[Bug]: Cilium fails to start (CrashLoopBackOff) when routingMode=native and tunnelProtocol=disabled in v2.30.0

[emircanagac]

What happened?

When cilium_tunnel_mode: disabled and cilium_routing_mode: native are explicitly set in the Kubespray inventory, the Cilium agents fail to start.

Despite the configuration in k8s-net-cilium.yml clearly stating that tunneling should be disabled, the rendered Helm chart attempts to initialize tunnel protocols (vxlan/geneve) and standalone DNS proxies. The agent logs show the application crashing due to conflicting settings: it is being forced to run in tunnel mode by the Helm chart, even though the user configuration explicitly requested native routing.

What did you expect to happen?

Kubespray should honor the inventory settings. If cilium_tunnel_mode: disabled and cilium_routing_mode: native are set, the rendered Helm chart is expected to disable all tunneling (tunnelProtocol: "") to prevent the agent from entering a conflicted state.

How can we reproduce it (as minimally and precisely as possible)?

1. Use Kubespray v2.30.0.
2. Configure k8s-net-cilium.yml with the following variables:

cilium_tunnel_mode: disabled

3. Run cluster.yml or upgrade-cluster.yml.
4. Observe the kube-system namespace. Cilium and Hubble relay pods will fail to start and enter CrashLoopBackOff.

OS

RHEL 10

Version of Ansible

As bundled in quay.io/kubespray/kubespray:v2.30.0 Docker image

Version of Python

As bundled in quay.io/kubespray/kubespray:v2.30.0 Docker image

Version of Kubespray (commit)

v2.30.0

Network plugin used

cilium

Full inventory with variables

# k8s-net-cilium.yml
cilium_enable_ipv4: true
cilium_enable_ipv6: false
cilium_l2announcements: false
cilium_tunnel_mode: disabled
cilium_routing_mode: native
cilium_kube_proxy_replacement: true
cilium_auto_direct_node_routes: true
cilium_native_routing_cidr: 10.233.0.0/16
cilium_enable_hubble: true
cilium_enable_hubble_metrics: true
cilium_hubble_install: true
cilium_hubble_tls_generate: true

Command used to invoke ansible

ansible-playbook -i inventory/hosts.yml upgrade-cluster.yml -b -v -u <username>

Output of ansible run

The Ansible playbook completes successfully without errors, but the cluster state is degraded.

Running kubectl get pods -n kube-system shows:

cilium-xxxxx          0/1     CrashLoopBackOff   ...
hubble-relay-xxxxx    0/1     CrashLoopBackOff   ...

Anything else we need to know

roles/network_plugin/cilium/templates/values.yaml.j2 does not translate cilium_tunnel_mode: disabled into tunnelProtocol: "" in the rendered Helm values. As a result, Cilium 1.18 defaults to vxlan, which directly conflicts with routingMode: native and crashes the agent on startup.

The following manual Helm upgrade resolves the issue:

helm upgrade cilium cilium/cilium \
  -n kube-system \
  --version 1.18.6 \
  --reuse-values \
  --set tunnelProtocol="" \
  --set routingMode=native

[yankay]

/help

[k8s-ci-robot]

@yankay:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

Details

In response to this:

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[tico88612]

We don't have cilium_routing_mode variable in Kubespray.

#12588

[emircanagac]

Hi @tico88612, regardless of the variable naming history, my main problem as a user is this:

I configured cilium_tunnel_mode: disabled expecting a native routing setup to be deployed automatically, just as the configuration implies. Instead, the deployment failed and the pods entered CrashLoopBackOff because the Helm chart still tried to initialize vxlan.

Why do I have to manually inject tunnelProtocol: "" via cilium_extra_values when I already explicitly disabled the tunnel in the Kubespray inventory?

I am just reporting this bug because the current template logic is broken for this setup and forces users to figure out manual Helm workarounds just to get a supported configuration running. Could the maintainers please fix the template so it works automatically out-of-the-box?

[emircanagac]

As an additional note: The roles/network_plugin/cilium/defaults/main.yml file explicitly instructs users to set cilium_tunnel_mode: disabled for native routing without tunneling.

If the actual expectation is that users should set cilium_tunnel_mode: "" and use extra_values (as suggested in some PR comments), then the documentation directly contradicts the code behavior. This contradiction is extremely confusing. It is exactly why the template should be patched to respect the disabled value properly as documented, instead of relying on manual workarounds.