Sensible defaults for Cilium Envoy Config #25901
daemon/cmd/kube_proxy_replacement.go
Outdated
@@ -62,6 +62,14 @@ func initKubeProxyReplacementOptions() error { | |||
return nil | |||
} | |||
|
|||
if option.Config.KubeProxyReplacement == option.KubeProxyReplacementPartial { |
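Review bot: The new `if option.Config.KubeProxyReplacement == option.KubeProxyReplacementPartial {` branch at the end of this hunk has no comment explaining why partial mode is special-cased here. A one-line comment above the condition, naming the feature that depends on it, would let readers follow the intent without going back to the commit message.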
Can this be merged into one if statement instead of a nested if?
It can, but IMO this reads better in the context, which is formed with similar if statements.
44d5838 to 7d775d5
{{- if hasKey .Values "kubeProxyReplacement" }} | ||
{{- if and (ne .Values.kubeProxyReplacement "partial") (ne .Values.kubeProxyReplacement "strict") }} | ||
{{- if (eq .Values.kubeProxyReplacement "disabled") }} | ||
{{ fail "Ingress/Gateway API controller requires .Values.kubeProxyReplacement to be set to either 'partial' or 'strict'" }} |
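Review bot: The fail text on the last line still tells the user that kubeProxyReplacement must be set to 'partial' or 'strict', while the `eq .Values.kubeProxyReplacement "disabled"` condition only rejects 'disabled' and the outer `hasKey` guard lets an unset value through. If that condition is the one being kept, word the message around what is actually rejected, for example that the value must not be 'disabled', so a user who hits it is not told to set a value they could leave unset.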
The error messages should also mention envoy now, shouldn't they?
Yes, changed messages to this form:
Ingress/Gateway API controller and EnvoyConfig require ...
@@ -50,6 +50,14 @@ | |||
{{- $defaultKubeProxyReplacement = "disabled" -}} | |||
{{- end -}} | |||
|
|||
{{- /* Default values when 1.14 was initially deployed */ -}} | |||
{{- if semverCompare ">=1.14" (default "1.14" .Values.upgradeCompatibility) -}} | |||
{{- if or .Values.envoyConfig.enabled .Values.ingressController.enabled .Values.gatewayAPI.enabled }} |
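Review bot: The added `if or .Values.envoyConfig.enabled ...` line closes with `}}` while the other actions in this hunk close with `-}}`, so the newline after it is not trimmed. Close it with `-}}` for consistency with the surrounding lines. The `Default values when 1.14 was initially deployed` comment could also state that the default chosen here depends on whether EnvoyConfig, the Ingress controller or Gateway API is enabled.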
Ingress controller and gateway API now also set KPR=partial automatically after this change, right? Why are these features not mentioned in the commit message?
Fixed, thanks!
7d775d5 to 34ac2c6
Awesome, thank you so much for all your work!
34ac2c6 to b7dcaa4
Updated docs for the new helm values.
/test
b7dcaa4 to 8c96db5
Added
/test
Job 'Cilium-PR-K8s-1.25-kernel-4.19' failed:
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.25-kernel-4.19/436/
If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue.
Rebased for merged #26005
@jrajahalme the dependency PR is now merged for this, can you rebase?
12a3ed5 to 259964b
259964b to 192cd55
/test
192cd55 to 4cae1b4
/test
4cae1b4 to 427c07f
/test
kubeProxyReplacement default changes to "false" for new installs and for explicit installs with upgradeCompatibility >= 1.14.
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
CiliumEnvoyConfig (also used by Ingress and GatewayAPI controllers) needs BPF NodePort to function properly in most cases. Enable BPF NodePort by default if Envoy config is enabled, and kube proxy replacement is not explicitly disabled. For this to work, helm chart is made to default to KPR=false starting on 1.14. Validation will now fail only if KPR=disabled is explicitly configured or if KPR option is not given and upgradeCompatibility is < 1.14, when KPR will default to a disabled or probe.
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
427c07f to 24b1b0b
Had to add a check for IPSec before enabling BPF node port. This can be lifted when BPF node port works with IPSec.
/test
CiliumEnvoyConfig needs BPF NodePort to function properly in most cases. Enable this by default if CEC is enabled, and kubeproxy replacement is not explicitly disabled.
For this to work, helm chart is made to default to KPR=false starting on 1.14. Validation will now fail only if KPR=disabled is explicitly configured or if KPR option is not given and upgradeCompatibility is < 1.14, when KPR will default to a disabled or probe.