Use Cilium's kube-proxy replacement by default

2022-02-18 15:05:17 +00:00 · 2022-02-18 15:05:17 +00:00 · d7510dcd92
commit d7510dcd92
parent a1dd0932cb
3 changed files with 70 additions and 2 deletions
--- a/charts/cluster-addons/templates/cni-cilium.yaml
+++ b/charts/cluster-addons/templates/cni-cilium.yaml
@ -2,6 +2,37 @@
 {{- include "cluster-addons.job.defaults" (list . "cni-cilium") }}
 installType: helm
 helm: {{ toYaml .Values.cni.cilium | nindent 2 }}
+{{- $kubeProxyReplacement := dig "kubeProxyReplacement" "probe" .Values.cni.cilium.release.values }}
+{{- if eq $kubeProxyReplacement "strict" }}
+{{- $hasServiceHost := hasKey .Values.cni.cilium.release.values "k8sServiceHost" }}
+{{- $hasServicePort := hasKey .Values.cni.cilium.release.values "k8sServicePort" }}
+{{- if or (and $hasServiceHost $hasServicePort) .Values.kubeconfigSecret.name }}
+{{- if not (and $hasServiceHost $hasServicePort) }}
+hooks:
+  {{/* Point Cilium at the Kubernetes server targetted by the kubeconfig file */}}
+  preInstall: |
+    SERVER="$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')"
+    SCHEME="$(echo "$SERVER" | cut -d':' -f1)"
+    ADDRESS="$(echo "$SERVER" | cut -d'/' -f3)"
+    HOST="$(echo "$ADDRESS" | cut -d':' -f1)"
+    if grep -q ":" <<< "$ADDRESS"; then
+      PORT="$(echo "$ADDRESS" | cut -d':' -f2)"
+    else
+      if [ "$SCHEME" = "http" ]; then
+        PORT=80
+      else
+        PORT=443
+      fi
+    fi
+
+    HELM_EXTRA_ARGS="--set k8sServiceHost=$HOST"
+    HELM_EXTRA_ARGS="$HELM_EXTRA_ARGS --set k8sServicePort=$PORT"
+    export HELM_EXTRA_ARGS
+{{- end }}
+{{- else }}
+{{- fail "k8sServiceHost and k8sServicePort must be specified when using a service account with kubeProxyReplacement=strict" }}
+{{- end }}
+{{- end }}
 {{- end }}

 {{-
--- a/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml
+++ b/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml
@ -1,18 +1,32 @@
 {{/*
-Produces the spec for the controlplane kubeadmconfig object, with support for KubeProxyConfiguration.
+Produces the spec for the controlplane kubeadmconfig object, with support for KubeProxyConfiguration
+and the skipPhases flag of InitConfiguration.
 */}}
 {{- define "openstack-cluster.controlplane.kubeadmConfigSpec" -}}
-{{- $kubeadmConfigSpec := omit . "kubeProxyConfiguration" "files" "preKubeadmCommands" }}
+{{- $kubeadmConfigSpec := omit . "initConfiguration" "kubeProxyConfiguration" "files" "preKubeadmCommands" }}
+{{- $initConfiguration := omit (dig "initConfiguration" dict .) "skipPhases" }}
+{{- $skipPhases := dig "initConfiguration" "skipPhases" list . }}
 {{- $kubeProxyConfiguration := dig "kubeProxyConfiguration" dict . }}
 {{- $files := dig "files" list . }}
 {{- $preKubeadmCommands := dig "preKubeadmCommands" list . }}
 {{- with $kubeadmConfigSpec }}
 {{- toYaml . }}
 {{- end }}
+{{- with $initConfiguration }}
+initConfiguration: {{ toYaml $initConfiguration | nindent 2 }}
+{{- end }}
+{{- if or $files $skipPhases $kubeProxyConfiguration }}
 files:
  {{- range $files }}
  - {{ toYaml . | nindent 4 }}
  {{- end }}
+  {{- if $skipPhases }}
+  - path: /run/kubeadm/skip-phases.yaml
+    content: |
+      skipPhases: {{ toYaml $skipPhases | nindent 8 }}
+    owner: root:root
+    permissions: "0644"
+  {{- end }}
  {{- with $kubeProxyConfiguration }}
  - path: /run/kubeadm/kube-proxy-configuration.yaml
    content: |
@ -23,14 +37,25 @@ files:
    owner: root:root
    permissions: "0644"
  {{- end }}
+{{- end }}
+{{- if or $preKubeadmCommands $skipPhases $kubeProxyConfiguration }}
 preKubeadmCommands:
  {{- range $preKubeadmCommands }}
  - {{ . }}
  {{- end }}
+  {{- if $skipPhases }}
+  - cat /run/kubeadm/skip-phases.yaml >> /run/kubeadm/kubeadm.yaml
+  {{- end }}
  {{- if $kubeProxyConfiguration }}
  - cat /run/kubeadm/kube-proxy-configuration.yaml >> /run/kubeadm/kubeadm.yaml
  {{- end }}
 {{- end }}
+{{- end }}
+
+{{- $skipPhases := dig "kubeadmConfigSpec" "initConfiguration" "skipPhases" list .Values.controlPlane }}
+{{- if and $skipPhases (semverCompare "<1.22.0" .Values.global.kubernetesVersion) }}
+{{- fail "skipPhases is only supported for Kubernetes 1.22 and higher" }}
+{{- end }}

 ---
 apiVersion: controlplane.cluster.x-k8s.io/v1beta1
--- a/charts/openstack-cluster/values.yaml
+++ b/charts/openstack-cluster/values.yaml
@ -116,6 +116,9 @@ controlPlane:
        name: '{{ local_hostname }}'
        kubeletExtraArgs:
          cloud-provider: external
+      # In the default configuration, Cilium is the CNI and we want to use the kube-proxy replacement
+      skipPhases:
+        - addon/kube-proxy
    # As well as enabling an external cloud provider, we set the bind addresses for the
    # etcd metrics, controller-manager, scheduler and kube-proxy to 0.0.0.0 so that Prometheus
    # can reach them to collect metrics
@ -246,6 +249,15 @@ addons:
  kubeconfigSecret:
    name: "{{ include \"openstack-cluster.componentName\" (list . \"kubeconfig\") }}"
    key: value
+  # Deploy Cilium with the kube-proxy replacement enabled
+  cni:
+    cilium:
+      release:
+        values:
+          kubeProxyReplacement: strict
+          bpf:
+            hostRouting: false
+            masquerade: true
  # By default, enable the OpenStack integrations
  openstack:
    enabled: true