From 3550e3c145004665296b3a1115f2af060713d033 Mon Sep 17 00:00:00 2001 From: Arthur Outhenin-Chalandre Date: Thu, 30 Jul 2020 11:46:31 +0200 Subject: [PATCH] Adding kube-proxy-replacement support in cilium (#6334) Signed-off-by: Arthur Outhenin-Chalandre --- .gitlab-ci/packet.yml | 5 +++++ docs/ci.md | 2 +- roles/kubespray-defaults/defaults/main.yaml | 9 ++++++++- roles/network_plugin/cilium/defaults/main.yml | 2 ++ .../cilium/templates/cilium-config.yml.j2 | 2 ++ tests/files/packet_debian10-cilium-svc-proxy.yml | 12 ++++++++++++ 6 files changed, 30 insertions(+), 2 deletions(-) create mode 100644 tests/files/packet_debian10-cilium-svc-proxy.yml diff --git a/.gitlab-ci/packet.yml b/.gitlab-ci/packet.yml index b2b20b9ad..f80cd7fd6 100644 --- a/.gitlab-ci/packet.yml +++ b/.gitlab-ci/packet.yml @@ -68,6 +68,11 @@ packet_ubuntu16-kube-router-svc-proxy: extends: .packet when: manual +packet_debian10-cilium-svc-proxy: + stage: deploy-part2 + extends: .packet + when: manual + packet_debian10-containerd: stage: deploy-part2 extends: .packet diff --git a/docs/ci.md b/docs/ci.md index 6649cd98e..091485376 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -9,7 +9,7 @@ To generate this Matrix run `./tests/scripts/md-table/main.py` amazon | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | centos7 | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | :white_check_mark: | centos8 | :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | :x: | -debian10 | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | +debian10 | :x: | :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | debian9 | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | fedora30 | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :white_check_mark: | fedora31 | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | :x: | :x: | 
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml index bf391cd39..2e41e9d8b 100644 --- a/roles/kubespray-defaults/defaults/main.yaml +++ b/roles/kubespray-defaults/defaults/main.yaml @@ -27,7 +27,14 @@ kubeadm_use_hyperkube_image: False kube_proxy_mode: ipvs ## Delete kube-proxy daemonset if kube_proxy_remove set, e.g. kube_network_plugin providing proxy services -kube_proxy_remove: "{{ (kube_network_plugin == 'kube-router') and (kube_router_run_service_proxy is defined and kube_router_run_service_proxy)| bool }}" +kube_proxy_remove: >- + {%- if kube_network_plugin == 'kube-router' -%} + {{ (kube_router_run_service_proxy is defined and kube_router_run_service_proxy)| bool }} + {%- elif kube_network_plugin == 'cilium' -%} + {{ (cilium_kube_proxy_replacement is defined and cilium_kube_proxy_replacement == 'strict')| bool }} + {%- else -%} + false + {%- endif -%} # A string slice of values which specify the addresses to use for NodePorts. # Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32). diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml index dce905dee..8b18a15b1 100755 --- a/roles/network_plugin/cilium/defaults/main.yml +++ b/roles/network_plugin/cilium/defaults/main.yml @@ -26,6 +26,8 @@ cilium_enable_prometheus: false cilium_enable_portmap: false # Monitor aggregation level (none/low/medium/maximum) cilium_monitor_aggregation: medium +# Kube Proxy Replacement mode (strict/probe/partial) +cilium_kube_proxy_replacement: probe # If upgrading from Cilium < 1.5, you may want to override some of these options # to prevent service disruptions. See also: diff --git a/roles/network_plugin/cilium/templates/cilium-config.yml.j2 b/roles/network_plugin/cilium/templates/cilium-config.yml.j2 index 94cb27149..1b4811d3d 100644 --- a/roles/network_plugin/cilium/templates/cilium-config.yml.j2 +++ b/roles/network_plugin/cilium/templates/cilium-config.yml.j2 
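Review bot: The `else` branch of the new `kube_proxy_remove` template in `roles/kubespray-defaults/defaults/main.yaml` emits the bare text `false`, while the other two branches emit the output of `| bool`. Depending on how Ansible converts the rendered string, a consumer that tests the variable without `| bool` may see a non-empty string instead of a boolean. The cilium branch also matches only the exact string `strict`, so a mistyped or differently cased value silently leaves kube-proxy running and nothing in the hunk asserts the value. A single expression keeps the type uniform: `kube_proxy_remove: "{{ (kube_network_plugin == 'kube-router' and kube_router_run_service_proxy | default(false) | bool) or (kube_network_plugin == 'cilium' and cilium_kube_proxy_replacement | default('') == 'strict') }}"`. The consumers of `kube_proxy_remove` are outside this hunk, so check how they evaluate it.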
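Review bot: The new default `cilium_kube_proxy_replacement: probe` in `roles/network_plugin/cilium/defaults/main.yml` is not opt-in. Because the ConfigMap key in `cilium-config.yml.j2` is rendered unconditionally, existing Cilium deployments would pick up probe mode on their next run while kube-proxy keeps running, so service handling can change on upgrade. The comment lists only `strict/probe/partial`, which leaves the way to keep the previous behaviour undocumented. I would write `# Kube Proxy Replacement mode (strict/probe/partial/disabled)` and state in the same comment that `strict` also removes the kube-proxy daemonset through `kube_proxy_remove`. Whether the Cilium version this role deploys accepts the option is not visible in the hunk and should be confirmed.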
@@ -140,3 +140,5 @@ data:
 # Enable legacy services (prior v1.5) to prevent from terminating existing
 # connections with services when upgrading Cilium from < v1.5 to v1.5.
 enable-legacy-services: "{{cilium_enable_legacy_services}}"
+
+ kube-proxy-replacement: "{{ cilium_kube_proxy_replacement }}"
diff --git a/tests/files/packet_debian10-cilium-svc-proxy.yml b/tests/files/packet_debian10-cilium-svc-proxy.yml
new file mode 100644
index 000000000..eb163332c
--- /dev/null
+++ b/tests/files/packet_debian10-cilium-svc-proxy.yml
@@ -0,0 +1,12 @@
+---
+# Instance settings
+cloud_image: debian-10
+mode: separate
+
+# Kubespray settings
+kube_network_plugin: cilium
+deploy_netchecker: true
+enable_network_policy: true
+dns_min_replicas: 1
+
+cilium_kube_proxy_replacement: strict
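Review bot: In `cilium-config.yml.j2` the `kube-proxy-replacement` value is rendered unchecked, and for `strict` nothing in this hunk gives the agent a direct API server address. Once kube-proxy is removed, the `kubernetes` Service ClusterIP is no longer translated by it, so the agent needs the API server host and port configured explicitly; confirm that the DaemonSet template (not shown) handles this. An assertion in the role that the variable is one of the supported modes would turn a typo into an early failure rather than a partly configured dataplane. The key is also the only entry in this hunk without a comment; `# Kube Proxy Replacement mode; strict also requires kube-proxy to be removed` above it would match the neighbouring entries. The ConfigMap continues outside the hunk.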