Fix cilium strict kube proxy replacement in HA

[MrFreezeex]

Signed-off-by: Arthur Outhenin-Chalandre arthur@cri.epita.fr

What type of PR is this?

/kind bug

What this PR does / why we need it:

Fix cilium kube-proxy less install with an HA setup.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

[k8s-ci-robot]

Hi @MrFreezeex. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[MrFreezeex]

This should do the job @mmack.

I replaced the test to execute in HA mode and fixed the bug that @mmack pointed out in #6334.
You may re-execute the job, but here is the modified testcase that passed https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/-/jobs/663726571

[MrFreezeex]

I didn't know about the urlsplit filter thanks @EppO !

I refactored a bit the PR to use only one new variable hopefully It's better like that. I have to use a new variable (or another trick) because If no loadbalancer is configured the kube_apiserver_endpoint will point to localhost which is not a valid endpoint for workers. I don't think there is another way to set the KUBERNETES_SERVICE_HOST environment to each node individually. If you have a better suggestion let me know!

The succeded cilium job is here https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/-/jobs/666510925 (same code, I just removed the commit to trigger It first).

[EppO]

Important: Replace API_SERVER_IP and API_SERVER_PORT below with the concrete control-plane node IP address and the kube-apiserver port number reported by kubeadm init (usually, it is port 6443).

Specifying this is necessary as kubeadm init is run explicitly without setting up kube-proxy and as a consequence while it exports KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT with a ClusterIP of the kube-apiserver service to the environment, there is no kube-proxy in our setup provisioning that service. The Cilium agent therefore needs to be made aware of this information through below configuration.

ok now I get your point. But that means all cilium agents (deployed on every node, right?) will point to the first master if no external LB is defined. We really need a cilium doc to list this kind of limitations. Could you start a docs/cilium.md in your PR with just that "warning". We'll enhance the doc outside of that PR. Just don't want to forget about it

[MrFreezeex]

I added docs about this limitation.

[EppO]

/ok-to-test
/lgtm

[EppO]

just some makeup changes and it'll be all good!
Thanks for your PR

[EppO]

/lgtm

[EppO]

/assign @Miouge1

[Miouge1]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miouge1, MrFreezeex

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Miouge1]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment