Skip to content

fix(cilium): upgrade Cilium 1.18 → 1.19.4 (hop 3 of 3)#209

Merged
jvcorredor merged 2 commits into
mainfrom
worktree-homelab-198-cilium-1.19.4
May 17, 2026
Merged

fix(cilium): upgrade Cilium 1.18 → 1.19.4 (hop 3 of 3)#209
jvcorredor merged 2 commits into
mainfrom
worktree-homelab-198-cilium-1.19.4

Conversation

@jvcorredor

@jvcorredor jvcorredor commented May 16, 2026

Copy link
Copy Markdown
Member

Summary

Hop 3 — the final hop of the staged Cilium upgrade tracked in #196. Lands the cluster on Cilium 1.19.x, the closest minor to Kubernetes 1.36.

  • cilium_chart_version 1.18.101.19.4
  • gateway_api_version v1.3.0v1.4.1 (Cilium 1.19 supports Gateway API v1.4.1)

1.18 → 1.19 upgrade-notes review

Reviewed the upstream 1.18→1.19 upgrade notes against this bootstrap root:

  • CiliumLoadBalancerIPPool promoted to cilium.io/v2. The upgrade notes call out moving off the now-deprecated v2alpha1. Bumped the lab-pool resource — v2 is the CRD storage version and the spec schema (blocks of start/stop) is unchanged. CiliumL2AnnouncementPolicy stays v2alpha1; 1.19 has not promoted that kind.
  • Removed Helm values: none are set here. kubeProxyReplacement is already the modern true form; the removed --enable-node-port / --enable-host-port / --enable-external-ips flags are not used.
  • Strict IPsec/WireGuard modes: neither encryption mode is enabled in cilium.tf, so the 1.19 strict-mode changes do not apply — confirmed per the issue.

On terraform_data.cilium_envoy_resync

The L7 proxy-port resync mitigation is kept in this PR. Removing it is conditional on the issue's runtime check — "verify L7 proxy-port stability across a cilium-agent restart; if stable on 1.19, remove the resource" — which can only be done after tofu apply lands hop 3 on the live cluster. That re-evaluation is tracked as a follow-up (see #198 comment) rather than removed speculatively, since dropping the mitigation while proxy ports are still unstable would blackhole the lab Gateway on every future apply.

Validation

Note on Kubernetes 1.36

Cilium 1.19 is e2e-tested to k8s 1.35 — one minor behind the cluster's 1.36. A fully-tested pairing needs Cilium 1.20 once it lists k8s 1.36; tracked separately.

Refs: #196
Closes: #198

🤖 Generated with Claude Code

@jvcorredor @claude
fix(cilium): upgrade Cilium 1.18 → 1.19.4 (hop 3 of 3)
df3a92c 
Bump cilium_chart_version 1.18.10 → 1.19.4 and gateway_api_version
v1.3.0 → v1.4.1 — the final hop of the staged upgrade tracked in #196.
Cilium 1.19 is the closest minor to the cluster's Kubernetes 1.36
(e2e-tested to k8s 1.35, one minor behind) and supports Gateway API
v1.4.1.

Reviewed the 1.18→1.19 upgrade notes against cilium.tf:

- CiliumLoadBalancerIPPool was promoted to the cilium.io/v2 API group;
  bumped the lab-pool resource off the now-deprecated v2alpha1. v2 is
  the CRD storage version and the spec schema is unchanged.
  CiliumL2AnnouncementPolicy stays v2alpha1 — 1.19 has not promoted it.
- No removed or renamed Helm values are set in this root.
  kubeProxyReplacement is already the modern `true` form; the removed
  --enable-node-port / --enable-host-port / --enable-external-ips flags
  are not used.
- Strict IPsec/WireGuard modes: neither encryption mode is enabled here,
  so the 1.19 strict-mode changes do not apply.

The terraform_data.cilium_envoy_resync mitigation is kept. Its removal
is gated on verifying L7 proxy-port stability across a cilium-agent
restart once hop 3 is applied — a runtime check, tracked as a follow-up.

Refs: #196
Closes: #198

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@jvcorredor jvcorredor mentioned this pull request May 16, 2026
Closed
3 tasks
@github-actions

github-actions Bot commented May 16, 2026
edited
Loading

Copy link
Copy Markdown

Terraform plan: terraform/bootstrap/

No changes. Infrastructure matches configuration.

Commit: 7fbbd5d02772cd2455aaa9d66e0a3ede53effe2d · Job log

Plan output 
data.terraform_remote_state.gcp: Reading...
data.http.local_path_manifest: Reading...
data.http.gateway_api_crds: Reading...
data.http.local_path_manifest: Read complete after 0s [id=https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.32/deploy/local-path-storage.yaml]
data.kubectl_file_documents.local_path: Reading...
data.kubectl_file_documents.local_path: Read complete after 0s [id=1389a68e17a3035b7be0fdada9a9ecc7063cc2e5fee88fcbf9bfd87c0e30a38c]
data.http.gateway_api_crds: Read complete after 0s [id=https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.1/experimental-install.yaml]
data.kubectl_file_documents.gateway_api_crds: Reading...
data.kubectl_file_documents.gateway_api_crds: Read complete after 0s [id=553327e0ff32a1a2be446bf93823c8413cf9253ac6a6d5407eebd1e8d269f69e]
data.terraform_remote_state.gcp: Read complete after 0s

No changes. Your infrastructure matches the configuration.

OpenTofu has compared your real infrastructure against your configuration and
found no differences, so no changes are needed.

@jvcorredor jvcorredor mentioned this pull request May 16, 2026
Closed
5 tasks
@jvcorredor jvcorredor merged commit 435c163 into main May 17, 2026
4 checks passed
@jvcorredor jvcorredor deleted the worktree-homelab-198-cilium-1.19.4 branch May 17, 2026 00:46
@jvcorredor jvcorredor mentioned this pull request May 17, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

fix(cilium): upgrade Cilium 1.18 → 1.19.4 (hop 3 of 3)

1 participant

@jvcorredor