New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Restructure helm chart into components #16795
Conversation
/cc @gandro |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, thanks you so much for splitting this up, makes it much easier to review. Overall looks good to me, I think there is a larger discussion to be had on how to do the etcd.managed
removal, as I think there is more to it than just removing the service accounts.
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: cilium-etcd-sa |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks unused, but it's actually not. There are references to it here (different repository, but deployed as part of the cilium-etcd-operator
):
https://github.com/cilium/cilium-etcd-operator/blob/fdf1993dded89db77742916a9e55ef898a4e5ad0/etcd-operator/descriptors.go#L62
Cilium also has a a well-known identity for this SA as well:
cilium/pkg/identity/numericidentity.go
Lines 171 to 176 in 4f27865
WellKnown.add(ReservedETCDOperator, []string{ | |
"k8s:io.cilium/app=etcd-operator", | |
fmt.Sprintf("k8s:%s=%s", api.PodNamespaceLabel, c.CiliumNamespaceName()), | |
fmt.Sprintf("k8s:%s=cilium-etcd-sa", api.PolicyLabelServiceAccount), | |
fmt.Sprintf("k8s:%s=%s", api.PolicyLabelCluster, c.LocalClusterName()), | |
}) |
I think we want to remove managed-etcd in Cilium 1.11 (see #15464), as it's already deprecated. So this file here will have to go, but there is more that than just deleting this file. We also need to
- Remove the
cilium-etcd-operator
deployment from the helm chart - Remove all references to
.Values.etcd.managed
- Mention the removal in the upgrade guide
- Ensure there are no backwards-compatibility issues
Might be worth doing the etcd.managed
removal in a separate PR, so we have separation of concerns and better code reviews.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for clarify. I changed it back and let etcd.managed
removal in another PR 💯
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In terms of correctness, this looks good to me! But I'll let the Helm team members chime in as well, as to if they agree with the approach.
test-me-please |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Small comments as per below, I am still on the fence about moving script to separate files as unlike envoy file, these files are having mix syntax now.
The rest looks good.
imagePullPolicy: {{ .Values.nodeinit.image.pullPolicy }} | ||
securityContext: | ||
privileged: true | ||
{{- if .Values.nodeinit.revertReconfigureKubelet }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not related to this PR, but I noticed this attribute is not mentioned in values.yaml (even commented). So something for later.
@@ -0,0 +1,49 @@ | |||
#!/bin/bash |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure if this change makes it's easier to read bash script, as this file is now mixed with go template and bash.
I checked this one with below commands and compared the diff, seems like there are some changes with indentation (e.g. tab, space, etc), it might not be issue, but no harm to have second 👀
# From this branch
helm template ./cilium --set nodeinit.enabled=true --set nodeinit.revertReconfigureKubelet=true > new.yaml
# From the master
helm template ./cilium --set nodeinit.enabled=true --set nodeinit.revertReconfigureKubelet=true > original.yaml
diff original.yaml new.yaml
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank @sayboras , I fixed the spaces in nodeinit scripts
And yeah, I know that script is now mixed with go template and bash, but with code highlight from IDE, I think it's much easier to read than previous:
Old:
New:
test-me-please |
Hello @christarazi, could you please check the CI fails, It seem not the helm error. |
Signed-off-by: Đặng Minh Dũng <dungdm93@live.com>
Signed-off-by: Đặng Minh Dũng <dungdm93@live.com>
test-me-please Each time you push, the previous CI run results are hidden, so I've re-triggered them |
FYI. Conformance AWS-CNI (ci-awscni) was failed before on this branch, re-run was successful. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM overall. We will need to make changes to the upgrades e2e test to map between the old Helm chart structure and the new, like we did for #13259 (and potentially any followups after that PR).
In terms of CI, it looks like https://jenkins.cilium.io/job/Cilium-PR-K8s-1.21-kernel-4.9/1025 is a case of endpoint-routes mode being enabled in the previous test run and the pods needing to be restarted when disabling endpoint-routes mode[1]. This is what #16835 is supposed to fix. In other words, looks like CI has passed and the only failure is unrelated to this PR.
[1]: See the console output, find the failure, then scroll up to the previous test. You'll notice that it mentions enabling endpoint-routes mode.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually it seems like the updates e2e test is already passing so no further steps are required. Thanks! 🎉
@christarazi I take it from your most recent comment this is not necessary? I was under the impression that this was a purely developer-focused change to make it easier to maintain, and shouldn't impact users at all. |
@joestringer Yeah don't think it's necessary and the tests are passing anyway. I thought it would have been required because I thought any change to the structure of the chart would cause problems, but apparently not. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 💯
Only failure in e2e is the one fixed by #16835. 👍 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cilium/github-sec owner pieces LGTM. The rest should be good based on @sayboras @christarazi reviews.
Since this seems to be not user-facing, I've switched the release-note to misc. If you think this is user facing, please respond and we can switch it back (would also help to describe why it's user-facing or what users might notice). |
FWIW, I added the |
[ upstream commit 27a93e8 ] [ Backporter's notes: conflicts due to structure around daemonset manifest having changed in cilium#16795, which was not backported to v1.10. Changes have been manually reapplied where appropriate in `install/kubernetes/cilium/templates/cilium-nodeinit-daemonset.yaml` and `install/kubernetes/cilium/templates/cilium-agent-daemonset.yaml`. Please note in particular the Helm condition in that last file is different than in `master`, even though it should not have any impact. ] Fixes: cilium#14483 Signed-off-by: Raphaël Pinson <raphael@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit b38d591 ] [ Backporter's notes: conflicts due to structure around daemonset manifest having changed in cilium#16795, which was not backported to v1.10. Changes have been manually reapplied where appropriate in `install/kubernetes/cilium/templates/cilium-nodeinit-daemonset.yaml`. ] Take advantage of the dynamic CHECKPOINT_PATH in the startup-script: https://github.com/cilium/image-tools/blob/396d5a19690229b42398a8be63b5712ea64a2601/images/startup-script/manage-startup-script.sh#L58 Signed-off-by: Raphaël Pinson <raphael@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 27a93e8 ] [ Backporter's notes: conflicts due to structure around daemonset manifest having changed in #16795, which was not backported to v1.10. Changes have been manually reapplied where appropriate in `install/kubernetes/cilium/templates/cilium-nodeinit-daemonset.yaml` and `install/kubernetes/cilium/templates/cilium-agent-daemonset.yaml`. Please note in particular the Helm condition in that last file is different than in `master`, even though it should not have any impact. ] Fixes: #14483 Signed-off-by: Raphaël Pinson <raphael@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit b38d591 ] [ Backporter's notes: conflicts due to structure around daemonset manifest having changed in #16795, which was not backported to v1.10. Changes have been manually reapplied where appropriate in `install/kubernetes/cilium/templates/cilium-nodeinit-daemonset.yaml`. ] Take advantage of the dynamic CHECKPOINT_PATH in the startup-script: https://github.com/cilium/image-tools/blob/396d5a19690229b42398a8be63b5712ea64a2601/images/startup-script/manage-startup-script.sh#L58 Signed-off-by: Raphaël Pinson <raphael@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
This is the first part of refactoring helm chart #16792 with the following changes:
nodeinit
startup & prestop scripts to separated files