v1.13 Backports 2023-08-03

Documentation/Makefile

@@ -89,13 +89,14 @@ M2R := $(DOCKER_CTR) $(HELM_TOOLBOX_IMAGE) python3 /usr/bin/m2r2
 .PHONY: update-helm-values FORCE
 $(HELM_VALUES): TMP_FILE_1 := helm-values.tmp
 $(HELM_VALUES): TMP_FILE_2 := helm-values.awk
+$(HELM_VALUES): TMP_FILE_3 := helm-values.sed
 $(HELM_VALUES): FORCE
 	$(QUIET)$(HELM_DOCS) -d -c $(HELM_DOCS_CHARTS_DIR) -t $(HELM_DOCS_OUTPUT_DIR)/$(TMP_FILE_1).tmpl > $(TMP_FILE_1)
 	$(QUIET)awk -F'|' '{print "|"$$2"|"$$5"|"$$3"|"$$4"|"}' $(TMP_FILE_1) > $(TMP_FILE_2)
 	$(QUIET)$(M2R) --overwrite $(TMP_FILE_2)
-	$(QUIET)sed -i 's/^\(   \* - \)\([[:print:]]\+\)$$/\1:spelling:ignore:`\2`/' $@
-	$(QUIET)printf '..\n  %s\n\n%s\n' "AUTO-GENERATED. Please DO NOT edit manually." "$$(cat $@)" > $@
-	$(QUIET)$(RM) -- $(TMP_FILE_1) $(TMP_FILE_2)
+	$(QUIET)$(SED) 's/^\(   \* - \)\([[:print:]]\+\)$$/\1:spelling:ignore:`\2`/' $@ > $(TMP_FILE_3)
+	$(QUIET)printf '..\n  %s\n\n%s\n' "AUTO-GENERATED. Please DO NOT edit manually." "$$(cat $(TMP_FILE_3))" > $@
+	$(QUIET)$(RM) -- $(TMP_FILE_1) $(TMP_FILE_2) $(TMP_FILE_3)
 
 epub latex html: builder-image update-helm-values ## Check documentation and render it under the specified format.
 	@$(ECHO_GEN)_build/$@

Documentation/network/clustermesh/clustermesh.rst

@@ -48,12 +48,12 @@ Additional Requirements for Native-routed Datapath Modes
 * Cilium in each cluster must be configured with a native routing CIDR that
   covers all the PodCIDR ranges across all connected clusters. Cluster CIDRs are
   typically allocated from the ``10.0.0.0/8`` private address space. When this
-  is a case a native routing CIDR such as ``10.0.0.0/9`` should cover all
+  is the case a native routing CIDR such as ``10.0.0.0/8`` should cover all
   clusters:
 
- * ConfigMap option ``ipv4-native-routing-cidr=10.0.0.0/9``
- * Helm option ``--set ipv4NativeRoutingCIDR=10.0.0.0/9``
- * ``cilium install`` option ``--ipv4-native-routing-cidr=10.0.0.0/9``
+ * ConfigMap option ``ipv4-native-routing-cidr=10.0.0.0/8``
+ * Helm option ``--set ipv4NativeRoutingCIDR=10.0.0.0/8``
+ * ``cilium install`` option ``--ipv4-native-routing-cidr=10.0.0.0/8``
 
 * In addition to nodes, pods in all clusters must have IP connectivity between each other. This
   requirement is typically met by establishing peering or VPN tunnels between

Documentation/network/concepts/ipam/cluster-pool.rst

@@ -45,6 +45,16 @@ Configuration
 For a practical tutorial on how to enable this mode in Cilium, see
 :ref:`gsg_ipam_crd_cluster_pool`.
 
+Expanding the cluster pool
+==========================
+
+Don't change any existing elements of the ``clusterPoolIPv4PodCIDRList`` list, as
+changes cause unexpected behavior. If the pool is exhausted,
+add a new element to the list instead. The minimum mask length is ``/30``, with a recommended minimum mask 
+length of at least ``/29``. The reason to add new elements rather than change existing elements is that
+the allocator reserves 2 IPs per CIDR block for the network and broadcast addresses.
+Changing ``clusterPoolIPv4MaskSize`` is also not possible. 
+
 ***************
 Troubleshooting
 ***************

Documentation/network/concepts/ipam/index.rst

@@ -14,6 +14,11 @@ IP Address Management (IPAM) is responsible for the allocation and management
 of IP addresses used by network endpoints (container and others) managed by
 Cilium. Various IPAM modes are supported to meet the needs of different users:
 
+Don't change the IPAM mode of an existing cluster. Changing the IPAM mode in
+a live environment may cause persistent disruption of connectivity for existing workloads.
+The safest path to change IPAM mode is to install a fresh Kubernetes cluster with the new IPAM configuration.
+If you are interested in extending Cilium to support migration between IPAM modes, see :gh-issue:`27164`.
+
 .. toctree::
    :maxdepth: 1
    :glob:

Makefile.defs

@@ -32,7 +32,7 @@ CONTAINER_ENGINE?=docker
 DOCKER_FLAGS?=
 DOCKER_BUILD_FLAGS?=
 
-# use gsed if avaiable, otherwise use sed.
+# use gsed if available, otherwise use sed.
 # gsed is needed for MacOS to make in-place replacement work correctly.
 SED ?= $(if $(shell command -v gsed), gsed, sed)
 

pkg/option/config.go

@@ -3591,6 +3591,15 @@ func (c *DaemonConfig) checkIPAMDelegatedPlugin() error {
 		if c.EnableEndpointHealthChecking {
 			return fmt.Errorf("--%s must be disabled with --%s=%s", EnableEndpointHealthChecking, IPAM, ipamOption.IPAMDelegatedPlugin)
 		}
+		// Ingress controller and envoy config require cilium-agent to create an IP address
+		// specifically for differentiating ingress and envoy traffic, which is not possible
+		// with delegated IPAM.
+		if c.EnableIngressController {
+			return fmt.Errorf("--%s must be disabled with --%s=%s", EnableIngressController, IPAM, ipamOption.IPAMDelegatedPlugin)
+		}
+		if c.EnableEnvoyConfig {
+			return fmt.Errorf("--%s must be disabled with --%s=%s", EnableEnvoyConfig, IPAM, ipamOption.IPAMDelegatedPlugin)
+		}
 	}
 	return nil
 }

pkg/option/config_test.go

@@ -669,6 +669,22 @@ func TestCheckIPAMDelegatedPlugin(t *testing.T) {
 			},
 			expectErr: fmt.Errorf("--local-router-ipv6 must be provided when IPv6 is enabled with --ipam=delegated-plugin"),
 		},
+		{
+			name: "IPAMDelegatedPlugin with ingress controller enabled",
+			d: &DaemonConfig{
+				IPAM:                    ipamOption.IPAMDelegatedPlugin,
+				EnableIngressController: true,
+			},
+			expectErr: fmt.Errorf("--enable-ingress-controller must be disabled with --ipam=delegated-plugin"),
+		},
+		{
+			name: "IPAMDelegatedPlugin with envoy config enabled",
+			d: &DaemonConfig{
+				IPAM:              ipamOption.IPAMDelegatedPlugin,
+				EnableEnvoyConfig: true,
+			},
+			expectErr: fmt.Errorf("--enable-envoy-config must be disabled with --ipam=delegated-plugin"),
+		},
 	}
 
 	for _, tt := range tests {