Fix calico host local ipam (#11022)

* Prevent upgrade-ipam for host-local IPAM Otherwise, the init container upgrade-ipam would clear the state of the host-local plugin, potentially causing it to reassign IPs that are still in use. * USE_POD_CIDR required for host-local 4efd1bfd91/charts/calico/templates/calico-node.yaml (L279) 4efd1bfd91/charts/calico/templates/calico-typha.yaml (L133)
2024-04-03 09:52:31 +02:00 · 2024-04-03 09:52:31 +02:00 · 3067e565c0
parent c6fcbf6ee0
commit 3067e565c0
2 changed files with 10 additions and 7 deletions
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@ -38,7 +38,7 @@ spec:
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      initContainers:
-{% if calico_datastore == "kdd" %}
+{% if calico_datastore == "kdd" and not calico_ipam_host_local %}
        # This container performs upgrade from host-local IPAM to calico-ipam.
        # It can be deleted if this is a fresh installation, or if you have already
        # upgraded to use calico-ipam.
@ -310,6 +310,10 @@ spec:
              value: "{{ calico_node_ignorelooserpf }}"
            - name: CALICO_MANAGE_CNI
              value: "true"
+{% if calico_ipam_host_local %}
+            - name: USE_POD_CIDR
+              value: "true"
+{% endif %}
 {% if calico_node_extra_envs is defined %}
 {% for key in calico_node_extra_envs %}
            - name: {{ key }}
@ -428,7 +432,7 @@ spec:
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
-{% if calico_datastore == "kdd" %}
+{% if calico_datastore == "kdd" and not calico_ipam_host_local %}
        # Mount in the directory for host-local IPAM allocations. This is
        # used when upgrading from host-local to calico-ipam, and can be removed
        # if not using the upgrade-ipam init container.
--- a/roles/network_plugin/calico/templates/calico-typha.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-typha.yml.j2
@ -136,11 +136,10 @@ spec:
            name: cacert
            readOnly: true
 {% endif %}
-          # Needed for version >=3.7 when the 'host-local' ipam is used
-          # Should never happen given templates/cni-calico.conflist.j2
-          # Configure route aggregation based on pod CIDR.
-          # - name: USE_POD_CIDR
-          #   value: "true"
+{% if calico_ipam_host_local %}
+          - name: USE_POD_CIDR
+            value: "true"
+{% endif %}
        livenessProbe:
          httpGet:
            path: /liveness