Cilium deprecated values for kube-proxy-replacement now refused by daemonset/cilium

[ledroide]

summary

Cilium v1.16 fails to start in CrashLoopBackOff with this log :

level=fatal msg="failed to start: daemon creation failed: unable to initialize kube-proxy replacement options: Invalid value for --kube-proxy-replacement: partial\nfailed to stop: unable to find controller ipcache-inject-labels" subsys=daemon

This is due to settings values that have been deprecated since january 2023 in agent: Deprecate --kube-proxy-replacement=partial and agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead, and not supported anymore since march 2024 for v1.16.0.

Quote :

Users will have enough time to update their tools. We will completely remove the options in v1.16.

From cilum release notes :

cleanup: Remove deprecated values for KPR (#31286, @sayboras)

environment

• Kubespray version (commit): 343d680
• Network plugin: cilium
• Container runtime and engine: cri-o + crun
• OS: Ubuntu Cloud 24.04 Minimal
• Ansible: 2.16.9
• Python: 3.12.3
• Playbook: cluster.yml

what should be updated

• value for cilium_kube_proxy_replacement: strict is changed with cilium_kube_proxy_replacement: true
• value for cilium_kube_proxy_replacement: partial and disabled are both changed with cilium_kube_proxy_replacement: false
• docs/CNI/cilium.md -> "Kube-proxy replacement with Cilium" paragraph
• roles/network_plugin/cilium/templates/cilium/config.yml.j2 -> where value should be quoted to be a string, if I well understand the cilium code
• roles/network_plugin/cilium/templates/cilium/ds.yml.j2 ->with conditionals
• roles/kubespray-defaults/defaults/main/main.yml -> with conditionals
• roles/network_plugin/cilium/templates/cilium-operator/deploy.yml.j2 -> with conditionals
• roles/network_plugin/cilium/defaults/main.yml -> set default value to false
• tests/files/packet_rockylinux9-cilium.yml and tests/files/packet_debian12-cilium-svc-proxy.yml
• inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml

I will try to fix it, and then if it succeeds I will sent a pull-request.

[ledroide]

Thinking of breaking changes .... this will be a breaking change anyway for users that have set a value for cilium_kube_proxy_replacement in their inventory. I'm afraid there is no solution for them.

Other issue can be in replacing 3 old options disabled/partial/strict with only a boolean choice. I have no idea how to manage this.

[tico88612]

We can just remind users about breaking change in the release note.

[Uncurlhalo]

Did you ever resolve this bug or was it incorporated into another release? I'm experiencing this issue

[ledroide]

Did you ever resolve this bug or was it incorporated into another release? I'm experiencing this issue

@Uncurlhalo : I had no time to work on this issue, so I cannot upgrade Cilium anymore - like other Cilium fans I guess.

I have made a census of files that should be fixed to solve deprecation, see "what should be updated" in my description. Not sure it is exhaustive however, but I think my list is complete.

Please feel free to fix theses variables and documentation in your own repo fork. I'll try to help ass soon as I can.