VM support fixes #123
Merged
VM support fixes #123
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Fixed format. |
jrajahalme
force-pushed
the
vm-support
branch
2 times, most recently
from
d7f0f11
to
a921cc4
Compare
|
@tgraf Updated 1st and 3rd commit as per your comments above, and added the last commit since your review, please re-review :-) |
Allow enabling clustermesh with default cluster name and ID (zero) to allow external workloads to be used without explicitly setting cluster ID and/or name. Validate both local and remote cluster config fully when connecting to remote cluster instead. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
|
@jrajahalme FYI, I've pushed two fixup commits addressing the |
tklauser
reviewed
Mar 18, 2021
There was a problem hiding this comment.
Did an initial test of this on GKE using the docs in cilium/cilium#15320. Some of my review comments might be applicable here too cilium/cilium#15320 (review)
Add support for extracting service's ClusterIP and port rather than erroring out. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
…er type can not be used Error out if service type is not explicitly set or can not be auto-detected as LoadBalancer type. Warn if service type is set to HostPort. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Client certificate's Common Name is used as etcd user account name once TLS based user auth (--client-cert-auth) is enabled. Use the user account names as CNs as follows: - Admin cert: root - Client cert: remote Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Add a new cert to be used by External Workloads. Common Name is set to the etcd user account name that has write access to the registation key (externalworkload). Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Auto-detect tunnel mode for Kind and disable kube-proxy replacement to be able to access NodePort services. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
This makes 'cilium clustermesh status' succeed with a warning message instead of failing when Cluster ID and/or Cluster Name has not been set when Cilium was installed. In that case warn like this: ✅ Service "clustermesh-apiserver" of type "NodePort" found⚠️ Cluster not configured for clustermesh, use '--cluster-id' and '--cluster-name' with 'cilium install'. External workloads may still be configured. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Add 'external-workload' (alias 'vm') subcommands to 'clustermesh':
'cilium clustermesh external-workload status' - Show the status of external workloads
'cilium clustermesh external-workload create <name...>' - Create new Cilium External Workload resource to allow a VM to join
A new CEW resource with name <name> is created with a "default" namespace label. Options:
'--namespace string' (alias '-n') Specify other than "default" as the namespace label
'--labels' Pass a comma separated list of other labels for the identity of the external workload
'--ipv4-alloc-cidr string' IPv4 allocation CIDR to be used instead the default picked by the VM (e.g., 10.15.0.0/30)
'--ipv6-alloc-cidr string' IPv6 allocation CIDR to be used instead the default picked by the VM (e.g., f00d::a0f:0:0:0/126)
'cilium clustermesh external-workload delete <name...>' - Delete Cilium External Workload resources
The named CEW resources will be deleted. External Workloads that have
already registered may continue to communicate with the cluster, but may not
rergister again. Options:
'--all' Delete all CEW resources if none are named on the command line.
'cilium clustermesh external-workload install <file>' - Create an installation script to be used in external workloads to install or uninstall Cilium
Write an installation script to the named file. Note that the script inlines
the TLS credentials for external workload registration as well as the access
details to the your k8s cluster. The file needs to be copied to the external
workload (such as a VM) and executed there to install Cilium as a Docker
container and connect to your k8s cluster. 'uninstall' parameter to the
script will cause the script to uninstall Cilium from the external workload.
All these commands require clustermesh to be enabled (via 'cilium clustermesh enable').
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
|
Tested with a GCP VM against GKE cluster, fixed the GSG PR by adding
|
…tunneling disabled As of now external workload installs rely on vxlan tunneling. Fail the install script generation if Cilium has tunneling disabled of not set to vxlan. In future consider testing with geneve and non-tunneled datapaths. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
|
Added commit to fail external workload install script generation if Cilium datapath config in cluster is not using vxlan. |
tklauser
approved these changes
Mar 19, 2021
…slog Define $SUDO as an empty string if running as root. Use 'local' docker log driver to not depend on syslog. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
|
Added one more commit: This allows the script to run as root and in environments where syslog is not available. Needed this to mock a VM with a Ubuntu 20.10 docker image, and running cilium agent inside as a "docker-in-docker" image. |
|
@tgraf It should be pretty straightforward to add a GH action run to test VM support using kind and docker. We have also successfully tested with GKE & GCP, would that be desirable for a GH CI run as well? |
I'll take care of adding GH actions to test VM support on GKE & GCP in a follow-up PR. I can try to add one covering kind & docker as well. |
'make staticcheck' does not allow error messages starting with a capital letter, so do not use 'Cilium' to start an error message. Correctly spell 'DaemonSet' in error messages. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
|
Fixed error message spelling and capitalization. |
tgraf
approved these changes
Mar 25, 2021
jrajahalme
added a commit
that referenced
this pull request
Apr 20, 2021
`cilium clustermesh status` was inadvertently broken by #123 when clusters have not been connected yet. Fix this by expliticly checking cluster's name and id instead of checking the number of connections. Add a warning about missing cluster name and/or id to `cilium clustermesh enable` with a note that external workloads do not need either. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
jrajahalme
added a commit
that referenced
this pull request
Apr 20, 2021
`cilium clustermesh status` was inadvertently broken by #123 when clusters have not been connected yet. Fix this by expliticly checking cluster's name and id instead of checking the number of connections. Add a warning about missing cluster name and/or id to `cilium clustermesh enable` with a note that external workloads do not need either. Fixes: #166 Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
jrajahalme
added a commit
that referenced
this pull request
Apr 20, 2021
`cilium clustermesh status` was inadvertently broken by #123 when clusters have not been connected yet. Fix this by expliticly checking cluster's name and id instead of checking the number of connections. Add the same warning about missing cluster name and/or id to `cilium clustermesh enable` as well with a note that external workloads do not need either. Fixes: #166 Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
tgraf
pushed a commit
that referenced
this pull request
Apr 20, 2021
`cilium clustermesh status` was inadvertently broken by #123 when clusters have not been connected yet. Fix this by expliticly checking cluster's name and id instead of checking the number of connections. Add the same warning about missing cluster name and/or id to `cilium clustermesh enable` as well with a note that external workloads do not need either. Fixes: #166 Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
aditighag
pushed a commit
to aditighag/cilium-cli
that referenced
this pull request
Apr 21, 2023
`cilium clustermesh status` was inadvertently broken by cilium#123 when clusters have not been connected yet. Fix this by expliticly checking cluster's name and id instead of checking the number of connections. Add the same warning about missing cluster name and/or id to `cilium clustermesh enable` as well with a note that external workloads do not need either. Fixes: cilium#166 Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
michi-covalent
pushed a commit
to michi-covalent/cilium
that referenced
this pull request
May 30, 2023
`cilium clustermesh status` was inadvertently broken by cilium/cilium-cli#123 when clusters have not been connected yet. Fix this by expliticly checking cluster's name and id instead of checking the number of connections. Add the same warning about missing cluster name and/or id to `cilium clustermesh enable` as well with a note that external workloads do not need either. Fixes: #166 Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Various changes to allow external workloads to be used when installing Cilium with the Cilium CLI tool:
These changes are required to run the updated GSG at cilium/cilium#15320.