodePort")
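
Review bot: the added condition in initKubeProxyReplacementOptions() skips the auto-enable when option.Config.EnableIPSec is set or when KubeProxyReplacement is disabled, and nothing is logged on that path, although the comment in the same block says CiliumEnvoyConfig L7 LB only works with BPF NodePort. An operator who runs EnableEnvoyConfig together with IPSec gets an agent that starts without complaint and with NodePort left off. Suggest an else branch for the EnableEnvoyConfig && !EnableNodePort case that emits a warning-level log naming option.EnableEnvoyConfig and the reason NodePort was not enabled. Since this block turns on a datapath feature the operator did not ask for, the documentation of option.EnableEnvoyConfig should also state that it implies option.EnableNodePort.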
10 changes: 3 additions & 7 deletions install/kubernetes/cilium/templates/validate.yaml
Expand Up @@ -56,13 +56,9 @@
{{- end }}
{{- end }}

{{- if or .Values.ingressController.enabled .Values.gatewayAPI.enabled }}
{{- if hasKey .Values "kubeProxyReplacement" }}
{{- if and (ne (toString .Values.kubeProxyReplacement) "strict") (ne (toString .Values.kubeProxyReplacement) "true") (not .Values.nodePort.enabled) }}
{{ fail "Ingress/Gateway API controller requires either .Values.kubeProxyReplacement to be set to 'true' or .Values.nodePort.enabled to 'true'" }}
{{- end }}
{{- else }}
{{ fail "Ingress/Gateway API controller requires either .Values.kubeProxyReplacement to be set to 'true' or .Values.nodePort.enabled to 'true'" }}
{{- if or .Values.envoyConfig.enabled .Values.ingressController.enabled .Values.gatewayAPI.enabled }}
{{- if or (eq (toString .Values.kubeProxyReplacement) "disabled") (and (not (hasKey .Values "kubeProxyReplacement")) (not (semverCompare ">=1.14" (default "1.14" .Values.upgradeCompatibility)))) }}
{{ fail "Ingress/Gateway API controller and EnvoyConfig require .Values.kubeProxyReplacement to be explicitly set to 'false' or 'true'" }}
{{- end }}
{{- end }}
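
Review bot: the new fail message says kubeProxyReplacement must be "explicitly set to 'false' or 'true'", but the condition on the line above it does not enforce that. An unset key passes whenever upgradeCompatibility is unset or >= 1.14 (because of default "1.14"), and any explicit value other than the literal "disabled" passes as well. Suggest rewording the message to name what is actually rejected: the value 'disabled', or an unset key combined with upgradeCompatibility < 1.14. Also note that the removed check accepted .Values.nodePort.enabled as an alternative and the new one no longer reads it, so a values file with kubeProxyReplacement=disabled and nodePort.enabled=true that validated before now fails; if that is intended it belongs in the upgrade notes.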
