From f05d6b37110a64833e8c3ee1310a43ce6173eb62 Mon Sep 17 00:00:00 2001
From: Frank Ritchie <12985912+fritchie@users.noreply.github.com>
Date: Thu, 1 Apr 2021 10:33:22 -0400
Subject: [PATCH] Add cilium_ipam_mode variable (#7418)

Starting with Cilium v1.9 the default ipam mode has changed to "Cluster Scope". See: https://docs.cilium.io/en/v1.9/concepts/networking/ipam/ With this ipam mode Cilium handles assigning subnets to nodes to use for pod ip addresses. The default Kubespray deploy uses the Kube Controller Manager for this (the --allocate-node-cidrs kube-controller-manager flag is set). This makes the proper ipam mode for kubespray using cilium v1.9+ "kubernetes". Tested with Cilium 1.9.5. This PR also mounts the cilium-config ConfigMap for this variable to be read properly. In the future we can probably remove the kvstore and kvstore-opt Cilium Operator args since they can be in the ConfigMap. I will tackle that after this merges.
---
 roles/network_plugin/cilium/defaults/main.yml | 6 +++++-
 roles/network_plugin/cilium/templates/cilium-config.yml.j2 | 7 ++++++-
 roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 | 7 +++++++
 3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml
index 48e254474..4ca451621 100644
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -53,4 +53,8 @@ cilium_auto_direct_node_routes: false
 cilium_native_routing_cidr: ""
 # IPsec based transparent encryption between nodes
-cilium_ipsec_enabled: false
\ No newline at end of file
+cilium_ipsec_enabled: false
+
+# IP address management mode for v1.9+.
+# https://docs.cilium.io/en/v1.9/concepts/networking/ipam/
+cilium_ipam_mode: kubernetes
diff --git a/roles/network_plugin/cilium/templates/cilium-config.yml.j2 b/roles/network_plugin/cilium/templates/cilium-config.yml.j2
index d430fe733..7df18b3f2 100644
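Review bot: The two comment lines added above `cilium_ipam_mode: kubernetes` in defaults/main.yml do not say why `kubernetes` is the default or what overriding it implies. Someone editing the variable later will not see that the value depends on how node pod CIDRs are allocated in the cluster. I would add `# "kubernetes" uses the pod CIDR that kube-controller-manager assigns to each node (--allocate-node-cidrs).` and `# Other modes need further Cilium IPAM settings that this change does not add.` below the documentation link.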
--- a/roles/network_plugin/cilium/templates/cilium-config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-config.yml.j2
@@ -161,4 +161,9 @@ data:
 enable-ipsec: "true"
 ipsec-key-file: /etc/ipsec/keys
 encrypt-node: "false"
-{% endif %}
\ No newline at end of file
+{% endif %}
+
+ # IPAM settings
+{% if cilium_version | regex_replace('v') is version('1.9', '>=') %}
+ ipam: "{{ cilium_ipam_mode }}"
+{% endif %}
diff --git a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
index bf65a746d..baae001c0 100644
--- a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
@@ -44,6 +44,7 @@ spec:
 containers:
 - args:
 - --debug=$(CILIUM_DEBUG)
+ - --config-dir=/tmp/cilium/config-map
 - --kvstore=etcd
 - --kvstore-opt=etcd.config=/var/lib/etcd-config/etcd.config
 command:
@@ -142,6 +143,9 @@ spec:
 - mountPath: "{{cilium_cert_dir}}"
 name: etcd-secrets
 readOnly: true
+ - mountPath: /tmp/cilium/config-map
+ name: cilium-config-path
+ readOnly: true
 dnsPolicy: ClusterFirst
 priorityClassName: system-node-critical
 restartPolicy: Always
@@ -163,3 +167,6 @@ spec:
 - name: etcd-secrets
 hostPath:
 path: "{{cilium_cert_dir}}"
+ - configMap:
+ name: cilium-config
+ name: cilium-config-path
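Review bot: `ipam: "{{ cilium_ipam_mode }}"` in the cilium-config.yml.j2 hunk is rendered with no check on the value, and the hunk adds no other IPAM key. A typo would only surface once the agents restart against a ConfigMap they reject, and a valid but different mode such as `cluster-pool` would, as far as I can tell, make Cilium allocate pod CIDRs from its own default pool while kube-controller-manager keeps assigning them too, so pod addresses may stop matching the pod network that network policies and firewall rules assume. I would add an early `assert` in the role that `cilium_ipam_mode` is one of the modes the role supports, and either template the pool settings (`cluster-pool-ipv4-cidr`, `cluster-pool-ipv4-mask-size`) for `cluster-pool` or reject that mode. The `data:` mapping starts outside the hunk, so a check that already exists elsewhere in the role would not be visible here.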
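Review bot: `--config-dir=/tmp/cilium/config-map` in the first cilium-deploy.yml.j2 hunk makes the operator load every key of the shared `cilium-config` ConfigMap, not only `ipam`, and nothing in the patch recreates the operator pods when that ConfigMap is re-rendered. As far as I know the directory is read at startup only, so a later change to `cilium_ipam_mode` could leave the operator on the old mode while the agents pick up the new one at their next restart. I would note this next to the argument, `# options are read from the cilium-config ConfigMap at startup; restart the operator after changing it`, or add a pod-template annotation carrying a checksum of the rendered ConfigMap so that a change rolls the Deployment. The same applies to the volumeMount and volume hunks that follow; the container spec continues outside all three.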
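Review bot: The new volume entry in the last cilium-deploy.yml.j2 hunk is written with `configMap:` first and the volume's own `name: cilium-config-path` last, while the neighbouring entry starts with `- name: etcd-secrets`. With two `name` keys at different nesting levels this is easy to misread, and a wrong indent on either one would change which ConfigMap is mounted or break the volume reference (indentation is not preserved in this rendering of the patch). I would keep the sibling order: `- name: cilium-config-path`, then `configMap:`, then `name: cilium-config` nested under it. The `volumes:` list starts outside the hunk.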