Update Cilium migration how-to to always use api-int
We can't use the public `api` record since Cilium simply patches the
clientset generated by `InClusterConfig()` [1] with the provided API host
name, cf. `createConfig()` [2]. Notably, the clientset still uses the
K8s-managed in-cluster CA bundle which isn't suitable for validating
public certificates.

If we actually want to use the `api` record, we'd have to somehow configure
Cilium to use a custom kubeconfig (which I'm not sure is possible when
running Cilium in a cluster).

[1]: https://pkg.go.dev/k8s.io/client-go/rest#InClusterConfig
[2]: https://github.com/cilium/cilium/blob/bb81b095cb64053887e3cb087b53518c162beec6/pkg/k8s/client/cell.go#L348-L352
simu committed Dec 4, 2024
1 parent b32c483 commit e364a72
Showing 1 changed file with 5 additions and 8 deletions.
13 changes: 5 additions & 8 deletions docs/modules/ROOT/pages/how-tos/network/migrate-to-cilium.adoc
Expand Up @@ -148,18 +148,15 @@ yq eval -i '.parameters.networkpolicy.ignoredNamespaces = ["openshift-oauth-apis
[source,bash]
----
export CLUSTER_DOMAIN=$(kubectl get dns cluster -ojsonpath='{.spec.baseDomain}')
kubectl --as=cluster-admin -n openshift-dns exec ds/node-resolver -- nslookup api-int.${CLUSTER_DOMAIN}
kubectl --as=cluster-admin -n openshift-dns exec ds/node-resolver -- dig +short api-int.${CLUSTER_DOMAIN}
----
+
[TIP]
[NOTE]
====
If the command doesn't return a valid record for `api-int`, the Cilium config needs to be adjusted to use the `api` record to ensure that the Kubernetes API can be accessed.
The command should always return a valid record for `api-int`.
[source,bash]
----
yq -i '.parameters.cilium.cilium_helm_values.k8sServiceHost="api.${openshift:baseDomain}"' \
"${CLUSTER_ID}.yml"
----
If it doesn't, please check that the OpenShift DNS cluster operator is healthy and double-check that the record is being resolved on the internal DNS for clusters on vSphere.
You can see more details about the lookup by omitting the `+short` flag for the `dig` command.
====

. Configure component `cilium`.
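Review bot: the rewritten NOTE no longer tells the reader why `api-int` is mandatory, so the `api` workaround this commit removes is likely to be re-added by the next person who hits a failing lookup; the commit message already has the reason (Cilium patches the `InClusterConfig()` clientset with the given host but keeps the in-cluster CA bundle, which can't validate the public `api` certificate), and a single sentence such as "Cilium must use `api-int`, because it validates the API server certificate against the in-cluster CA bundle" would carry it into the doc. Also, `dig +short` prints nothing and exits 0 when no record exists, so "should always return a valid record" should spell out that the reader must confirm a non-empty answer by eye; the old `nslookup` at least exited non-zero on NXDOMAIN, which the troubleshooting hint about omitting `+short` doesn't replace.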
