Cilium CNI version bump

[RaulButuc]

What would you like to be added

Cilium CNI version should be (incrementally) bumped from v1.15.9 to v1.17.2

cilium_version: "v1.17.2"
cilium_cli_version: "v0.18.2"
cilium_hubble_ui_image_tag: "v0.13.2"
cilium_hubble_ui_backend_image_tag: "v0.13.2"
cilium_hubble_envoy_image_tag: "v1.31.5"
cilium_hubble_certgen_image_tag: "v0.1.17"

Why is this needed

Kubespray has been using cilium version v1.15.9 for quite a while now.
Cilium v1.15 supports Kubernetes up to v1.29 - https://docs.cilium.io/en/v1.15/network/kubernetes/compatibility/
Cilium v1.16 supports Kubernetes up to v1.30 - https://docs.cilium.io/en/v1.16/network/kubernetes/compatibility/
Cilium v1.17 supports Kubernetes up to v1.32 - https://docs.cilium.io/en/stable/network/kubernetes/compatibility/

[tico88612]

/triage accept

[k8s-ci-robot]

@tico88612: The label(s) triage/accept cannot be applied, because the repository doesn't have them.

In response to this:

/triage accept

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[tico88612]

/triage accepted

[tico88612]

/assign

[tico88612]

I'm thinking of changing the installation method to a Cilium CLI installation. Otherwise, maintenance now involves manual modification of Jinja templates, and every update is painful.

@VannTen, do you have a better idea?

[VannTen]

I'm not sure what a cilium cli install means exactly TBH. My long-term plans (well, more like ideas at that stage) involves replacing all of the templated manifests (with maybe some exception) with download (like the binaries, with integrity checks) + kustomize patching (or equivalent), probably with templated patch. Won't be anytime soon though, so not much help for this.

[tico88612]

I'm not sure what a cilium cli install means exactly TBH.

Installing Cilium can be done through the Cilium CLI (e.g. cilium install, cilium install --version 1.17.2 -f my-setting.yaml), which eliminates the need to maintain the jinja template in the Cilium folder.

[VannTen]

I'm all for it, if we can do it without breaking compatibility.

[RaulButuc]

For reference, I've upgraded Cilium via Kubespray on multiple existing clusters, moving up to K8s v1.32.3 & Cilium v1.17.2 without changing any of the Jinja templates, just by updating the values for the versions as stated above. All working just fine.

EDIT: However, the upgrade had to be done in 2 phases: v1.15.9 -> v1.16.6 -> v1.17.0 (later patched to v1.17.2)

[Kaniikura]

I agree with changing the Cilium installation method in Kubespray. The primary concern is that Cilium deployed by Kubespray can behave differently from installations using Cilium's official CLI or Helm charts.

For instance, the config init container, introduced in Cilium v1.13, is missing in Kubespray deployments even when specifying the latest Cilium version. In fact, I recently encountered unexpected issues caused by this absence, which do not occur in standard Cilium environments.

To ensure consistency and reduce potential problems, it would be beneficial to align Kubespray's Cilium deployment with the official installation methods, rather than maintaining separate Jinja templates.

[RaulButuc]

To ensure consistency and reduce potential problems, it would be beneficial to align Kubespray's Cilium deployment with the official installation methods, rather than maintaining separate Jinja templates.

Yes, 100% agreed. I was only suggesting it can be upgraded without heavy changes to release in v2.27.1.

As a long-term vision, moving to use the Cilium CLI is the way to go.

[Kaniikura]

Yes, 100% agreed. I was only suggesting it can be upgraded without heavy changes to release in #12065.

I agree with your thinking. If updating Cilium version in Kubespray doesn't require major changes, it makes sense to address that first, with the installation method improvements coming at a later stage.

I've been thinking the Cilium installation method in Kubespray could use some improvements, so I just wanted to add my support when I saw this issue :)