Skip to content

Update cilium to v1.17.1 #510

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Feb 26, 2025
Merged

Update cilium to v1.17.1 #510

merged 2 commits into from
Feb 26, 2025

Conversation

axel7born
Copy link
Contributor

How to categorize this PR?

/area networking
/kind enhancement

What this PR does / why we need it:

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Release note:

Update cilium to v1.17.1

@axel7born axel7born requested review from a team as code owners February 21, 2025 13:56
@gardener-robot gardener-robot added needs/review area/networking Networking related kind/enhancement Enhancement, improvement, extension size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 21, 2025
DockToFuture
DockToFuture previously approved these changes Feb 25, 2025
View reviewed changes
Copy link
Member

@DockToFuture DockToFuture left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm, do we also want to allow/support TLS interception?

ScheererJ
ScheererJ reviewed Feb 25, 2025
View reviewed changes
charts/internal/cilium/values.yaml Outdated
Comment on lines 41 to 43
# -- Configure iptables--random-fully. Disabled by default. View https://github.com/cilium/cilium/issues/13037 for more information.
iptablesRandomFully: false

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it make sense to change the default for our scenario? Reading through the issue also with context from other areas in mind, I do not see any reason why you would not want to use iptablesRandomFully. Whether we enable it here or adapt the values can be up for discussion.
WDYT?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, makes sense. I set it to true.

charts/internal/cilium/charts/config/templates/configmap.yaml
Comment on lines +627 to +629
{{- if .Values.global.ipam.multiPoolPreAllocation }}
ipam-multi-pool-pre-allocation: {{ .Values.global.ipam.multiPoolPreAllocation | quote }}
{{- end }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is multiPoolPreAllocation in our values file? I do not find it. Should we add it to have a proper default?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default is empty. I don't think it makes sense to add it with an empty string as default.

charts/internal/cilium/charts/config/templates/configmap.yaml
@@ -650,7 +674,7 @@ data:
dnsproxy-socket-linger-timeout: "10"
tofqdns-dns-reject-response-code: "refused"
tofqdns-enable-dns-compression: "true"
tofqdns-endpoint-max-ip-per-hostname: "50"
tofqdns-endpoint-max-ip-per-hostname: "1000"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure I understand why we use here the literal value while in other cases we took over the templated from. Could you please explain?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was already a literal. Only the value changed.

charts/internal/cilium/charts/operator/templates/clusterrole.yaml
@@ -151,6 +151,13 @@ rules:
- watch
- delete
- patch
- apiGroups:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are secrets missing in the section # to check apiserver connectivity? If I diff the versions, it seems like this should have been added.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

secrets would be needed if .Values.tls.secretSync.enabled would be true.
That would be part of TLS interception part, we want to add later.

@axel7born
Copy link
Contributor Author

/test pull-extension-networking-cilium-e2e-kind

1 similar comment
@axel7born
Copy link
Contributor Author

/test pull-extension-networking-cilium-e2e-kind

DockToFuture
DockToFuture approved these changes Feb 26, 2025
View reviewed changes
Copy link
Member

@DockToFuture DockToFuture left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@axel7born axel7born merged commit 271cb08 into gardener:master Feb 26, 2025
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ScheererJ ScheererJ ScheererJ left review comments

@DockToFuture DockToFuture DockToFuture approved these changes

Assignees
No one assigned
Labels
area/networking Networking related kind/enhancement Enhancement, improvement, extension size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@axel7born @DockToFuture @ScheererJ @gardener-robot-ci-1 @gardener-robot-ci-2 @gardener-robot