Files
kubespray/roles/network_plugin/cilium/tasks/check.yml
Kay Yan a254f5ea68 network_plugin/cilium: fail fast when Gateway API CRDs are incompatible (#13223)
Cilium < 1.20 unconditionally registers a field indexer for TLSRoute
v1alpha2 when the Gateway API controller is enabled, but Gateway API
>= 1.5.0 ships TLSRoute v1alpha2 with served=false in the standard
channel. The result is cilium-operator CrashLoopBackOff with:

  no matches for kind "TLSRoute" in version "gateway.networking.k8s.io/v1alpha2"

The fix landed in Cilium 1.20 only and will not be backported.

Add a preflight assert that triggers only when all of the following
hold: cilium_gateway_api_enabled, gateway_api_enabled, cilium_version
< 1.20.0, gateway_api_version >= 1.5.0, and gateway_api_channel ==
"standard". Users hit by this combo get a clear error and two
workarounds (pin gateway_api_version to 1.4.1, or switch
gateway_api_channel to "experimental") instead of debugging a crash
loop after the fact.

Signed-off-by: Kay Yan <kay.yan@daocloud.io>
2026-04-30 11:43:26 +05:30

YAML

---
- name: Cilium | Check Cilium encryption `cilium_ipsec_key` for ipsec
  assert:
    that:
      - "cilium_ipsec_key is defined"
    msg: "cilium_ipsec_key should be defined to enable encryption using ipsec"
  when:
    - cilium_encryption_enabled
    - cilium_encryption_type == "ipsec"
    - cilium_tunnel_mode in ['vxlan']

# TODO: Clean this task up when we drop backward compatibility support for `cilium_ipsec_enabled`
- name: Stop if `cilium_ipsec_enabled` is defined and `cilium_encryption_type` is not `ipsec`
  assert:
    that: cilium_encryption_type == 'ipsec'
    msg: >
      It is not possible to use `cilium_ipsec_enabled` when `cilium_encryption_type` is set to {{ cilium_encryption_type }}.
  when:
    - cilium_ipsec_enabled is defined
    - cilium_ipsec_enabled
    - kube_network_plugin == 'cilium' or cilium_deploy_additionally

- name: Stop if kernel version is too low for Cilium Wireguard encryption
  assert:
    that: ansible_kernel.split('-')[0] is version('5.6.0', '>=')
  when:
    - kube_network_plugin == 'cilium' or cilium_deploy_additionally
    - cilium_encryption_enabled
    - cilium_encryption_type == "wireguard"
    - not ignore_assert_errors

- name: Stop if bad Cilium identity allocation mode
  assert:
    that: cilium_identity_allocation_mode in ['crd', 'kvstore']
    msg: "cilium_identity_allocation_mode must be either 'crd' or 'kvstore'"

- name: Stop if bad Cilium Cluster ID
  assert:
    that:
      - cilium_cluster_id <= 255
      - cilium_cluster_id >= 0
    msg: "'cilium_cluster_id' must be between 0 and 255"
  when: cilium_cluster_id is defined

- name: Stop if bad encryption type
  assert:
    that: cilium_encryption_type in ['ipsec', 'wireguard']
    msg: "cilium_encryption_type must be either 'ipsec' or 'wireguard'"
  when: cilium_encryption_enabled

- name: Stop if cilium_version is < {{ cilium_min_version_required }}
  assert:
    that: cilium_version is version(cilium_min_version_required, '>=')
    msg: "cilium_version is too low. Minimum version {{ cilium_min_version_required }}"

# TODO: Clean this task up when we drop backward compatibility support for `cilium_ipsec_enabled`
- name: Set `cilium_encryption_type` to "ipsec" if `cilium_ipsec_enabled` is true
  set_fact:
    cilium_encryption_type: ipsec
    cilium_encryption_enabled: true
  when:
    - cilium_ipsec_enabled is defined
    - cilium_ipsec_enabled

- name: Stop if cilium_hubble_event_buffer_capacity is not a power of 2 minus 1 between 1 and 65535
  assert:
    that: "cilium_hubble_event_buffer_capacity in [1, 3, 7, 15, 31, 63, 127, 255, 511, 1023, 2047, 4095, 8191, 16383, 32767, 65535]"
    msg: "Error: cilium_hubble_event_buffer_capacity:{{ cilium_hubble_event_buffer_capacity }} is not a power of 2 minus 1; it must be one of those values between 1 and 65535."
  when: cilium_hubble_event_buffer_capacity is defined

# Cilium < 1.20 only supports Gateway API v1.4.1; v1.5+ standard channel drops
# TLSRoute v1alpha2 (served=false), which makes cilium-operator CrashLoopBackOff.
# Fix is in Cilium 1.20+ (cilium/cilium#45251) and will not be backported.
- name: Stop if cilium_gateway_api_enabled is incompatible with the Gateway API CRD bundle
  assert:
    that:
      - gateway_api_version is version('1.5.0', '<') or gateway_api_channel != 'standard'
    msg: |
      Cilium < 1.20 only supports Gateway API v1.4.1, see
      https://docs.cilium.io/en/stable/network/servicemesh/gateway-api/gateway-api/.
      Pin gateway_api_version: '1.4.1', or set gateway_api_channel: 'experimental'.
  when:
    - cilium_gateway_api_enabled
    - gateway_api_enabled
    - cilium_version is version('1.20.0', '<')
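The version gate of the last task, plus the cluster-side condition the commit message describes (TLSRoute v1alpha2 present but not served), as an added Python example; this is not kubespray's or Cilium's code. The function names are chosen here, the CRD object is a constructed sample, and listing `v1` as the served version is an assumption.

```python
import re


def parse_version(v):
    """Return (major, minor, patch) from strings such as '1.19.2' or 'v1.5.0'.
    Assumption: a pre-release suffix ('1.20.0-rc.1') is ignored, so it sorts
    like its final release; Ansible's `version` filter may order it differently."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())


def gateway_api_incompatible(cilium_version, gateway_api_version, gateway_api_channel,
                             cilium_gateway_api_enabled=True, gateway_api_enabled=True):
    """True for exactly the combination the preflight task rejects: both features
    enabled, Cilium < 1.20.0, Gateway API >= 1.5.0 from the 'standard' channel."""
    if not (cilium_gateway_api_enabled and gateway_api_enabled):
        return False
    return (parse_version(cilium_version) < (1, 20, 0)
            and parse_version(gateway_api_version) >= (1, 5, 0)
            and gateway_api_channel == "standard")


def served_versions(crd):
    """Names of the versions a CRD actually serves (spec.versions[].served)."""
    return {v["name"] for v in crd.get("spec", {}).get("versions", []) if v.get("served", False)}


def tlsroute_v1alpha2_served(crd):
    """Cluster-side view of the same problem: cilium-operator < 1.20 registers an
    indexer for TLSRoute v1alpha2, which only resolves when that version is served."""
    return (crd.get("metadata", {}).get("name") == "tlsroutes.gateway.networking.k8s.io"
            and "v1alpha2" in served_versions(crd))


# Constructed sample shaped like `kubectl get crd tlsroutes.gateway.networking.k8s.io -o json`
# for a Gateway API >= 1.5 standard-channel install as the commit message describes it:
# v1alpha2 is present with served=false; v1 as the served version is an assumption.
SAMPLE_TLSROUTE_CRD = {
    "apiVersion": "apiextensions.k8s.io/v1",
    "kind": "CustomResourceDefinition",
    "metadata": {"name": "tlsroutes.gateway.networking.k8s.io"},
    "spec": {
        "group": "gateway.networking.k8s.io",
        "names": {"kind": "TLSRoute", "plural": "tlsroutes"},
        "versions": [
            {"name": "v1", "served": True, "storage": True},
            {"name": "v1alpha2", "served": False, "storage": False},
        ],
    },
}

if __name__ == "__main__":
    print(gateway_api_incompatible("1.19.3", "1.5.0", "standard"))  # True
    print(tlsroute_v1alpha2_served(SAMPLE_TLSROUTE_CRD))            # False
```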