fix: Make calico work with pod security standard by labelling tigera ns

Author: dkoshkin

README.md

@@ -24,13 +24,15 @@ clusterctl generate cluster capi-quickstart \
   --kubernetes-version v1.26.0 \
   --control-plane-machine-count=1 \
   --worker-machine-count=1 | \
+  gojq --yaml-input --yaml-output --slurp \
+    '.[] | (select( .kind=="Cluster").metadata.labels += {"capi-runtime-extensions.d2iq-labs.com/cni": "calico"})' \
   kubectl apply -f -
 ```
 
-Label the cluster to deploy Calico:
+Wait until control plane is ready:
 
 ```shell
-kubectl label cluster capi-quickstart capi-runtime-extensions.d2iq-labs.com/cni=calico
+kubectl wait clusters/capi-quickstart --for=condition=ControlPlaneInitialized --timeout=5m
 ```
 
 To get the kubeconfig for the new cluster, run:
@@ -47,6 +49,18 @@ kubectl config set-cluster capi-quickstart \
   --server=https://$(docker port capi-quickstart-lb 6443/tcp)
 ```
 
+Wait until all nodes are ready (this indicates that CNI has been deployed successfully):
+
+```shell
+kubectl --kubeconfig capd-kubeconfig wait nodes --all --for=condition=Ready --timeout=5m
+```
+
+Show that Calico is running successfully on the workload cluster:
+
+```shell
+kubectl --kubeconfig capd-kubeconfig get daemonsets -n calico-system
+```
+
 To delete the workload cluster, run:
 
 ```shell

hack/addons/update-calico-manifests.sh

@@ -13,11 +13,10 @@ if [ -z "${CALICO_VERSION-}" ]; then
   echo "Missing environment variable: CALICO_VERSION"
   exit 1
 fi
-readonly CALICO_CNI_ASSETS_DIR="${GIT_REPO_ROOT}/.local/cni/calico/${CALICO_VERSION}"
-mkdir -p "${CALICO_CNI_ASSETS_DIR}"
 
-curl -fsSL "https://docs.projectcalico.org/archive/${CALICO_VERSION}/manifests/tigera-operator.yaml" \
-  -o "${CALICO_CNI_ASSETS_DIR}/tigera-operator.yaml"
+CALICO_CNI_ASSETS_DIR="$(mktemp -d -p "${TMPDIR:-/tmp}")"
+readonly CALICO_CNI_ASSETS_DIR
+trap 'rm -rf ${CALICO_CNI_ASSETS_DIR}' EXIT
 
 # The operator manifest in YAML format is 1226666 bytes. It turns out that much of that is whitespace. Converting the
 # manifest to JSON without indentation allows us to remove most of the whitespace, reducing the size by more than half,
@@ -27,10 +26,10 @@ curl -fsSL "https://docs.projectcalico.org/archive/${CALICO_VERSION}/manifests/t
 # 1. The YAML manifest includes many documents, and the documents must become elements in a JSON array in order for the ClusterResourceController to [parse them](https://github.com/mesosphere/cluster-api//blob/65586de0080a960d085031de87ec627b2d606a6b/exp/addons/internal/controllers/clusterresourceset_helpers.go#L59). We create a JSON array with the --slurp flag.
 # 2. The YAML manifest has some whitespace between YAML document markers (`---`), and these become `null` entries in the JSON array. This causes the ["SortForCreate" subroutine](https://github.com/mesosphere/cluster-api//blob/65586de0080a960d085031de87ec627b2d606a6b/exp/addons/internal/controllers/clusterresourceset_helpers.go#L84) of the ClusterResourceSet controller to misbehave. We remove these null entries using a filter expression.
 # 3. If we indent the JSON document, it is nearly as large as the YAML document, at 1099093 bytes. We remove indentation with the --indent=0 flag.
-gojq --yaml-input --slurp --indent=0 \
-  '[ .[] | select( . != null ) ]' \
-  <"${CALICO_CNI_ASSETS_DIR}/tigera-operator.yaml" \
-  >"${CALICO_CNI_ASSETS_DIR}/tigera-operator.json"
+curl -fsSL "https://docs.projectcalico.org/archive/${CALICO_VERSION}/manifests/tigera-operator.yaml" |
+  gojq --yaml-input --slurp --indent=0 \
+    '[ .[] | select( . != null ) | (select( .kind=="Namespace").metadata.labels += {"pod-security.kubernetes.io/enforce": "privileged", "pod-security.kubernetes.io/enforce-version": "latest"}) ]' \
+    >"${CALICO_CNI_ASSETS_DIR}/tigera-operator.json"
 
 kubectl create configmap tigera-operator --dry-run=client --output yaml \
   --from-file "${CALICO_CNI_ASSETS_DIR}/tigera-operator.json" \