feat: Add support for cilium 1.15 and updated cilium to v1.15.4 (#11106)

2026-02-16 18:50:08 -03:30 · 2024-04-24 04:42:11 +02:00
parent ab0ef182fb
commit eee5b5890d
8 changed files with 67 additions and 4 deletions
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -7,6 +7,9 @@ cilium_mtu: ""
 cilium_enable_ipv4: true
 cilium_enable_ipv6: false

+# Enable l2 announcement from cilium to replace Metallb Ref: https://docs.cilium.io/en/v1.14/network/l2-announcements/
+cilium_l2announcements: false
+
 # Cilium agent health port
 cilium_agent_health_port: "{%- if cilium_version | regex_replace('v') is version('1.11.6', '>=') -%}9879{%- else -%}9876{%- endif -%}"

@@ -39,6 +42,10 @@ cilium_cpu_requests: 100m

 # Overlay Network Mode
 cilium_tunnel_mode: vxlan
+
+# LoadBalancer Mode (snat/dsr/hybrid) Ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/#dsr-mode
+cilium_loadbalancer_mode: snat
+
 # Optional features
 cilium_enable_prometheus: false
 # Enable if you want to make use of hostPort mappings
--- a/roles/network_plugin/cilium/templates/cilium-operator/cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-operator/cr.yml.j2
@@ -97,6 +97,11 @@ rules:
  - ciliumloadbalancerippools/status
  - ciliumbgppeeringpolicies
  - ciliumenvoyconfigs
+{% endif %}
+{% if cilium_version | regex_replace('v') is version('1.15', '>=') %}
+  - ciliumbgppeerconfigs
+  - ciliumbgpadvertisements
+  - ciliumbgpnodeconfigs
 {% endif %}
  verbs:
  - '*'
@@ -146,6 +151,20 @@ rules:
  - ciliumlocalredirectpolicies.cilium.io
  - ciliumnetworkpolicies.cilium.io
  - ciliumnodes.cilium.io
+{% if cilium_version | regex_replace('v') is version('1.14', '>=') %}
+  - ciliumnodeconfigs.cilium.io
+  - ciliumcidrgroups.cilium.io
+  - ciliuml2announcementpolicies.cilium.io
+  - ciliumpodippools.cilium.io
+  - ciliumloadbalancerippools.cilium.io
+{% endif %}
+{% if cilium_version | regex_replace('v') is version('1.15', '>=') %}
+  - ciliumbgpclusterconfigs.cilium.io
+  - ciliumbgppeerconfigs.cilium.io
+  - ciliumbgpadvertisements.cilium.io
+  - ciliumbgpnodeconfigs.cilium.io
+  - ciliumbgpnodeconfigoverrides.cilium.io
+{% endif %}
 {% endif %}
 {% for rules in cilium_clusterrole_rules_operator_extra_vars %}
 - apiGroups:
--- a/roles/network_plugin/cilium/templates/cilium/config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/config.yml.j2
@@ -131,6 +131,12 @@ data:
  tunnel-protocol: "{{ cilium_tunnel_mode }}"
 {% endif %}

+  ## DSR setting
+  bpf-lb-mode: "{{ cilium_loadbalancer_mode }}"
+
+  # l2 
+  enable-l2-announcements: "{{ cilium_l2announcements }}"
+
  # Enable Bandwidth Manager
  # Cilium’s bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
  # Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies.
--- a/roles/network_plugin/cilium/templates/cilium/cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/cr.yml.j2
@@ -106,6 +106,15 @@ rules:
  - ciliumnodes/finalizers
  - ciliumidentities/finalizers
  - ciliumlocalredirectpolicies/finalizers
+{% endif %}
+{% if cilium_version | regex_replace('v') is version('1.14', '>=') %}
+  - ciliuml2announcementpolicies/status
+{% endif %}
+{% if cilium_version | regex_replace('v') is version('1.15', '>=') %}
+  - ciliumbgpnodeconfigs
+  - ciliumbgpnodeconfigs/status
+  - ciliumbgpadvertisements
+  - ciliumbgppeerconfigs
 {% endif %}
  verbs:
  - '*'
@@ -125,7 +134,22 @@ rules:
  - cilium.io
  resources:
  - ciliumcidrgroups
+  - ciliuml2announcementpolicies
+  - ciliumpodippools
+  - ciliuml2announcementpolicies/status
  verbs:
  - list
  - watch
+{% if cilium_version %} 
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+  - list
+  - delete
+{% endif %}
 {% endif %}