From f54f63ec3f776b1e715aa6c5bbc7b9f89fab77a3 Mon Sep 17 00:00:00 2001
From: Florian Ruynat
Date: Thu, 25 Jun 2020 15:16:38 +0200
Subject: [PATCH] Update cilium to 1.8.0 (#6314)

---
 README.md | 2 +-
 roles/download/defaults/main.yml | 2 +-
 .../cilium/templates/cilium-cr.yml.j2 | 10 ++++++
 .../cilium/templates/cilium-deploy.yml.j2 | 2 +-
 .../cilium/templates/cilium-ds.yml.j2 | 35 +++++++++++++------
 5 files changed, 37 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index 396e168e6..d7dfe4385 100644
--- a/README.md
+++ b/README.md
@@ -124,7 +124,7 @@ Note: Upstart/SysV init based OS types are not supported.
 - [cni-plugins](https://github.com/containernetworking/plugins) v0.8.6
 - [calico](https://github.com/projectcalico/calico) v3.14.1
 - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
- - [cilium](https://github.com/cilium/cilium) v1.7.4
+ - [cilium](https://github.com/cilium/cilium) v1.8.0
 - [contiv](https://github.com/contiv/install) v1.2.1
 - [flanneld](https://github.com/coreos/flannel) v0.12.0
 - [kube-ovn](https://github.com/alauda/kube-ovn) v1.2.0
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index 62aa6b0d0..f5d1cadde 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -79,7 +79,7 @@ cni_version: "v0.8.6"
 weave_version: 2.6.4
 pod_infra_version: "3.2"
 contiv_version: 1.2.1
-cilium_version: "v1.7.4"
+cilium_version: "v1.8.0"
 kube_ovn_version: "v1.2.0"
 kube_router_version: "v0.4.0"
 multus_version: "v3.4.2"
diff --git a/roles/network_plugin/cilium/templates/cilium-cr.yml.j2 b/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
index 2b16f1f86..1fbf26235 100644
--- a/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
@@ -26,10 +26,12 @@ rules:
 - apiGroups:
 - ""
 resources:
+{% if cilium_version | regex_replace('v') is version('1.8', '<') %}
 # to automatically read from k8s and import the node's pod CIDR to cilium's
 # etcd so all nodes know how to reach another pod running in in a different
 # node.
 - nodes
+{% endif %}
 # to perform the translation of a CNP that contains `ToGroup` to its endpoints
 - services
 - endpoints
@@ -59,6 +61,14 @@ rules: {% endif %} verbs: - '*' +- apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole
diff --git a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
index d379477ec..18fdad7bc 100644
--- a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
@@ -92,7 +92,7 @@ spec:
 {% if cilium_enable_ipv4 %}
 host: 127.0.0.1
 {% else %}
- host: host: '[::1]'
+ host: '::1'
 {% endif %}
 path: /healthz
 port: 9234
diff --git a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
index 43a96821f..dd8e1b910 100755
--- a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
@@ -59,11 +59,14 @@ spec:
 command:
 - /cni-uninstall.sh
 livenessProbe:
- exec:
- command:
- - cilium
- - status
- - --brief
+ httpGet:
+ host: '127.0.0.1'
+ path: /healthz
+ port: 9876
+ scheme: HTTP
+ httpHeaders:
+ - name: "brief"
+ value: "true"
 failureThreshold: 10
 # The initial delay for the liveness probe is intentionally large to
 # avoid an endless kill & restart cycle if in the event that the initial
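Review bot: The version guard `{% if cilium_version | regex_replace('v') is version('1.8', '<') %}` strips every `v` from the tag rather than only the leading one, so `regex_replace('^v', '')` states the intent more precisely and cannot mangle a tag that happens to contain another `v`. Dropping read access to `nodes` for 1.8 and later should be confirmed against the upstream 1.8 agent ClusterRole before merging, because a missing list/watch permission only surfaces as RBAC errors in the agent log at runtime rather than at deploy time. The read-only `get`/`list`/`watch` on `customresourcedefinitions` added in the following hunk is the minimal grant for CRD discovery and needs no change. The `rules:` list this hunk edits starts before the hunk.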
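Review bot: The IPv6 branch now quotes its probe host (`host: '::1'`) while the IPv4 branch two lines above leaves `host: 127.0.0.1` plain; quoting both (`host: '127.0.0.1'`) keeps the two branches consistent with each other and with the new `httpGet` blocks in cilium-ds.yml.j2 from this same commit. The fix itself looks right, since Kubernetes adds the IPv6 brackets when it builds the probe URL and a bracketed literal would be doubled. The probe definition this hunk edits continues on both sides of the hunk.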
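Review bot: The new livenessProbe hardcodes `host: '127.0.0.1'` although cilium-deploy.yml.j2 in this same commit selects `127.0.0.1` or `'::1'` from `cilium_enable_ipv4`; on an IPv6-only node the probe would fail unless the agent's health endpoint on port 9876 also binds the IPv4 loopback, which this page cannot confirm. The same applies to the readinessProbe in hunk `@@ -81,11 +84,14 @@` of this file, which repeats the same eight `httpGet` lines verbatim. Applying the same `{% if cilium_enable_ipv4 %}` switch in both probes, or rendering the `httpGet` block from a single Jinja variable, would keep the three probes from drifting apart. The container spec this hunk edits continues on both sides of the hunk.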
@@ -81,11 +84,14 @@ spec:
 protocol: TCP
 {% endif %}
 readinessProbe:
- exec:
- command:
- - cilium
- - status
- - --brief
+ httpGet:
+ host: '127.0.0.1'
+ path: /healthz
+ port: 9876
+ scheme: HTTP
+ httpHeaders:
+ - name: "brief"
+ value: "true"
 failureThreshold: 3
 initialDelaySeconds: 5
 periodSeconds: 30
@@ -131,6 +137,8 @@ spec:
 - mountPath: /lib/modules
 name: lib-modules
 readOnly: true
+ - mountPath: /run/xtables.lock
+ name: xtables-lock
 dnsPolicy: ClusterFirstWithHostNet
 hostNetwork: true
 hostPID: false
@@ -138,7 +146,7 @@ spec:
 - command:
 - /init-container.sh
 env:
- - name: CLEAN_CILIUM_STATE
+ - name: CILIUM_ALL_STATE
 valueFrom:
 configMapKeyRef:
 key: clean-cilium-state
@@ -214,6 +222,11 @@ spec:
 - hostPath:
 path: /lib/modules
 name: lib-modules
+ # To access iptables concurrently with other processes (e.g. kube-proxy)
+ - hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
+ name: xtables-lock
 # To read the etcd config stored in config maps
 - configMap:
 defaultMode: 420
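Review bot: The rename to `CILIUM_ALL_STATE` in hunk `@@ -138,7 +146,7 @@`, like the switch of both probes to `/healthz` on port 9876, is applied unconditionally, while cilium-cr.yml.j2 in the same commit keeps a `cilium_version ... is version('1.8', '<')` branch for older releases; a deployment that overrides `cilium_version` back to a 1.7 tag would therefore get an init container and probes written for 1.8, which the older image may not honour. Either guard these DaemonSet changes with the same version test or drop the 1.7 branch from the ClusterRole so that the templates agree on the supported range. The ConfigMap key `clean-cilium-state` is unchanged, so the ConfigMap template (not in this diff) needs no edit for the rename. The init container spec this hunk edits continues on both sides of the hunk.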