Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sensible defaults for Cilium Envoy Config #25901

Merged
merged 2 commits into from Jun 29, 2023
Merged

Sensible defaults for Cilium Envoy Config #25901

merged 2 commits into from Jun 29, 2023

Conversation

jrajahalme
Copy link
Member

@jrajahalme jrajahalme commented Jun 5, 2023
edited

CiliumEnvoyConfig needs BPF NodePort to function properly in most cases. Enable this by default if CEC is enabled, and kubeproxy replacement is not explicitly disabled.

For this to work, helm chart is made to default to KPR=false starting on 1.14. Validation will now fail only if KPR=disabled is explicitly configured or if KPR option is not given and upgradeCompatibility is < 1.14, when KPR will default to a disabled or probe.

BPF NodePort is now enabled by default if CiliumEnvoyConfig is configured.

@jrajahalme jrajahalme added area/daemon Impacts operation of the Cilium daemon. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. area/helm Impacts helm charts and user deployment experience area/servicemesh GH issues or PRs regarding servicemesh labels Jun 5, 2023
@jrajahalme jrajahalme requested review from a team as code owners June 5, 2023 12:25
meyskens
meyskens reviewed Jun 5, 2023
View reviewed changes
daemon/cmd/kube_proxy_replacement.go Outdated
@@ -62,6 +62,14 @@ func initKubeProxyReplacementOptions() error {
return nil
}

if option.Config.KubeProxyReplacement == option.KubeProxyReplacementPartial {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can this be merged into 1 if statement? instead of a nested if?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It can, but IMO this reads better in the context, which is formed with similar if statements.

@jrajahalme jrajahalme force-pushed the envoy-config-enable-options branch from 44d5838 to 7d775d5 Compare June 5, 2023 13:00
@jrajahalme jrajahalme requested review from a team as code owners June 5, 2023 13:00
@jrajahalme jrajahalme requested a review from squeed June 5, 2023 13:00
gentoo-root
gentoo-root reviewed Jun 5, 2023
View reviewed changes
install/kubernetes/cilium/templates/validate.yaml Outdated
{{- if hasKey .Values "kubeProxyReplacement" }}
{{- if and (ne .Values.kubeProxyReplacement "partial") (ne .Values.kubeProxyReplacement "strict") }}
{{- if (eq .Values.kubeProxyReplacement "disabled") }}
{{ fail "Ingress/Gateway API controller requires .Values.kubeProxyReplacement to be set to either 'partial' or 'strict'" }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The error messages should also mention envoy now, shouldn't they?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, changed messages to this form:

Ingress/Gateway API controller and EnvoyConfig require ...

install/kubernetes/cilium/templates/cilium-configmap.yaml Outdated
@@ -50,6 +50,14 @@
{{- $defaultKubeProxyReplacement = "disabled" -}}
{{- end -}}

{{- /* Default values when 1.14 was initially deployed */ -}}
{{- if semverCompare ">=1.14" (default "1.14" .Values.upgradeCompatibility) -}}
{{- if or .Values.envoyConfig.enabled .Values.ingressController.enabled .Values.gatewayAPI.enabled }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ingress controller and gateway API now also set KPR=partial automatically after this change, right? Why are these features not mentioned in the commit message?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed, thanks!

@jrajahalme jrajahalme force-pushed the envoy-config-enable-options branch from 7d775d5 to 34ac2c6 Compare June 5, 2023 13:45
@PhilipSchmid
Copy link
Contributor

Awesome, thank you so much for all your work!
One question: Do you think it's possible to backport this to 1.13? I guess this question mainly depends on daemon/cmd/kube_proxy_replacement.go as everything else isn't really changing existing behavior, so it should be quite safe to do so IMO.

@jrajahalme jrajahalme force-pushed the envoy-config-enable-options branch from 34ac2c6 to b7dcaa4 Compare June 6, 2023 05:57
@jrajahalme
Copy link
Member Author

Updated docs for the new helm values.

@jrajahalme
Copy link
Member Author

/test

@jrajahalme jrajahalme added the needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch label Jun 6, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.13.4 Jun 6, 2023
@jrajahalme jrajahalme force-pushed the envoy-config-enable-options branch from b7dcaa4 to 8c96db5 Compare June 6, 2023 06:37
@jrajahalme jrajahalme requested a review from a team as a code owner June 6, 2023 06:37
@jrajahalme jrajahalme requested a review from qmonnet June 6, 2023 06:37
@jrajahalme
Copy link
Member Author

Added envoyConfig to spelling_wordlist.txt.

@jrajahalme
Copy link
Member Author

jrajahalme commented Jun 6, 2023
edited by maintainer-s-little-helper bot

/test

Job 'Cilium-PR-K8s-1.25-kernel-4.19' failed:

Click to show.

Test Name

K8sAgentPolicyTest Multi-node policy test with L7 policy using connectivity-check to check datapath

Failure Output

FAIL: cannot install connectivity-check

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.25-kernel-4.19/436/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.25-kernel-4.19 so I can create one.

Then please upload the Jenkins artifacts to that issue.

@jrajahalme
Copy link
Member Author

Rebased for merged #26005

@joestringer joestringer added dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. and removed dont-merge/blocked Another PR must be merged before this one. labels Jun 26, 2023
@joestringer
Copy link
Member

@jrajahalme the dependency PR is now merged for this, can you rebase?

@jrajahalme jrajahalme added the dont-merge/blocked Another PR must be merged before this one. label Jun 27, 2023
@jrajahalme jrajahalme marked this pull request as draft June 27, 2023 06:54
@jrajahalme jrajahalme marked this pull request as ready for review June 28, 2023 15:07
@jrajahalme
Copy link
Member Author

/test

@jrajahalme jrajahalme removed the dont-merge/blocked Another PR must be merged before this one. label Jun 28, 2023
@jrajahalme
Copy link
Member Author

/test

@jrajahalme
Copy link
Member Author

/test

@jrajahalme
helm: Add configmap default values for Cilium 1.14
3dc92d6 
kubeProxyReplacement default changes to "false" for new installs and for
explicit installs with upgradeCompatibility >= 1.14.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
daemon: Enable options needed for CiliumEnvoyConfig if enabled
24b1b0b 
CiliumEnvoyConfig (also used by Ingress and GatewayAPI controllers) needs
BPF NodePort to function properly in most cases. Enable BPF NodePort by
default if Envoy config is enabled, and kube proxy replacement is not
explicitly disabled.

For this to work, helm chart is made to default to KPR=false starting
on 1.14. Validation will now fail only if KPR=disabled is explicitly
configured or if KPR option is not given and upgradeCompatibility is <
1.14, when KPR will default to a disabled or probe.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
Copy link
Member Author

Had to add a check or IPSec before enabling BPF node port. This can be lifted when BPF node port works with IPSec.

@jrajahalme
Copy link
Member Author

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 29, 2023
@jrajahalme jrajahalme merged commit 7be6bc2 into cilium:main Jun 29, 2023
64 of 65 checks passed
@borkmann borkmann added the needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch label Jun 29, 2023
@jrajahalme jrajahalme mentioned this pull request Jun 30, 2023
Merged
@joamaki joamaki mentioned this pull request Jul 5, 2023
Merged
23 tasks
@joamaki joamaki added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Jul 5, 2023
@jibi jibi added backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. and removed backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. labels Jul 10, 2023
@joestringer joestringer mentioned this pull request Jul 17, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@squeed squeed squeed approved these changes

@sayboras sayboras sayboras left review comments

@qmonnet qmonnet qmonnet left review comments

@gentoo-root gentoo-root gentoo-root approved these changes

@meyskens meyskens meyskens approved these changes

@youngnick youngnick youngnick approved these changes

Assignees

@jrajahalme jrajahalme

Labels
area/daemon Impacts operation of the Cilium daemon. area/helm Impacts helm charts and user deployment experience area/servicemesh GH issues or PRs regarding servicemesh backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. kind/enhancement This would improve or streamline existing functionality. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-blocker/1.14 This issue will prevent the release of the next version of Cilium. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet