From 9de2c93604363e9b09a0ae6e0bfc0068c9534435 Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Thu, 21 May 2026 12:17:25 +0200
Subject: [PATCH] fix(cilium): add CNI override ConfigMap and extend network-policies to OCP 5.0
Create a cilium-cni-override ConfigMap with cniVersion 0.4.0 to work around the CNI 0.3.1 incompatibility (OCPBUGS-86033). Mount the override into the cilium agent via readCniConf/extraVolumes and drop the now-redundant cni.chainingMode flag. Also extend the network-policies version gate to include OCP 5.0.
Ref: https://redhat.atlassian.net/browse/OCPBUGS-86033
Co-Authored-By: Claude Opus 4.6
---
 ...ift-hypershift-extended-cilium-commands.sh | 34 +++++++++++++++++--
 ...tended-cilium-network-policies-commands.sh | 4 +--
 2 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh
index 274f5ad7d4e78..dc747c461b450 100644
--- a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh
+++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh
@@ -45,6 +45,32 @@ oc adm policy add-scc-to-user privileged -z cilium -n cilium
 oc adm policy add-scc-to-user privileged -z cilium-operator -n cilium
 oc adm policy add-scc-to-user privileged -z cilium-envoy -n cilium
+# Overriding the default 0.3.1 cniVersion to workaround https://redhat.atlassian.net/browse/OCPBUGS-86033
+oc apply -f - <<'EOF'
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cilium-cni-override
+ namespace: cilium
+data:
+ cilium-override.conf: |
+ {
+ "cniVersion": "0.4.0",
+ "name": "portmap",
+ "plugins": [
+ {
+ "type": "cilium-cni",
+ "enable-debug": true,
+ "log-file": "/var/run/cilium/cilium-cni.log"
+ },
+ {
+ "type": "portmap",
+ "capabilities": {"portMappings": true}
+ }
+ ]
+ }
+EOF
+
 # Note: In order to test with a development version, use:
 # --repository oci://quay.io/cilium-charts-dev/cilium --version
 # where is a tag from https://quay.io/repository/cilium-charts-dev/cilium
@@ -64,9 +90,13 @@ cilium install \
 --set cni.confPath=/var/run/multus/cni/net.d \
 --set sessionAffinity=true \
 --set endpointRoutes.enabled="true" \
- --set cni.chainingMode=portmap \
 --set tunnelPort=4789 \
 --set clusterHealthPort=9940 \
- --set socketLB.enabled=true
+ --set socketLB.enabled=true \
+ --set cni.readCniConf=/etc/cilium-cni/cilium-override.conf \
+ --set extraVolumes[0].name=cni-override \
+ --set extraVolumes[0].configMap.name=cilium-cni-override \
+ --set extraVolumeMounts[0].name=cni-override \
+ --set extraVolumeMounts[0].mountPath=/etc/cilium-cni
 cilium status --namespace cilium --wait
\ No newline at end of file
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh
index cac8c5657a0dc..3b664a4baea98 100644
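Review bot: The `cilium-cni-override` ConfigMap hard-codes the complete plugin chain (`cilium-cni`, then `portmap`) and is applied on every run, with nothing tying it to the OCP versions affected by OCPBUGS-86033 or marking when it can be removed. A CNI conflist determines which plugin binaries the node runtime invokes, so a static copy like this should be easy to find and retire. I would extend the comment above `oc apply` to something like `# TODO(OCPBUGS-86033): drop this ConfigMap and restore --set cni.chainingMode=portmap once the 0.3.1 incompatibility is fixed`. `"enable-debug": true` also looks like a debugging leftover; if verbose plugin logging to `/var/run/cilium/cilium-cni.log` is wanted for CI triage, the same comment should say so.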
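Review bot: The four new `--set` arguments containing `[0]` are unquoted, so bash treats each word as a glob pattern before `cilium install` receives it. The value stays intact only while no file in the working directory matches and neither `nullglob` nor `failglob` is enabled; the script's shell options and the start of the `cilium install` command are outside this hunk. Quoting removes that dependency, e.g. `--set 'extraVolumes[0].name=cni-override' \`, and likewise for the `configMap.name`, `extraVolumeMounts[0].name` and `mountPath` lines. Separately, `cilium status --wait` would presumably still pass if the agent did not pick up `/etc/cilium-cni/cilium-override.conf`, so a follow-up check that the installed conflist reports `cniVersion` 0.4.0 would confirm the workaround is in effect.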
--- a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh
+++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh
@@ -13,8 +13,8 @@ if [[ -f "${SHARED_DIR}/nested_kubeconfig" ]]; then
 fi
 OCP_VERSION=$(oc get clusterversion version -o jsonpath='{.status.desired.version}' | cut -d. -f1-2)
-if [ "$OCP_VERSION" != "4.22" ]; then
- echo "OCP version ${OCP_VERSION} is not 4.22, skipping NetworkPolicy workarounds"
+if [[ "$OCP_VERSION" != "4.22" && "$OCP_VERSION" != "5.0" ]]; then
+ echo "OCP version ${OCP_VERSION}, skipping NetworkPolicy workarounds"
 exit 0
 fi
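Review bot: The widened gate still treats an unreadable version the same as an unsupported one. If `oc get clusterversion` yields nothing, `OCP_VERSION` is empty, both `!=` tests are true, and the step exits 0 having skipped the NetworkPolicy workarounds, with the log showing only `OCP version , skipping NetworkPolicy workarounds`. Whether `set -e` or `pipefail` would stop the script earlier is not visible, since the top of the script is outside the hunk. I would fail loudly before the comparison, e.g. `[[ -n "$OCP_VERSION" ]] || { echo "could not determine OCP version" >&2; exit 1; }`, and keep the supported versions in the skip message (`is not 4.22 or 5.0`) so the log explains the decision.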