[cilium] embed cilium-cli as a subcommand

Taskfile.yml

@@ -34,14 +34,16 @@ vars:
 
       echo "${ldflags[*]-}"
 
+  ciliumCLIVersion: "0.15.22"
+
   cgoTags: "dfrunsecurity dfrunnetwork dfrunmount dfssh containers_image_openpgp osusergo exclude_graphdriver_devicemapper netgo no_devmapper static_build cni"
   goTags: "dfrunsecurity dfrunnetwork dfrunmount dfssh containers_image_openpgp"
 
   cgoDevLDFlags: "-linkmode external -extldflags=-static"
   goDevLDFlags: ""
 
-  cgoReleaseLDFlags: "-linkmode external -extldflags=-static -s -w -X 'github.com/deckhouse/deckhouse-cli/cmd.Version={{ .version }}' -X github.com/werf/werf/pkg/werf.Version={{ .version }} {{ .kubectlLDFlags }}"
-  goReleaseLDFlags: "-s -w -X 'github.com/deckhouse/deckhouse-cli/cmd.Version={{ .version }}' -X github.com/werf/werf/pkg/werf.Version={{ .version }} {{ .kubectlLDFlags }}"
+  cgoReleaseLDFlags: "-linkmode external -extldflags=-static -s -w -X 'github.com/deckhouse/deckhouse-cli/cmd.Version={{ .version }}' -X 'github.com/cilium/cilium-cli/cli.Version=v{{ .ciliumCLIVersion }}' -X github.com/werf/werf/pkg/werf.Version={{ .version }} {{ .kubectlLDFlags }}"
+  goReleaseLDFlags: "-s -w -X 'github.com/deckhouse/deckhouse-cli/cmd.Version={{ .version }}' -X 'github.com/cilium/cilium-cli/cli.Version=v{{ .ciliumCLIVersion }}' -X github.com/werf/werf/pkg/werf.Version={{ .version }} {{ .kubectlLDFlags }}"
 
 tasks:
   _build:cgo:dev:
@@ -136,6 +138,15 @@ tasks:
       - build:dist:darwin:arm64
       - build:dist:windows:amd64
 
+  build:dist:linux:amd64:wocgo:
+    desc: Build d8 release binary for linux/amd64 w/o cgo
+    cmds:
+      - task: _build:go:dist
+        vars:
+          targetOS: "linux"
+          targetArch: "amd64"
+          outputDir: "{{ .outputDir }}"
+
   build:dist:linux:amd64:
     desc: Build d8 release binary for linux/amd64
     cmds:
@@ -238,3 +249,42 @@ tasks:
     desc: Clean all binaries
     cmds:
       - rm -rf ./build ./dist ./d8
+
+  _cilium:clone:
+    desc: Clone cilium-cli
+    cmds:
+      - mkdir -p internal/cilium-cli
+      - git clone --depth 1 --branch v{{ .ciliumCLIVersion }} {{ .SOURCE_REPO }}/cilium/cilium-cli.git internal/cilium-cli
+    vars:
+      SOURCE_REPO: "https://github.com"
+
+  _cilium:patch:
+    desc: Patch cilium-cli
+    dir: internal/cilium-cli
+    cmds:
+      - find ../../patches/cilium-cli -name '*.patch' | xargs git apply --verbose
+
+  _cilium:gomod-replace:
+    desc: Add replace to go.mod
+    cmds:
+      - go mod edit -replace github.com/cilium/cilium-cli=./internal/cilium-cli
+      - go mod tidy
+
+  _cilium:original-build:
+    desc: Build cilium-cli
+    dir: internal/cilium-cli
+    cmds:
+      - make install
+
+  _cilium:clean:
+    desc: Clean cilium dir
+    cmds:
+      - rm -rf internal/cilium-cli
+
+  build-d8-w-cilium:
+    desc: Build and package all d8 binaries
+    cmds:
+      - task: _cilium:clone
+      - task: _cilium:patch
+      - task: _cilium:gomod-replace
+      - task: build:dist:linux:amd64

cmd/cilium.go

@@ -0,0 +1,25 @@
+/*
+Copyright 2024 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cmd
+
+import (
+	"github.com/cilium/cilium-cli/cli"
+)
+
+func init() {
+	rootCmd.AddCommand(cli.NewCiliumCommand(&cli.NopHooks{}))
+}

go.mod

@@ -4,6 +4,7 @@ go 1.22.0
 
 require (
 	github.com/Masterminds/semver/v3 v3.2.1
+	github.com/cilium/cilium-cli v0.15.22
 	github.com/deckhouse/virtualization/api v0.0.0-20240326113112-979c4f4f17b9
 	github.com/google/go-containerregistry v0.19.1
 	github.com/gookit/color v1.5.4
@@ -14,7 +15,7 @@ require (
 	github.com/samber/lo v1.39.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.0
-	github.com/spf13/pflag v1.0.5
+	github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace
 	github.com/stretchr/testify v1.9.0
 	github.com/werf/3p-helm v0.0.0-20240806141915-3137f4cc1557
 	github.com/werf/logboek v0.6.1
@@ -129,7 +130,7 @@ require (
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.2 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/evanphx/json-patch v5.8.0+incompatible // indirect
+	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
 	github.com/fatih/camelcase v1.0.0 // indirect
 	github.com/fatih/color v1.16.0 // indirect
@@ -297,7 +298,7 @@ require (
 	github.com/ulikunitz/xz v0.5.11 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
 	github.com/vbauerster/mpb/v8 v8.7.2 // indirect
-	github.com/vishvananda/netlink v1.2.1-beta.2 // indirect
+	github.com/vishvananda/netlink v1.2.1-beta.2.0.20231127184239-0ced8385386a // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/wI2L/jsondiff v0.5.0 // indirect
 	github.com/werf/copy-recurse v0.2.7 // indirect

go.sum

@@ -181,6 +181,7 @@ github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObk
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
+github.com/cilium/cilium-cli v0.15.22/go.mod h1:lBs+5L0JBGyxfdjsQwQ+iJnkGHhK1xUDaGUCsxSXmZQ=
 github.com/cilium/ebpf v0.12.3 h1:8ht6F9MquybnY97at+VDZb3eQQr8ev79RueWeVaEcG4=
 github.com/cilium/ebpf v0.12.3/go.mod h1:TctK1ivibvI3znr66ljgi4hqOT8EYQjz1KWBfb1UVgM=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
@@ -322,6 +323,7 @@ github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a
 github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch v5.8.0+incompatible h1:1Av9pn2FyxPdvrWNQszj1g6D6YthSmvCfcN6SYclTJg=
 github.com/evanphx/json-patch v5.8.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4=
 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc=
 github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8=
@@ -937,6 +939,7 @@ github.com/spf13/jwalterweatherman v0.0.0-20141219030609-3d60171a6431/go.mod h1:
 github.com/spf13/pflag v1.0.0/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v0.0.0-20150530192845-be5ff3e4840c/go.mod h1:A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM=
 github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ=
 github.com/spf13/viper v1.18.2/go.mod h1:EKmWIqdnk5lOcmR72yw6hS+8OPYcwD0jteitLMVB+yk=
@@ -998,6 +1001,7 @@ github.com/vbauerster/mpb/v8 v8.7.2 h1:SMJtxhNho1MV3OuFgS1DAzhANN1Ejc5Ct+0iSaIkB
 github.com/vbauerster/mpb/v8 v8.7.2/go.mod h1:ZFnrjzspgDHoxYLGvxIruiNk73GNTPG4YHgVNpR10VY=
 github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
 github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
+github.com/vishvananda/netlink v1.2.1-beta.2.0.20231127184239-0ced8385386a/go.mod h1:whJevzBpTrid75eZy99s3DqCmy05NfibNaF2Ol5Ox5A=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
@@ -1311,6 +1315,7 @@ golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=

patches/cilium-cli/001-defaults.patch

@@ -0,0 +1,124 @@
+diff --git a/defaults/defaults.go b/defaults/defaults.go
+index 184eda2c..b1c68210 100644
+--- a/defaults/defaults.go
++++ b/defaults/defaults.go
+@@ -12,12 +12,12 @@ const (
+ 	Version = "v1.15.0"
+
+ 	AgentContainerName      = "cilium-agent"
+-	AgentServiceAccountName = "cilium"
+-	AgentClusterRoleName    = "cilium"
++	AgentServiceAccountName = "agent"
++	AgentClusterRoleName    = "d8:cni-cilium:agent"
+ 	AgentSecretsRoleName    = "cilium-secrets"
+ 	AgentConfigRoleName     = "cilium-config-agent"
+-	AgentDaemonSetName      = "cilium"
+-	AgentPodSelector        = "k8s-app=cilium"
++	AgentDaemonSetName      = "agent"
++	AgentPodSelector        = "app=agent"
+ 	AgentResourceQuota      = "cilium-resource-quota"
+ 	AgentImage              = "quay.io/cilium/cilium"
+
+@@ -33,13 +33,13 @@ const (
+
+ 	NodeInitDaemonSetName = "cilium-node-init"
+
+-	OperatorServiceAccountName = "cilium-operator"
+-	OperatorClusterRoleName    = "cilium-operator"
+-	OperatorPodSelector        = "io.cilium/app=operator"
++	OperatorServiceAccountName = "operator"
++	OperatorClusterRoleName    = "d8:cni-cilium:operator"
++	OperatorPodSelector        = "app=operator"
+ 	OperatorSecretsRoleName    = "cilium-operator-secrets"
+-	OperatorContainerName      = "cilium-operator"
++	OperatorContainerName      = "operator"
+ 	OperatorMetricsPortName    = "prometheus"
+-	OperatorDeploymentName     = "cilium-operator"
++	OperatorDeploymentName     = "operator"
+ 	OperatorResourceQuota      = "cilium-operator-resource-quota"
+ 	OperatorImage              = "quay.io/cilium/operator-generic"
+ 	OperatorImageAWS           = "quay.io/cilium/operator-aws"
+@@ -50,15 +50,15 @@ const (
+ 	RelayContainerName       = "hubble-relay"
+ 	RelayDeploymentName      = "hubble-relay"
+ 	RelayClusterRoleName     = "hubble-relay"
+-	RelayServiceAccountName  = "hubble-relay"
++	RelayServiceAccountName  = "relay"
+ 	RelayConfigMapName       = "hubble-relay-config"
+ 	RelayImage               = "quay.io/cilium/hubble-relay"
+ 	RelayServerSecretName    = "hubble-relay-server-certs"
+ 	RelayClientSecretName    = "hubble-relay-client-certs"
+ 	HubbleUIClientSecretName = "hubble-ui-client-certs"
+
+-	HubbleUIClusterRoleName    = "hubble-ui"
+-	HubbleUIServiceAccountName = "hubble-ui"
++	HubbleUIClusterRoleName    = "d8:cilium-hubble:ui:reader"
++	HubbleUIServiceAccountName = "ui"
+ 	HubbleUIDeploymentName     = "hubble-ui"
+ 	HubbleUIImage              = "quay.io/cilium/hubble-ui"
+ 	HubbleUIBackendImage       = "quay.io/cilium/hubble-ui-backend"
+diff --git a/internal/cli/cmd/cmd.go b/internal/cli/cmd/cmd.go
+index 0c38f5ac..a04fccb7 100644
+--- a/internal/cli/cmd/cmd.go
++++ b/internal/cli/cmd/cmd.go
+@@ -75,7 +75,7 @@ cilium connectivity test`,
+ 	}
+
+ 	cmd.PersistentFlags().StringVar(&contextName, "context", "", "Kubernetes configuration context")
+-	cmd.PersistentFlags().StringVarP(&namespace, "namespace", "n", "kube-system", "Namespace Cilium is running in")
++	cmd.PersistentFlags().StringVarP(&namespace, "namespace", "n", "d8-cni-cilium", "Namespace Cilium is running in")
+
+ 	cmd.AddCommand(
+ 		newCmdBgp(),
+diff --git a/sysdump/defaults.go b/sysdump/defaults.go
+index 0452cba0..231dc7c9 100644
+--- a/sysdump/defaults.go
++++ b/sysdump/defaults.go
+@@ -11,11 +11,11 @@ import (
+ )
+
+ const (
+-	labelPrefix = "k8s-app="
++	labelPrefix = "app="
+ )
+
+ const (
+-	DefaultCiliumLabelSelector               = labelPrefix + "cilium"
++	DefaultCiliumLabelSelector               = labelPrefix + "agent"
+ 	DefaultCiliumEnvoyLabelSelector          = labelPrefix + "cilium-envoy"
+ 	DefaultCiliumOperatorLabelSelector       = "io.cilium/app=operator"
+ 	DefaultClustermeshApiserverLabelSelector = labelPrefix + "clustermesh-apiserver"
+@@ -38,7 +38,7 @@ const (
+ 	DefaultQuick                             = false
+ 	DefaultOutputFileName                    = "cilium-sysdump-<ts>" // "<ts>" will be replaced with the timestamp
+ 	DefaultDetectGopsPID                     = false
+-	DefaultCNIConfigDirectory                = "/etc/cni/net.d/"
++	DefaultCNIConfigDirectory                = "/host/etc/cni/net.d/"
+ 	DefaultCNIConfigMapName                  = "cni-configuration"
+ 	DefaultTetragonNamespace                 = "kube-system"
+ 	DefaultTetragonLabelSelector             = "app.kubernetes.io/name=tetragon"
+@@ -60,9 +60,9 @@ var (
+
+ 	// DefaultCiliumNamespaces will be used to attempt to autodetect what namespace Cilium is installed in
+ 	// unless otherwise specified.
+-	DefaultCiliumNamespaces = []string{"kube-system", "cilium"}
++	DefaultCiliumNamespaces = []string{"kube-system", "cilium", "d8-cni-cilium"}
+
+ 	// DefaultCiliumSPIRENamespaces will be used to attempt to autodetect what namespace Cilium SPIRE is installed in
+ 	// unless otherwise specified.
+-	DefaultCiliumSPIRENamespaces = []string{"kube-system", "cilium", "cilium-spire"}
++	DefaultCiliumSPIRENamespaces = []string{"kube-system", "cilium", "cilium-spire", "d8-cni-cilium"}
+ )
+diff --git a/sysdump/sysdump.go b/sysdump/sysdump.go
+index ebe90e99..c279dbff 100644
+--- a/sysdump/sysdump.go
++++ b/sysdump/sysdump.go
+@@ -2471,7 +2471,7 @@ func detectCiliumNamespace(k KubernetesClient) (string, error) {
+ 			return "", fmt.Errorf("failed to detect Cilium namespace: %w", err)
+ 		}
+
+-		_, err = k.GetDaemonSet(ctx, ns.Name, "cilium", metav1.GetOptions{})
++		_, err = k.GetDaemonSet(ctx, ns.Name, "agent", metav1.GetOptions{})
+ 		if errors.IsNotFound(err) {
+ 			continue
+ 		}