Use kube-proxy replacement by default with Cilium (#343)

charts/cluster-addons/templates/cni/cilium.yaml

@@ -1,4 +1,14 @@
 {{- if and .Values.cni.enabled (eq .Values.cni.type "cilium") }}
+{{/*
+  Use the kube-proxy replacement by default
+
+  NOTE(mkjpryor)
+  When using the kube-proxy replacement Cilium must be told the host and port for the
+  Kubernetes API as it is responsible for handling service traffic
+  We can use the templating support in the addon provider to extract this dynamically
+  from the CAPI cluster resource spec
+*/}}
+{{- $kubeProxyReplacement := dig "kubeProxyReplacement" true .Values.cni.cilium.release.values }}
 ---
 apiVersion: v1
 kind: Secret
@@ -9,8 +19,15 @@ metadata:
     addons.stackhpc.com/watch: ""
 stringData:
   defaults: |
+    # Use IPs allocated to each node by Kubernetes
+    # This respects the pod CIDR specified in the CAPI cluster resource
     ipam:
       mode: kubernetes
+    {{- if $kubeProxyReplacement }}
+    kubeProxyReplacement: true
+    k8sServiceHost: {{ "{{" }} cluster.spec.controlPlaneEndpoint.host {{ "}}" }}
+    k8sServicePort: {{ "{{" }} cluster.spec.controlPlaneEndpoint.port {{ "}}" }}
+    {{- end }}
   overrides: |
     {{- toYaml .Values.cni.cilium.release.values | nindent 4 }}
 ---

charts/openstack-cluster/templates/_helpers.tpl

@@ -346,7 +346,6 @@ webhooks and policies for audit logging can be added here.
   clusterConfiguration:
     apiServer:
       extraArgs:
-        cloud-provider: external
 {{- if $authWebhook }}
         authorization-mode: Node,Webhook,RBAC
 {{- if eq $authWebhook "k8s-keystone-auth" }}

charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml

@@ -8,8 +8,8 @@ joinConfiguration: {{ include "openstack-cluster.nodeRegistration.nodeLabels" .
 {{- define "openstack-cluster.controlplane.kubeadmConfigSpec.kubeProxyConfiguration" -}}
 {{- $ctx := index . 0 }}
 {{- $osDistro := index . 1 }}
-{{- $kubeProxyConfigurationPath := ternary "/etc/kube-proxy-configuration.yaml" "/run/kubeadm/kube-proxy-configuration.yaml" (eq $osDistro "flatcar") }}
-{{- $kubeadmPath := ternary "/etc/kubeadm.yml" "/run/kubeadm/kubeadm.yaml" (eq $osDistro "flatcar") }}
+{{- $kubeProxyConfigurationPath := eq $osDistro "flatcar" | ternary "/etc/kube-proxy-configuration.yaml" "/run/kubeadm/kube-proxy-configuration.yaml" }}
+{{- $kubeadmPath := eq $osDistro "flatcar" | ternary "/etc/kubeadm.yml" "/run/kubeadm/kubeadm.yaml" }}
 {{- with $ctx.kubeProxyConfiguration }}
 files:
   - path: {{ $kubeProxyConfigurationPath }}
@@ -52,6 +52,24 @@ mounts:
 {{- end }}
 {{- end }}
 
+{{/*
+  NOTE(mkjpryor)
+  When Cilium is enabled with the kube-proxy replacement, we need to skip kube-proxy
+*/}}
+{{- define "openstack-cluster.controlplane.kubeadmConfigSpec.cilium" -}}
+{{-
+  if and
+    .Values.addons.enabled
+    (dig "cni" "enabled" true .Values.addons)
+    (dig "cni" "type" "calico" .Values.addons | eq "cilium")
+    (dig "cni" "cilium" "release" "values" "kubeProxyReplacement" true .Values.addons)
+}}
+initConfiguration:
+  skipPhases:
+    - addon/kube-proxy
+{{- end }}
+{{- end }}
+
 ---
 apiVersion: controlplane.cluster.x-k8s.io/v1beta1
 kind: KubeadmControlPlane
@@ -85,6 +103,7 @@ spec:
         list
           (include "openstack-cluster.controlplane.kubeadmConfigSpec.nodeLabels" . | fromYaml)
           (include "openstack-cluster.controlplane.kubeadmConfigSpec.etcd" . | fromYaml)
+          (include "openstack-cluster.controlplane.kubeadmConfigSpec.cilium" . | fromYaml)
           (include "openstack-cluster.kubeadmConfigSpec" (list . .Values.controlPlane.kubeadmConfigSpec) | fromYaml)
           (include "openstack-cluster.osDistroKubeadmConfigSpec" (list . ) | fromYaml)
           (include "openstack-cluster.patchConfigSpec"  (list .) | fromYaml)