Manage OpenShift's kube-proxy deployment based on the value of kubeProxyReplacement

.cruft.json

@@ -1,13 +1,13 @@
 {
   "template": "https://github.com/projectsyn/commodore-component-template.git",
-  "commit": "26ee71e475cca036551c68a6c6b2285fe86139a0",
+  "commit": "2ae1bc3383f211eee5f20a963f5ac74725d85d5b",
   "checkout": "main",
   "context": {
     "cookiecutter": {
       "name": "Cilium",
       "slug": "cilium",
       "parameter_key": "cilium",
-      "test_cases": "defaults helm-opensource olm-opensource egress-gateway bgp-control-plane",
+      "test_cases": "defaults helm-opensource olm-opensource egress-gateway bgp-control-plane kubeproxyreplacement-strict",
       "add_lib": "n",
       "add_pp": "n",
       "add_golden": "y",

.github/workflows/test.yaml

@@ -37,6 +37,7 @@ jobs:
           - olm-opensource
           - egress-gateway
           - bgp-control-plane
+          - kubeproxyreplacement-strict
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}
@@ -56,6 +57,7 @@ jobs:
           - olm-opensource
           - egress-gateway
           - bgp-control-plane
+          - kubeproxyreplacement-strict
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}

Makefile.vars.mk

@@ -57,4 +57,4 @@ KUBENT_IMAGE    ?= ghcr.io/doitintl/kube-no-trouble:latest
 KUBENT_DOCKER   ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE)
 
 instance ?= defaults
-test_instances = tests/defaults.yml tests/helm-opensource.yml tests/olm-opensource.yml tests/egress-gateway.yml tests/bgp-control-plane.yml
+test_instances = tests/defaults.yml tests/helm-opensource.yml tests/olm-opensource.yml tests/egress-gateway.yml tests/bgp-control-plane.yml tests/kubeproxyreplacement-strict.yml

class/cilium.yml

@@ -26,6 +26,7 @@ parameters:
             - ${_base_directory}/component/aggregated-clusterroles.jsonnet
             - ${_base_directory}/component/egress-gateway-policies.jsonnet
             - ${_base_directory}/component/bgp-control-plane.jsonnet
+            - ${_base_directory}/component/ocp-manage-kube-proxy.jsonnet
           input_type: jsonnet
           output_path: ${_instance}/
 
@@ -51,6 +52,7 @@ parameters:
             - ${_base_directory}/component/aggregated-clusterroles.jsonnet
             - ${_base_directory}/component/egress-gateway-policies.jsonnet
             - ${_base_directory}/component/bgp-control-plane.jsonnet
+            - ${_base_directory}/component/ocp-manage-kube-proxy.jsonnet
           input_type: jsonnet
           output_path: ${_instance}/
         - input_paths:

component/helm-namespace.jsonnet

@@ -1,14 +1,14 @@
 // main template for cilium
 local kap = import 'lib/kapitan.libjsonnet';
 local kube = import 'lib/kube.libjsonnet';
+local util = import 'util.libsonnet';
+
 local inv = kap.inventory();
 // The hiera parameters for the component
 local params = inv.parameters.cilium;
 
-local isOpenshift = std.startsWith(inv.parameters.facts.distribution, 'openshift');
-
 local additionalOpenshiftMeta =
-  if isOpenshift then
+  if util.isOpenshift then
     {
       labels+: {
         'openshift.io/cluster-logging': 'true',

component/ocp-manage-kube-proxy.jsonnet

@@ -0,0 +1,30 @@
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+local po = import 'lib/patch-operator.libsonnet';
+local util = import 'util.libsonnet';
+
+local inv = kap.inventory();
+local params = inv.parameters.cilium;
+
+local fullReplacement = std.member(
+  [ 'strict', 'true' ],
+  params.cilium_helm_values.kubeProxyReplacement
+);
+
+
+local target = kube._Object('operator.openshift.io/v1', 'Network', 'cluster');
+
+local template = {
+  spec: {
+    deployKubeProxy: !fullReplacement,
+  },
+};
+
+local patch = po.Patch(target, template, patchstrategy='application/merge-patch+json');
+
+if util.isOpenshift then
+  {
+    '99_networkoperator_kube_proxy_patch': patch,
+  }
+else
+  {}

component/util.libsonnet

@@ -1,3 +1,8 @@
+local kap = import 'lib/kapitan.libjsonnet';
+
+local inv = kap.inventory();
+local isOpenshift = std.member([ 'openshift4', 'oke' ], inv.parameters.facts.distribution);
+
 local parse_version(ver) =
   local verparts = std.split(ver, '.');
   local parseOrError(val, typ) =
@@ -16,5 +21,6 @@ local parse_version(ver) =
   };
 
 {
+  isOpenshift: isOpenshift,
   parse_version: parse_version,
 }

docs/modules/ROOT/pages/references/parameters.adoc

@@ -175,6 +175,13 @@ See https://docs.cilium.io/en/{helm-minor-version}/helm-reference/[Opensource Ci
 
 The component will pre-process certain Helm values to allow users to more gracefully upgrade to newer Cilium versions which remove deprecated Helm values.
 
+[NOTE]
+====
+On OpenShift 4, the component will deploy a Patch which controls whether OpenShift deploys kube-proxy based on the value of `cilium_helm_values.kubeProxyReplacement`.
+If the `kubeProxyReplacement` Helm value is set to `true` or `strict` the component will configure OpenShift to not deploy kube-proxy.
+Otherwise, the component will configure OpenShift to deploy kube-proxy.
+====
+
 == `hubble_enterprise_helm_values`
 
 [horizontal]

tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/00_cilium_namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    openshift.io/node-selector: ''
+  labels:
+    name: cilium
+    openshift.io/cluster-logging: 'true'
+    openshift.io/cluster-monitoring: 'true'
+    openshift.io/run-level: '0'
+  name: cilium

tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml

@@ -0,0 +1,104 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium
+rules:
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - networkpolicies
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - namespaces
+      - services
+      - pods
+      - endpoints
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - list
+      - watch
+      - get
+  - apiGroups:
+      - cilium.io
+    resources:
+      - ciliumloadbalancerippools
+      - ciliumbgppeeringpolicies
+      - ciliumclusterwideenvoyconfigs
+      - ciliumclusterwidenetworkpolicies
+      - ciliumegressgatewaypolicies
+      - ciliumendpoints
+      - ciliumendpointslices
+      - ciliumenvoyconfigs
+      - ciliumidentities
+      - ciliumlocalredirectpolicies
+      - ciliumnetworkpolicies
+      - ciliumnodes
+      - ciliumnodeconfigs
+      - ciliumcidrgroups
+      - ciliuml2announcementpolicies
+      - ciliumpodippools
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - cilium.io
+    resources:
+      - ciliumidentities
+      - ciliumendpoints
+      - ciliumnodes
+    verbs:
+      - create
+  - apiGroups:
+      - cilium.io
+    resources:
+      - ciliumidentities
+    verbs:
+      - update
+  - apiGroups:
+      - cilium.io
+    resources:
+      - ciliumendpoints
+    verbs:
+      - delete
+      - get
+  - apiGroups:
+      - cilium.io
+    resources:
+      - ciliumnodes
+      - ciliumnodes/status
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - cilium.io
+    resources:
+      - ciliumnetworkpolicies/status
+      - ciliumclusterwidenetworkpolicies/status
+      - ciliumendpoints/status
+      - ciliumendpoints
+      - ciliuml2announcementpolicies/status
+    verbs:
+      - patch

tests/golden/kubeproxyreplacement-strict/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cilium
+subjects:
+  - kind: ServiceAccount
+    name: cilium
+    namespace: cilium