Helm: possibility to install operator as standalone app #32019
cilium-config map is mounted as a volume in agent, operator and clustermesh apiserver. It should be created when either of these components is enabled, not just when agent is enabled. This fixes a problem when agent is disabled and operator or clustermesh apiserver are enabled.
Signed-off-by: Petr Baloun <petr.baloun@firma.seznam.cz>
a44c939 to 0c0e16c
Thanks for the PR. Since this adds a bit of complexity to the Helm charts, could you elaborate a bit why you need to install operator on a cluster with no cilium-agents? What purpose does that standalone operator serve?
We run Cilium on OpenStack Hosts and load balancer. We install agents on OS and LB hosts (as systemd service). There are multiple OS clusters so there are multiple control planes (etcd, kube and cilium operator) that need to be run somewhere. We run them in a common K8S cluster as ordinary Kubernetes workload. Installing a Kubernetes control plane as helm chart is not a problem, Cilium chart (with everything but operator disabled) needs these fixes.
Are you running Cilium in kvstore mode then?
The changes to the PR itself look fine to me. Though I think we should just remove the rbac.create option honestly. It hasn't been working for a while now and will just be a maintenance burden for the project
This creates a possibility to run multiple operators in a single kubernetes cluster.
Signed-off-by: Petr Baloun <petr.baloun@firma.seznam.cz>
rbac.create is present in values.yaml but is not used anywhere in the chart. This commit adds logic that installs ClusterRoles and ClusterRoleBindings when rbac.create is enabled (which is the default). It is useful to disable cluster-wide RBAC when installing multiple instances of cilium chart in a single Kubernetes cluster.
Signed-off-by: Petr Baloun <petr.baloun@firma.seznam.cz>
0c0e16c to 7c66783
Helm LGTM
Yes, we do. The purpose of this is to have Kubernetes and OpenStack clusters and even load balancer connected to a single mesh. We use etcd installed as helm chart in the same namespace as K8S control plane and Cilium operator but we are now migrating it to OS VMs as this solution is not very reliable.
LGTM for servicemesh's related changes.
ClusterMesh LGTM.
/test
This PR fixes problems encountered when installing multiple instances of operator into a single kubernetes cluster. We use Cilium in OpenStack clusters and external LoadBalancer connected to clustermesh. Agents are installed on LB and OS hosts, operator is run in a common kubernetes cluster. Each OS and LB cluster has its own operator instance.
Problems needed to be fixed in helm chart:
- rbac.create setting was already present in chart values.yaml but was not used anywhere. Now it is used to control ClusterRoles and ClusterRoleBindings installation throughout the chart.
- cilium-config config map installation - it is mounted as volume by agent, operator and clustermesh apiserver so it has to be installed if either of the three is enabled, not just agent.
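
A render-time check for the two conditions in the description above, as an added example that is not part of this PR or of the Cilium chart: it scans one release's rendered manifests for cluster-scoped RBAC objects emitted while rbac.create is off, and for ConfigMap volumes whose ConfigMap is not in the same render. The sample manifests, resource names and the `cp-a` namespace are constructed, and the line-based parser assumes two-space-indented Helm output.

```python
import re

# Constructed sample of `helm template` output for an operator-only install
# with rbac.create=false (names and namespace are illustrative).
RENDERED = """\
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-config
  namespace: cp-a
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cilium-operator
  namespace: cp-a
spec:
  template:
    spec:
      volumes:
        - name: cilium-config-path
          configMap:
            name: cilium-config
"""
CLUSTER_RBAC = {"ClusterRole", "ClusterRoleBinding"}
KIND = re.compile(r"(?m)^kind:[ \t]*(\S+)")
# Top-level metadata.name; assumes two-space indentation.
NAME = re.compile(r"(?m)^metadata:[ \t]*\n(?:[ \t]+.*\n)*?  name:[ \t]*(\S+)")
CM_REF = re.compile(r"configMap:[ \t]*\n[ \t]+name:[ \t]*(\S+)")

def split_docs(text):
    return [d for d in re.split(r"(?m)^---[ \t]*$", text) if d.strip()]

def field(rx, doc):
    m = rx.search(doc)
    return m.group(1).strip("\"'") if m else None

def lint(rendered, rbac_create):
    """Return findings for one release's rendered manifests."""
    docs = split_docs(rendered)
    defined = {field(NAME, d) for d in docs if field(KIND, d) == "ConfigMap"}
    findings = []
    for d in docs:
        kind, name = field(KIND, d), field(NAME, d)
        if not rbac_create and kind in CLUSTER_RBAC:
            findings.append(f"{kind}/{name} rendered although rbac.create=false")
        for ref in CM_REF.findall(d):
            if ref.strip("\"'") not in defined:
                findings.append(f"{kind}/{name} mounts missing ConfigMap {ref}")
    return findings

# Constructed failing render: ConfigMap dropped, a ClusterRole added.
BROKEN = split_docs(RENDERED)[1] + "---\nkind: ClusterRole\nmetadata:\n  name: cilium-operator\n"
```

The check only sees what one release renders, so a ConfigMap supplied by another release or created out of band is reported as missing.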