Change Cilium setting identity_allocation_mode to cilium_identity_allocation_mode (#8519)

* Change Cilium identity_allocation_mode to cilium_identity_allocation_mode

* Change inventory sample

inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml

@@ -1,4 +1,4 @@
 # see roles/network_plugin/cilium/defaults/main.yml
 
 # cilium_version: "v1.11.0"
-# identity_allocation_mode: kvstore # kvstore or crd
+# cilium_identity_allocation_mode: kvstore # kvstore or crd

roles/network_plugin/cilium/defaults/main.yml

@@ -12,7 +12,14 @@ cilium_enable_ipv6: false
 #   These can be queried with:
 #     `kubectl get ciliumid`
 # - "kvstore" stores identities in an etcd kvstore.
-identity_allocation_mode: kvstore
+# - In order to support External Workloads, "crd" is required
+#   - Ref: https://docs.cilium.io/en/stable/gettingstarted/external-workloads/#setting-up-support-for-external-workloads-beta
+# - KVStore operations are only required when cilium-operator is running with any of the below options:
+#   - --synchronize-k8s-services
+#   - --synchronize-k8s-nodes
+#   - --identity-allocation-mode=kvstore
+#   - Ref: https://docs.cilium.io/en/stable/internals/cilium_operator/#kvstore-operations
+cilium_identity_allocation_mode: kvstore
 
 # Etcd SSL dirs
 cilium_cert_dir: /etc/cilium/certs

roles/network_plugin/cilium/tasks/check.yml

@@ -10,5 +10,5 @@
 
 - name: Stop if bad Cilium identity allocation mode
   assert:
-    that: identity_allocation_mode in ['crd', 'kvstore']
-    msg: "identity_allocation_mode must be either 'crd' or 'kvstore'"
+    that: cilium_identity_allocation_mode in ['crd', 'kvstore']
+    msg: "cilium_identity_allocation_mode must be either 'crd' or 'kvstore'"

roles/network_plugin/cilium/tasks/install.yml

@@ -14,7 +14,7 @@
     owner: root
     group: root
   when:
-    - identity_allocation_mode == "kvstore"
+    - cilium_identity_allocation_mode == "kvstore"
 
 - name: Cilium | Link etcd certificates for cilium
   file:
@@ -28,7 +28,7 @@
     - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
     - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
   when:
-    - identity_allocation_mode == "kvstore"
+    - cilium_identity_allocation_mode == "kvstore"
 
 - name: Cilium | Create hubble dir
   file:

roles/network_plugin/cilium/templates/cilium-config.yml.j2

@@ -5,9 +5,9 @@ metadata:
   name: cilium-config
   namespace: kube-system
 data:
-  identity-allocation-mode: {{ identity_allocation_mode }}
+  identity-allocation-mode: {{ cilium_identity_allocation_mode }}
 
-{% if identity_allocation_mode == "kvstore" %}
+{% if cilium_identity_allocation_mode == "kvstore" %}
   # This etcd-config contains the etcd endpoints of your cluster. If you use
   # TLS please make sure you follow the tutorial in https://cilium.link/etcd-config
   etcd-config: |-

roles/network_plugin/cilium/templates/cilium-deploy.yml.j2

@@ -135,7 +135,7 @@ spec:
             periodSeconds: 10
             timeoutSeconds: 3
           volumeMounts:
-{% if identity_allocation_mode == "kvstore" %}
+{% if cilium_identity_allocation_mode == "kvstore" %}
             - mountPath: /var/lib/etcd-config
               name: etcd-config-path
               readOnly: true
@@ -155,7 +155,7 @@ spec:
       tolerations:
         - operator: Exists
       volumes:
-{% if identity_allocation_mode == "kvstore" %}
+{% if cilium_identity_allocation_mode == "kvstore" %}
         # To read the etcd config stored in config maps
         - configMap:
             defaultMode: 420

roles/network_plugin/cilium/templates/cilium-ds.yml.j2

@@ -146,7 +146,7 @@ spec:
           mountPath: {{ cri_socket }}
           readOnly: true
 {% endif %}
-{% if identity_allocation_mode == "kvstore" %}
+{% if cilium_identity_allocation_mode == "kvstore" %}
         - mountPath: /var/lib/etcd-config
           name: etcd-config-path
           readOnly: true
@@ -272,7 +272,7 @@ spec:
           path: /run/xtables.lock
           type: FileOrCreate
         name: xtables-lock
-{% if identity_allocation_mode == "kvstore" %}
+{% if cilium_identity_allocation_mode == "kvstore" %}
         # To read the etcd config stored in config maps
       - configMap:
           defaultMode: 420