From eee5b5890df11d579f2c5ec716666732e5db1221 Mon Sep 17 00:00:00 2001
From: Devesh Kumar <vrshu112@gmail.com>
Date: Wed, 24 Apr 2024 04:42:11 +0200
Subject: [PATCH] feat: Add support for cilium 1.15 and updated cilium to
 v1.15.4 (#11106)

---
 README.md                                     |  2 +-
 docs/cilium.md                                |  2 +-
 .../group_vars/k8s_cluster/k8s-net-cilium.yml |  9 ++++++-
 .../defaults/main/download.yml                |  2 +-
 roles/network_plugin/cilium/defaults/main.yml |  7 ++++++
 .../templates/cilium-operator/cr.yml.j2       | 19 +++++++++++++++
 .../cilium/templates/cilium/config.yml.j2     |  6 +++++
 .../cilium/templates/cilium/cr.yml.j2         | 24 +++++++++++++++++++
 8 files changed, 67 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 09e6319d4..3dce314c4 100644
--- a/README.md
+++ b/README.md
@@ -168,7 +168,7 @@ Note: Upstart/SysV init based OS types are not supported.
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) v1.2.0
   - [calico](https://github.com/projectcalico/calico) v3.27.2
-  - [cilium](https://github.com/cilium/cilium) v1.13.4
+  - [cilium](https://github.com/cilium/cilium) v1.15.4
   - [flannel](https://github.com/flannel-io/flannel) v0.22.0
   - [kube-ovn](https://github.com/alauda/kube-ovn) v1.11.5
   - [kube-router](https://github.com/cloudnativelabs/kube-router) v2.0.0
diff --git a/docs/cilium.md b/docs/cilium.md
index a773dbc90..afc808c64 100644
--- a/docs/cilium.md
+++ b/docs/cilium.md
@@ -99,7 +99,7 @@ cilium_operator_extra_volume_mounts:
 ## Choose Cilium version
 
 ```yml
-cilium_version: v1.12.1
+cilium_version: v1.15.4
 ```
 
 ## Add variable to config
diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
index b3190a2f1..db827437e 100644
--- a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
@@ -1,5 +1,5 @@
 ---
-# cilium_version: "v1.12.1"
+# cilium_version: "v1.15.4"
 
 # Log-level
 # cilium_debug: false
@@ -8,6 +8,9 @@
 # cilium_enable_ipv4: true
 # cilium_enable_ipv6: false
 
+# Enable l2 announcement from cilium to replace Metallb Ref: https://docs.cilium.io/en/v1.14/network/l2-announcements/
+cilium_l2announcements: false
+
 # Cilium agent health port
 # cilium_agent_health_port: "9879"
 
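Review bot: `cilium_l2announcements: false` on the added line is the only active (uncommented) setting in this sample inventory file, while every neighbouring variable — including the `cilium_loadbalancer_mode` added in the next hunk — is given as a commented-out default; suggest `# cilium_l2announcements: false` so the sample does not silently pin a value over the role default for anyone who copies it. The doc reference in the comment points at the v1.14 page although the patch targets v1.15.4; pointing it at `stable`, as the loadbalancer-mode comment in the next hunk does, keeps the two consistent.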
@@ -40,6 +43,10 @@
 
 # Overlay Network Mode
 # cilium_tunnel_mode: vxlan
+
+# LoadBalancer Mode (snat/dsr/hybrid) Ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/#dsr-mode
+# cilium_loadbalancer_mode: snat
+
 # Optional features
 # cilium_enable_prometheus: false
 # Enable if you want to make use of hostPort mappings
diff --git a/roles/kubespray-defaults/defaults/main/download.yml b/roles/kubespray-defaults/defaults/main/download.yml
index a464993be..31b4ec944 100644
--- a/roles/kubespray-defaults/defaults/main/download.yml
+++ b/roles/kubespray-defaults/defaults/main/download.yml
@@ -116,7 +116,7 @@ flannel_cni_version: "v1.1.2"
 cni_version: "v1.3.0"
 weave_version: 2.8.1
 
-cilium_version: "v1.13.4"
+cilium_version: "v1.15.4"
 cilium_cli_version: "v0.16.0"
 cilium_enable_hubble: false
 
diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml
index f4c70e479..2f4830a8e 100644
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -7,6 +7,9 @@ cilium_mtu: ""
 cilium_enable_ipv4: true
 cilium_enable_ipv6: false
 
+# Enable l2 announcement from cilium to replace Metallb Ref: https://docs.cilium.io/en/v1.14/network/l2-announcements/
+cilium_l2announcements: false
+
 # Cilium agent health port
 cilium_agent_health_port: "{%- if cilium_version | regex_replace('v') is version('1.11.6', '>=') -%}9879{%- else -%}9876{%- endif -%}"
 
@@ -39,6 +42,10 @@ cilium_cpu_requests: 100m
 
 # Overlay Network Mode
 cilium_tunnel_mode: vxlan
+
+# LoadBalancer Mode (snat/dsr/hybrid) Ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/#dsr-mode
+cilium_loadbalancer_mode: snat
+
 # Optional features
 cilium_enable_prometheus: false
 # Enable if you want to make use of hostPort mappings
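Review bot: `cilium_loadbalancer_mode: snat` is rendered straight into the agent ConfigMap (config.yml.j2 in this patch) with nothing checking that the value is one of the three modes the comment names, so a typo such as `dst` only surfaces when the agent fails to start; a preflight check in the role's tasks (not part of this patch), e.g. `assert: { that: cilium_loadbalancer_mode in ['snat', 'dsr', 'hybrid'] }`, would catch it at deploy time. The linked page is the kube-proxy-free documentation, so the comment should say that `dsr`/`hybrid` only take effect when kube-proxy replacement is enabled; without it `snat` is the only meaningful value. The `cilium_l2announcements` comment in the first hunk of this file has the same gap: the linked page lists prerequisites (kube-proxy replacement among them) that are worth one sentence next to the variable.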
diff --git a/roles/network_plugin/cilium/templates/cilium-operator/cr.yml.j2 b/roles/network_plugin/cilium/templates/cilium-operator/cr.yml.j2
index 642a66702..5bcc44dec 100644
--- a/roles/network_plugin/cilium/templates/cilium-operator/cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-operator/cr.yml.j2
@@ -97,6 +97,11 @@ rules:
   - ciliumloadbalancerippools/status
   - ciliumbgppeeringpolicies
   - ciliumenvoyconfigs
+{% endif %}
+{% if cilium_version | regex_replace('v') is version('1.15', '>=') %}
+  - ciliumbgppeerconfigs
+  - ciliumbgpadvertisements
+  - ciliumbgpnodeconfigs
 {% endif %}
   verbs:
   - '*'
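Review bot: The 1.15 block added here grants the operator `'*'` on `ciliumbgppeerconfigs`, `ciliumbgpadvertisements` and `ciliumbgpnodeconfigs`, but the matching CRD rule in the second hunk of this file also covers `ciliumbgpclusterconfigs` and `ciliumbgpnodeconfigoverrides`, which are absent from this resource list. If the operator's BGP control plane in 1.15 reads cluster configs and node-config overrides to produce node configs (likely, but not verifiable from the hunk), it will be RBAC-denied on those two; if it does not, the CRD entries are broader than needed. Either way the two lists should be reconciled so that the resource rule and the CRD rule name the same set. The `{% endif %}` on the first added line closes a block that opens outside this hunk.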
@@ -146,6 +151,20 @@ rules:
   - ciliumlocalredirectpolicies.cilium.io
   - ciliumnetworkpolicies.cilium.io
   - ciliumnodes.cilium.io
+{% if cilium_version | regex_replace('v') is version('1.14', '>=') %}
+  - ciliumnodeconfigs.cilium.io
+  - ciliumcidrgroups.cilium.io
+  - ciliuml2announcementpolicies.cilium.io
+  - ciliumpodippools.cilium.io
+  - ciliumloadbalancerippools.cilium.io
+{% endif %}
+{% if cilium_version | regex_replace('v') is version('1.15', '>=') %}
+  - ciliumbgpclusterconfigs.cilium.io
+  - ciliumbgppeerconfigs.cilium.io
+  - ciliumbgpadvertisements.cilium.io
+  - ciliumbgpnodeconfigs.cilium.io
+  - ciliumbgpnodeconfigoverrides.cilium.io
+{% endif %}
 {% endif %}
 {% for rules in cilium_clusterrole_rules_operator_extra_vars %}
 - apiGroups:
diff --git a/roles/network_plugin/cilium/templates/cilium/config.yml.j2 b/roles/network_plugin/cilium/templates/cilium/config.yml.j2
index 32144de28..d294c6e29 100644
--- a/roles/network_plugin/cilium/templates/cilium/config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/config.yml.j2
@@ -131,6 +131,12 @@ data:
   tunnel-protocol: "{{ cilium_tunnel_mode }}"
 {% endif %}
 
+  ## DSR setting
+  bpf-lb-mode: "{{ cilium_loadbalancer_mode }}"
+
+  # l2 
+  enable-l2-announcements: "{{ cilium_l2announcements }}"
+
   # Enable Bandwidth Manager
   # Cilium’s bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
   # Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies.
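Review bot: Both new ConfigMap keys are emitted unconditionally, while every other part of this patch gates the 1.14/1.15 features behind a version check; a cluster still on an older `cilium_version` receives `enable-l2-announcements` and `bpf-lb-mode` whether or not that release knows them, and `bpf-lb-mode` only matters with kube-proxy replacement (the defaults file links the kube-proxy-free docs). The `## DSR setting` heading is misleading for a key whose default is `snat`; suggest `# Load balancer mode (snat/dsr/hybrid); only effective with kube-proxy replacement`. Jinja renders an Ansible boolean as `True`/`False`, so `enable-l2-announcements: "{{ cilium_l2announcements | lower }}"` gives the canonical `"false"` form. The `# l2 ` comment line carries trailing whitespace.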
diff --git a/roles/network_plugin/cilium/templates/cilium/cr.yml.j2 b/roles/network_plugin/cilium/templates/cilium/cr.yml.j2
index 4ce747f0f..a4395b242 100644
--- a/roles/network_plugin/cilium/templates/cilium/cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/cr.yml.j2
@@ -106,6 +106,15 @@ rules:
   - ciliumnodes/finalizers
   - ciliumidentities/finalizers
   - ciliumlocalredirectpolicies/finalizers
+{% endif %}
+{% if cilium_version | regex_replace('v') is version('1.14', '>=') %}
+  - ciliuml2announcementpolicies/status
+{% endif %}
+{% if cilium_version | regex_replace('v') is version('1.15', '>=') %}
+  - ciliumbgpnodeconfigs
+  - ciliumbgpnodeconfigs/status
+  - ciliumbgpadvertisements
+  - ciliumbgppeerconfigs
 {% endif %}
   verbs:
   - '*'
@@ -125,7 +134,22 @@ rules:
   - cilium.io
   resources:
   - ciliumcidrgroups
+  - ciliuml2announcementpolicies
+  - ciliumpodippools
+  - ciliuml2announcementpolicies/status
   verbs:
   - list
   - watch
+{% if cilium_version %} 
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+  - list
+  - delete
+{% endif %}
 {% endif %}
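Review bot: `{% if cilium_version %}` around the new `leases` rule is always true — `cilium_version` is set unconditionally in the role defaults (download.yml in this patch) — so the guard does nothing and the agent gets `create`/`update`/`delete` on every Lease in the cluster regardless of version or of whether L2 announcements are in use. If the rule exists for the lease-based leader election of L2 announcements (plausible given the other 1.14 additions, but not stated in the hunk), gate it on that: `{% if cilium_l2announcements %}`, or the 1.14 version check used elsewhere in this patch, limits the grant to deployments that need it. That line also has trailing whitespace after `%}`. Separately, `ciliuml2announcementpolicies`, `ciliumpodippools` and `ciliuml2announcementpolicies/status` are added to the list/watch rule without the 1.14 gate applied to the same resources in the operator template; RBAC does not validate resource names so this is harmless, but it is inconsistent with the rest of the patch.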
-- 
GitLab