From 9d238984ca579da797b295b0d6f1cd3425a9e902 Mon Sep 17 00:00:00 2001
From: Matt Peters
Date: Mon, 26 Nov 2018 15:18:03 -0500
Subject: [PATCH] downgrade calico to v3.1.4 and add IP autodetect

Calico is being downgraded to v3.1.4 since the latest versions are causing readiness and liveness failures. Based on K8S v12.1, Calico should be on v3.3.x, therefore the underlying issue should be investigated further and Calico upgraded once resolved.
This update also changes the IP autodetect method to ensure the proper IP is selected. This is required for hosts that have multiple IP addresses and the wrong address is being selected based on the default find first address method.
Change-Id: I31c3630bde69160786866d0bc1bc29816892943f
Story: 2002843
Task: 22791
Signed-off-by: Matt Peters
---
 puppet-manifests/centos/build_srpm.data | 2 +-
 .../platform/templates/calico.yaml.erb | 173 +++++++-----------
 .../platform/templates/rbac-kdd.yaml.erb | 5 +-
 3 files changed, 74 insertions(+), 106 deletions(-)

diff --git a/puppet-manifests/centos/build_srpm.data b/puppet-manifests/centos/build_srpm.data
index 7631fd8635..cc746d762c 100644
--- a/puppet-manifests/centos/build_srpm.data
+++ b/puppet-manifests/centos/build_srpm.data
@@ -1,2 +1,2 @@
 SRC_DIR="src"
-TIS_PATCH_VER=72
+TIS_PATCH_VER=73
diff --git a/puppet-manifests/src/modules/platform/templates/calico.yaml.erb b/puppet-manifests/src/modules/platform/templates/calico.yaml.erb
index 8eaab9caa0..1f6eea5ffc 100644
--- a/puppet-manifests/src/modules/platform/templates/calico.yaml.erb
+++ b/puppet-manifests/src/modules/platform/templates/calico.yaml.erb
@@ -1,8 +1,8 @@
-# Calico Version v3.2.3
-# https://docs.projectcalico.org/v3.2/releases#v3.2.3
+# Calico Version v3.1.4
+# https://docs.projectcalico.org/v3.1/releases#v3.1.4
 # This manifest includes the following component versions:
-# calico/node:v3.2.3
-# calico/cni:v3.2.3
+# calico/node:v3.1.4
+# calico/cni:v3.1.4
 
 # This ConfigMap is used to configure a self-hosted Calico installation.
 kind: ConfigMap
@@ -15,14 +15,8 @@ data: # below. We recommend using Typha if you have more than 50 nodes. Above 100 nodes it is # essential. typha_service_name: "none" - # Configure the Calico backend to use. - calico_backend: "bird" - # Configure the MTU to use - veth_mtu: "1440" - - # The CNI network configuration to install on each node. The special - # values in this config will be automatically populated. + # The CNI network configuration to install on each node. cni_network_config: |- { "name": "k8s-pod-network",
@@ -33,16 +27,16 @@ data: "log_level": "info", "datastore_type": "kubernetes", "nodename": "__KUBERNETES_NODE_NAME__", - "mtu": __CNI_MTU__, + "mtu": 1500, "ipam": { "type": "host-local", "subnet": "usePodCidr" }, "policy": { - "type": "k8s" + "type": "k8s" }, "kubernetes": { - "kubeconfig": "__KUBECONFIG_FILEPATH__" + "kubeconfig": "__KUBECONFIG_FILEPATH__" } }, {
@@ -55,7 +49,6 @@ data: --- - # This manifest creates a Service, which will be backed by Calico's Typha daemon. # Typha sits in between Felix and the API server, reducing Calico's load on the API server.
@@ -105,8 +98,6 @@ spec: # if it ever gets evicted. scheduler.alpha.kubernetes.io/critical-pod: '' spec: - nodeSelector: - beta.kubernetes.io/os: linux hostNetwork: true tolerations: # Mark the pod as a critical add-on for rescheduling.
@@ -116,7 +107,7 @@ spec: # as a host-networked pod. serviceAccountName: calico-node containers: - - image: quay.io/calico/typha:v3.2.3 + - image: quay.io/calico/typha:v3.1.4 name: calico-typha ports: - containerPort: 5473
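Review bot: In the `@@ -33,16 +27,16 @@` hunk the CNI config now hard-codes `"mtu": 1500` for the pod interface, while the same commit sets `FELIX_IPINIPMTU` to `"1440"` in the calico-node hunk (`@@ -213,66 +198,59 @@`); with `CALICO_IPV4POOL_IPIP` left at `"Always"`, a 1500-byte pod packet is larger than the tunnel MTU and only gets through by fragmentation or path-MTU discovery. The removed `veth_mtu` ConfigMap key fed both `__CNI_MTU__` and `FELIX_IPINIPMTU`, so the two values could not drift apart; if 1500 is intentional, a comment on that line saying why it differs from the tunnel MTU would help the next reader, otherwise `"mtu": 1440` restores the previous behaviour.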
@@ -146,19 +137,15 @@ spec: #- name: TYPHA_PROMETHEUSMETRICSPORT # value: "9093" livenessProbe: - exec: - command: - - calico-typha - - check - - liveness + httpGet: + path: /liveness + port: 9098 periodSeconds: 30 initialDelaySeconds: 30 readinessProbe: - exec: - command: - - calico-typha - - check - - readiness + httpGet: + path: /readiness + port: 9098 periodSeconds: 10 ---
@@ -192,11 +179,9 @@ spec: # if it ever gets evicted. scheduler.alpha.kubernetes.io/critical-pod: '' spec: - nodeSelector: - beta.kubernetes.io/os: linux hostNetwork: true tolerations: - # Make sure calico-node gets scheduled on all nodes. + # Make sure calico/node gets scheduled on all nodes. - effect: NoSchedule operator: Exists # Mark the pod as a critical add-on for rescheduling.
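Review bot: The new `httpGet` probes on port 9098 in the Typha container depend on Typha's health server being enabled and listening where kubelet will probe it; the container's env block lies outside this hunk, so confirm it carries `TYPHA_HEALTHENABLED: "true"` (the calico-node container keeps the matching `FELIX_HEALTHENABLED`). Because this pod runs with `hostNetwork: true` and neither probe gives a `host:`, kubelet addresses the node's own IP rather than loopback, which means the unauthenticated health endpoint has to be reachable on the host network; a comment noting that exposure, or a host-firewall rule limiting 9098 to local traffic, would be appropriate. The enclosing container definition starts before this hunk.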
@@ -213,66 +198,59 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: quay.io/calico/node:v3.2.3 + image: quay.io/calico/node:v3.1.4 env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE value: "kubernetes" - # Typha support: controlled by the ConfigMap. - - name: FELIX_TYPHAK8SSERVICENAME - valueFrom: - configMapKeyRef: - name: calico-config - key: typha_service_name - # Wait for the datastore. - - name: WAIT_FOR_DATASTORE - value: "true" - # Set based on the k8s node name. - - name: NODENAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - # Choose the backend to use. - - name: CALICO_NETWORKING_BACKEND - valueFrom: - configMapKeyRef: - name: calico-config - key: calico_backend + # Enable felix info logging. + - name: FELIX_LOGSEVERITYSCREEN + value: "info" # Cluster type to identify the deployment type - name: CLUSTER_TYPE value: "k8s,bgp" - # Auto-detect the BGP IP address. - - name: IP - value: "autodetect" - # Enable IPIP - - name: CALICO_IPV4POOL_IPIP - value: "Always" - # Enable IP-in-IP within Felix. - - name: FELIX_IPINIPENABLED - value: "true" - # Set MTU for tunnel device used if ipip is enabled - - name: FELIX_IPINIPMTU - valueFrom: - configMapKeyRef: - name: calico-config - key: veth_mtu - # The default IPv4 pool to create on startup if none exists. Pod IPs will be - # chosen from this range. Changing this value after installation will have - # no effect. This should fall within `--cluster-cidr`. - - name: CALICO_IPV4POOL_CIDR - value: "<%= @pod_network_cidr %>" # Disable file logging so `kubectl logs` works. - name: CALICO_DISABLE_FILE_LOGGING value: "true" # Set Felix endpoint to host default action to ACCEPT. - name: FELIX_DEFAULTENDPOINTTOHOSTACTION value: "ACCEPT" - # Disable IPv6 on Kubernetes. + # Disable IPV6 on Kubernetes. 
- name: FELIX_IPV6SUPPORT value: "false" - # Set Felix logging to "info" - - name: FELIX_LOGSEVERITYSCREEN - value: "info" + # Set MTU for tunnel device used if ipip is enabled + - name: FELIX_IPINIPMTU + value: "1440" + # Wait for the datastore. + - name: WAIT_FOR_DATASTORE + value: "true" + # The default IPv4 pool to create on startup if none exists. Pod IPs will be + # chosen from this range. Changing this value after installation will have + # no effect. This should fall within `--cluster-cidr`. + - name: CALICO_IPV4POOL_CIDR + value: "<%= @pod_network_cidr %>" + # Enable IPIP + - name: CALICO_IPV4POOL_IPIP + value: "Always" + # Enable IP-in-IP within Felix. + - name: FELIX_IPINIPENABLED + value: "true" + # Typha support: controlled by the ConfigMap. + - name: FELIX_TYPHAK8SSERVICENAME + valueFrom: + configMapKeyRef: + name: calico-config + key: typha_service_name + # Set based on the k8s node name. + - name: NODENAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # Auto-detect the BGP IP address. + - name: IP + value: "autodetect" + - name: IP_AUTODETECTION_METHOD + value: "can-reach=<%= @apiserver_advertise_address %>" - name: FELIX_HEALTHENABLED value: "true" securityContext:
@@ -284,16 +262,13 @@ spec: httpGet: path: /liveness port: 9099 - host: localhost periodSeconds: 10 initialDelaySeconds: 10 failureThreshold: 6 readinessProbe: - exec: - command: - - /bin/calico-node - - -bird-ready - - -felix-ready + httpGet: + path: /readiness + port: 9099 periodSeconds: 10 volumeMounts: - mountPath: /lib/modules
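Review bot: The added `IP_AUTODETECTION_METHOD` entry is the only env var in this block without a comment, and it is the change the commit message exists for; suggest `# Pick the interface that routes to the API server so multi-homed hosts select the management address.` directly above it. The value renders as `can-reach=` when `@apiserver_advertise_address` is nil or empty in the Puppet scope, and calico-node will presumably reject an empty target at startup rather than fall back to first-found, so the class that sets the variable should validate it before this template is rendered. The container spec continues past the end of this hunk.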
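Review bot: Dropping `host: localhost` from the liveness probe and moving readiness to `httpGet` on 9099 sends both probes to the pod IP, which for this `hostNetwork: true` DaemonSet is the node address, so Felix's health server must listen on a non-loopback interface for the probes to pass and that endpoint becomes reachable from the network. If the v3.1.4 image binds health to all interfaces by default that explains the removal, but it deserves a comment such as `# No host: — Felix health must answer on the node IP for v3.1.x; limit 9099 to local traffic at the host firewall`. The removed exec check also asserted `-bird-ready`; whether `/readiness` covers BGP state in this release is not visible here, so confirm the downgrade does not quietly lose that signal.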
@@ -308,29 +283,23 @@ spec: # This container installs the Calico CNI binaries # and CNI network config file on each node. - name: install-cni - image: quay.io/calico/cni:v3.2.3 + image: quay.io/calico/cni:v3.1.4 command: ["/install-cni.sh"] env: # Name of the CNI config file to create. - name: CNI_CONF_NAME value: "10-calico.conflist" - # Set the hostname based on the k8s node name. - - name: KUBERNETES_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName # The CNI network config to install on each node. - name: CNI_NETWORK_CONFIG valueFrom: configMapKeyRef: name: calico-config key: cni_network_config - # CNI MTU Config variable - - name: CNI_MTU + # Set the hostname based on the k8s node name. + - name: KUBERNETES_NODE_NAME valueFrom: - configMapKeyRef: - name: calico-config - key: veth_mtu + fieldRef: + fieldPath: spec.nodeName volumeMounts: - mountPath: /host/opt/cni/bin name: cni-bin-dir
@@ -354,18 +323,10 @@ spec: - name: cni-net-dir hostPath: path: /etc/cni/net.d ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: calico-node - namespace: kube-system - ---- # Create all the CustomResourceDefinitions needed for # Calico policy and networking mode. +--- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition
@@ -379,6 +340,7 @@ spec: kind: FelixConfiguration plural: felixconfigurations singular: felixconfiguration + --- apiVersion: apiextensions.k8s.io/v1beta1
@@ -499,3 +461,10 @@ spec: plural: networkpolicies singular: networkpolicy +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-node + namespace: kube-system
diff --git a/puppet-manifests/src/modules/platform/templates/rbac-kdd.yaml.erb b/puppet-manifests/src/modules/platform/templates/rbac-kdd.yaml.erb
index e06e908cce..478e36fa7b 100644
--- a/puppet-manifests/src/modules/platform/templates/rbac-kdd.yaml.erb
+++ b/puppet-manifests/src/modules/platform/templates/rbac-kdd.yaml.erb
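Review bot: The `@@ -354,18 +323,10 @@` hunk removes the `calico-node` ServiceAccount from before the CRDs and `@@ -499,3 +461,10 @@` re-adds it as the last document, so when this template is applied as one multi-document manifest the Typha Deployment (whose `serviceAccountName: calico-node` is visible in the earlier hunk) and presumably the node DaemonSet are created before the account they reference exists. The controllers retry once the account appears, but anyone applying documents individually, or a manifest linter that checks reference order, sees the dependency inverted; keeping the ServiceAccount first as before costs nothing. Separately, the `---` is moved below the `# Create all the CustomResourceDefinitions…` comment, so that comment now terminates the preceding DaemonSet document instead of heading the CRDs it describes.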
@@ -1,5 +1,5 @@
-# Calico Version v3.2.3
-# https://docs.projectcalico.org/v3.2/releases#v3.2.3
+# Calico Version v3.1.4
+# https://docs.projectcalico.org/v3.1/releases#v3.1.4
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
@@ -8,7 +8,6 @@ rules: - apiGroups: [""] resources: - namespaces - - serviceaccounts verbs: - get - list
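Review bot: The `@@ -8,7 +8,6 @@` hunk drops `get`/`list` on `serviceaccounts` from the ClusterRole, a permission change that neither the subject line nor the description mentions; RBAC diffs are exactly what a reviewer or auditor scans for, so a sentence in the commit message, or a comment above `- namespaces`, stating that the grant is removed because v3.1.x presumably does not read ServiceAccounts would make the intent auditable. If anything in the downgraded deployment still needs it, the symptom would be Forbidden errors in the calico-node logs, which is worth a check on one node after rollout.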