From a8575989289fd45ab42b7535aaed152cf2a2c5e2 Mon Sep 17 00:00:00 2001 From: Tadas Sutkaitis Date: Thu, 7 Mar 2024 23:32:59 +0200 Subject: [PATCH] feat: replace kube-proxy with cni functionality --- roles/cilium/defaults/main.yml | 2 ++ roles/cilium/templates/values.yml.j2 | 6 ++++++ roles/kubernetes/defaults/main.yml | 3 +++ roles/kubernetes/tasks/bootstrap-cluster.yml | 1 + roles/kubernetes/tasks/control-plane.yml | 13 +++++++++++++ 5 files changed, 25 insertions(+) diff --git a/roles/cilium/defaults/main.yml b/roles/cilium/defaults/main.yml index c59c3bec..474fb0e2 100644 --- a/roles/cilium/defaults/main.yml +++ b/roles/cilium/defaults/main.yml @@ -7,3 +7,5 @@ cilium_helm_values: {} cilium_node_image: quay.io/cilium/cilium:v1.14.8@sha256:7fca3ba4b04af066e8b086b5c1a52e30f52db01ffc642e7db0a439514aed3ada cilium_operator_image: quay.io/cilium/operator-generic:v1.14.8@sha256:56d373c12483c09964a00a29246595917603a077a298aa90a98e4de32c86b7dc + +cilium_replace_kube_proxy: false diff --git a/roles/cilium/templates/values.yml.j2 b/roles/cilium/templates/values.yml.j2 index 4aec12c2..7cc81666 100644 --- a/roles/cilium/templates/values.yml.j2 +++ b/roles/cilium/templates/values.yml.j2 @@ -21,4 +21,10 @@ ipam: operator: clusterPoolIPv4PodCIDRList: - "{{ cilium_ipv4_cidr | default('10.0.0.0/8') }}" +{% if cilium_replace_kube_proxy %} +k8sServiceHost: "{{ kubernetes_hostname }}" +k8sServicePort: 6443 +kubeProxyReplacement: "true" +kubeProxyReplacementHealthzBindAddr: "0.0.0.0:10256" +{% endif %} upgradeCompatibility: "1.13" diff --git a/roles/kubernetes/defaults/main.yml b/roles/kubernetes/defaults/main.yml index 866b6686..7ca56a86 100644 --- a/roles/kubernetes/defaults/main.yml +++ b/roles/kubernetes/defaults/main.yml @@ -43,3 +43,6 @@ kubernetes_coredns_node_selector: # Allow custom CA usage in the cluster kubernetes_allow_custom_ca: false + +# Do not use kube-proxy. Instead use/configure cni replacement. +kubernetes_remove_kube_proxy: false 
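Review bot: `cilium_replace_kube_proxy` and `kubernetes_remove_kube_proxy` (the defaults hunk in roles/kubernetes/defaults/main.yml) are two independent toggles for one mode switch, and nothing on the page ties them together: removing kube-proxy without the Cilium replacement leaves Services with no datapath, while enabling the replacement and keeping kube-proxy runs two competing ones. Document the coupling where each default is declared, e.g. `# Must be set together with kubernetes_remove_kube_proxy (roles/kubernetes); enabling only one of the two breaks Service traffic.`, and mirror the sentence on the kubernetes side, whose comment currently names "cni replacement" without pointing at the flag. An `ansible.builtin.assert` that both flags agree at play start would turn a silent outage into an early failure, and deriving one default from the other would remove the second knob entirely.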
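Review bot: `k8sServicePort: 6443` is hard-coded next to a templated `k8sServiceHost`, and once kube-proxy is gone these two values are how the Cilium agent on every node reaches the API server, since nothing else programs the kubernetes.default ClusterIP before the agent is up; both therefore have to name an endpoint that is stable and reachable from every node. If `kubernetes_hostname` resolves to a single control-plane node rather than a load-balanced endpoint, that node becomes a single point of failure for the whole datapath — worth confirming against its definition, which is outside this diff. Make the port a role default (e.g. `cilium_k8s_service_port: 6443`) and state the host requirement with a template comment such as `{# API endpoint the agent uses without kube-proxy; must be the control-plane endpoint from the kubeadm config, not a per-node name #}`. `kubeProxyReplacementHealthzBindAddr: "0.0.0.0:10256"` mirrors kube-proxy's default healthz listener, so node-firewall rules written for kube-proxy's port carry over unchanged.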
diff --git a/roles/kubernetes/tasks/bootstrap-cluster.yml b/roles/kubernetes/tasks/bootstrap-cluster.yml index e3786bd4..a51230ae 100644 --- a/roles/kubernetes/tasks/bootstrap-cluster.yml +++ b/roles/kubernetes/tasks/bootstrap-cluster.yml @@ -102,6 +102,7 @@ throttle: 1 ansible.builtin.shell: | kubeadm init --config /etc/kubernetes/kubeadm.yaml --upload-certs \ + {% if kubernetes_remove_kube_proxy %}--skip-phases=addon/kube-proxy \{% endif %} --ignore-preflight-errors=DirAvailable--etc-kubernetes-manifests{% if kubernetes_allow_unsafe_swap %},Swap{% endif %} args: creates: /etc/kubernetes/admin.conf diff --git a/roles/kubernetes/tasks/control-plane.yml b/roles/kubernetes/tasks/control-plane.yml index 8e73d764..2b7598cd 100644 --- a/roles/kubernetes/tasks/control-plane.yml +++ b/roles/kubernetes/tasks/control-plane.yml @@ -55,6 +55,19 @@ - effect: NoSchedule key: node-role.kubernetes.io/master +- name: Remove kube-proxy resources + run_once: true + kubernetes.core.k8s: + state: absent + api_version: v1 + kind: "{{ item }}" + namespace: kube-system + name: kube-proxy + with_items: + - DaemonSet + - ConfigMap + when: kubernetes_remove_kube_proxy | bool + - name: Upgrade if necessary when: - kubernetes_upgrade_check_upgrade_required is defined
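Review bot: The added line puts `{% endif %}` after the trailing `\`, so whether the rendered command is well-formed depends on Ansible's templating trimming the newline after the block tag: without that trim the false branch leaves an empty line after `--upload-certs \` and `--ignore-preflight-errors=...` runs as a separate command, and with it the true branch only works because the shell then reads `\-` as an escaped `-`. The existing `--ignore-preflight-errors` line below keeps its Jinja inline and leaves the shell continuation intact; the new flag can follow the same pattern on the previous line: `kubeadm init --config /etc/kubernetes/kubeadm.yaml --upload-certs{% if kubernetes_remove_kube_proxy %} --skip-phases=addon/kube-proxy{% endif %} \`. The `ansible.builtin.shell` task starts and ends outside the hunk.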
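Review bot: `api_version: v1` is applied to both loop items, but DaemonSet lives in `apps/v1`; kubernetes.core.k8s resolves the resource from the api_version/kind pair, so the DaemonSet deletion is likely to fail with a resource-not-found error while only the ConfigMap is removed. Carry the API group per item, as below, and `loop` can replace `with_items` while doing so. Deleting the DaemonSet also does not undo the iptables rules kube-proxy already programmed on nodes that ran it before the switch; a task comment such as `# Stale kube-proxy iptables rules survive this deletion; nodes that ran kube-proxy need a rule cleanup or reboot` would spare the next operator a debugging session.
```yaml
- name: Remove kube-proxy resources
  # … unchanged: run_once …
  kubernetes.core.k8s:
    state: absent
    api_version: "{{ item.api_version }}"
    kind: "{{ item.kind }}"
    # … unchanged: namespace, name …
  loop:
    - kind: DaemonSet
      api_version: apps/v1
    - kind: ConfigMap
      api_version: v1
  when: kubernetes_remove_kube_proxy | bool
```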