crd, option: Make CiliumNodeConfig available on v2 API

This commit intens to turn CiliumNodeConfig feature to Limited. The CRD is now
available in v2 and v2alpha1 API versions. The depreciation of v2alpha1 should
be done in another commit.  The yaml definition of `CiliumNodeConfig` is in
`v2` directory but hold the two versions.

Signed-off-by: Donia Chaiehloudj <donia.cld@isovalent.com>

.github/actions/ginkgo/main-focus.yaml

@@ -44,7 +44,8 @@ include:
   # K8sAgentFQDNTest Restart Cilium validate that FQDN is still working
   # K8sAgentFQDNTest Validate that FQDN policy continues to work after being updated
   # K8sAgentFQDNTest Validate that multiple specs are working correctly
-  # K8sAgentPerNodeConfigTest Correctly computes config overrides
+  # K8sAgentPerNodeConfigTest Correctly computes config overrides with CNC v2alpha1
+  # K8sAgentPerNodeConfigTest Correctly computes config overrides with CNC v2
   - focus: "f02-agent-fqdn"
     cliFocus: "K8sAgentFQDNTest|K8sAgentPerNodeConfigTest"
 

Makefile

@@ -246,7 +246,8 @@ CRDS_CILIUM_V2 := ciliumnetworkpolicies \
                   ciliumlocalredirectpolicies \
                   ciliumegressgatewaypolicies \
                   ciliumenvoyconfigs \
-                  ciliumclusterwideenvoyconfigs
+                  ciliumclusterwideenvoyconfigs \
+                  ciliumnodeconfigs
 CRDS_CILIUM_V2ALPHA1 := ciliumendpointslices \
                         ciliumbgppeeringpolicies \
                         ciliumbgpclusterconfigs \
@@ -255,7 +256,6 @@ CRDS_CILIUM_V2ALPHA1 := ciliumendpointslices \
                         ciliumbgpnodeconfigs \
                         ciliumbgpnodeconfigoverrides \
                         ciliumloadbalancerippools \
-                        ciliumnodeconfigs \
                         ciliumcidrgroups \
                         ciliuml2announcementpolicies \
                         ciliumpodippools

pkg/k8s/apis/cilium.io/client/crds/v2alpha1/ciliumnodeconfigs.yaml → pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnodeconfigs.yaml

@@ -17,7 +17,7 @@ spec:
     singular: ciliumnodeconfig
   scope: Namespaced
   versions:
-  - name: v2alpha1
+  - name: v2
     schema:
       openAPIV3Schema:
         description: "CiliumNodeConfig is a list of configuration key-value pairs.
@@ -106,6 +106,98 @@ spec:
         type: object
     served: true
     storage: true
+  - deprecated: true
+    deprecationWarning: cilium.io/v2alpha1 CiliumNodeConfig will be deprecated in
+      cilium v1.16; use cilium.io/v2 CiliumNodeConfig
+    name: v2alpha1
+    schema:
+      openAPIV3Schema:
+        description: "CiliumNodeConfig is a list of configuration key-value pairs.
+          It is applied to nodes indicated by a label selector. \n If multiple overrides
+          apply to the same node, they will be ordered by name with later Overrides
+          overwriting any conflicting keys."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec is the desired Cilium configuration overrides for a
+              given node
+            properties:
+              defaults:
+                additionalProperties:
+                  type: string
+                description: Defaults is treated the same as the cilium-config ConfigMap
+                  - a set of key-value pairs parsed by the agent and operator processes.
+                  Each key must be a valid config-map data field (i.e. a-z, A-Z, -,
+                  _, and .)
+                type: object
+              nodeSelector:
+                description: NodeSelector is a label selector that determines to which
+                  nodes this configuration applies. If not supplied, then this config
+                  applies to no nodes. If empty, then it applies to all nodes.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+            required:
+            - defaults
+            - nodeSelector
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
 status:
   acceptedNames:
     kind: ""

pkg/k8s/apis/cilium.io/client/register.go

@@ -62,6 +62,9 @@ const (
 	// CECCRDName is the full name of the CEC CRD.
 	CECCRDName = k8sconstv2.CECKindDefinition + "/" + k8sconstv2.CustomResourceDefinitionVersion
 
+	// CNCCRDName is the full name of the CiliumNodeConfig CRD.
+	CNCCRDName = k8sconstv2.CNCKindDefinition + "/" + k8sconstv2.CustomResourceDefinitionVersion
+
 	// BGPPCRDName is the full name of the BGPP CRD.
 	BGPPCRDName = k8sconstv2alpha1.BGPPKindDefinition + "/" + k8sconstv2alpha1.CustomResourceDefinitionVersion
 
@@ -83,8 +86,9 @@ const (
 	// LBIPPoolCRDName is the full name of the BGPPool CRD.
 	LBIPPoolCRDName = k8sconstv2alpha1.PoolKindDefinition + "/" + k8sconstv2alpha1.CustomResourceDefinitionVersion
 
-	// CNCCRDName is the full name of the CiliumNodeConfig CRD.
-	CNCCRDName = k8sconstv2alpha1.CNCKindDefinition + "/" + k8sconstv2alpha1.CustomResourceDefinitionVersion
+	// CNCCRDNameAlpha is the full name of the CiliumNodeConfig CRD.
+	// TODO remove me when CNC CRD v2alpha1 will be deprecated.
+	CNCCRDNameAlpha = k8sconstv2alpha1.CNCKindDefinition + "/" + k8sconstv2alpha1.CustomResourceDefinitionVersion
 
 	// CCGCRDName is the full name of the CiliumCIDRGroup CRD.
 	CCGCRDName = k8sconstv2alpha1.CCGKindDefinition + "/" + k8sconstv2alpha1.CustomResourceDefinitionVersion
@@ -104,7 +108,7 @@ type CRDList struct {
 	FullName string
 }
 
-// Returns a map of CRDs
+// CustomResourceDefinitionList returns a map of CRDs
 func CustomResourceDefinitionList() map[string]*CRDList {
 	return map[string]*CRDList{
 		synced.CRDResourceName(k8sconstv2.CNPName): {
@@ -139,6 +143,10 @@ func CustomResourceDefinitionList() map[string]*CRDList {
 			Name:     CEGPCRDName,
 			FullName: k8sconstv2.CEGPName,
 		},
+		synced.CRDResourceName(k8sconstv2.CNCName): {
+			Name:     CNCCRDName,
+			FullName: k8sconstv2.CNCName,
+		},
 		synced.CRDResourceName(k8sconstv2alpha1.CESName): {
 			Name:     CESCRDName,
 			FullName: k8sconstv2alpha1.CESName,
@@ -179,8 +187,9 @@ func CustomResourceDefinitionList() map[string]*CRDList {
 			Name:     LBIPPoolCRDName,
 			FullName: k8sconstv2alpha1.LBIPPoolName,
 		},
+		// TODO remove me when CNC v2alpha 1 will be deprecated
 		synced.CRDResourceName(k8sconstv2alpha1.CNCName): {
-			Name:     CNCCRDName,
+			Name:     CNCCRDNameAlpha,
 			FullName: k8sconstv2alpha1.CNCName,
 		},
 		synced.CRDResourceName(k8sconstv2alpha1.CCGName): {
@@ -243,6 +252,9 @@ var (
 	//go:embed crds/v2/ciliumegressgatewaypolicies.yaml
 	crdsv2Ciliumegressgatewaypolicies []byte
 
+	//go:embed crds/v2/ciliumnodeconfigs.yaml
+	crdsv2CiliumNodeConfigs []byte
+
 	//go:embed crds/v2alpha1/ciliumendpointslices.yaml
 	crdsv2Alpha1Ciliumendpointslices []byte
 
@@ -273,9 +285,6 @@ var (
 	//go:embed crds/v2alpha1/ciliumloadbalancerippools.yaml
 	crdsv2Alpha1Ciliumloadbalancerippools []byte
 
-	//go:embed crds/v2alpha1/ciliumnodeconfigs.yaml
-	crdsv2Alpha1CiliumNodeConfigs []byte
-
 	//go:embed crds/v2alpha1/ciliumcidrgroups.yaml
 	crdsv2Alpha1CiliumCIDRGroups []byte
 
@@ -335,8 +344,10 @@ func GetPregeneratedCRD(crdName string) apiextensionsv1.CustomResourceDefinition
 		crdBytes = crdsv2Alpha1Ciliumbgpnodeconfigoverrides
 	case LBIPPoolCRDName:
 		crdBytes = crdsv2Alpha1Ciliumloadbalancerippools
+	case CNCCRDNameAlpha:
+		crdBytes = crdsv2CiliumNodeConfigs
 	case CNCCRDName:
-		crdBytes = crdsv2Alpha1CiliumNodeConfigs
+		crdBytes = crdsv2CiliumNodeConfigs
 	case CCGCRDName:
 		crdBytes = crdsv2Alpha1CiliumCIDRGroups
 	case L2AnnouncementCRDName:
@@ -391,8 +402,9 @@ func constructV1CRD(
 				ShortNames: template.Spec.Names.ShortNames,
 				Singular:   template.Spec.Names.Singular,
 			},
-			Scope:    template.Spec.Scope,
-			Versions: template.Spec.Versions,
+			Scope:      template.Spec.Scope,
+			Versions:   template.Spec.Versions,
+			Conversion: template.Spec.Conversion, // conversion strategy is needed to support several versions of a same CRD
 		},
 	}
 }

pkg/k8s/apis/cilium.io/v2/cnc_types.go

@@ -0,0 +1,55 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package v2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+//+genclient
+//+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+//+kubebuilder:resource:categories={cilium}
+//+kubebuilder:object:root=true
+//+deepequal-gen=false
+//+kubebuilder:storageversion
+
+// CiliumNodeConfig is a list of configuration key-value pairs. It is applied to
+// nodes indicated by a label selector.
+//
+// If multiple overrides apply to the same node, they will be ordered by name
+// with later Overrides overwriting any conflicting keys.
+type CiliumNodeConfig struct {
+	// +deepequal-gen=false
+	metav1.TypeMeta `json:",inline"`
+	// +deepequal-gen=false
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec is the desired Cilium configuration overrides for a given node
+	Spec CiliumNodeConfigSpec `json:"spec"`
+}
+
+// +deepequal-gen=false
+type CiliumNodeConfigSpec struct {
+	// Defaults is treated the same as the cilium-config ConfigMap - a set
+	// of key-value pairs parsed by the agent and operator processes.
+	// Each key must be a valid config-map data field (i.e. a-z, A-Z, -, _, and .)
+	Defaults map[string]string `json:"defaults"`
+
+	// NodeSelector is a label selector that determines to which nodes
+	// this configuration applies.
+	// If not supplied, then this config applies to no nodes. If
+	// empty, then it applies to all nodes.
+	NodeSelector *metav1.LabelSelector `json:"nodeSelector"`
+}
+
+//+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+//+deepequal-gen=false
+
+type CiliumNodeConfigList struct {
+	// +deepequal-gen=false
+	metav1.TypeMeta `json:",inline"`
+	// +deepequal-gen=false
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []CiliumNodeConfig `json:"items"`
+}

pkg/k8s/apis/cilium.io/v2/register.go

@@ -127,6 +127,17 @@ const (
 
 	// CECName is the full name of Cilium Envoy Config
 	CECName = CECPluralName + "." + CustomResourceDefinitionGroup
+
+	// CiliumNodeConfig (CNC)
+
+	// CNCPluralName is the plural name of Cilium Node Config
+	CNCPluralName = "ciliumnodeconfigs"
+
+	// CNCKindDefinition is the kind name of Cilium Node Config
+	CNCKindDefinition = "CiliumNodeConfig"
+
+	// CNCName is the full name of Cilium Node Config
+	CNCName = CNCPluralName + "." + CustomResourceDefinitionGroup
 )
 
 // SchemeGroupVersion is group version used to register these objects
@@ -180,6 +191,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&CiliumEndpointList{},
 		&CiliumNode{},
 		&CiliumNodeList{},
+		&CiliumNodeConfig{},
+		&CiliumNodeConfigList{},
 		&CiliumExternalWorkload{},
 		&CiliumExternalWorkloadList{},
 		&CiliumIdentity{},