feat: Add support for cilium 1.15 and updated cilium to v1.15.4 (#11106)

README.md

@@ -168,7 +168,7 @@ Note: Upstart/SysV init based OS types are not supported.
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) v1.2.0
   - [calico](https://github.com/projectcalico/calico) v3.27.2
-  - [cilium](https://github.com/cilium/cilium) v1.13.4
+  - [cilium](https://github.com/cilium/cilium) v1.15.4
   - [flannel](https://github.com/flannel-io/flannel) v0.22.0
   - [kube-ovn](https://github.com/alauda/kube-ovn) v1.11.5
   - [kube-router](https://github.com/cloudnativelabs/kube-router) v2.0.0

docs/cilium.md

@@ -99,7 +99,7 @@ cilium_operator_extra_volume_mounts:
 ## Choose Cilium version
 
 ```yml
-cilium_version: v1.12.1
+cilium_version: v1.15.4
 ```
 
 ## Add variable to config

inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml

@@ -1,5 +1,5 @@
 ---
-# cilium_version: "v1.12.1"
+# cilium_version: "v1.15.4"
 
 # Log-level
 # cilium_debug: false
@@ -8,6 +8,9 @@
 # cilium_enable_ipv4: true
 # cilium_enable_ipv6: false
 
+# Enable l2 announcement from cilium to replace Metallb Ref: https://docs.cilium.io/en/v1.14/network/l2-announcements/
+cilium_l2announcements: false
+
 # Cilium agent health port
 # cilium_agent_health_port: "9879"
 
@@ -40,6 +43,10 @@
 
 # Overlay Network Mode
 # cilium_tunnel_mode: vxlan
+
+# LoadBalancer Mode (snat/dsr/hybrid) Ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/#dsr-mode
+# cilium_loadbalancer_mode: snat
+
 # Optional features
 # cilium_enable_prometheus: false
 # Enable if you want to make use of hostPort mappings

roles/kubespray-defaults/defaults/main/download.yml

@@ -116,7 +116,7 @@ flannel_cni_version: "v1.1.2"
 cni_version: "v1.3.0"
 weave_version: 2.8.1
 
-cilium_version: "v1.13.4"
+cilium_version: "v1.15.4"
 cilium_cli_version: "v0.16.0"
 cilium_enable_hubble: false
 

roles/network_plugin/cilium/defaults/main.yml

@@ -7,6 +7,9 @@ cilium_mtu: ""
 cilium_enable_ipv4: true
 cilium_enable_ipv6: false
 
+# Enable l2 announcement from cilium to replace Metallb Ref: https://docs.cilium.io/en/v1.14/network/l2-announcements/
+cilium_l2announcements: false
+
 # Cilium agent health port
 cilium_agent_health_port: "{%- if cilium_version | regex_replace('v') is version('1.11.6', '>=') -%}9879{%- else -%}9876{%- endif -%}"
 
@@ -39,6 +42,10 @@ cilium_cpu_requests: 100m
 
 # Overlay Network Mode
 cilium_tunnel_mode: vxlan
+
+# LoadBalancer Mode (snat/dsr/hybrid) Ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/#dsr-mode
+cilium_loadbalancer_mode: snat
+
 # Optional features
 cilium_enable_prometheus: false
 # Enable if you want to make use of hostPort mappings

roles/network_plugin/cilium/templates/cilium-operator/cr.yml.j2

@@ -97,6 +97,11 @@ rules:
   - ciliumloadbalancerippools/status
   - ciliumbgppeeringpolicies
   - ciliumenvoyconfigs
+{% endif %}
+{% if cilium_version | regex_replace('v') is version('1.15', '>=') %}
+  - ciliumbgppeerconfigs
+  - ciliumbgpadvertisements
+  - ciliumbgpnodeconfigs
 {% endif %}
   verbs:
   - '*'
@@ -146,6 +151,20 @@ rules:
   - ciliumlocalredirectpolicies.cilium.io
   - ciliumnetworkpolicies.cilium.io
   - ciliumnodes.cilium.io
+{% if cilium_version | regex_replace('v') is version('1.14', '>=') %}
+  - ciliumnodeconfigs.cilium.io
+  - ciliumcidrgroups.cilium.io
+  - ciliuml2announcementpolicies.cilium.io
+  - ciliumpodippools.cilium.io
+  - ciliumloadbalancerippools.cilium.io
+{% endif %}
+{% if cilium_version | regex_replace('v') is version('1.15', '>=') %}
+  - ciliumbgpclusterconfigs.cilium.io
+  - ciliumbgppeerconfigs.cilium.io
+  - ciliumbgpadvertisements.cilium.io
+  - ciliumbgpnodeconfigs.cilium.io
+  - ciliumbgpnodeconfigoverrides.cilium.io
+{% endif %}
 {% endif %}
 {% for rules in cilium_clusterrole_rules_operator_extra_vars %}
 - apiGroups:

roles/network_plugin/cilium/templates/cilium/config.yml.j2

@@ -131,6 +131,12 @@ data:
   tunnel-protocol: "{{ cilium_tunnel_mode }}"
 {% endif %}
 
+  ## DSR setting
+  bpf-lb-mode: "{{ cilium_loadbalancer_mode }}"
+
+  # l2 
+  enable-l2-announcements: "{{ cilium_l2announcements }}"
+
   # Enable Bandwidth Manager
   # Cilium’s bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
   # Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies.

roles/network_plugin/cilium/templates/cilium/cr.yml.j2

@@ -106,6 +106,15 @@ rules:
   - ciliumnodes/finalizers
   - ciliumidentities/finalizers
   - ciliumlocalredirectpolicies/finalizers
+{% endif %}
+{% if cilium_version | regex_replace('v') is version('1.14', '>=') %}
+  - ciliuml2announcementpolicies/status
+{% endif %}
+{% if cilium_version | regex_replace('v') is version('1.15', '>=') %}
+  - ciliumbgpnodeconfigs
+  - ciliumbgpnodeconfigs/status
+  - ciliumbgpadvertisements
+  - ciliumbgppeerconfigs
 {% endif %}
   verbs:
   - '*'
@@ -125,7 +134,22 @@ rules:
   - cilium.io
   resources:
   - ciliumcidrgroups
+  - ciliuml2announcementpolicies
+  - ciliumpodippools
+  - ciliuml2announcementpolicies/status
   verbs:
   - list
   - watch
+{% if cilium_version %} 
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+  - list
+  - delete
+{% endif %}
 {% endif %}