Add Cilium support in Kubespray 2.27 (#445)

rarescosma · web-flow · commit 3715b64b738e · 2025-08-07T08:44:32.000+02:00
diff --git a/bin/apply.bash b/bin/apply.bash
@@ -32,7 +32,10 @@ if [ -z "${CK8S_KUBESPRAY_NO_VENV+x}" ]; then
 fi
 
 log_info "Running kubespray"
-ansible-playbook -i "${config[inventory_file]}" cluster.yml -b "${@}"
+ansible-playbook \
+  -i "${config[inventory_file]}" \
+  -i "${here}/../config/cilium-values-inventory.yaml" \
+  cluster.yml -b "${@}"
 
 log_info "Kubespray done"
 
diff --git a/config/cilium-values-inventory.yaml b/config/cilium-values-inventory.yaml
@@ -0,0 +1,48 @@
+all:
+  vars:
+    cilium_extra_values: "{{ cilium_extra_values_template | from_yaml }}"
+    cilium_extra_values_template: |
+      {% if ck8s_cilium | default(false) %}
+      policyEnforcementMode: {{ ck8s_cilium.policyEnforcementMode }}
+
+      policyAuditMode: {{ ck8s_cilium.policyAuditMode }}
+
+      operator:
+        unmanagedPodWatcher:
+          restart: {{ ck8s_cilium.operator.unmanagedPodWatcher.restart }}
+        prometheus:
+          enabled: {{ ck8s_cilium.operator.monitoring.enabled }}
+          serviceMonitor:
+            enabled: {{ ck8s_cilium.operator.monitoring.installServiceMonitor }}
+
+      encryption:
+        enabled: {{ ck8s_cilium.wireguard.enabled }}
+        type: wireguard
+        strictMode:
+          enabled: {{ ck8s_cilium.wireguard.strictMode }}
+
+      hubble:
+        enabled: {{ ck8s_cilium.hubble.enabled }}
+        metrics:
+          enabled: {{ ck8s_cilium.hubble.metrics }}
+          serviceMonitor:
+            enabled: {{ ck8s_cilium.hubble.monitoring.installServiceMonitor }}
+
+      prometheus:
+        enabled: {{ ck8s_cilium.prometheus.enabled }}
+        serviceMonitor:
+          enabled: {{ ck8s_cilium.prometheus.installServiceMonitor }}
+          trustCRDsExist: true
+
+      envoy:
+        enabled: {{ ck8s_cilium.envoy.enabled }}
+
+      {% if ck8s_cilium.enableNodeSelectability | default(false) %}
+      policyCIDRMatchMode: nodes
+      {% endif %}
+
+      annotateK8sNode: true
+
+      {% else %}
+      {}
+      {% endif %}
diff --git a/config/common/group_vars/k8s_cluster/ck8s-cilium.yaml b/config/common/group_vars/k8s_cluster/ck8s-cilium.yaml
@@ -0,0 +1,51 @@
+ck8s_cilium:
+  # policyEnforcementMode: Determine whether an endpoint accepts traffic from a source or not
+  #
+  # Has three options:
+  # - default: endpoints have unrestricted network access until selected by policy
+  # - always: policy enforcement is enabled on all endpoints even if no rules select specific endpoints.
+  # - never: All traffic is allowed from any source (on ingress) or destination (on egress)
+  policyEnforcementMode: default
+
+  # policyAuditMode: when true, no network policy is enforced.
+  #
+  # This feature helps to validate the impact of host policies before enforcing them.
+  policyAuditMode: false
+
+  # enableNodeSelectability: when true, allows Kubernetes nodes to be selected
+  # by cidr block selectors in classic NetworkPolicies.
+  #
+  # Without this, access to the Kubernets API Server pods might be restricted.
+  #
+  # See: https://github.com/cilium/cilium/issues/20550
+  enableNodeSelectability: true
+
+  operator:
+    unmanagedPodWatcher:
+      restart: true
+    monitoring:
+      enabled: true
+      installServiceMonitor: false
+
+  wireguard:
+    enabled: true
+    strictMode: false
+
+  hubble:
+    enabled: true
+    monitoring:
+      installServiceMonitor: false
+    metrics:
+      - dns
+      - drop
+      - tcp
+      - flow
+      - icmp
+      - http
+
+  prometheus:
+    enabled: true
+    installServiceMonitor: false
+
+  envoy:
+    enabled: false
diff --git a/kubespray b/kubespray
@@ -1 +1 @@
-Subproject commit b8c2ec4e69841fbd887167c039cced5730788ba1
+Subproject commit 760fbec269d339c312c64552236e27cfd66621ed
