From db4a625e695e16ab554f555bfc0a1bb17042e6a6 Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Tue, 11 Nov 2025 11:20:34 +0100
Subject: [PATCH] Add note about experimental nature of BGP namespace egress IPs
---
 .../espejote-templates/egress-gateway.libsonnet | 1 +
 docs/modules/ROOT/pages/references/parameters.adoc | 12 +++++++++++-
 .../cilium/20_namespace_egress_ip_policies.yaml | 1 +
 .../cilium/cilium/40_egress_ip_managed_resource.yaml | 1 +
 4 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/component/espejote-templates/egress-gateway.libsonnet b/component/espejote-templates/egress-gateway.libsonnet
index 897c66bf..ff3f0196 100644
--- a/component/espejote-templates/egress-gateway.libsonnet
+++ b/component/espejote-templates/egress-gateway.libsonnet
@@ -113,6 +113,7 @@ local NamespaceEgressPolicy =
 egress_range,
 namespace,
 ],
+ [if bgp_egress_ip then 'cilium.syn.tools/experimental-policy']: 'true',
 'cilium.syn.tools/egress-ip': egress_ip,
 'cilium.syn.tools/interface-prefix': interface_prefix,
 'cilium.syn.tools/egress-range': egress_range,
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
index 1e925e58..cc1fcc63 100644
--- a/docs/modules/ROOT/pages/references/parameters.adoc
+++ b/docs/modules/ROOT/pages/references/parameters.adoc
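Review bot: The conditional key `[if bgp_egress_ip then 'cilium.syn.tools/experimental-policy']: 'true'` in the `NamespaceEgressPolicy` hunk of egress-gateway.libsonnet has no comment, and the marker it sets is an annotation only (the documentation hunk in this commit also calls it an annotation). The idiom relies on Jsonnet omitting a field whose computed name evaluates to `null`, which is easy to misread; I would add `// Mark BGP egress IP policies as experimental; the key is null, and the field omitted, when bgp_egress_ip is false.` above it. Annotations cannot be matched by label selectors, so anyone who wants to inventory or alert on experimental egress policies has to list and filter every policy; since egress IPs are commonly what upstream firewalls allowlist, mirroring the marker into `metadata.labels` may be worth considering. `bgp_egress_ip` and the rest of `NamespaceEgressPolicy` are defined outside the hunk, so what enables this branch cannot be confirmed from here.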
@@ -408,12 +408,22 @@ When this field is omitted or empty, the component generates egress policies wit
 Such policies assign the egress IP to all traffic originating in the namespace.
 ====
 
+[IMPORTANT]
+====
+Support for configuring BGP egress IPs through `egress_ip_ranges` is currently experimental.
+
+Policies which configure BGP egress IPs have an additional annotation `cilium.syn.tools/experimental-policy=true`.
+====
+
 [NOTE]
 ====
 Field `bgp_policy_labels` is optional.
+The component's support for configuring BGP egress IPs through `egress_ip_ranges` is currently experimental.
 When the field is provided, and not an empty object, the component adds the contents as entries in `metadata.labels` of the resulting policies.
-In this case, the component also configures the egress policies directly with the egress IP and `maxGatewayNodes: 1` in the `spec.egressGroups` entry.
+In this case, the component configures the egress policies with https://docs.isovalent.com/v1.16/configuration-guide/networking/egress-gateway/introduction.html#requirements-for-egress-ip-and-ipam-feature[Cilium's Egress Gateawy IPAM] and `maxGatewayNodes: 1` in the `spec.egressGroups` entry.
+
+Please note that policies which use EGW IPAM will ignore static routes on the active gateway node (as of Cilium 1.16.16 and Cilium 1.17.9).
 If the field is omitted or empty, the component configures the egress group with the interface name and doesn't set `maxGatewayNodes`.
 ====
 
diff --git a/tests/golden/egress-gateway/cilium/cilium/20_namespace_egress_ip_policies.yaml b/tests/golden/egress-gateway/cilium/cilium/20_namespace_egress_ip_policies.yaml
index 134fa11a..f9d49038 100644
--- a/tests/golden/egress-gateway/cilium/cilium/20_namespace_egress_ip_policies.yaml
+++ b/tests/golden/egress-gateway/cilium/cilium/20_namespace_egress_ip_policies.yaml
@@ -94,6 +94,7 @@ metadata:
 in egress range "egress_f" (192.0.2.160 - 192.0.2.190) to namespace qux.
 cilium.syn.tools/egress-ip: 192.0.2.160
 cilium.syn.tools/egress-range: 192.0.2.160 - 192.0.2.190
+ cilium.syn.tools/experimental-policy: 'true'
 cilium.syn.tools/interface-prefix: egress_f
 cilium.syn.tools/source-namespace: qux
 labels:
diff --git a/tests/golden/egress-gateway/cilium/cilium/40_egress_ip_managed_resource.yaml b/tests/golden/egress-gateway/cilium/cilium/40_egress_ip_managed_resource.yaml
index 5c2190df..d7e4b2f5 100644
--- a/tests/golden/egress-gateway/cilium/cilium/40_egress_ip_managed_resource.yaml
+++ b/tests/golden/egress-gateway/cilium/cilium/40_egress_ip_managed_resource.yaml
@@ -264,6 +264,7 @@ spec:
 egress_range,
 namespace,
 ],
+ [if bgp_egress_ip then 'cilium.syn.tools/experimental-policy']: 'true',
 'cilium.syn.tools/egress-ip': egress_ip,
 'cilium.syn.tools/interface-prefix': interface_prefix,
 'cilium.syn.tools/egress-range': egress_range,