Clarify documentation and prevent activating Ingress and Gateway controllers if l7 proxy is disabled

[youngnick]

This issue is effectively an epic covering work to handle what happens when Ingress or Gateway API support is enabled when L7 proxy support has already been explicitly disabled (which is required for Wireguard support, but could also be done for other reasons).

When this happens, a few problems can arise:

• Ingress Controller fails silently if l7proxy is disabled #22535
• Cilium Ingress in Shared mode crashes all cilium pods #22667

The fact that the last one has all Cilium pods panic and crash seems pretty bad.

Actions to take here are at least:

• Update Ingress and Gateway API docs to indicate that you must have the l7 proxy enabled #22788
• Add something to installs to try to prevent enabling Ingress if l7 proxy is disabled #22789
• Have the cilium agent disable Ingress at runtime if l7 proxy is disabled #22790
• Ingress + egress + l7proxy=false results in panic: invalid memory address or nil pointer dereference #21354 insead of the above issue.
• ~Ensure that Kubernetes watchers don't use uninitialized l7 proxy config (which is the source of Cilium Ingress in Shared mode crashes all cilium pods #22667) ~ - This is a very large refactor that will also cross over into efforts to move code more towards the Hive style, so it's pulled out of this issue.

[pchaigno]

Should we split this up into the 4 above tasks and mark good-first-issues? You should find people to work on this in the community if we do that IMO.

[afzal442]

Hey there, would like to look into it.

cc @pchaigno

[youngnick]

Thanks @pchaigno, good call. I've split out three of the tasks, and marked them good-first-issue. @afzal442, please feel free to pick up any of those sub-tasks!

[amolkavitkar]

cilium/daemon/cmd/daemon_main.go

Line 1490 in 13ee10a

case option.Config.EnableL7Proxy:

isn't this is suppose to log a error if wireguard is enabled with L7proxy

[pchaigno]

@amolkavitkar That's correct and this logic works, but the present issue is about the Ingress and Gateway controllers when the L7 proxy is disabled, not about WireGuard. WireGuard is just one of the reasons why the L7 proxy might be disabled.

[youngnick]

#18773 is another example of a similar behavior.

[github-actions]

This issue has been automatically marked as stale because it has not
had recent activity. It will be closed if no further activity occurs.

[youngnick]

With #25215 merged, this one is resolved. As of 1.13, it's not possible to disable l7 proxy and enable Ingress or Gateway API, it will be rejected by Helm.

[jibi]

With #25215 merged, this one is resolved. As of 1.13, it's not possible to disable l7 proxy and enable Ingress or Gateway API, it will be rejected by Helm.

reopening this as I think there's a typo in https://github.com/cilium/cilium/pull/25215/files: l7proxy should be l7Proxy (we dropped that PR from v1.12 #25452 and v1.13 #25346 backports but probably the notification from the PR description got lost)

[youngnick]

@sayboras closed this one in #25570.