cilium: Clean up cmdline param wrt control plane mode

borkmann · borkmann · commit 809ce56bdfde · 2024-07-30T18:03:26.000+02:00
Get rid of the --bpf-lb-external-control-plane parameter in favor of simply just reusing existing --enable-k8s flag instead. The latter is already part of the k8s client hive cell which is even better. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: #33552 (comment)
diff --git a/Documentation/cmdref/cilium-agent.md b/Documentation/cmdref/cilium-agent.md
diff --git a/Documentation/operations/upgrade.rst b/Documentation/operations/upgrade.rst
@@ -294,8 +294,8 @@ communicating via the proxy must reconnect to re-establish connections.
 ------------------
 
 * Operating Cilium in ``--datapath-mode=lb-only`` for plain Docker mode now requires to
-  add an additional ``--bpf-lb-external-control-plane=true`` to the command line, otherwise
-  it is assumed that Kubernetes is present.
+  add an additional ``--enable-k8s=false`` to the command line, otherwise it is assumed
+  that Kubernetes is present.
 * The Kubernetes clients used by Cilium Agent and Cilium Operator now have separately configurable
   rate limits. The default rate limit for Cilium Operator K8s clients has been increased to
   100 QPS/200 Burst. To configure the rate limit for Cilium Operator, use the
diff --git a/daemon/cmd/daemon.go b/daemon/cmd/daemon.go
@@ -296,13 +296,6 @@ func newDaemon(ctx context.Context, cleaner *daemonCleanup, params *daemonParams
 
 	bootstrapStats.daemonInit.Start()
 
-	// Validate configuration options that depend on other cells.
-	if option.Config.IdentityAllocationMode == option.IdentityAllocationModeCRD &&
-		!option.Config.LoadBalancerExternalControlPlane &&
-		!params.Clientset.IsEnabled() {
-		return nil, nil, fmt.Errorf("CRD Identity allocation mode requires k8s to be configured")
-	}
-
 	// EncryptedOverlay feature must check the TunnelProtocol if enabled, since
 	// it only supports VXLAN right now.
 	if option.Config.EncryptionEnabled() && option.Config.EnableIPSecEncryptedOverlay {
@@ -839,7 +832,8 @@ func newDaemon(ctx context.Context, cleaner *daemonCleanup, params *daemonParams
 	// well known identities have already been initialized above.
 	// Ignore the channel returned by this function, as we want the global
 	// identity allocator to run asynchronously.
-	if !option.Config.LoadBalancerExternalControlPlane {
+	if option.Config.IdentityAllocationMode != option.IdentityAllocationModeCRD ||
+		params.Clientset.IsEnabled() {
 		realIdentityAllocator := d.identityAllocator
 		realIdentityAllocator.InitIdentityAllocator(params.Clientset)
 	}
diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
@@ -602,9 +602,6 @@ func InitGlobalFlags(cmd *cobra.Command, vp *viper.Viper) {
 	flags.String(option.LoadBalancerRSSv6CIDR, "", "BPF load balancing RSS outer source IPv6 CIDR prefix for IPIP")
 	option.BindEnv(vp, option.LoadBalancerRSSv6CIDR)
 
-	flags.Bool(option.LoadBalancerExternalControlPlane, false, "BPF load balancer uses an externally-provided control plane")
-	option.BindEnv(vp, option.LoadBalancerExternalControlPlane)
-
 	flags.String(option.LoadBalancerAcceleration, option.NodePortAccelerationDisabled, fmt.Sprintf(
 		"BPF load balancing acceleration via XDP (\"%s\", \"%s\")",
 		option.NodePortAccelerationNative, option.NodePortAccelerationDisabled))
@@ -1720,10 +1717,6 @@ func newDaemonPromise(params daemonParams) (promise.Promise[*Daemon], promise.Pr
 	daemonCtx, cancelDaemonCtx := context.WithCancel(context.Background())
 	cleaner := NewDaemonCleanup()
 
-	if option.Config.LoadBalancerExternalControlPlane {
-		params.Clientset.Disable()
-	}
-
 	var daemon *Daemon
 	var wg sync.WaitGroup
 
diff --git a/pkg/option/config.go b/pkg/option/config.go
@@ -277,10 +277,6 @@ const (
 	// Alias to NodePortAcceleration
 	LoadBalancerAcceleration = "bpf-lb-acceleration"
 
-	// LoadBalancerExternalControlPlane switch skips connectivity to kube-apiserver
-	// which is relevant in lb-only mode
-	LoadBalancerExternalControlPlane = "bpf-lb-external-control-plane"
-
 	// MaglevTableSize determines the size of the backend table per service
 	MaglevTableSize = "bpf-lb-maglev-table-size"
 
@@ -1992,10 +1988,6 @@ type DaemonConfig struct {
 	LoadBalancerRSSv6CIDR string
 	LoadBalancerRSSv6     net.IPNet
 
-	// LoadBalancerExternalControlPlane tells whether to not use kube-apiserver as
-	// its control plane in lb-only mode.
-	LoadBalancerExternalControlPlane bool
-
 	// EnablePMTUDiscovery indicates whether to send ICMP fragmentation-needed
 	// replies to the client (when needed).
 	EnablePMTUDiscovery bool
@@ -3131,7 +3123,6 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) {
 	c.LoadBalancerDSRL4Xlate = vp.GetString(LoadBalancerDSRL4Xlate)
 	c.LoadBalancerRSSv4CIDR = vp.GetString(LoadBalancerRSSv4CIDR)
 	c.LoadBalancerRSSv6CIDR = vp.GetString(LoadBalancerRSSv6CIDR)
-	c.LoadBalancerExternalControlPlane = vp.GetBool(LoadBalancerExternalControlPlane)
 	c.InstallNoConntrackIptRules = vp.GetBool(InstallNoConntrackIptRules)
 	c.ContainerIPLocalReservedPorts = vp.GetString(ContainerIPLocalReservedPorts)
 	c.EnableCustomCalls = vp.GetBool(EnableCustomCallsName)
diff --git a/test/l4lb/test.sh b/test/l4lb/test.sh
@@ -65,8 +65,8 @@ docker exec -t lb-node \
     cilium-agent \
     --enable-ipv4=true \
     --enable-ipv6=false \
+    --enable-k8s=false \
     --datapath-mode=lb-only \
-    --bpf-lb-external-control-plane=true \
     --bpf-lb-algorithm=maglev \
     --bpf-lb-dsr-dispatch=ipip \
     --bpf-lb-acceleration=native \
diff --git a/test/nat46x64/test.sh b/test/nat46x64/test.sh
@@ -13,7 +13,7 @@ fi
 CILIUM_EXEC="docker exec -t lb-node docker exec -t cilium-lb"
 
 CFG_COMMON=("--enable-ipv4=true" "--enable-ipv6=true" "--devices=eth0" \
-            "--datapath-mode=lb-only" "--bpf-lb-external-control-plane=true" \
+            "--datapath-mode=lb-only" "--enable-k8s=false" \
 	    "--bpf-lb-mode=snat" "--enable-nat46x64-gateway=true")
 
 TXT_XDP_MAGLEV="Mode:XDP\tAlgorithm:Maglev\tRecorder:Disabled"
