Update calico template #3803
Update calico template #3803
Conversation
k8s-ci-robot
added
the
do-not-merge/work-in-progress
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
cncf-cla: no
|
signed |
k8s-ci-robot
added
cncf-cla: yes
| @@ -494,7 +494,22 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri | |||
| Version: fi.String(version), | |||
| Selector: networkingSelector, | |||
| Manifest: fi.String(location), | |||
| KubernetesVersion: ">=1.6.0", | |||
| KubernetesVersion: ">=1.6.0 <1.8.0", | |||
There was a problem hiding this comment.
what do you mean? is the selector wrong?
There was a problem hiding this comment.
I have an open branch with the changes I mentioned, and version matching like we're doing for Canal: https://github.com/kubernetes/kops/compare/master...blakebarnett:bdb/update_calico_for_k8s_1-8?expand=1
I didn't realize this PR was already in flight. Feel free to copy/use any of it.
| cni_network_config: |- | ||
| { | ||
| "name": "k8s-pod-network", | ||
| "cniVersion": "0.3.0", |
There was a problem hiding this comment.
This should be 0.1.0 per: projectcalico/calico#742
There was a problem hiding this comment.
should I update the 1.6 template as well?
| namespace: kube-system | ||
| data: | ||
| # The calico-etcd PetSet service IP:port | ||
| etcd_endpoints: "{{ $cluster := index .EtcdClusters 0 -}} |
There was a problem hiding this comment.
If we do this we should probably handle TLS too since that config can provide it now.
There was a problem hiding this comment.
can you expand on this?
There was a problem hiding this comment.
The new etcd configuration supports TLS, if someone happens to enable it there, we'll blow up the cluster unless we support it here.
| value: "kops,bgp" | ||
| # Disable file logging so `kubectl logs` works. | ||
| - name: CALICO_DISABLE_FILE_LOGGING | ||
| value: "true" |
There was a problem hiding this comment.
We should add the FELIX defaults from the example configs
There was a problem hiding this comment.
added the missing vars 👍
|
|
||
| --- | ||
|
|
||
| # This manifest deploys the Calico Kubernetes controllers. |
There was a problem hiding this comment.
You'll need to add a manifest that scales down calico-policy-controller from the old version or they'll conflict.
There was a problem hiding this comment.
that's suboptimal tho, because people starting from scratch they will see a weird deployment scaled to 0 for no reason.
There was a problem hiding this comment.
Agreed, but we'll have to just add it to to the release notes, or automatically delete it somehow (which seems potentially hairy)
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
|
|
||
| addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{ | ||
| Name: fi.String(key), | ||
| Version: fi.String(version), | ||
| Version: fi.String("2.4.1"), |
There was a problem hiding this comment.
changing this from 2.4.1-kops.1, was there a specific reason the version was different? can't find the code for that specific tag. if so, should it be kept and and are some changes to be done also for 2.6.2?
There was a problem hiding this comment.
I don't actually know why that version exists, I got rid of it in my branch but maybe @chrislovecnm or @justinsb can enlighten us.
There was a problem hiding this comment.
This should be the version of calico. We have another PR going in, which will force a rebase. @itajaja are you able to update this afternoon?
|
no problem @chrislovecnm, I'll rebase, just ping back when the other pr is merged :) |
|
Ping |
|
🙌 |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
k8s-github-robot
added
the
approved
|
/lgtm cancel Is this still wip? |
k8s-ci-robot
removed
the
lgtm
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
you mean for 1.6? |
k8s-github-robot
removed
the
approved
There was a problem hiding this comment.
It would be nice to have the clear version mapping like canal has: https://github.com/itajaja/kops/blob/3719d15c6b195aa58b2c4c8ff9e52c47dca71195/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go#L521
Otherwise LGTM
|
I guess the value there is just readability, since each field is accessed once? I think looking in the branch is pretty readable as well and makes the method shorter, but I can change it if you think the alternative is better 👍 |
|
Yeah just easier to see what versions map to what at a glance, and to be consistent. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: chrislovecnm The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
great! @chrislovecnm if you want to expand what you mean by "We need to get another PR in for the older manifests as well. Thanks!" I'll be happy to pr that as well |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
@itajaja i assume you tested the PR Also we need the other calico manifests to have the new version of calico once them. Just bump the version in the manifest and in bootstrap - thanks for your help! |
|
@chrislovecnm I am not sure if there is an easy way to do more integration testing, the way I tested was to apply the template against my local toy cluster to see networking would work as expected. |
|
Automatic merge from submit-queue. |
|
You able to update the other manifests? That testing is perfect btw |
|
@chrislovecnm but then why creating a 1.8 if I could just update 1.6? Am I missing anything? |
|
the rbac stuff does not work in 1.6. On my phone so I could be wrong. Does the manifest work on 1.8 and 1.7? I thought we had 1.8 specific stuff |
|
I just followed the canal PR tbh. it might be that the 1.8 template works with 1.6 as is, but it's probably not strictly necessary because pre 1.8 there is no egress policy, which strictly requires the new calico version |
|
@itajaja yah I messed up 😞 I will move the 1.8 manifest to 1.6. Grumble. My mistake. We will need a 1.7+ manifest when we enable Calico to use the k8s api as a datasource |
|
lmk if I can help, I can replace the 1.6 with 1.8 manifest and remove 1.8. |
|
Can you do the pre 1.6 template and test k8s 1.5? I have the branch already moving the 1.8 file around. |
|
@itajaja problem is a bit more complicated - ran into a bug testing. k8s 1.6 is broken in master and in the last beta. The policy controller is not scheduling on the master. I am guessing that we need a toleration that works for ks8 1.6, and thus need a pre-1.6 manifest, a 1.6 manifest, and a 1.7+ manifest. It is late, so I going to address this tomorrow. If you want to upgrade the pre-1.6 yaml please do. |
| # it isn't governed by policy that would prevent it from working. | ||
| hostNetwork: true | ||
| serviceAccountName: calico | ||
| tolerations: |
There was a problem hiding this comment.
So we should probably just change these to match what's in the current calico-node so it works on all k8s versions:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
closes #3791
changes taken from https://docs.projectcalico.org/v2.6/getting-started/kubernetes/installation/hosted/hosted
just a POC. not sure if I should update the 1.6 template or create a new template for 1.8 (maybe 1.7?) as I did. Do you have any suggestions on how to test this?