Add identity_allocation_mode support for Cilium (#8430)
Co-authored-by: Emin Aktaş <eminaktas34@gmail.com> Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com> Signed-off-by: necatican <necaticanyildirim@gmail.com> Co-authored-by: Emin Aktaş <eminaktas34@gmail.com> Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com>pull/8432/head
parent
c0d1bb1a5c
commit
caff539ccd
|
@ -15,7 +15,7 @@ balancer deployed by Kubespray and **only contacts the first master**.
|
||||||
## Choose Cilium version
|
## Choose Cilium version
|
||||||
|
|
||||||
```yml
|
```yml
|
||||||
cilium_version: v1.9.9
|
cilium_version: v1.11.0
|
||||||
```
|
```
|
||||||
|
|
||||||
## Add variable to config
|
## Add variable to config
|
||||||
|
@ -29,6 +29,16 @@ cilium_config_extra_vars:
|
||||||
enable-endpoint-routes: true
|
enable-endpoint-routes: true
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Change Identity Allocation Mode
|
||||||
|
|
||||||
|
Cilium assigns an identity for each endpoint. This identity is used to enforce basic connectivity between endpoints.
|
||||||
|
|
||||||
|
Cilium currently supports two different identity allocation modes:
|
||||||
|
|
||||||
|
- "crd" stores identities in kubernetes as CRDs (custom resource definition).
|
||||||
|
- These can be queried with `kubectl get ciliumid`
|
||||||
|
- "kvstore" stores identities in an etcd kvstore.
|
||||||
|
|
||||||
## Install Cilium Hubble
|
## Install Cilium Hubble
|
||||||
|
|
||||||
k8s-net-cilium.yml:
|
k8s-net-cilium.yml:
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
# see roles/network_plugin/cilium/defaults/main.yml
|
# see roles/network_plugin/cilium/defaults/main.yml
|
||||||
|
|
||||||
# cilium_version: "v1.11.0"
|
# cilium_version: "v1.11.0"
|
||||||
|
# identity_allocation_mode: kvstore # kvstore or crd
|
||||||
|
|
|
@ -6,6 +6,14 @@ cilium_mtu: ""
|
||||||
cilium_enable_ipv4: true
|
cilium_enable_ipv4: true
|
||||||
cilium_enable_ipv6: false
|
cilium_enable_ipv6: false
|
||||||
|
|
||||||
|
# Identity allocation mode selects how identities are shared between cilium
|
||||||
|
# nodes by setting how they are stored. The options are "crd" or "kvstore".
|
||||||
|
# - "crd" stores identities in kubernetes as CRDs (custom resource definition).
|
||||||
|
# These can be queried with:
|
||||||
|
# `kubectl get ciliumid`
|
||||||
|
# - "kvstore" stores identities in an etcd kvstore.
|
||||||
|
identity_allocation_mode: kvstore
|
||||||
|
|
||||||
# Etcd SSL dirs
|
# Etcd SSL dirs
|
||||||
cilium_cert_dir: /etc/cilium/certs
|
cilium_cert_dir: /etc/cilium/certs
|
||||||
kube_etcd_cacert_file: ca.pem
|
kube_etcd_cacert_file: ca.pem
|
||||||
|
|
|
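Review bot: The comment block above `identity_allocation_mode: kvstore` explains where identities are stored but not what else the value switches in this commit: the `== "kvstore"` comparison is what gates linking the etcd client certificates into `cilium_cert_dir` and mounting them into the cilium agent and operator pods. An operator reading only the defaults cannot tell that choosing `crd` also drops Cilium's etcd client configuration. Suggest appending `# With "kvstore" the etcd client certificates are linked into cilium_cert_dir and mounted into the cilium pods; with "crd" neither happens.` to the block.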
@ -6,4 +6,9 @@
|
||||||
msg: "cilium_ipsec_key should be defined to use cilium_ipsec_enabled"
|
msg: "cilium_ipsec_key should be defined to use cilium_ipsec_enabled"
|
||||||
when:
|
when:
|
||||||
- cilium_ipsec_enabled
|
- cilium_ipsec_enabled
|
||||||
- cilium_tunnel_mode in ['vxlan']
|
- cilium_tunnel_mode in ['vxlan']
|
||||||
|
|
||||||
|
- name: Stop if bad Cilium identity allocation mode
|
||||||
|
assert:
|
||||||
|
that: identity_allocation_mode in ['crd', 'kvstore']
|
||||||
|
msg: "identity_allocation_mode must be either 'crd' or 'kvstore'"
|
||||||
|
|
|
@ -13,6 +13,8 @@
|
||||||
mode: 0750
|
mode: 0750
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
when:
|
||||||
|
- identity_allocation_mode == "kvstore"
|
||||||
|
|
||||||
- name: Cilium | Link etcd certificates for cilium
|
- name: Cilium | Link etcd certificates for cilium
|
||||||
file:
|
file:
|
||||||
|
@ -25,6 +27,8 @@
|
||||||
- {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
|
- {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
|
||||||
- {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
|
- {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
|
||||||
- {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
|
- {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
|
||||||
|
when:
|
||||||
|
- identity_allocation_mode == "kvstore"
|
||||||
|
|
||||||
- name: Cilium | Create hubble dir
|
- name: Cilium | Create hubble dir
|
||||||
file:
|
file:
|
||||||
|
|
|
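Review bot: Gating the two tasks on `identity_allocation_mode == "kvstore"` leaves the `ca_cert.crt`, `cert.crt` and `key.pem` links created by `Cilium | Link etcd certificates for cilium` in place on nodes that later switch to `crd`; nothing in these hunks removes them, and I cannot see whether the rest of install.yml does. The `key.pem` link keeps the etcd client key reachable under `cilium_cert_dir` even though the pods no longer mount that directory, so a small cleanup task keeps the node's state consistent with the selected mode. Both gated tasks start before their hunks, so the `when` is the only change visible here.
```yaml
# … unchanged: Cilium | Link etcd certificates for cilium …

- name: Cilium | Remove etcd certificate links when not using the kvstore
  file:
    path: "{{ cilium_cert_dir }}/{{ item }}"
    state: absent
  loop:
    - ca_cert.crt
    - cert.crt
    - key.pem
  when:
    - identity_allocation_mode != "kvstore"
```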
@ -5,6 +5,9 @@ metadata:
|
||||||
name: cilium-config
|
name: cilium-config
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
data:
|
data:
|
||||||
|
identity-allocation-mode: {{ identity_allocation_mode }}
|
||||||
|
|
||||||
|
{% if identity_allocation_mode == "kvstore" %}
|
||||||
# This etcd-config contains the etcd endpoints of your cluster. If you use
|
# This etcd-config contains the etcd endpoints of your cluster. If you use
|
||||||
# TLS please make sure you follow the tutorial in https://cilium.link/etcd-config
|
# TLS please make sure you follow the tutorial in https://cilium.link/etcd-config
|
||||||
etcd-config: |-
|
etcd-config: |-
|
||||||
|
@ -29,6 +32,7 @@ data:
|
||||||
# https://docs.cilium.io/en/latest/cmdref/kvstore/
|
# https://docs.cilium.io/en/latest/cmdref/kvstore/
|
||||||
kvstore: etcd
|
kvstore: etcd
|
||||||
kvstore-opt: '{"etcd.config": "/var/lib/etcd-config/etcd.config"}'
|
kvstore-opt: '{"etcd.config": "/var/lib/etcd-config/etcd.config"}'
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
# If you want metrics enabled in all of your Cilium agents, set the port for
|
# If you want metrics enabled in all of your Cilium agents, set the port for
|
||||||
# which the Cilium agents will have their metrics exposed.
|
# which the Cilium agents will have their metrics exposed.
|
||||||
|
|
|
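Review bot: `identity-allocation-mode: {{ identity_allocation_mode }}` renders the variable unquoted, so a value YAML would type (an empty expansion becoming null, or a boolean-looking string) changes the ConfigMap entry's type instead of failing clearly, and ConfigMap `data` values must be strings. The assert added in check.yml limits the value to `crd`/`kvstore` today, but quoting the templated scalar is the cheaper guarantee: `identity-allocation-mode: "{{ identity_allocation_mode }}"`. The `{% if identity_allocation_mode == "kvstore" %}` opened in the first hunk is closed in the second, so the etcd keys are omitted entirely in crd mode, which reads correctly.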
@ -135,12 +135,14 @@ spec:
|
||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
timeoutSeconds: 3
|
timeoutSeconds: 3
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
|
{% if identity_allocation_mode == "kvstore" %}
|
||||||
- mountPath: /var/lib/etcd-config
|
- mountPath: /var/lib/etcd-config
|
||||||
name: etcd-config-path
|
name: etcd-config-path
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- mountPath: "{{cilium_cert_dir}}"
|
- mountPath: "{{cilium_cert_dir}}"
|
||||||
name: etcd-secrets
|
name: etcd-secrets
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{% endif %}
|
||||||
- mountPath: /tmp/cilium/config-map
|
- mountPath: /tmp/cilium/config-map
|
||||||
name: cilium-config-path
|
name: cilium-config-path
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
@ -153,6 +155,7 @@ spec:
|
||||||
tolerations:
|
tolerations:
|
||||||
- operator: Exists
|
- operator: Exists
|
||||||
volumes:
|
volumes:
|
||||||
|
{% if identity_allocation_mode == "kvstore" %}
|
||||||
# To read the etcd config stored in config maps
|
# To read the etcd config stored in config maps
|
||||||
- configMap:
|
- configMap:
|
||||||
defaultMode: 420
|
defaultMode: 420
|
||||||
|
@ -165,6 +168,7 @@ spec:
|
||||||
- name: etcd-secrets
|
- name: etcd-secrets
|
||||||
hostPath:
|
hostPath:
|
||||||
path: "{{cilium_cert_dir}}"
|
path: "{{cilium_cert_dir}}"
|
||||||
|
{% endif %}
|
||||||
- configMap:
|
- configMap:
|
||||||
name: cilium-config
|
name: cilium-config
|
||||||
name: cilium-config-path
|
name: cilium-config-path
|
||||||
|
|
|
@ -146,12 +146,14 @@ spec:
|
||||||
mountPath: {{ cri_socket }}
|
mountPath: {{ cri_socket }}
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if identity_allocation_mode == "kvstore" %}
|
||||||
- mountPath: /var/lib/etcd-config
|
- mountPath: /var/lib/etcd-config
|
||||||
name: etcd-config-path
|
name: etcd-config-path
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- mountPath: "{{cilium_cert_dir}}"
|
- mountPath: "{{cilium_cert_dir}}"
|
||||||
name: etcd-secrets
|
name: etcd-secrets
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{% endif %}
|
||||||
- mountPath: /var/lib/cilium/clustermesh
|
- mountPath: /var/lib/cilium/clustermesh
|
||||||
name: clustermesh-secrets
|
name: clustermesh-secrets
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
@ -270,6 +272,7 @@ spec:
|
||||||
path: /run/xtables.lock
|
path: /run/xtables.lock
|
||||||
type: FileOrCreate
|
type: FileOrCreate
|
||||||
name: xtables-lock
|
name: xtables-lock
|
||||||
|
{% if identity_allocation_mode == "kvstore" %}
|
||||||
# To read the etcd config stored in config maps
|
# To read the etcd config stored in config maps
|
||||||
- configMap:
|
- configMap:
|
||||||
defaultMode: 420
|
defaultMode: 420
|
||||||
|
@ -282,6 +285,7 @@ spec:
|
||||||
- name: etcd-secrets
|
- name: etcd-secrets
|
||||||
hostPath:
|
hostPath:
|
||||||
path: "{{cilium_cert_dir}}"
|
path: "{{cilium_cert_dir}}"
|
||||||
|
{% endif %}
|
||||||
# To read the clustermesh configuration
|
# To read the clustermesh configuration
|
||||||
- name: clustermesh-secrets
|
- name: clustermesh-secrets
|
||||||
secret:
|
secret:
|
||||||
|
|