docs: Clean up prerequisites for the Ingress Controller

[qmonnet]

This commit brings various minor improvements to the intro and prerequisites for the Ingress Controller documentation:

• Add a link to Kubernetes' documentation for Ingress, given that we never define or explain what Kubernetes Ingress is
• Instruct users to "enable" kube-proxy replacement, given that the values "strict" or "partial" are deprecated.
• Use the Helm value instead of the agent flag for the L7 proxy configuration, simply to remain consistent with the item above (KPR).
• Remove the requirement on Kubernetes 1.19+, given that 1.19 is now the minimum version supported by Cilium.

NOTE: kubeProxyReplacement=true is equivalent to the legacy strict mode, but not to the partial mode. It's likely that the full KPR is not necessary for running the Ingress Controller, but I wasn't able to find the exact subset of options that are required. @sayboras (you authored this requirement in the first place), do you know?

[qmonnet]

/test

[zacharysarah]

@qmonnet This is awesome. ✨ Minor formatting tweak, otherwise LGTM

[qmonnet]

/test

[sayboras]

NOTE: kubeProxyReplacement=true is equivalent to the legacy strict mode, but not to the partial mode. It's likely that the full KPR is not necessary for running the Ingress Controller, but I wasn't able to find the exact subset of options that are required

Actually, partial along might not be enough, we also need enable-node-port to complement.

[qmonnet]

Actually, partial along might not be enough, we also need enable-node-port to complement.

@sayboras "Partial" does not exist anymore, we have "enabled" (formerly "strict") or disabled ("pick your options"). My question in this case, is, is it enough to have KPR "disabled" and enable-node-port enabled for the Ingress Controller to work? Or is there something else that needs to be enabled?

In other words, what's the minimal requirement for Ingress support?

[sayboras]

"Partial" does not exist anymore, we have "enabled" (formerly "strict") or disabled ("pick your options"). My question in this case, is, is it enough to have KPR "disabled" and enable-node-port enabled for the Ingress Controller to work? Or is there something else that needs to be enabled?

Ah right, let me do a couple of tests locally and get back to you on this 👍

[sayboras]

👋 sorry for the late reply, seems like the combination of kpr=false and nodePort.enabled=true is working for Ingress (except direct traffic to Ingress LB service nodeport). I have created #27304 to add coverage in CI so that we don't break this behavior unintentionally.

Can you help to update the docs if possible, otherwise, I can send the follow-up PR?

$ ksysg cm cilium-config -o json | zgrep -E "replacement|enable-node-port" | head -3
        "enable-node-port": "true",
        "kube-proxy-replacement": "false",
        "kube-proxy-replacement-healthz-bind-address": "",

$ lb=$(kubectl get ingress basic-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

$ curl -k http://$lb/details/1           
{"id":1,"author":"William Shakespeare","year":1595,"type":"paperback","pages":200,"publisher":"PublisherA","language":"English","ISBN-10":"1234567890","ISBN-13":"123-1234567890"}

[qmonnet]

/test

[sayboras]

Thanks and LGTM ✅

[qmonnet]

@sayboras: Thanks! Grepping for strict or partial in the docs, I see similar requirements on “[KPR] set to either partial or strict” in Documentation/servicemesh/l7-traffic-management.rst and Documentation/operations/troubleshooting_servicemesh.rst. Do you know if NodePort is the actual feature that we need there as well?

[Edit: see directly PR linked below.]

Review addressed, “otherwise LGTM”