From 5edc615fb14e1624358d5c020fb13817c004365f Mon Sep 17 00:00:00 2001
From: Tadas Sutkaitis
Date: Thu, 7 Mar 2024 23:32:59 +0200
Subject: [PATCH] feat: replace kube-proxy with cni functionality
---
 roles/cilium/defaults/main.yml | 2 ++
 roles/cilium/templates/values.yml.j2 | 6 ++++++
 roles/kubernetes/defaults/main.yml | 3 +++
 roles/kubernetes/tasks/bootstrap-cluster.yml | 1 +
 roles/kubernetes/tasks/control-plane.yml | 12 ++++++++++++
 5 files changed, 24 insertions(+)
diff --git a/roles/cilium/defaults/main.yml b/roles/cilium/defaults/main.yml
index 9f8b1a3..674f1cf 100644
--- a/roles/cilium/defaults/main.yml
+++ b/roles/cilium/defaults/main.yml
@@ -7,3 +7,5 @@ cilium_helm_values: {}
 cilium_node_image: quay.io/cilium/cilium:v1.13.3@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314
 cilium_operator_image: quay.io/cilium/operator-generic:v1.13.3@sha256:fa7003cbfdf8358cb71786afebc711b26e5e44a2ed99bd4944930bba915b8910
+
+cilium_replace_kube_proxy: false
diff --git a/roles/cilium/templates/values.yml.j2 b/roles/cilium/templates/values.yml.j2
index 2f5acb6..42700db 100644
--- a/roles/cilium/templates/values.yml.j2
+++ b/roles/cilium/templates/values.yml.j2
@@ -20,3 +20,9 @@ operator:
 ipam:
 operator:
 clusterPoolIPv4PodCIDR: "{{ cilium_ipv4_cidr | default('10.0.0.0/8') }}"
+{% if cilium_replace_kube_proxy %}
+k8sServiceHost: "{{ kubernetes_hostname }}"
+k8sServicePort: 6443
+# NOTE(fitbeard): In a newer chart versions this value should be changed to 'true'.
+kubeProxyReplacement: "strict"
+{% endif %}
diff --git a/roles/kubernetes/defaults/main.yml b/roles/kubernetes/defaults/main.yml
index 866b668..7ca56a8 100644
--- a/roles/kubernetes/defaults/main.yml
+++ b/roles/kubernetes/defaults/main.yml
@@ -43,3 +43,6 @@ kubernetes_coredns_node_selector:
 # Allow custom CA usage in the cluster
 kubernetes_allow_custom_ca: false
+
+# Do not use kube-proxy. Instead use/configure cni replacement.
+kubernetes_remove_kube_proxy: false
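Review bot: `k8sServiceHost`/`k8sServicePort` are the only way the Cilium agents reach the API server once `kubeProxyReplacement` is `strict` (with no kube-proxy left, the in-cluster `kubernetes` Service is not programmed before Cilium starts), so if `kubernetes_hostname` resolves to a single control-plane node, every node loses its CNI whenever that node is down; an HA VIP or load-balancer name belongs there, and `6443` should be taken from the same variable the kubeadm config uses rather than hard-coded. The two switches introduced in this commit, `cilium_replace_kube_proxy` and `kubernetes_remove_kube_proxy`, are independent defaults: enabling only the second leaves a cluster with no Service forwarding at all, enabling only the first runs Cilium's strict replacement alongside kube-proxy. Consider driving one from the other, e.g. `cilium_replace_kube_proxy: "{{ kubernetes_remove_kube_proxy | default(false) }}"`, or asserting they agree before either role runs. The `NOTE(fitbeard)` line would be more actionable if it named the chart version it refers to, since the images pinned in `roles/cilium/defaults/main.yml` are v1.13.3 and `"strict"` is what that line must stay at until they are bumped.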
diff --git a/roles/kubernetes/tasks/bootstrap-cluster.yml b/roles/kubernetes/tasks/bootstrap-cluster.yml
index e3786bd..a51230a 100644
--- a/roles/kubernetes/tasks/bootstrap-cluster.yml
+++ b/roles/kubernetes/tasks/bootstrap-cluster.yml
@@ -102,6 +102,7 @@
 throttle: 1
 ansible.builtin.shell: |
 kubeadm init --config /etc/kubernetes/kubeadm.yaml --upload-certs \
+ {% if kubernetes_remove_kube_proxy %}--skip-phases=addon/kube-proxy \{% endif %}
 --ignore-preflight-errors=DirAvailable--etc-kubernetes-manifests{% if kubernetes_allow_unsafe_swap %},Swap{% endif %}
 args:
 creates: /etc/kubernetes/admin.conf
diff --git a/roles/kubernetes/tasks/control-plane.yml b/roles/kubernetes/tasks/control-plane.yml
index 8e73d76..98e325b 100644
--- a/roles/kubernetes/tasks/control-plane.yml
+++ b/roles/kubernetes/tasks/control-plane.yml
@@ -55,6 +55,18 @@
 - effect: NoSchedule
 key: node-role.kubernetes.io/master
+- name: Remove kube-proxy resources
+ kubernetes.core.k8s:
+ state: absent
+ api_version: v1
+ kind: "{{ item }}"
+ namespace: kube-system
+ name: kube-proxy
+ with_items:
+ - DaemonSet
+ - ConfigMap
+ when: kubernetes_remove_kube_proxy | bool
+
 - name: Upgrade if necessary
 when:
 - kubernetes_upgrade_check_upgrade_required is defined
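Review bot: The added line places the optional flag on its own continuation line ending in `\{% endif %}`, so whether the rendered command is valid in both branches depends on Ansible's Jinja `trim_blocks` eating the newline after `{% endif %}` and, when the flag is on, on the shell reading the resulting `\-` before `--ignore-preflight-errors` as a plain `-`. The existing `,Swap` conditional shows the safer shape, where the continuation structure is static and only the argument text is conditional: `kubeadm init --config /etc/kubernetes/kubeadm.yaml --upload-certs{% if kubernetes_remove_kube_proxy %} --skip-phases=addon/kube-proxy{% endif %} \`. Because of `creates: /etc/kubernetes/admin.conf` the skip only takes effect on a fresh `kubeadm init`; an existing cluster that flips `kubernetes_remove_kube_proxy` relies entirely on the removal task in `roles/kubernetes/tasks/control-plane.yml`, which is worth stating in the variable's comment. The task's `name`/`when` header lies outside the hunk.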
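Review bot: `Remove kube-proxy resources` is ordered before `Upgrade if necessary`, and `kubeadm upgrade apply` re-installs the kube-proxy addon unless it is also given `--skip-phases=addon/kube-proxy`; if the upgrade task (its body is outside the hunk) does not pass that, a re-created DaemonSet will run beside Cilium's strict replacement until the next play. Ordering against the cilium role matters as well: deleting the DaemonSet on a node where Cilium is not yet running with `kubeProxyReplacement` enabled drops all ClusterIP/NodePort forwarding there, so the removal should be placed after, or gated on, a working replacement rather than on the boolean alone. kubeadm's addon also creates a `kube-proxy` ServiceAccount and its RBAC bindings in `kube-system`; deleting only the DaemonSet and ConfigMap leaves a standing grant for a component that no longer exists, so consider adding those kinds to the loop. As a point of style, `with_items` can be written as `loop` with the same two-element list.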