helm: document missing bpf helm option
Add missing bpf.hostLegacyRouting, bpf.tproxy, bpf.vlanBypass in the helm
reference and helm documents. Remove bpf.lbBypassFIBLookup, hostRouting.

When the original commented helm option is uncommented, the helm template
generated manifest will include the new uncommented helm option
even if the helm template does not specify the new uncommented option; this
behavior could have an unknown effect, see
cilium#21195 (comment)

For bool type helm options, gandro suggested the (not (eq nil $value))
check, but it didn't work.
See cilium#21195 (comment)

Eventually gandro suggested the {{- if (not (kindIs "invalid" .Values.bpf.tproxy)) }}
trick found in Masterminds/sprig#53 (comment).
See:
cilium#21195 (comment)
cilium#21195 (comment)

Signed-off-by: Vincent Li <v.li@f5.com>
vincentmli committed Oct 12, 2022
1 parent 4bafe17 commit 351af62
Showing 7 changed files with 51 additions and 71 deletions.
16 changes: 16 additions & 0 deletions Documentation/helm-values.rst


23 changes: 0 additions & 23 deletions Documentation/network/kubernetes/kubeproxy-free.rst
Expand Up @@ -903,29 +903,6 @@ and therefore not affecting any application pod ``bind(2)`` requests anymore. In
order to opt-out from this behavior in general, this setting can be changed for
expert users by switching ``nodePort.bindProtection`` to ``false``.

NodePort with FHRP & VPC
************************

When using Cilium's kube-proxy replacement in conjunction with a
`FHRP <https://en.wikipedia.org/wiki/First-hop_redundancy_protocol>`_
such as VRRP or Cisco's HSRP and VPC (also known as multi-chassis EtherChannel), the default configuration
can cause issues or unwanted traffic flows. This is due to an optimization that causes the source IP of
ingress packets destined for a NodePort to be associated with the corresponding MAC address, and later in
the reply, the MAC address is used as the destination when forwarding the L2 frame, bypassing the FIB lookup.

In such an environment, it may be preferred to instruct Cilium not to attempt this optimization.
This will ensure the response is always forwarded to the MAC address of the currently active FHRP peer, no matter
the origin of the incoming packet.

To disable the optimization set ``bpf.lbBypassFIBLookup`` to ``false``.

.. parsed-literal::
helm install cilium |CHART_RELEASE| \\
--namespace kube-system \\
--set kubeProxyReplacement=strict \\
--set bpf.lbBypassFIBLookup=false
.. _Configuring Maps:

Configuring BPF Map Sizes
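Review bot: the whole "NodePort with FHRP & VPC" section disappears together with the `bpf.lbBypassFIBLookup` example, but the operational problem it described (reply frames sent to the cached MAC, bypassing the FIB lookup, which misbehaves behind VRRP/HSRP and VPC) is not a Helm-only concern. If the optimization is still controlled by an agent flag, keep the section and point readers at that flag instead; if the optimization itself is gone, an upgrade note saying so would help operators who set `bpf.lbBypassFIBLookup=false` on this page's advice. The commit message only says "remove bpf.lbBypassFIBLookup" and gives no reason.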
3 changes: 3 additions & 0 deletions Documentation/spelling_wordlist.txt
Expand Up @@ -479,6 +479,7 @@ hostAliases
hostBoot
hostConfDirMountPath
hostFirewall
hostLegacyRouting
hostNetwork
hostPath
hostPort
Expand Down Expand Up @@ -720,6 +721,7 @@ nodeSelector
nodeX
nodegroup
nodeinit
nodeport
nonMasqueradeCIDRs
numReplicas
observability
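Review bot: `nodeport` is added to the spelling wordlist, but none of the documentation text touched in this commit introduces that spelling; the only visible mention of nodeport is the `bpf-lb-bypass-fib-lookup` comment, which is being removed. If the regenerated helm-values.rst does not need it, drop it so the wordlist does not accumulate dead entries.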
Expand Down Expand Up @@ -1022,6 +1024,7 @@ virtio
virtualbox
virtualization
vlan
vlanBypass
vmlinux
volumeMounts
vrf
4 changes: 4 additions & 0 deletions install/kubernetes/cilium/README.md
Expand Up @@ -75,8 +75,10 @@ contributors across the globe, there is almost always someone available to help.
| bpf.ctAnyMax | int | `262144` | Configure the maximum number of entries for the non-TCP connection tracking table. |
| bpf.ctTcpMax | int | `524288` | Configure the maximum number of entries in the TCP connection tracking table. |
| bpf.hostBoot | string | `"/boot"` | Configure the path to the host boot directory |
| bpf.hostLegacyRouting | bool | `false` | Configure whether direct routing mode should route traffic via host stack (true) or directly and more efficiently out of BPF (false) if the kernel supports it. The latter has the implication that it will also bypass netfilter in the host namespace. |
| bpf.lbExternalClusterIP | bool | `false` | Allow cluster external access to ClusterIP services. |
| bpf.lbMapMax | int | `65536` | Configure the maximum number of service entries in the load balancer maps. |
| bpf.masquerade | bool | `false` | Enable native IP masquerade support in eBPF |
| bpf.monitorAggregation | string | `"medium"` | Configure the level of aggregation for monitor notifications. Valid options are none, low, medium, maximum. |
| bpf.monitorFlags | string | `"all"` | Configure which TCP flags trigger notifications when seen for the first time in a connection. |
| bpf.monitorInterval | string | `"5s"` | Configure the typical time between monitor notifications for active connections. |
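Review bot: the Default column for `bpf.hostLegacyRouting` says `false`, but the matching values.yaml entry is `~` (nil) with an `@default` annotation, so a reader of this table cannot tell that leaving it unset means "let the agent decide" rather than "explicitly false". Since this README is generated from the values.yaml comments, consider wording the description as "uses the agent default when unset" so the generated table is honest about the nil value.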
Expand All @@ -86,6 +88,8 @@ contributors across the globe, there is almost always someone available to help.
| bpf.policyMapMax | int | `16384` | Configure the maximum number of entries in endpoint policy map (per endpoint). |
| bpf.preallocateMaps | bool | `false` | Enables pre-allocation of eBPF map values. This increases memory usage but can reduce latency. |
| bpf.root | string | `"/sys/fs/bpf"` | Configure the mount point for the BPF filesystem |
| bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. |
| bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. |
| certgen | object | `{"image":{"override":null,"pullPolicy":"Always","repository":"quay.io/cilium/certgen","tag":"v0.1.8@sha256:4a456552a5f192992a6edcec2febb1c54870d665173a33dc7d876129b199ddbd"},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
| certgen.podLabels | object | `{}` | Labels to be added to hubble-certgen pods |
| certgen.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
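Review bot: `bpf.vlanBypass` is documented with default `[]`, which matches the template's truthiness check (nil and an empty list both render nothing), but the description only says what `[0]` does; state explicitly what an empty list means for traffic so that `[0]` ("allow all") reads as the opt-in and not the default. The `id's` apostrophe in this row is a typo carried over from values.yaml.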
16 changes: 4 additions & 12 deletions install/kubernetes/cilium/templates/cilium-configmap.yaml
Expand Up @@ -249,7 +249,7 @@ data:
enable-bpf-clock-probe: {{ $defaultBpfClockProbe | quote }}
{{- end }}

{{- if hasKey .Values.bpf "tproxy" }}
{{- if (not (kindIs "invalid" .Values.bpf.tproxy)) }}
enable-bpf-tproxy: {{ .Values.bpf.tproxy | quote }}
{{- else if eq $defaultBpfTProxy "true" }}
enable-bpf-tproxy: {{ $defaultBpfTProxy | quote }}
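Review bot: the `(not (kindIs "invalid" .Values.bpf.tproxy))` test is repeated verbatim for `tproxy`, `hostLegacyRouting` and `masquerade`; a small named template taking the value (e.g. a hypothetical `cilium.isSet` helper) would make the intent "value was explicitly provided" readable and keep the three sites from drifting. A one-line comment at this first site explaining why `hasKey` is no longer sufficient (the keys now exist in values.yaml with `~`) would also help, since that reasoning currently lives only in the commit message.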
Expand Down Expand Up @@ -284,11 +284,8 @@ data:
bpf-map-dynamic-size-ratio: {{ $defaultBpfMapDynamicSizeRatio | quote }}
{{- end }}

{{- if hasKey .Values.bpf "hostLegacyRouting" }}
{{- if (not (kindIs "invalid" .Values.bpf.hostLegacyRouting)) }}
enable-host-legacy-routing: {{ .Values.bpf.hostLegacyRouting | quote }}
{{- else if hasKey .Values.bpf "hostRouting" }}
# DEPRECATED: this block should be removed in 1.13
enable-host-legacy-routing: {{ .Values.bpf.hostRouting | quote }}
{{- end }}

{{- if or $bpfCtTcpMax $bpfCtAnyMax }}
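Review bot: dropping the `else if hasKey .Values.bpf "hostRouting"` fallback removes the deprecated `bpf.hostRouting` compatibility path that the deleted comment scheduled for removal in 1.13. A user still passing `--set bpf.hostRouting=true` now gets no `enable-host-legacy-routing` line at all and no warning. If this lands before 1.13, keep the fallback; otherwise add a guard such as `{{- if hasKey .Values.bpf "hostRouting" }}{{ fail "bpf.hostRouting was removed, use bpf.hostLegacyRouting" }}{{- end }}` or an upgrade note, so the silent fall-through to the agent default is not a surprise.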
Expand Down Expand Up @@ -330,11 +327,6 @@ data:
# bpf-lb-map-max specifies the maximum number of entries in bpf lb service,
# backend and affinity maps.
bpf-lb-map-max: "{{ .Values.bpf.lbMapMax }}"
{{- end }}
# bpf-lb-bypass-fib-lookup instructs Cilium to enable the FIB lookup bypass
# optimization for nodeport reverse NAT handling.
{{- if hasKey .Values.bpf "lbBypassFIBLookup" }}
bpf-lb-bypass-fib-lookup: {{ .Values.bpf.lbBypassFIBLookup | quote }}
{{- end }}
{{- if hasKey .Values.bpf "lbExternalClusterIP" }}
bpf-lb-external-clusterip: {{ .Values.bpf.lbExternalClusterIP | quote }}
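Review bot: removing the `bpf-lb-bypass-fib-lookup` block means a `bpf.lbBypassFIBLookup` value that operators set following the (also removed) FHRP/VPC documentation is now silently ignored rather than rejected. The same `fail` guard suggested for `bpf.hostRouting` would apply here, and the commit message should at least say whether the agent flag still exists.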
Expand Down Expand Up @@ -472,7 +464,7 @@ data:
enable-ipv6-big-tcp: {{ .Values.enableIPv6BIGTCP | quote }}
enable-ipv6-masquerade: {{ .Values.enableIPv6Masquerade | quote }}

{{- if hasKey .Values.bpf "masquerade" }}
{{- if (not (kindIs "invalid" .Values.bpf.masquerade)) }}
enable-bpf-masquerade: {{ .Values.bpf.masquerade | quote }}
{{- else if eq $defaultBpfMasquerade "true" }}
enable-bpf-masquerade: {{ $defaultBpfMasquerade | quote }}
Expand Down Expand Up @@ -881,7 +873,7 @@ data:
cgroup-root: {{ .Values.cgroup.hostRoot | quote }}
{{- end }}

{{- if hasKey .Values.bpf "vlanBypass" }}
{{- if .Values.bpf.vlanBypass }}
# A space separated list of explicitly allowed vlan id's
vlan-bpf-bypass: {{ .Values.bpf.vlanBypass | join " " | quote }}
{{- end }}
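Review bot: switching from `hasKey` to a plain truthiness check changes behaviour for an explicit `vlanBypass: []`: the old template rendered `vlan-bpf-bypass: ""`, the new one renders nothing. That is probably the intended outcome, but it should be stated in the comment (nil and empty list are treated the same), and it is worth confirming that the agent treats an absent key and an empty string identically.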
30 changes: 12 additions & 18 deletions install/kubernetes/cilium/values.yaml
Expand Up @@ -319,32 +319,26 @@ bpf:
# -- Allow cluster external access to ClusterIP services.
lbExternalClusterIP: false

# -- Enable native IP masquerade support in eBPF
#masquerade: false
# -- (bool) Enable native IP masquerade support in eBPF
# @default -- `false`
masquerade: ~

# -- Deprecated in favor of bpf.hostLegacyRouting. To be removed in 1.13.
# Configure whether direct routing mode should route traffic via
# host stack (true) or directly and more efficiently out of BPF (false) if
# the kernel supports it.
#hostRouting: true

# -- Configure whether direct routing mode should route traffic via
# -- (bool) Configure whether direct routing mode should route traffic via
# host stack (true) or directly and more efficiently out of BPF (false) if
# the kernel supports it. The latter has the implication that it will also
# bypass netfilter in the host namespace.
#hostLegacyRouting: false
# @default -- `false`
hostLegacyRouting: ~

# -- Configure the eBPF-based TPROXY to reduce reliance on iptables rules
# -- (bool) Configure the eBPF-based TPROXY to reduce reliance on iptables rules
# for implementing Layer 7 policy.
# tproxy: true

# -- Configure the FIB lookup bypass optimization for nodeport reverse
# NAT handling.
# lbBypassFIBLookup: true
# @default -- `false`
tproxy: ~

# -- Configure explicitly allowed VLAN id's for bpf logic bypass.
# -- (list) Configure explicitly allowed VLAN id's for bpf logic bypass.
# [0] will allow all VLAN id's without any filtering.
# vlanBypass: []
# @default -- `[]`
vlanBypass: ~

# -- Clean all eBPF datapath state from the initContainer of the cilium-agent
# DaemonSet.
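Review bot: `@default -- \`false\`` on `tproxy` and `masquerade` documents a default the chart does not actually guarantee: with the value left at `~`, cilium-configmap.yaml falls through to `$defaultBpfTProxy` / `$defaultBpfMasquerade`, which the template explicitly compares against `"true"`, so an unset value can end up enabled. Either document the default as "agent default" or say in the comment that `false` only applies when the chart's auto-detection does not enable the feature. The same wording question applies to `hostLegacyRouting`.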
30 changes: 12 additions & 18 deletions install/kubernetes/cilium/values.yaml.tmpl
Expand Up @@ -316,32 +316,26 @@ bpf:
# -- Allow cluster external access to ClusterIP services.
lbExternalClusterIP: false

# -- Enable native IP masquerade support in eBPF
#masquerade: false
# -- (bool) Enable native IP masquerade support in eBPF
# @default -- `false`
masquerade: ~

# -- Deprecated in favor of bpf.hostLegacyRouting. To be removed in 1.13.
# Configure whether direct routing mode should route traffic via
# host stack (true) or directly and more efficiently out of BPF (false) if
# the kernel supports it.
#hostRouting: true

# -- Configure whether direct routing mode should route traffic via
# -- (bool) Configure whether direct routing mode should route traffic via
# host stack (true) or directly and more efficiently out of BPF (false) if
# the kernel supports it. The latter has the implication that it will also
# bypass netfilter in the host namespace.
#hostLegacyRouting: false
# @default -- `false`
hostLegacyRouting: ~

# -- Configure the eBPF-based TPROXY to reduce reliance on iptables rules
# -- (bool) Configure the eBPF-based TPROXY to reduce reliance on iptables rules
# for implementing Layer 7 policy.
# tproxy: true

# -- Configure the FIB lookup bypass optimization for nodeport reverse
# NAT handling.
# lbBypassFIBLookup: true
# @default -- `false`
tproxy: ~

# -- Configure explicitly allowed VLAN id's for bpf logic bypass.
# -- (list) Configure explicitly allowed VLAN id's for bpf logic bypass.
# [0] will allow all VLAN id's without any filtering.
# vlanBypass: []
# @default -- `[]`
vlanBypass: ~

# -- Clean all eBPF datapath state from the initContainer of the cilium-agent
# DaemonSet.
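Review bot: this mirrors the values.yaml hunk line for line, so whatever wording is chosen there for the `@default` annotations must be applied here too; the two files are easy to let drift.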