From 84b93090a8e9296e5dbf669b3786c7306db64cfb Mon Sep 17 00:00:00 2001 From: Tom Stian Berget Date: Tue, 8 Feb 2022 23:04:35 +0100 Subject: [PATCH] Change Cilium setting identity_allocation_mode to cilium_identity_allocation_mode (#8519) * Change Cilium identity_allocation_mode to cilium_identity_allocation_mode * Change inventory sample --- .../sample/group_vars/k8s_cluster/k8s-net-cilium.yml | 2 +- roles/network_plugin/cilium/defaults/main.yml | 9 ++++++++- roles/network_plugin/cilium/tasks/check.yml | 4 ++-- roles/network_plugin/cilium/tasks/install.yml | 4 ++-- .../network_plugin/cilium/templates/cilium-config.yml.j2 | 4 ++-- .../network_plugin/cilium/templates/cilium-deploy.yml.j2 | 4 ++-- roles/network_plugin/cilium/templates/cilium-ds.yml.j2 | 4 ++-- 7 files changed, 19 insertions(+), 12 deletions(-) diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml index 505aeb242..c35b95182 100644 --- a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml +++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml @@ -1,4 +1,4 @@ # see roles/network_plugin/cilium/defaults/main.yml # cilium_version: "v1.11.0" -# identity_allocation_mode: kvstore # kvstore or crd +# cilium_identity_allocation_mode: kvstore # kvstore or crd diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml index 3f83aea99..e36a19906 100644 --- a/roles/network_plugin/cilium/defaults/main.yml +++ b/roles/network_plugin/cilium/defaults/main.yml 
@@ -12,7 +12,14 @@ cilium_enable_ipv6: false # These can be queried with: # `kubectl get ciliumid` # - "kvstore" stores identities in an etcd kvstore. -identity_allocation_mode: kvstore +# - In order to support External Workloads, "crd" is required +# - Ref: https://docs.cilium.io/en/stable/gettingstarted/external-workloads/#setting-up-support-for-external-workloads-beta +# - KVStore operations are only required when cilium-operator is running with any of the below options: +# - --synchronize-k8s-services +# - --synchronize-k8s-nodes +# - --identity-allocation-mode=kvstore +# - Ref: https://docs.cilium.io/en/stable/internals/cilium_operator/#kvstore-operations +cilium_identity_allocation_mode: kvstore # Etcd SSL dirs cilium_cert_dir: /etc/cilium/certs diff --git a/roles/network_plugin/cilium/tasks/check.yml b/roles/network_plugin/cilium/tasks/check.yml index 2a9ddc7c1..086eb91b4 100644 --- a/roles/network_plugin/cilium/tasks/check.yml +++ b/roles/network_plugin/cilium/tasks/check.yml @@ -10,5 +10,5 @@ - name: Stop if bad Cilium identity allocation mode assert: - that: identity_allocation_mode in ['crd', 'kvstore'] - msg: "identity_allocation_mode must be either 'crd' or 'kvstore'" + that: cilium_identity_allocation_mode in ['crd', 'kvstore'] + msg: "cilium_identity_allocation_mode must be either 'crd' or 'kvstore'" diff --git a/roles/network_plugin/cilium/tasks/install.yml b/roles/network_plugin/cilium/tasks/install.yml index 6c402a936..c394b6119 100644 --- a/roles/network_plugin/cilium/tasks/install.yml +++ b/roles/network_plugin/cilium/tasks/install.yml @@ -14,7 +14,7 @@ owner: root group: root when: - - identity_allocation_mode == "kvstore" + - cilium_identity_allocation_mode == "kvstore" - name: Cilium | Link etcd certificates for cilium file: 
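Review bot: The renamed default `cilium_identity_allocation_mode: kvstore` in roles/network_plugin/cilium/defaults/main.yml has no fallback for the old name, so an inventory that still sets `identity_allocation_mode: crd` is silently ignored and the role deploys in `kvstore` mode. That is not a neutral change: the install.yml hunks in this patch show that `kvstore` links the etcd client certificate and key (`kube_etcd_cert_file`, `kube_etcd_key_file`) for Cilium, and the template hunks mount `/var/lib/etcd-config` into the Cilium pods. A cluster that deliberately chose `crd` would therefore start exposing etcd client credentials to the CNI without any warning. Consider keeping the old name working for a deprecation period with `cilium_identity_allocation_mode: "{{ identity_allocation_mode | default('kvstore') }}"`. Alternatively, make the assert in tasks/check.yml fail when `identity_allocation_mode` is still defined, with a message that names the new variable.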
@@ -28,7 +28,7 @@ - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"} - {s: "{{ kube_etcd_key_file }}", d: "key.pem"} when: - - identity_allocation_mode == "kvstore" + - cilium_identity_allocation_mode == "kvstore" - name: Cilium | Create hubble dir file: diff --git a/roles/network_plugin/cilium/templates/cilium-config.yml.j2 b/roles/network_plugin/cilium/templates/cilium-config.yml.j2 index 7d6adfe59..820d214c7 100644 --- a/roles/network_plugin/cilium/templates/cilium-config.yml.j2 +++ b/roles/network_plugin/cilium/templates/cilium-config.yml.j2 @@ -5,9 +5,9 @@ metadata: name: cilium-config namespace: kube-system data: - identity-allocation-mode: {{ identity_allocation_mode }} + identity-allocation-mode: {{ cilium_identity_allocation_mode }} -{% if identity_allocation_mode == "kvstore" %} +{% if cilium_identity_allocation_mode == "kvstore" %} # This etcd-config contains the etcd endpoints of your cluster. If you use # TLS please make sure you follow the tutorial in https://cilium.link/etcd-config etcd-config: |- diff --git a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 index 854d96022..44dcea2b6 100644 --- a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 +++ b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 @@ -135,7 +135,7 @@ spec: periodSeconds: 10 timeoutSeconds: 3 volumeMounts: -{% if identity_allocation_mode == "kvstore" %} +{% if cilium_identity_allocation_mode == "kvstore" %} - mountPath: /var/lib/etcd-config name: etcd-config-path readOnly: true @@ -155,7 +155,7 @@ spec: tolerations: - operator: Exists volumes: -{% if identity_allocation_mode == "kvstore" %} +{% if cilium_identity_allocation_mode == "kvstore" %} # To read the etcd config stored in config maps - configMap: defaultMode: 420 diff --git a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 index 7dd601e31..9589465ca 100644 
--- a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 +++ b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 @@ -146,7 +146,7 @@ spec: mountPath: {{ cri_socket }} readOnly: true {% endif %} -{% if identity_allocation_mode == "kvstore" %} +{% if cilium_identity_allocation_mode == "kvstore" %} - mountPath: /var/lib/etcd-config name: etcd-config-path readOnly: true @@ -272,7 +272,7 @@ spec: path: /run/xtables.lock type: FileOrCreate name: xtables-lock -{% if identity_allocation_mode == "kvstore" %} +{% if cilium_identity_allocation_mode == "kvstore" %} # To read the etcd config stored in config maps - configMap: defaultMode: 420