fix: Calico deployment to work with CAPD template #16

Merged
merged 2 commits into from
Feb 6, 2023
18 changes: 16 additions & 2 deletions README.md
Expand Up @@ -24,13 +24,15 @@ clusterctl generate cluster capi-quickstart \
--kubernetes-version v1.26.0 \
--control-plane-machine-count=1 \
--worker-machine-count=1 | \
gojq --yaml-input --yaml-output --slurp \
'.[] | (select( .kind=="Cluster").metadata.labels += {"capi-runtime-extensions.d2iq-labs.com/cni": "calico"})' \
kubectl apply -f -
```

Label the cluster to deploy Calico:
Wait until control plane is ready:

```shell
kubectl label cluster capi-quickstart capi-runtime-extensions.d2iq-labs.com/cni=calico
kubectl wait clusters/capi-quickstart --for=condition=ControlPlaneInitialized --timeout=5m
```

To get the kubeconfig for the new cluster, run:
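Review bot: The added `gojq` filter line in the `clusterctl generate cluster` pipeline ends with `\` but has no `|` before `kubectl apply -f -`, so as written `kubectl apply -f -` is passed to `gojq` as extra arguments and nothing is applied to the management cluster. End the filter line with `| \` so the labelled YAML is piped into `kubectl apply -f -`. It would also help to say in the text that the CNI label is now set at creation time, since the separate `kubectl label cluster` step is gone.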
Expand All @@ -47,6 +49,18 @@ kubectl config set-cluster capi-quickstart \
--server=https://$(docker port capi-quickstart-lb 6443/tcp)
```

Wait until all nodes are ready (this indicates that CNI has been deployed successfully):

```shell
kubectl --kubeconfig capd-kubeconfig wait nodes --all --for=condition=Ready --timeout=5m
```

Show that Calico is running successfully on the workload cluster:

```shell
kubectl --kubeconfig capd-kubeconfig get daemonsets -n calico-system
```

To delete the workload cluster, run:

```shell
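Review bot: `kubectl --kubeconfig capd-kubeconfig wait nodes --all --for=condition=Ready` only waits on the Node objects that exist when it is invoked, so a worker that has not registered yet is not covered and the step can return before the whole cluster is Ready. Please note this in the README text, or have the reader confirm the node count against the `--control-plane-machine-count` and `--worker-machine-count` values used above. The following `get daemonsets -n calico-system` step likewise only prints state, so say which columns the reader should compare to conclude that Calico is healthy.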
15 changes: 7 additions & 8 deletions hack/addons/update-calico-manifests.sh
Expand Up @@ -13,11 +13,10 @@ if [ -z "${CALICO_VERSION-}" ]; then
echo "Missing environment variable: CALICO_VERSION"
exit 1
fi
readonly CALICO_CNI_ASSETS_DIR="${GIT_REPO_ROOT}/.local/cni/calico/${CALICO_VERSION}"
mkdir -p "${CALICO_CNI_ASSETS_DIR}"

curl -fsSL "https://docs.projectcalico.org/archive/${CALICO_VERSION}/manifests/tigera-operator.yaml" \
-o "${CALICO_CNI_ASSETS_DIR}/tigera-operator.yaml"
CALICO_CNI_ASSETS_DIR="$(mktemp -d -p "${TMPDIR:-/tmp}")"
readonly CALICO_CNI_ASSETS_DIR
trap 'rm -rf ${CALICO_CNI_ASSETS_DIR}' EXIT

# The operator manifest in YAML format is 1226666 bytes. It turns out that much of that is whitespace. Converting the
# manifest to JSON without indentation allows us to remove most of the whitespace, reducing the size by more than half,
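Review bot: The new `trap 'rm -rf ${CALICO_CNI_ASSETS_DIR}' EXIT` expands the directory variable unquoted inside an `rm -rf`, and the path is derived from `${TMPDIR:-/tmp}`, which the caller controls; a `TMPDIR` containing whitespace or glob characters would make the cleanup delete something other than the temp directory. Quote it inside the trap string: `trap 'rm -rf "${CALICO_CNI_ASSETS_DIR}"' EXIT`.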
Expand All @@ -27,10 +26,10 @@ curl -fsSL "https://docs.projectcalico.org/archive/${CALICO_VERSION}/manifests/t
# 1. The YAML manifest includes many documents, and the documents must become elements in a JSON array in order for the ClusterResourceController to [parse them](https://github.com/mesosphere/cluster-api//blob/65586de0080a960d085031de87ec627b2d606a6b/exp/addons/internal/controllers/clusterresourceset_helpers.go#L59). We create a JSON array with the --slurp flag.
# 2. The YAML manifest has some whitespace between YAML document markers (`---`), and these become `null` entries in the JSON array. This causes the ["SortForCreate" subroutine](https://github.com/mesosphere/cluster-api//blob/65586de0080a960d085031de87ec627b2d606a6b/exp/addons/internal/controllers/clusterresourceset_helpers.go#L84) of the ClusterResourceSet controller to misbehave. We remove these null entries using a filter expression.
# 3. If we indent the JSON document, it is nearly as large as the YAML document, at 1099093 bytes. We remove indentation with the --indent=0 flag.
gojq --yaml-input --slurp --indent=0 \
'[ .[] | select( . != null ) ]' \
<"${CALICO_CNI_ASSETS_DIR}/tigera-operator.yaml" \
>"${CALICO_CNI_ASSETS_DIR}/tigera-operator.json"
curl -fsSL "https://docs.projectcalico.org/archive/${CALICO_VERSION}/manifests/tigera-operator.yaml" |
gojq --yaml-input --slurp --indent=0 \
'[ .[] | select( . != null ) | (select( .kind=="Namespace").metadata.labels += {"pod-security.kubernetes.io/enforce": "privileged", "pod-security.kubernetes.io/enforce-version": "latest"}) ]' \
>"${CALICO_CNI_ASSETS_DIR}/tigera-operator.json"

kubectl create configmap tigera-operator --dry-run=client --output yaml \
--from-file "${CALICO_CNI_ASSETS_DIR}/tigera-operator.json" \
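Review bot: Piping `curl -fsSL ... | gojq ...` means a failed download is only fatal if the script runs with `set -o pipefail`, which is not visible in this hunk; without it `gojq` reads empty input and `tigera-operator.json` is written anyway. Please confirm `pipefail` is set at the top of the script. Separately, `select( .kind=="Namespace")` adds `pod-security.kubernetes.io/enforce: privileged` to every Namespace document in the downloaded manifest, so any namespace a future upstream manifest introduces would also be exempted from Pod Security enforcement; consider also matching on `.metadata.name` so only the intended namespace gets the label, and add a comment line explaining why the label is needed, alongside the existing numbered comments.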
2 changes: 1 addition & 1 deletion make/addons.mk
@@ -1,7 +1,7 @@
# Copyright 2023 D2iQ, Inc. All rights reserved.
# SPDX-License-Identifier: Apache-2.0

export CALICO_VERSION := v3.24
export CALICO_VERSION := v3.25

.PHONY: update-addon.calico
update-addon.calico: install-tool.gojq install-tool.kubectl ; $(info $(M) updating calico manifests)
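Review bot: `export CALICO_VERSION := v3.25` names a release line rather than a patch release, and the update script fetches the manifest by that value with no checksum check, so if the archive URL tracks patch releases, two runs of `update-addon.calico` can produce different ConfigMap contents with no change in this repository. Consider pinning a full patch version here, or recording and verifying a digest of the downloaded `tigera-operator.yaml`, so the committed template can be reproduced and reviewed against a known upstream artifact.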
2 changes: 1 addition & 1 deletion pkg/addons/templates/cni/tigera-operator-configmap.yaml

Large diffs are not rendered by default.