feat: upgrade cilium and add default variables (#9065)

Signed-off-by: eminaktas <eminaktas34@gmail.com> Signed-off-by: Emin Aktas <emin.aktas@trendyol.com>
2026-05-20 07:17:45 -02:30 · 2022-07-07 20:35:34 +03:00
parent 6d543b830a
commit 5071529a74
7 changed files with 332 additions and 36 deletions
--- a/roles/network_plugin/cilium/templates/cilium/config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/config.yml.j2
@@ -232,6 +232,33 @@ data:
  ipam: "{{ cilium_ipam_mode }}"
 {% endif %}

+  agent-health-port: "{{ cilium_agent_health_port }}"
+
+{% if cilium_version | regex_replace('v') is version('1.11', '>=') and cilium_cgroup_host_root != '' %}
+  cgroup-root: "{{ cilium_cgroup_host_root }}"
+{% endif %}
+
+  bpf-map-dynamic-size-ratio: "{{ cilium_bpf_map_dynamic_size_ratio }}"
+
+{% if cilium_version | regex_replace('v') is version('1.10', '>=') %}
+  enable-ipv4-masquerade: "{{ cilium_enable_ipv4_masquerade }}"
+  enable-ipv6-masquerade: "{{ cilium_enable_ipv6_masquerade }}"
+{% endif %}
+
+  enable-bpf-masquerade: "{{ cilium_enable_bpf_masquerade }}"
+
+  enable-host-legacy-routing: "{{ cilium_enable_host_legacy_routing }}"
+
+  enable-remote-node-identity: "{{ cilium_enable_remote_node_identity }}"
+
+  enable-well-known-identities: "{{ cilium_enable_well_known_identities }}"
+
+  monitor-aggregation-flags: "{{ cilium_monitor_aggregation_flags }}"
+
+  enable-bpf-clock-probe: "{{ cilium_enable_bpf_clock_probe }}"
+
+  disable-cnp-status-updates: "{{ cilium_disable_cnp_status_updates }}"
+
 {% if cilium_ip_masq_agent_enable %}
 ---
 apiVersion: v1
--- a/roles/network_plugin/cilium/templates/cilium/ds.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/ds.yml.j2
@@ -96,11 +96,7 @@ spec:
          httpGet:
            host: '127.0.0.1'
            path: /healthz
-{% if cilium_version | regex_replace('v') is version('1.11.6', '>=') %}
-            port: 9879
-{% else %}
-            port: 9876
-{% endif %}
+            port: {{ cilium_agent_health_port }}
            scheme: HTTP
            httpHeaders:
            - name: "brief"
@@ -112,11 +108,7 @@ spec:
          httpGet:
            host: '127.0.0.1'
            path: /healthz
-{% if cilium_version | regex_replace('v') is version('1.11.6', '>=') %}
-            port: 9879
-{% else %}
-            port: 9876
-{% endif %}
+            port: {{ cilium_agent_health_port }}
            scheme: HTTP
            httpHeaders:
            - name: "brief"
@@ -129,11 +121,7 @@ spec:
          httpGet:
            host: 127.0.0.1
            path: /healthz
-{% if cilium_version | regex_replace('v') is version('1.11.6', '>=') %}
-            port: 9879
-{% else %}
-            port: 9876
-{% endif %}
+            port: {{ cilium_agent_health_port }}
            scheme: HTTP
            httpHeaders:
            - name: "brief"
@@ -228,6 +216,35 @@ spec:
 {% endif %}
      hostNetwork: true
      initContainers:
+{% if cilium_version | regex_replace('v') is version('1.11', '>=') and cilium_cgroup_auto_mount %}
+      - name: mount-cgroup
+        image: "{{cilium_image_repo}}:{{cilium_image_tag}}"
+        imagePullPolicy: {{ k8s_image_pull_policy }}
+        env:
+        - name: CGROUP_ROOT
+          value: {{ cilium_cgroup_host_root }}
+        - name: BIN_PATH
+          value: /opt/cni/bin
+        command:
+        - sh
+        - -ec
+        # The statically linked Go program binary is invoked to avoid any
+        # dependency on utilities like sh and mount that can be missing on certain
+        # distros installed on the underlying host. Copy the binary to the
+        # same directory where we install cilium cni plugin so that exec permissions
+        # are available.
+        - |
+          cp /usr/bin/cilium-mount /hostbin/cilium-mount;
+          nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT;
+          rm /hostbin/cilium-mount
+        volumeMounts:
+        - name: hostproc
+          mountPath: /hostproc
+        - name: cni-path
+          mountPath: /hostbin
+        securityContext:
+          privileged: true
+{% endif %}
      - command:
        - /init-container.sh
        env:
@@ -276,7 +293,7 @@ spec:
 {% if cilium_version | regex_replace('v') is version('1.11', '>=') %}
          # Required to mount cgroup filesystem from the host to cilium agent pod
        - name: cilium-cgroup
-          mountPath: /run/cilium/cgroupv2
+          mountPath: {{ cilium_cgroup_host_root }}
          mountPropagation: HostToContainer
 {% endif %}
        - mountPath: /var/run/cilium
@@ -334,7 +351,7 @@ spec:
      # To keep state between restarts / upgrades for cgroup2 filesystem
      - name: cilium-cgroup
        hostPath:
-          path: /run/cilium/cgroupv2
+          path: {{ cilium_cgroup_host_root }}
          type: DirectoryOrCreate
 {% endif %}
        # To install cilium cni plugin in the host