feat: auto enable Cilium kube-proxy replacement

dkoshkin · dkoshkin · commit dca0748bc15c · 2025-09-03T15:46:04.000-07:00
diff --git a/charts/cluster-api-runtime-extensions-nutanix/addons/cni/cilium/values-template.yaml b/charts/cluster-api-runtime-extensions-nutanix/addons/cni/cilium/values-template.yaml
@@ -33,3 +33,7 @@ socketLB:
 envoy:
   image:
     useDigest: false
+{{- if .EnableKubeProxyReplacement }}
+kubeProxyReplacement: true
+k8sServiceHost: auto
+{{- end }}
diff --git a/charts/cluster-api-runtime-extensions-nutanix/templates/cni/cilium/manifests/cilium-configmap.yaml b/charts/cluster-api-runtime-extensions-nutanix/templates/cni/cilium/manifests/cilium-configmap.yaml
diff --git a/hack/addons/kustomize/cilium/kustomization.yaml.tmpl b/hack/addons/kustomize/cilium/kustomization.yaml.tmpl
@@ -19,7 +19,7 @@ helmCharts:
   skipTests: true
   namespace: kube-system
   kubeVersion: ${E2E_KUBERNETES_VERSION}
-  valuesFile: ../../../../charts/cluster-api-runtime-extensions-nutanix/addons/cni/cilium/values-template.yaml
+  valuesFile: helm-values.yaml
   # The CRS manifests are generated from the Cilium Helm chart using Kustomize. The Cilium
   # Helm chart uses a Helm hook to generate TLS certificates for Hubble. As the
   # CRS manifests are static those Helm hooks don't apply and so for now Hubble is
diff --git a/hack/addons/update-cilium-manifests.sh b/hack/addons/update-cilium-manifests.sh
@@ -21,13 +21,18 @@ readonly FILE_NAME="cilium.yaml"
 
 readonly KUSTOMIZE_BASE_DIR="${SCRIPT_DIR}/kustomize/cilium"
 mkdir -p "${ASSETS_DIR}/cilium"
-envsubst -no-unset <"${KUSTOMIZE_BASE_DIR}/kustomization.yaml.tmpl" >"${KUSTOMIZE_BASE_DIR}/kustomization.yaml"
-trap_add "rm -f ${KUSTOMIZE_BASE_DIR}/kustomization.yaml" EXIT
+envsubst -no-unset <"${KUSTOMIZE_BASE_DIR}/kustomization.yaml.tmpl" >"${ASSETS_DIR}/kustomization.yaml"
+
+cat <<EOF >"${ASSETS_DIR}/gomplate-context.yaml"
+EnableKubeProxyReplacement: true
+EOF
+gomplate -f "${GIT_REPO_ROOT}/charts/cluster-api-runtime-extensions-nutanix/addons/cni/cilium/values-template.yaml" \
+  --context .="${ASSETS_DIR}/gomplate-context.yaml" \
+  >"${ASSETS_DIR}/helm-values.yaml"
 
 kustomize build \
   --load-restrictor LoadRestrictionsNone \
-  --enable-helm "${KUSTOMIZE_BASE_DIR}/" >"${ASSETS_DIR}/${FILE_NAME}"
-trap_add "rm -rf ${KUSTOMIZE_BASE_DIR}/charts/" EXIT
+  --enable-helm "${ASSETS_DIR}/" >"${ASSETS_DIR}/${FILE_NAME}"
 
 # The operator manifest in YAML format is pretty big. It turns out that much of that is whitespace. Converting the
 # manifest to JSON without indentation allows us to remove most of the whitespace, reducing the size by more than half.
diff --git a/hack/tools/fetch-images/main.go b/hack/tools/fetch-images/main.go
@@ -259,7 +259,25 @@ func getValuesFileForChartIfNeeded(chartName, carenChartDirectory string) (strin
 	case "snapshot-controller":
 		return filepath.Join(carenChartDirectory, "addons", "csi", "snapshot-controller", defaultHelmAddonFilename), nil
 	case "cilium":
-		return filepath.Join(carenChartDirectory, "addons", "cni", "cilium", defaultHelmAddonFilename), nil
+		f := filepath.Join(carenChartDirectory, "addons", "cni", "cilium", defaultHelmAddonFilename)
+		tempFile, err := os.CreateTemp("", "")
+		if err != nil {
+			return "", fmt.Errorf("failed to create temp file: %w", err)
+		}
+
+		type input struct {
+			EnableKubeProxyReplacement bool
+		}
+		templateInput := input{
+			EnableKubeProxyReplacement: true,
+		}
+
+		err = template.Must(template.New(defaultHelmAddonFilename).ParseFiles(f)).Execute(tempFile, &templateInput)
+		if err != nil {
+			return "", fmt.Errorf("failed to execute helm values template %w", err)
+		}
+
+		return tempFile.Name(), nil
 	// Calico values differ slightly per provider, but that does not have a material imapct on the images required
 	// so we can use the default values file for AWS provider.
 	case "tigera-operator":
diff --git a/pkg/handlers/generic/lifecycle/cni/cilium/handler.go b/pkg/handlers/generic/lifecycle/cni/cilium/handler.go
@@ -221,7 +221,8 @@ func (c *CiliumCNI) apply(
 			),
 			c.client,
 			helmChart,
-		)
+		).
+			WithValueTemplater(templateValues)
 	case "":
 		resp.SetStatus(runtimehooksv1.ResponseStatusFailure)
 		resp.SetMessage("strategy not specified for Cilium CNI addon")
diff --git a/pkg/handlers/generic/lifecycle/cni/cilium/template.go b/pkg/handlers/generic/lifecycle/cni/cilium/template.go
@@ -0,0 +1,42 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package cilium
+
+import (
+	"bytes"
+	"fmt"
+	"text/template"
+
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+
+	capiutils "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/common/pkg/capi/utils"
+)
+
+// templateValues enables kube-proxy replacement when skip kube-proxy annotation is set.
+func templateValues(cluster *clusterv1.Cluster, text string) (string, error) {
+	ciliumTemplate, err := template.New("").Parse(text)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse template: %w", err)
+	}
+
+	type input struct {
+		EnableKubeProxyReplacement bool
+	}
+
+	// Assume when kube-proxy is skipped, we should enable Cilium's kube-proxy replacement feature.
+	templateInput := input{
+		EnableKubeProxyReplacement: capiutils.SkipKubeProxy(cluster),
+	}
+
+	var b bytes.Buffer
+	err = ciliumTemplate.Execute(&b, templateInput)
+	if err != nil {
+		return "", fmt.Errorf(
+			"failed setting target Cluster name and namespace in template: %w",
+			err,
+		)
+	}
+
+	return b.String(), nil
+}
