daemon: Remove enableRemoteNodeIdentity flag

The enable-remote-node-identity agent flag was marked as deprecated for 1.15 in commit cf472ef ("daemon: Deprecate EnableRemoteNodeIdentity"). This commit wipes the code from the option as a flag and set it directly to the default value in the daemon config. Signed-off-by: Donia Chaiehloudj <donia.cld@isovalent.com>
cilium · Mar 12, 2024 · edc9799 · edc9799
1 parent 4711bb7
commit edc9799
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 46 deletions.
diff --git a/daemon/cmd/daemon.go b/daemon/cmd/daemon.go
@@ -750,9 +750,6 @@ func newDaemon(ctx context.Context, cleaner *daemonCleanup, params *daemonParams
 		case !option.Config.EnableNodePort:
 			err = fmt.Errorf("BPF masquerade requires NodePort (--%s=\"true\")",
 				option.EnableNodePort)
-		case !option.Config.EnableRemoteNodeIdentity:
-			err = fmt.Errorf("BPF masquerade requires remote node identities (--%s=\"true\")",
-				option.EnableRemoteNodeIdentity)
 		case len(option.Config.MasqueradeInterfaces) > 0:
 			err = fmt.Errorf("BPF masquerade does not allow to specify devices via --%s (use --%s instead)",
 				option.MasqueradeInterfaces, option.Devices)

diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
@@ -279,10 +279,6 @@ func InitGlobalFlags(cmd *cobra.Command, vp *viper.Viper) {
 	flags.String(option.IPv6MCastDevice, "", "Device that joins a Solicited-Node multicast group for IPv6")
 	option.BindEnv(vp, option.IPv6MCastDevice)
 
-	flags.Bool(option.EnableRemoteNodeIdentity, defaults.EnableRemoteNodeIdentity, "Enable use of remote node identity")
-	flags.MarkDeprecated(option.EnableRemoteNodeIdentity, "Remote Node Identity is needed for various other features to work or work fully, including EgressGateway and Policies. There is no benefit to having it turned off. It will be removed in v1.16.")
-	option.BindEnv(vp, option.EnableRemoteNodeIdentity)
-
 	flags.String(option.EncryptInterface, "", "Transparent encryption interface")
 	option.BindEnv(vp, option.EncryptInterface)
 
@@ -1421,10 +1417,6 @@ func initEnv(vp *viper.Viper) {
 		if option.Config.EnableIPSec {
 			log.Fatal("IPSec cannot be used with the host firewall.")
 		}
-		if option.Config.EnableEndpointRoutes && !option.Config.EnableRemoteNodeIdentity {
-			log.Fatalf("The host firewall requires remote-node identities (%s) when running with %s",
-				option.EnableRemoteNodeIdentity, option.EnableEndpointRoutes)
-		}
 	}
 
 	if option.Config.EnableIPv6Masquerade && option.Config.EnableBPFMasquerade && option.Config.EnableHostFirewall {

diff --git a/pkg/egressgateway/manager.go b/pkg/egressgateway/manager.go
@@ -190,12 +190,6 @@ func NewEgressGatewayManager(p Params) (out struct {
 		return out, fmt.Errorf("egress gateway requires --%s=\"true\" and --%s=\"true\"", option.EnableIPv4Masquerade, option.EnableBPFMasquerade)
 	}
 
-	if !dcfg.EnableRemoteNodeIdentity {
-		// datapath code depends on remote node identities to distinguish between
-		// cluster-local and cluster-egress traffic.
-		return out, fmt.Errorf("egress gateway requires remote node identities (--%s=\"true\")", option.EnableRemoteNodeIdentity)
-	}
-
 	if dcfg.EnableL7Proxy {
 		log.WithField(logfields.URL, "https://github.com/cilium/cilium/issues/19642").
 			Warningf("both egress gateway and L7 proxy (--%s) are enabled. This is currently not fully supported: "+

diff --git a/pkg/node/manager/manager.go b/pkg/node/manager/manager.go
@@ -408,37 +408,34 @@ func (m *manager) endpointEncryptionKey(n *nodeTypes.Node) ipcacheTypes.EncryptK
 
 func (m *manager) nodeIdentityLabels(n nodeTypes.Node) (nodeLabels labels.Labels, hasOverride bool) {
 	nodeLabels = labels.NewFrom(labels.LabelRemoteNode)
-	if m.conf.RemoteNodeIdentitiesEnabled() {
-		if n.IsLocal() {
-			nodeLabels = labels.NewFrom(labels.LabelHost)
-			if m.conf.PolicyCIDRMatchesNodes() {
-				for _, address := range n.IPAddresses {
-					addr, ok := ip.AddrFromIP(address.IP)
-					if ok {
-						bitLen := addr.BitLen()
-						if m.conf.EnableIPv4 && bitLen == net.IPv4len*8 ||
-							m.conf.EnableIPv6 && bitLen == net.IPv6len*8 {
-							prefix, err := addr.Prefix(bitLen)
-							if err == nil {
-								cidrLabels := labels.GetCIDRLabels(prefix)
-								nodeLabels.MergeLabels(cidrLabels)
-							}
+	if n.IsLocal() {
+		nodeLabels = labels.NewFrom(labels.LabelHost)
+		if m.conf.PolicyCIDRMatchesNodes() {
+			for _, address := range n.IPAddresses {
+				addr, ok := ip.AddrFromIP(address.IP)
+				if ok {
+					bitLen := addr.BitLen()
+					if m.conf.EnableIPv4 && bitLen == net.IPv4len*8 ||
+						m.conf.EnableIPv6 && bitLen == net.IPv6len*8 {
+						prefix, err := addr.Prefix(bitLen)
+						if err == nil {
+							cidrLabels := labels.GetCIDRLabels(prefix)
+							nodeLabels.MergeLabels(cidrLabels)
 						}
 					}
 				}
 			}
-		} else if !identity.NumericIdentity(n.NodeIdentity).IsReservedIdentity() {
-			// This needs to match clustermesh-apiserver's VMManager.AllocateNodeIdentity
-			nodeLabels = labels.Map2Labels(n.Labels, labels.LabelSourceK8s)
-			hasOverride = true
-		} else if !n.IsLocal() && option.Config.PerNodeLabelsEnabled() {
-			lbls := labels.Map2Labels(n.Labels, labels.LabelSourceNode)
-			filteredLbls, _ := labelsfilter.FilterNodeLabels(lbls)
-			nodeLabels.MergeLabels(filteredLbls)
 		}
-	} else {
-		nodeLabels = labels.NewFrom(labels.LabelHost)
+	} else if !identity.NumericIdentity(n.NodeIdentity).IsReservedIdentity() {
+		// This needs to match clustermesh-apiserver's VMManager.AllocateNodeIdentity
+		nodeLabels = labels.Map2Labels(n.Labels, labels.LabelSourceK8s)
+		hasOverride = true
+	} else if !n.IsLocal() && option.Config.PerNodeLabelsEnabled() {
+		lbls := labels.Map2Labels(n.Labels, labels.LabelSourceNode)
+		filteredLbls, _ := labelsfilter.FilterNodeLabels(lbls)
+		nodeLabels.MergeLabels(filteredLbls)
 	}
+
 	return nodeLabels, hasOverride
 }
 

diff --git a/pkg/option/config.go b/pkg/option/config.go
@@ -918,9 +918,6 @@ const (
 	// control plane, e.g. when using the managed etcd feature
 	EnableWellKnownIdentities = "enable-well-known-identities"
 
-	// EnableRemoteNodeIdentity enables use of the remote-node identity
-	EnableRemoteNodeIdentity = "enable-remote-node-identity"
-
 	// PolicyAuditModeArg argument enables policy audit mode.
 	PolicyAuditModeArg = "policy-audit-mode"
 
@@ -2445,6 +2442,7 @@ var (
 		EnableIPv6NDP:                   defaults.EnableIPv6NDP,
 		EnableSCTP:                      defaults.EnableSCTP,
 		EnableL7Proxy:                   defaults.EnableL7Proxy,
+		EnableRemoteNodeIdentity:        defaults.EnableRemoteNodeIdentity,
 		DNSMaxIPsPerRestoredRule:        defaults.DNSMaxIPsPerRestoredRule,
 		ToFQDNsMaxIPsPerHost:            defaults.ToFQDNsMaxIPsPerHost,
 		KVstorePeriodicSync:             defaults.KVstorePeriodicSync,
@@ -3013,7 +3011,6 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) {
 	c.BPFSocketLBHostnsOnly = vp.GetBool(BPFSocketLBHostnsOnly)
 	c.EnableSocketLB = vp.GetBool(EnableSocketLB)
 	c.EnableSocketLBTracing = vp.GetBool(EnableSocketLBTracing)
-	c.EnableRemoteNodeIdentity = vp.GetBool(EnableRemoteNodeIdentity)
 	c.EnableBPFTProxy = vp.GetBool(EnableBPFTProxy)
 	c.EnableXTSocketFallback = vp.GetBool(EnableXTSocketFallbackName)
 	c.EnableAutoDirectRouting = vp.GetBool(EnableAutoDirectRoutingName)