Update to version v3.19.0

This commit is contained in:
Adrien Reslinger 2021-05-07 22:44:57 +02:00
parent 3fbe1541c1
commit e415d35bda
Signed by: adrien
GPG key ID: DA7B27055C66D6DE
8 changed files with 84 additions and 36 deletions


@ -1,15 +1,18 @@
#!/bin/bash #!/bin/bash
curl https://docs.projectcalico.org/manifests/calico.yaml -O BASEURL=https://docs.projectcalico.org/manifests
#BASEURL=https://docs.projectcalico.org/archive/v3.18/manifests
curl "${BASEURL}"/calico.yaml -O
kubernetes-split-yaml calico.yaml > generated.log kubernetes-split-yaml calico.yaml > generated.log
mv generated/*.yaml files/ mv generated/*.yaml files/
rmdir generated rmdir generated
echo -e '---\ncalico_files:' > vars/calico-files.yaml echo -e '---\ncalico_files:' > vars/calico-files.yaml
cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)| - "\2"|' >> vars/calico-files.yaml cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)| - "\2"|' >> vars/calico-files.yaml
rm -f generated.log calico.yaml rm -f generated.log calico.yaml
curl https://docs.projectcalico.org/manifests/calicoctl.yaml -O curl "${BASEURL}"/calicoctl.yaml -O
kubernetes-split-yaml calicoctl.yaml > generated.log kubernetes-split-yaml calicoctl.yaml > generated.log
mv generated/*.yaml files/ mv generated/*.yaml files/
rmdir generated rmdir generated
echo -e '\ncalicoctl_files:' >> vars/calico-files.yaml
cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)| - "\2"|' >> vars/calico-files.yaml cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)| - "\2"|' >> vars/calico-files.yaml
rm -f generated.log calicoctl.yaml rm -f generated.log calicoctl.yaml
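Review bot: The two downloads (`curl "${BASEURL}"/calico.yaml -O` and the calicoctl one) still have no failure handling: without `-f` curl writes an HTTP error body into calico.yaml, and with no `set -e` the script carries on and splits that body into files/ and lists it in vars/calico-files.yaml. I would add `set -euo pipefail` after the shebang and use `curl -fsSL "${BASEURL}/calico.yaml" -o calico.yaml` (same for calicoctl.yaml). The active BASEURL is the unversioned manifests path, so re-running the script fetches whatever upstream currently publishes rather than the v3.19.0 this commit records; the commented line shows the versioned form (`archive/v3.19/manifests`) and that is the one I would keep active so the update is reproducible. The vendored manifests reference images by mutable tag (e.g. `docker.io/calico/node:v3.19.0`); pinning by digest would be a separate supply-chain follow-up if the split step can carry it.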


@ -34,16 +34,25 @@ spec:
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
containers: containers:
- name: calico-kube-controllers - name: calico-kube-controllers
image: docker.io/calico/kube-controllers:v3.18.1 image: docker.io/calico/kube-controllers:v3.19.0
env: env:
# Choose which controllers to run. # Choose which controllers to run.
- name: ENABLED_CONTROLLERS - name: ENABLED_CONTROLLERS
value: node value: node
- name: DATASTORE_TYPE - name: DATASTORE_TYPE
value: kubernetes value: kubernetes
livenessProbe:
exec:
command:
- /usr/bin/check-status
- -l
periodSeconds: 10
initialDelaySeconds: 10
failureThreshold: 6
readinessProbe: readinessProbe:
exec: exec:
command: command:
- /usr/bin/check-status - /usr/bin/check-status
- -r - -r
periodSeconds: 10


@ -44,7 +44,7 @@ spec:
# It can be deleted if this is a fresh installation, or if you have already # It can be deleted if this is a fresh installation, or if you have already
# upgraded to use calico-ipam. # upgraded to use calico-ipam.
- name: upgrade-ipam - name: upgrade-ipam
image: docker.io/calico/cni:v3.18.1 image: docker.io/calico/cni:v3.19.0
command: ["/opt/cni/bin/calico-ipam", "-upgrade"] command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
envFrom: envFrom:
- configMapRef: - configMapRef:
@ -71,7 +71,7 @@ spec:
# This container installs the CNI binaries # This container installs the CNI binaries
# and CNI network config file on each node. # and CNI network config file on each node.
- name: install-cni - name: install-cni
image: docker.io/calico/cni:v3.18.1 image: docker.io/calico/cni:v3.19.0
command: ["/opt/cni/bin/install"] command: ["/opt/cni/bin/install"]
envFrom: envFrom:
- configMapRef: - configMapRef:
@ -112,7 +112,7 @@ spec:
# Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
# to communicate with Felix over the Policy Sync API. # to communicate with Felix over the Policy Sync API.
- name: flexvol-driver - name: flexvol-driver
image: docker.io/calico/pod2daemon-flexvol:v3.18.1 image: docker.io/calico/pod2daemon-flexvol:v3.19.0
volumeMounts: volumeMounts:
- name: flexvol-driver-host - name: flexvol-driver-host
mountPath: /host/driver mountPath: /host/driver
@ -123,7 +123,7 @@ spec:
# container programs network policy and routes on each # container programs network policy and routes on each
# host. # host.
- name: calico-node - name: calico-node
image: docker.io/calico/node:v3.18.1 image: docker.io/calico/node:v3.19.0
envFrom: envFrom:
- configMapRef: - configMapRef:
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
@ -191,9 +191,6 @@ spec:
# Disable IPv6 on Kubernetes. # Disable IPv6 on Kubernetes.
- name: FELIX_IPV6SUPPORT - name: FELIX_IPV6SUPPORT
value: "false" value: "false"
# Set Felix logging to "info"
- name: FELIX_LOGSEVERITYSCREEN
value: "info"
- name: FELIX_HEALTHENABLED - name: FELIX_HEALTHENABLED
value: "true" value: "true"
- name: FELIX_IPTABLESBACKEND - name: FELIX_IPTABLESBACKEND


@ -11,7 +11,7 @@ spec:
serviceAccountName: calicoctl serviceAccountName: calicoctl
containers: containers:
- name: calicoctl - name: calicoctl
image: calico/ctl:v3.18.1 image: calico/ctl:v3.19.0
command: command:
- /calicoctl - /calicoctl
args: args:


@ -1,7 +1,7 @@
# Calico Version v3.18.1 # Calico Version v3.19.0
# https://docs.projectcalico.org/releases#v3.18.1 # https://docs.projectcalico.org/releases#v3.19.0
# This manifest includes the following component versions: # This manifest includes the following component versions:
# calico/ctl:v3.18.1 # calico/ctl:v3.19.0
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount


@ -77,6 +77,13 @@ spec:
description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
[Default: false]' [Default: false]'
type: boolean type: boolean
bpfExtToServiceConnmark:
description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
mark that is set on connections from an external client to a local
service. This mark allows us to control how packets of that connection
are routed within the host and how is routing intepreted by RPF
check. [Default: 0]'
type: integer
bpfExternalServiceMode: bpfExternalServiceMode:
description: 'BPFExternalServiceMode in BPF mode, controls how connections description: 'BPFExternalServiceMode in BPF mode, controls how connections
from outside the cluster to services (node ports and cluster IPs) from outside the cluster to services (node ports and cluster IPs)
@ -165,49 +172,55 @@ spec:
type: string type: string
type: array type: array
failsafeInboundHostPorts: failsafeInboundHostPorts:
description: 'FailsafeInboundHostPorts is a comma-delimited list of description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
UDP/TCP ports that Felix will allow incoming traffic to host endpoints and CIDRs that Felix will allow incoming traffic to host endpoints
on irrespective of the security policy. This is useful to avoid on irrespective of the security policy. This is useful to avoid
accidentally cutting off a host with incorrect configuration. Each accidentally cutting off a host with incorrect configuration. For
port should be specified as tcp:<port-number> or udp:<port-number>. back-compatibility, if the protocol is not specified, it defaults
For back-compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from
to "tcp". To disable all inbound host ports, use the value none. all addresses. To disable all inbound host ports, use the value
The default value allows ssh access and DHCP. [Default: tcp:22, none. The default value allows ssh access and DHCP. [Default: tcp:22,
udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
items: items:
description: ProtoPort is combination of protocol and port, both description: ProtoPort is combination of protocol, port, and CIDR.
must be specified. All three must be specified.
properties: properties:
net:
type: string
port: port:
type: integer type: integer
protocol: protocol:
type: string type: string
required: required:
- net
- port - port
- protocol - protocol
type: object type: object
type: array type: array
failsafeOutboundHostPorts: failsafeOutboundHostPorts:
description: 'FailsafeOutboundHostPorts is a comma-delimited list description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
of UDP/TCP ports that Felix will allow outgoing traffic from host and CIDRs that Felix will allow outgoing traffic from host endpoints
endpoints to irrespective of the security policy. This is useful to irrespective of the security policy. This is useful to avoid
to avoid accidentally cutting off a host with incorrect configuration. accidentally cutting off a host with incorrect configuration. For
Each port should be specified as tcp:<port-number> or udp:<port-number>. back-compatibility, if the protocol is not specified, it defaults
For back-compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from
to "tcp". To disable all outbound host ports, use the value none. all addresses. To disable all outbound host ports, use the value
The default value opens etcd''s standard ports to ensure that Felix none. The default value opens etcd''s standard ports to ensure that
does not get cut off from etcd as well as allowing DHCP and DNS. Felix does not get cut off from etcd as well as allowing DHCP and
[Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
udp:53, udp:67]' tcp:6667, udp:53, udp:67]'
items: items:
description: ProtoPort is combination of protocol and port, both description: ProtoPort is combination of protocol, port, and CIDR.
must be specified. All three must be specified.
properties: properties:
net:
type: string
port: port:
type: integer type: integer
protocol: protocol:
type: string type: string
required: required:
- net
- port - port
- protocol - protocol
type: object type: object


@ -12,6 +12,30 @@
resource_definition: "{{ lookup('file', item) | from_yaml }}" resource_definition: "{{ lookup('file', item) | from_yaml }}"
with_items: with_items:
- "{{ calico_files }}" - "{{ calico_files }}"
register: calico_changed
- name: delete pods calicoctl
k8s:
state: absent
context: "{{ my_context }}"
kind: Pod
name: calicoctl
namespace: kube-system
when:
- calico_changed is changed
- name: calicoctl install
k8s:
state: present
context: "{{ my_context }}"
apply: yes
resource_definition: "{{ lookup('file', item) | from_yaml }}"
with_items:
- "{{ calicoctl_files }}"
when:
- calico_changed is changed
when: when:
- kubernetes_network == "calico" - kubernetes_network == "calico"
tags: tags:
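Review bot: The `delete pods calicoctl` task removes the Pod with `state: absent` but does not wait for the deletion to complete, so the following `calicoctl install` task can race a still-terminating Pod of the same name and fail with an already-exists error from the API server; add `wait: yes` and a `wait_timeout: 120` to the delete task. The `calico_changed is changed` condition is evaluated on a registered loop result, which works because Ansible's `changed` test inspects the per-item results, but a comment such as `# any changed item in the calico apply loop forces a calicoctl re-deploy (Pod spec is immutable)` would make the intent clear. The enclosing block, whose `when: kubernetes_network == "calico"` and `tags:` close this hunk, starts outside the hunk. Separately and pre-existing, the reinstall re-creates a long-lived calicoctl Pod in kube-system that appears to be bound to the ClusterRole listed in the vars file; running calicoctl as a Job or via ad-hoc exec would narrow that standing privilege.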


@ -25,6 +25,8 @@ calico_files:
- "calico-kube-controllers-Deployment.yaml" - "calico-kube-controllers-Deployment.yaml"
- "calico-kube-controllers-ServiceAccount.yaml" - "calico-kube-controllers-ServiceAccount.yaml"
- "calico-kube-controllers-PodDisruptionBudget.yaml" - "calico-kube-controllers-PodDisruptionBudget.yaml"
calicoctl_files:
- "calicoctl-ServiceAccount.yaml" - "calicoctl-ServiceAccount.yaml"
- "calicoctl-Pod.yaml" - "calicoctl-Pod.yaml"
- "calicoctl-ClusterRole.yaml" - "calicoctl-ClusterRole.yaml"