Add and document option to disable `HealthCheckNodePort` service health server

[gandro]

When cilium-agent runs alongside kube-proxy with KubeProxyReplacement=Partial, both kube-proxy and cilium-agent will try to serve a health check for the service on the port specified by HealthCheckNodePort. This will cause the following error:

level=error msg="ListenAndServe failed for service health server" error="listen tcp :31659: bind: address already in use" serviceName=test-lb-local-k8s2 serviceNamespace=default subsys=service-healthserver svcHealthCheckNodePort=31659

The error itself means that the health check is currently served by kube-proxy. We should add an option to disable Cilium's HealthCheckNodePort service health server for Cilium deployments where kube-proxy is running and intended to serve the service health checks.

Proposal (after discussion @brb):

• Introduce a enable-health-check-nodeport (default: true) flag to allow users to opt-out of the service health server running inside cilium-agent when running NodePort BPF
• If the user selects kube-proxy-replacement=partial, then we will disable enable-health-check-nodeport, as we assume that kube-proxy is intentionally running in parallel to cilium-agent.
• If the NodePort BPF is enabled (i.e. EnableNodePort=true) either via kube-proxy-replacement=probe or kube-proxy-replacement=strict, then we will keep the service health server enabled unless the explicitly user opts-out.
• If NodePort BPF is disabled, then cilium-agent will not start the HealthCheckNodePort server anyways, so no action should be required there.
• We should extend the above error message with a notice that the service health server can be disabled via flag.

[pchaigno]

Note: This is a duplicate of #11166, with the underlying reason for the observed failure.

[soumynathan]

Do you mean that we should add an cilium-agent option to disable HealthCheckNodePort or do you mean when kubeProxyReplacement=disabled don't do anything and when kubeProxyReplacement=Partial/strict/probe make sure we disable the 'HealthCheckNodePort' internally. (Can you clarify ).

[gandro]

Do you mean that we should add an cilium-agent option to disable HealthCheckNodePort or do you mean when kubeProxyReplacement=disabled don't do anything and when kubeProxyReplacement=Partial/strict/probe make sure we disable the 'HealthCheckNodePort' internally. (Can you clarify ).

Good question! I've updated the issue, hopefully that clarifies things.

[soumynathan]

Thanks for the update. Can you assign me to the issue. I can take up the work.

[soumynathan]

Do you mean that we should add an cilium-agent option to disable HealthCheckNodePort or do you mean when kubeProxyReplacement=disabled don't do anything and when kubeProxyReplacement=Partial/strict/probe make sure we disable the 'HealthCheckNodePort' internally. (Can you clarify ).

Good question! I've updated the issue, hopefully that clarifies things.

@gandro @brb Thanks for the update. I hope the check needs to happen in the 'healthserver.UpsertService". But do we need to check for the 'service name' to apply prevent the server from getting started.

[gandro]

@gandro @brb Thanks for the update. I hope the check needs to happen in the 'healthserver.UpsertService". But do we need to check for the 'service name' to apply prevent the server from getting started.

Not sure I understand your question @soumynathan - why would you need to check the service name?

The way I imagine this to be implemented is that we would add a if option.Config.EnableHealthCheckNodePort statement around this line here:

cilium/pkg/service/service.go

Lines 265 to 266 in ffe0d11

	s.healthServer.UpsertService(lb.ID(svc.frontend.ID), svc.svcNamespace, svc.svcName,
	localBackendCount, svc.svcHealthCheckNodePort)

And ideally, don't initialize healthserver.New() here either if option.Config.EnableHealthCheckNodePort == false:

cilium/pkg/service/service.go

Line 137 in ffe0d11

healthServer: healthserver.New(),