kube-proxy-replacement=strict doesn't enable needed features like kube-proxy-replacement=true does

[zviratko]

Is there an existing issue for this?

• I have searched the existing issues

What happened?

I hit this when starting with Cilium, another user on Slack hit it recently.

Looking into code, it looks like it's supposed to work like a boolean, but it is a string.
In some places, tests are done whether it's "true" or "false", but "strict" is neither.

cilium/daemon/cmd/status.go

Line 248 in edc9cba

func (d *Daemon) getKubeProxyReplacementStatus() *models.KubeProxyReplacement {

I'm not exactly sure about the configuration logic, but I'm pretty sure it's not working right and doesn't enable the features needed for it to work correctly

cilium/daemon/cmd/kube_proxy_replacement.go

Line 51 in edc9cba

option.EnableNodePort, option.EnableExternalIPs,

The above will only work if it is "true", but not "strict".

Please make it a boolean and die if it's strict (please don't do the thing cilium does where it just warns somewhere on startup and keeps people pulling their hair!). I wonder how many people hit this.

Cilium Version

1.15.5

Kernel Version

1.2.34

Kubernetes Version

1.30.1

Regression

No response

Sysdump

No response

Relevant log output

No response

Anything else?

No response

Cilium Users Document

• Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

• I agree to follow this project's Code of Conduct

[joestringer]

It looks like the use of "strict" was deprecated in v1.14 and removed in v1.15, per the release notes: https://docs.cilium.io/en/v1.14/operations/upgrade/#deprecated-options .

If I follow correctly, what you are asking for is for Helm to detect this misconfiguration and alert when you attempt to configure Cilium with an invalid value for this configuration. Is that accurate?

Unfortunately at the time of the v1.15 release we didn't have a schema for linting Helm configurations, so it may be a bit tricky to retrospectively apply this for those versions. However, as of the v1.16 prereleases, this should now be much more user-friendly. For example:

$ helm template cilium/cilium --version v1.16.0-pre.2  --set kubeProxyReplacement=strict
Error: execution error at (cilium/templates/cilium-configmap.yaml:70:5): kubeProxyReplacement must be explicitly set to a valid value (true or false) to continue.

Use --debug flag to render out invalid YAML