Restructure helm chart into components

.github/workflows/conformance-k8s-network-policies.yaml

@@ -27,8 +27,8 @@ jobs:
              -I '^[ ]\{2\}name: cilium.*' \
              -I '^Keep file in synced with.*' \
              -I '{{- if.*' \
-             cilium-agent-clusterrole.yaml \
-             cilium-preflight-clusterrole.yaml
+             cilium-agent/clusterrole.yaml \
+             cilium-preflight/clusterrole.yaml
 
   cyclonus-test:
     runs-on: ubuntu-latest

.github/workflows/tests-smoke.yaml

@@ -53,8 +53,8 @@ jobs:
              -I '^[ ]\{2\}name: cilium.*' \
              -I '^Keep file in synced with.*' \
              -I '{{- if.*' \
-             cilium-agent-clusterrole.yaml \
-             cilium-preflight-clusterrole.yaml
+             cilium-agent/clusterrole.yaml \
+             cilium-preflight/clusterrole.yaml
 
   lint:
     runs-on: ubuntu-latest

install/kubernetes/cilium/files/nodeinit/prestop.bash

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+if stat /tmp/node-deinit.cilium.io > /dev/null 2>&1; then
+  exit 0
+fi
+
+echo "Waiting on pods to stop..."
+if [ ! -f /etc/crictl.yaml ] || grep -q 'docker' /etc/crictl.yaml; then
+  # Works for COS, ubuntu
+  while docker ps | grep -v "node-init" | grep -q "POD_cilium"; do sleep 1; done
+else
+  # COS-beta (with containerd). Some versions of COS have crictl in /home/kubernetes/bin.
+  while PATH="${PATH}:/home/kubernetes/bin" crictl ps | grep -v "node-init" | grep -q "POD_cilium"; do sleep 1; done
+fi
+
+systemctl disable sys-fs-bpf.mount || true
+systemctl stop sys-fs-bpf.mount || true
+
+if ip link show cilium_host; then
+  echo "Deleting cilium_host interface..."
+  ip link del cilium_host
+fi
+
+{{- if not (eq .Values.nodeinit.bootstrapFile "") }}
+rm -f {{ .Values.nodeinit.bootstrapFile }}
+{{- end }}
+
+rm -f /tmp/node-init.cilium.io
+touch /tmp/node-deinit.cilium.io
+
+{{- if .Values.nodeinit.reconfigureKubelet }}
+echo "Changing kubelet configuration to --network-plugin=kubenet"
+sed -i "s:--network-plugin=cni\ --cni-bin-dir={{ .Values.cni.binPath }}:--network-plugin=kubenet:g" /etc/default/kubelet
+echo "Restarting kubelet..."
+systemctl restart kubelet
+{{- end }}
+
+{{- if (and .Values.gke.enabled (or .Values.masquerade .Values.gke.disableDefaultSnat))}}
+# If the IP-MASQ chain exists, add back default jump rule from the GKE instance configure script
+if iptables -w -t nat -L IP-MASQ > /dev/null; then
+  iptables -w -t nat -A POSTROUTING -m comment --comment "ip-masq: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ
+fi
+{{- end }}
+
+echo "Node de-initialization complete"

install/kubernetes/cilium/files/nodeinit/startup.bash

@@ -0,0 +1,129 @@
+#!/bin/bash
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+mount | grep "/sys/fs/bpf type bpf" || {
+  # Mount the filesystem until next reboot
+  echo "Mounting BPF filesystem..."
+  mount bpffs /sys/fs/bpf -t bpf
+
+  # Configure systemd to mount after next boot
+  echo "Installing BPF filesystem mount"
+  cat >/tmp/sys-fs-bpf.mount <<EOF
+[Unit]
+Description=Mount BPF filesystem (Cilium)
+Documentation=http://docs.cilium.io/
+DefaultDependencies=no
+Before=local-fs.target umount.target
+After=swap.target
+
+[Mount]
+What=bpffs
+Where=/sys/fs/bpf
+Type=bpf
+Options=rw,nosuid,nodev,noexec,relatime,mode=700
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+  if [ -d "/etc/systemd/system/" ]; then
+    mv /tmp/sys-fs-bpf.mount /etc/systemd/system/
+    echo "Installed sys-fs-bpf.mount to /etc/systemd/system/"
+  elif [ -d "/lib/systemd/system/" ]; then
+    mv /tmp/sys-fs-bpf.mount /lib/systemd/system/
+    echo "Installed sys-fs-bpf.mount to /lib/systemd/system/"
+  fi
+
+  # Ensure that filesystem gets mounted on next reboot
+  systemctl enable sys-fs-bpf.mount
+  systemctl start sys-fs-bpf.mount
+}
+
+echo "Link information:"
+ip link
+
+echo "Routing table:"
+ip route
+
+echo "Addressing:"
+ip -4 a
+ip -6 a
+
+{{- if .Values.nodeinit.removeCbrBridge }}
+if ip link show cbr0; then
+  echo "Detected cbr0 bridge. Deleting interface..."
+  ip link del cbr0
+fi
+{{- end }}
+
+{{- if .Values.nodeinit.reconfigureKubelet }}
+# GKE: Alter the kubelet configuration to run in CNI mode
+echo "Changing kubelet configuration to --network-plugin=cni --cni-bin-dir={{ .Values.cni.binPath }}"
+mkdir -p {{ .Values.cni.binPath }}
+sed -i "s:--network-plugin=kubenet:--network-plugin=cni\ --cni-bin-dir={{ .Values.cni.binPath }}:g" /etc/default/kubelet
+echo "Restarting kubelet..."
+systemctl restart kubelet
+{{- end }}
+
+{{- if (and .Values.gke.enabled (or .Values.masquerade .Values.gke.disableDefaultSnat))}}
+# If Cilium is configured to manage masquerading of traffic leaving the node,
+# we need to disable the IP-MASQ chain because even if ip-masq-agent
+# is not installed, the node init script installs some default rules into
+# the IP-MASQ chain.
+# If we remove the jump to that ip-masq chain, then we ensure the ip masquerade
+# configuration is solely managed by Cilium.
+# Also, if Cilium is installed, it may be expected that it would be solely responsible
+# for the networking configuration on that node. So provide the same functionality
+# as the --disable-snat-flag for existing GKE clusters.
+iptables -w -t nat -D POSTROUTING -m comment --comment "ip-masq: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ || true
+{{- end }}
+
+{{- if not (eq .Values.nodeinit.bootstrapFile "") }}
+date > {{ .Values.nodeinit.bootstrapFile }}
+{{- end }}
+
+# AKS: If azure-vnet is installed on the node, and (still) configured in bridge mode,
+# configure it as 'transparent' to be consistent with Cilium's CNI chaining config.
+# If the azure-vnet CNI config is not removed, kubelet will execute CNI CHECK commands
+# against it every 5 seconds and write 'bridge' to its state file, causing inconsistent
+# behaviour when Pods are removed.
+if [ -f /etc/cni/net.d/10-azure.conflist ]; then
+  echo "Ensuring azure-vnet is configured in 'transparent' mode..."
+  sed -i 's/"mode":\s*"bridge"/"mode":"transparent"/g' /etc/cni/net.d/10-azure.conflist
+fi
+
+{{- if .Values.azure.enabled }}
+# The azure0 interface being present means the node was booted with azure-vnet configured
+# in bridge mode. This means there might be ebtables rules and neight entries interfering
+# with pod connectivity if we deploy with Azure IPAM.
+if ip l show dev azure0 >/dev/null 2>&1; then
+
+  # In Azure IPAM mode, also remove the azure-vnet state file, otherwise ebtables rules get
+  # restored by the azure-vnet CNI plugin on every CNI CHECK, which can cause connectivity
+  # issues in Cilium-managed Pods. Since azure-vnet is no longer called on scheduling events,
+  # this file can be removed.
+  rm -f /var/run/azure-vnet.json
+
+  # This breaks connectivity for existing workload Pods when Cilium is scheduled, but we need
+  # to flush these to prevent Cilium-managed Pod IPs conflicting with Pod IPs previously allocated
+  # by azure-vnet. These ebtables DNAT rules contain fixed MACs that are no longer bound on the node,
+  # causing packets for these Pods to be redirected back out to the gateway, where they are dropped.
+  echo 'Flushing ebtables pre/postrouting rules in nat table.. (disconnecting non-Cilium Pods!)'
+  ebtables -t nat -F PREROUTING || true
+  ebtables -t nat -F POSTROUTING || true
+
+  # ip-masq-agent periodically injects PERM neigh entries towards the gateway
+  # for all other k8s nodes in the cluster. These are safe to flush, as ARP can
+  # resolve these nodes as usual. PERM entries will be automatically restored later.
+  echo 'Deleting all permanent neighbour entries on azure0...'
+  ip neigh show dev azure0 nud permanent | cut -d' ' -f1 | xargs -r -n1 ip neigh del dev azure0 to || true
+fi
+{{- end }}
+
+{{- if .Values.nodeinit.revertReconfigureKubelet }}
+rm -f /tmp/node-deinit.cilium.io
+{{- end }}
+echo "Node initialization complete"