[calico] don't enable ipip encapsulation by default and use vxlan in CI

[cristicalin]

What type of PR is this?

/kind bug
/kind failing-test

What this PR does / why we need it:
While debugging calico ebpf failures in CI for AlmaLinux 8 we discovered an issue with Alma/Centos 8.5 and ipip encapsulation preventing pod-to-pod communication. Upon further investigation and discussions with the Calico team, their recomandation is to use vxlan encapsulation on newer kernels instead of ipip due to performance reasons even though both should work in both iptables and ebpf mode.

For now this PR changes the default to ipip: false disabling ipip encapsulation and we continue to investigate the reason for the ipip failure.

During the development of this fix I discovered that the kubespray CI needs encapsulation for multi-node deployments and I had to enable vxlan for calico based CI tests.

Additionally to properly troubleshoot the CI failures I had to modify the network connectivity test and actually make it fail when netchecker agents could not connect to the netchecker-server. This new change exposed connectivity issues with the kube-router CNI which were worked around by moving these tests to vagrant instead of packet. There is still a know failure in running kube-router in service proxy mode which I was not able to fully address, given that vagrant jobs in general are allowed to tail and this test is left on manual this will not block future CI jobs.

Which issue(s) this PR fixes:

Fixes #8456

Special notes for your reviewer:

Given previous experience with changing defaults such as when changing the container_manager to containerd, I'm somewhat conflicted on the actual change and an alternative would be to just change the settings in the CI but, for now the change as is seems like the best course of action to me but I welcome input here.

Does this PR introduce a user-facing change?:

[calico] Use vxlan instead of ipip as the default calico encapsulation mode. This change impacts existing deployments that don't explicitly set the encapsulation mode and will need to set calico_ipip_mode: Always and calico_network_backend: bird to avoid the upgrade process breaking.

[champtar]

At my job we switched to vxlan crosssubnet by default a long time ago because IPIP offload is broken with many driver / firmware combination. I think RHEL started to enable IPIP offload by default (if supported) in 8.3 or 8.4 and I found at least 3 different broken cases. Nobody uses IPIP except Calico I think, so it's not tested, when vxlan is used by OpenStack and many cloud. Also CrossSubnet because why encapsulate when not needed.

[champtar]

projectcalico/calico#4384

[cristicalin]

Thanks for the extra information @champtar ! it seems to put one more nail on the ipip encapsulation coffin. We could consider enabling vxlan for CrossSubnet by default to ensure a smooth deployment out of the box on public clouds. That thought actually crossed my mind for this PR but I'm waiting for the CI results of this run first before adding more changes to the mix.

[cristicalin]

I opened an issue on calico project side to track this: projectcalico/calico#5449

[cristicalin]

Since it appears we can run the CI without encapsulation, I'm not going to switch the vxlan encapsulation on by default in this PR to keep it clean.

The eBPF test case is actually manual so I wrote the above conclusion too soon. Keeping this back in draft.

[cristicalin]

/cc @floryut @oomichi

[oomichi]

Sorry for late response and thanks for updating.
This makes good enough test coverage and the change seems good for me.

/lgtm

[mazdakn]

The reason IPIP was not working in Calico was due to an internal change to IPIP code in kernel. We identified the change, and fixed our code to respect the new behaviour. The fix (projectcalico/calico#5846) will be available in Calico v3.23.0.