Add identity_allocation_mode support for Cilium (#8430)

Co-authored-by: Emin Aktaş <eminaktas34@gmail.com>
Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com>
Signed-off-by: necatican <necaticanyildirim@gmail.com>

Co-authored-by: Emin Aktaş <eminaktas34@gmail.com>
Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com>
pull/8432/head
Necatican Yıldırım 2022-01-16 20:29:28 +03:00 committed by GitHub
parent c0d1bb1a5c
commit caff539ccd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 42 additions and 2 deletions

View File

@ -15,7 +15,7 @@ balancer deployed by Kubespray and **only contacts the first master**.
## Choose Cilium version ## Choose Cilium version
```yml ```yml
cilium_version: v1.9.9 cilium_version: v1.11.0
``` ```
## Add variable to config ## Add variable to config
@ -29,6 +29,16 @@ cilium_config_extra_vars:
enable-endpoint-routes: true enable-endpoint-routes: true
``` ```
## Change Identity Allocation Mode
Cilium assigns an identity for each endpoint. This identity is used to enforce basic connectivity between endpoints.
Cilium currently supports two different identity allocation modes:
- "crd" stores identities in kubernetes as CRDs (custom resource definition).
- These can be queried with `kubectl get ciliumid`
- "kvstore" stores identities in an etcd kvstore.
## Install Cilium Hubble ## Install Cilium Hubble
k8s-net-cilium.yml: k8s-net-cilium.yml:

View File

@ -1,3 +1,4 @@
# see roles/network_plugin/cilium/defaults/main.yml # see roles/network_plugin/cilium/defaults/main.yml
# cilium_version: "v1.11.0" # cilium_version: "v1.11.0"
# identity_allocation_mode: kvstore # kvstore or crd

View File

@ -6,6 +6,14 @@ cilium_mtu: ""
cilium_enable_ipv4: true cilium_enable_ipv4: true
cilium_enable_ipv6: false cilium_enable_ipv6: false
# Identity allocation mode selects how identities are shared between cilium
# nodes by setting how they are stored. The options are "crd" or "kvstore".
# - "crd" stores identities in kubernetes as CRDs (custom resource definition).
# These can be queried with:
# `kubectl get ciliumid`
# - "kvstore" stores identities in an etcd kvstore.
identity_allocation_mode: kvstore
# Etcd SSL dirs # Etcd SSL dirs
cilium_cert_dir: /etc/cilium/certs cilium_cert_dir: /etc/cilium/certs
kube_etcd_cacert_file: ca.pem kube_etcd_cacert_file: ca.pem

View File

@ -6,4 +6,9 @@
msg: "cilium_ipsec_key should be defined to use cilium_ipsec_enabled" msg: "cilium_ipsec_key should be defined to use cilium_ipsec_enabled"
when: when:
- cilium_ipsec_enabled - cilium_ipsec_enabled
- cilium_tunnel_mode in ['vxlan'] - cilium_tunnel_mode in ['vxlan']
- name: Stop if bad Cilium identity allocation mode
assert:
that: identity_allocation_mode in ['crd', 'kvstore']
msg: "identity_allocation_mode must be either 'crd' or 'kvstore'"

View File

@ -13,6 +13,8 @@
mode: 0750 mode: 0750
owner: root owner: root
group: root group: root
when:
- identity_allocation_mode == "kvstore"
- name: Cilium | Link etcd certificates for cilium - name: Cilium | Link etcd certificates for cilium
file: file:
@ -25,6 +27,8 @@
- {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"} - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
- {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"} - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
- {s: "{{ kube_etcd_key_file }}", d: "key.pem"} - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
when:
- identity_allocation_mode == "kvstore"
- name: Cilium | Create hubble dir - name: Cilium | Create hubble dir
file: file:

View File

@ -5,6 +5,9 @@ metadata:
name: cilium-config name: cilium-config
namespace: kube-system namespace: kube-system
data: data:
identity-allocation-mode: {{ identity_allocation_mode }}
{% if identity_allocation_mode == "kvstore" %}
# This etcd-config contains the etcd endpoints of your cluster. If you use # This etcd-config contains the etcd endpoints of your cluster. If you use
# TLS please make sure you follow the tutorial in https://cilium.link/etcd-config # TLS please make sure you follow the tutorial in https://cilium.link/etcd-config
etcd-config: |- etcd-config: |-
@ -29,6 +32,7 @@ data:
# https://docs.cilium.io/en/latest/cmdref/kvstore/ # https://docs.cilium.io/en/latest/cmdref/kvstore/
kvstore: etcd kvstore: etcd
kvstore-opt: '{"etcd.config": "/var/lib/etcd-config/etcd.config"}' kvstore-opt: '{"etcd.config": "/var/lib/etcd-config/etcd.config"}'
{% endif %}
# If you want metrics enabled in all of your Cilium agents, set the port for # If you want metrics enabled in all of your Cilium agents, set the port for
# which the Cilium agents will have their metrics exposed. # which the Cilium agents will have their metrics exposed.

View File

@ -135,12 +135,14 @@ spec:
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 3 timeoutSeconds: 3
volumeMounts: volumeMounts:
{% if identity_allocation_mode == "kvstore" %}
- mountPath: /var/lib/etcd-config - mountPath: /var/lib/etcd-config
name: etcd-config-path name: etcd-config-path
readOnly: true readOnly: true
- mountPath: "{{cilium_cert_dir}}" - mountPath: "{{cilium_cert_dir}}"
name: etcd-secrets name: etcd-secrets
readOnly: true readOnly: true
{% endif %}
- mountPath: /tmp/cilium/config-map - mountPath: /tmp/cilium/config-map
name: cilium-config-path name: cilium-config-path
readOnly: true readOnly: true
@ -153,6 +155,7 @@ spec:
tolerations: tolerations:
- operator: Exists - operator: Exists
volumes: volumes:
{% if identity_allocation_mode == "kvstore" %}
# To read the etcd config stored in config maps # To read the etcd config stored in config maps
- configMap: - configMap:
defaultMode: 420 defaultMode: 420
@ -165,6 +168,7 @@ spec:
- name: etcd-secrets - name: etcd-secrets
hostPath: hostPath:
path: "{{cilium_cert_dir}}" path: "{{cilium_cert_dir}}"
{% endif %}
- configMap: - configMap:
name: cilium-config name: cilium-config
name: cilium-config-path name: cilium-config-path

View File

@ -146,12 +146,14 @@ spec:
mountPath: {{ cri_socket }} mountPath: {{ cri_socket }}
readOnly: true readOnly: true
{% endif %} {% endif %}
{% if identity_allocation_mode == "kvstore" %}
- mountPath: /var/lib/etcd-config - mountPath: /var/lib/etcd-config
name: etcd-config-path name: etcd-config-path
readOnly: true readOnly: true
- mountPath: "{{cilium_cert_dir}}" - mountPath: "{{cilium_cert_dir}}"
name: etcd-secrets name: etcd-secrets
readOnly: true readOnly: true
{% endif %}
- mountPath: /var/lib/cilium/clustermesh - mountPath: /var/lib/cilium/clustermesh
name: clustermesh-secrets name: clustermesh-secrets
readOnly: true readOnly: true
@ -270,6 +272,7 @@ spec:
path: /run/xtables.lock path: /run/xtables.lock
type: FileOrCreate type: FileOrCreate
name: xtables-lock name: xtables-lock
{% if identity_allocation_mode == "kvstore" %}
# To read the etcd config stored in config maps # To read the etcd config stored in config maps
- configMap: - configMap:
defaultMode: 420 defaultMode: 420
@ -282,6 +285,7 @@ spec:
- name: etcd-secrets - name: etcd-secrets
hostPath: hostPath:
path: "{{cilium_cert_dir}}" path: "{{cilium_cert_dir}}"
{% endif %}
# To read the clustermesh configuration # To read the clustermesh configuration
- name: clustermesh-secrets - name: clustermesh-secrets
secret: secret: