From 2c2ffa846c6f1e6b00b858eafd593cc64f652126 Mon Sep 17 00:00:00 2001 From: Etienne Champetier Date: Wed, 8 Jan 2020 02:27:40 -0800 Subject: [PATCH] Calico: update to 3.11.1, allow to configure calico_iptables_backend (#5514) I've tested this update by deploying a containerd / etcd cluster on top CentOS7, MetalLB + NGINX Ingress. Upgrade using upgrade-cluster.yml Signed-off-by: Etienne Champetier --- README.md | 2 +- .../group_vars/k8s-cluster/k8s-net-calico.yml | 3 +++ roles/download/defaults/main.yml | 21 +++++++++++-------- roles/network_plugin/calico/defaults/main.yml | 3 +++ .../calico/templates/calico-cr.yml.j2 | 5 ++++- .../calico/templates/calico-crb.yml.j2 | 2 +- .../calico/templates/calico-node.yml.j2 | 12 +++++++++++ 7 files changed, 36 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 8eae7934b..28a19a53c 100644 --- a/README.md +++ b/README.md @@ -118,7 +118,7 @@ Note: Upstart/SysV init based OS types are not supported. - [cri-o](http://cri-o.io/) v1.14.0 (experimental: see [CRI-O Note](docs/cri-o.md). Only on centos based OS) - Network Plugin - [cni-plugins](https://github.com/containernetworking/plugins) v0.8.1 - - [calico](https://github.com/projectcalico/calico) v3.7.3 + - [calico](https://github.com/projectcalico/calico) v3.11.1 - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions) - [cilium](https://github.com/cilium/cilium) v1.5.5 - [contiv](https://github.com/contiv/install) v1.2.1 diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-net-calico.yml b/inventory/sample/group_vars/k8s-cluster/k8s-net-calico.yml index 3935681c2..6d5987dc0 100644 --- a/inventory/sample/group_vars/k8s-cluster/k8s-net-calico.yml +++ b/inventory/sample/group_vars/k8s-cluster/k8s-net-calico.yml @@ -31,6 +31,9 @@ # Choose data store type for calico: "etcd" or "kdd" (kubernetes datastore) # calico_datastore: "etcd" +# Choose Calico iptables backend: "Iptables" or "NFT" +# calico_iptables_backend: "Iptables" + # Use typha (only with kdd) # typha_enabled: false diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml index 12d0276cd..4df3444ef 100644 --- a/roles/download/defaults/main.yml +++ b/roles/download/defaults/main.yml @@ -65,12 +65,12 @@ quay_image_repo: "quay.io" # TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults # after migration to container download -calico_version: "v3.7.3" -calico_ctl_version: "v3.7.3" -calico_cni_version: "v3.7.3" -calico_policy_version: "v3.7.3" -calico_rr_version: "v0.6.1" -calico_typha_version: "v3.7.3" +calico_version: "v3.11.1" +calico_ctl_version: "v3.11.1" +calico_cni_version: "v3.11.1" +calico_policy_version: "v3.11.1" +calico_rr_version: "v0.6.3" +calico_typha_version: "v3.11.1" typha_enabled: false flannel_version: "v0.11.0" @@ -254,20 +254,23 @@ cni_binary_checksums: amd64: 29a092bef9cb6f26c8d5340f3d56567b62c7ebdb1321245d94b1842c80ba20ba calicoctl_binary_checksums: arm: + v3.11.1: 0 + v3.7.3: 0 v3.6.1: 0 v3.5.4: 0 v3.4.4: 0 - v3.7.3: 0 amd64: + v3.11.1: 045fdbfdb30789194c499ba17c8eac6d1704fe20d05e3c10027eb570767386db + v3.7.3: 932f68e893e80e95e10f064f1e7745e438d456f41a6ff12d11bb16ca0cab735c v3.6.1: 3b01336de37550e020343d62a38c96c4605d33a3ed7ddba2fe38bc172a5b42b5 v3.5.4: 197194b838cc2a9a7455c2ebd5505a5e24f8f3d994eb75c17f5dd568944100b8 v3.4.4: 93bd084e053cf1bf3b7fef369677bd6767c30fe7135e2c7e044e31693422ef61 - v3.7.3: 932f68e893e80e95e10f064f1e7745e438d456f41a6ff12d11bb16ca0cab735c arm64: + v3.11.1: 770e0fce9acf1927726d64a885f8350d44a3fcbf248017d0aceec58bd41fa1b8 + v3.7.3: 7cfaab25c287f7ef93b2682d060b55bf39f76b668540de50376b5ed174209832 v3.6.1: 60fbaeb257061647bdf12b5ede7a0d4298a5ee216f6472e5a92bb14ef5c2a5d3 v3.5.4: a4481178665658658a73e4ceca9a1dff5cccded4179615c91d1c3e49fd96f237 v3.4.4: ff35d9e8b5c00e9fe47d05e8f5123ec98fd641370f8cd93f4fbb3d913da77ab6 - v3.7.3: 7cfaab25c287f7ef93b2682d060b55bf39f76b668540de50376b5ed174209832 etcd_binary_checksum: "{{ etcd_binary_checksums[image_arch] }}" cni_binary_checksum: "{{ cni_binary_checksums[image_arch] }}" diff --git a/roles/network_plugin/calico/defaults/main.yml b/roles/network_plugin/calico/defaults/main.yml index 61462ba94..277fa36b8 100644 --- a/roles/network_plugin/calico/defaults/main.yml +++ b/roles/network_plugin/calico/defaults/main.yml @@ -51,6 +51,9 @@ calico_node_ignorelooserpf: false # Define address on which Felix will respond to health requests calico_healthhost: "localhost" +# Choose Calico iptables backend: "Iptables" or "NFT" (FELIX_IPTABLESBACKEND) +calico_iptables_backend: "Iptables" + # If you want to use non default IP_AUTODETECTION_METHOD for calico node set this option to one of: # * can-reach=DESTINATION # * interface=INTERFACE-REGEX diff --git a/roles/network_plugin/calico/templates/calico-cr.yml.j2 b/roles/network_plugin/calico/templates/calico-cr.yml.j2 index cfffce3d3..d818f3d9d 100644 --- a/roles/network_plugin/calico/templates/calico-cr.yml.j2 +++ b/roles/network_plugin/calico/templates/calico-cr.yml.j2 @@ -1,6 +1,6 @@ --- kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: calico-node namespace: kube-system @@ -82,6 +82,9 @@ rules: {% endif %} - clusterinformations - hostendpoints +{% if calico_version is version('v3.9.0', '>=') %} + - blockaffinities +{% endif %} verbs: - get - list diff --git a/roles/network_plugin/calico/templates/calico-crb.yml.j2 b/roles/network_plugin/calico/templates/calico-crb.yml.j2 index 1b4e8fe00..f747bfd18 100644 --- a/roles/network_plugin/calico/templates/calico-crb.yml.j2 +++ b/roles/network_plugin/calico/templates/calico-crb.yml.j2 @@ -1,5 +1,5 @@ --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: calico-node diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2 index 8a0ea9e5b..23e01430d 100644 --- a/roles/network_plugin/calico/templates/calico-node.yml.j2 +++ b/roles/network_plugin/calico/templates/calico-node.yml.j2 @@ -204,6 +204,10 @@ spec: {% if kube_proxy_mode == 'ipvs' and kube_apiserver_node_port_range is defined %} - name: FELIX_KUBENODEPORTRANGES value: "{{ kube_apiserver_node_port_range.split('-')[0] }}:{{ kube_apiserver_node_port_range.split('-')[1] }}" +{% endif %} +{% if calico_version is version('v3.8.1', '>=') %} + - name: FELIX_IPTABLESBACKEND + value: "{{ calico_iptables_backend }}" {% endif %} # Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used, # this is not required in later versions https://github.com/projectcalico/calico/issues/2179 @@ -269,10 +273,18 @@ spec: cpu: {{ calico_node_cpu_requests }} memory: {{ calico_node_memory_requests }} livenessProbe: +{% if calico_version is version('v3.8.0', '<') %} httpGet: host: 127.0.0.1 path: /liveness port: 9099 +{% else %} + exec: + command: + - /bin/calico-node + - -felix-live + - -bird-live +{% endif %} initialDelaySeconds: 5 failureThreshold: 6 readinessProbe: