Commit graph

622 commits

Author SHA1 Message Date
Cristian Calin
ef34f5fe7d
[calico] switch default iptables backend detection to Auto (#8429) 2022-01-23 23:47:57 -08:00
Necatican Yıldırım
caff539ccd
Add identity_allocation_mode support for Cilium (#8430)
Co-authored-by: Emin Aktaş <eminaktas34@gmail.com>
Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com>
Signed-off-by: necatican <necaticanyildirim@gmail.com>

Co-authored-by: Emin Aktaş <eminaktas34@gmail.com>
Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com>
2022-01-16 09:29:28 -08:00
Kenichi Omichi
73c889eb10
Fix failures of ansible-lint (#8401)
This fixes the following types of failures:
- empty-string-compare
- literal-compare
- risky-file-permissions
- risky-shell-pipe
- var-spacing

In addition, this changes .gitlab-ci/lint.yml to block the same issue
by using the same method at Kubespray CI.
2022-01-11 00:45:16 -08:00
forselli-stratio
df425ac143
Fix etcd certificates reference to support etcd_kubeadm_enabled:true (#7766)
* Fix etcd certificates reference to support etcd_kubeadm_enabled:true

* Add retries to ETCD Join Member task

* Fix etcd certificates reference when etcd_kubeadm_enabled:true

* Fix conflicts
2022-01-10 15:24:25 -08:00
Unai Arríen
57a1d18db3
Improve first_kube_control_plane variable management to avoid installation failures due to variable overlapping (#8388) 2022-01-10 01:35:19 -08:00
Kenichi Omichi
f80fd24a55
Fix risky-file-permissions (#8370)
When running ansible-lint directly, we can see a lot of warning
message like

  risky-file-permissions File permissions unset or incorrect

This fixes the warning messages.
2022-01-09 01:51:12 -08:00
Max Gautier
cb54eb40ce
Use a variable for standardizing kubectl invocation (#8329)
* Add kubectl variable

* Replace kubectl usage by kubectl variable in roles

* Remove redundant --kubeconfig on kubectl usage

* Replace unecessary shell usage with command
2022-01-05 02:26:32 -08:00
Necatican Yıldırım
bf00550388
Upgrade Cilium to 1.11.0 (#8354)
* Remove kvstore args from Cilium DaemonSet

Co-authored-by: Emin Aktaş <eminaktas34@gmail.com>
Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com>
Signed-off-by: necatican <necaticanyildirim@gmail.com>

* Bump Cilium to 1.11.0

Co-authored-by: Emin Aktaş <eminaktas34@gmail.com>
Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com>
Signed-off-by: necatican <necaticanyildirim@gmail.com>

Co-authored-by: Emin Aktaş <eminaktas34@gmail.com>
Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com>
2022-01-05 00:36:32 -08:00
Cristian Calin
ed3932b7d5
[cni-plugins] upgrade to stable 1.0.1 (#8331)
* [cni-plugins] upgrade to stable 1.0.1

* [flannel] use binary from dedicated project
2021-12-23 23:16:15 -08:00
emiran-orange
2b5c185826
calico_pool_blocksize must be cast as well in assertion when defined (#8321)
* calico_pool_blocksize must be cast as string in assertion when defined

* Cast as int rather than string
2021-12-23 00:58:37 -08:00
kakkotetsu
c59407f105
add support for Calico BGPPeer sourceAddress (#8306) 2021-12-20 01:51:25 -08:00
Alvaro Campesino
27ab364df5
Improve control plane scale flow (#13) (#7989)
* Improve control plane scale flow (#13)

* Added version 1.20.10 of K8s

* Setting first_kube_control_plane to a existing one

* Setting first_kube_control_plane to a existing one

* change first_kube_master for first_kube_control_plane

* Ansible-lint changes
2021-12-06 00:16:32 -08:00
Cristian Calin
dfdebda0b6
Calico: remove duplicate values for CALICO_DISABLE_FILE_LOGGING and FELIX_DEFAULTENDPOINTTOHOSTACTION (#8269) 2021-12-03 20:32:31 -08:00
Florian Ruynat
e19ce27352
Remove ovn4nfv support (#8265) 2021-12-03 11:56:35 -08:00
Cristian Calin
31c7b6747b
Calico: add dependencies for 3.21.x (#8250) 2021-12-02 01:17:33 -08:00
khatrig
3ea496013f
Create reset.yml (#8227) 2021-11-24 09:44:20 -08:00
zhengtianbao
a08d82d94e
calico add support for container ip forwarding setting (#8184) 2021-11-12 19:06:46 -08:00
Hyojun Jeon
61c2ae5549
Add vxlanEnabled spec in FelixConfiguration (#8167) 2021-11-08 00:06:52 -08:00
brainfair
465ffa3c9f
Weave: add extra_args for weave-npc (#8140)
* add weave_npc_extra_args in template

* add defaults weave_npc_extra_args

* add sample for weave_npc_extra_args
2021-10-28 08:58:27 -07:00
Julio H Morimoto
d42b7228c2
Convert numbers to string for calico's inventory check. (#8120)
Fix https://github.com/kubernetes-sigs/kubespray/issues/8119

Signed-off-by: Julio Morimoto <julio@morimoto.net.br>
2021-10-24 11:42:21 -07:00
Kenichi Omichi
19d07a4f2e
Fix ownership related to Calico (#8072)
kube-bench scan outputs warning related to Calico like:

* text: "Ensure that the Container Network Interface file
  permissions are set to 644 or more restrictive (Manual)"
* text: "Ensure that the Container Network Interface file
  ownership is set to root:root (Manual)"

This fixes these warnings.
2021-10-19 17:35:57 -07:00
Florian Ruynat
16bf3549c1 Update kube-ovn to 1.8.1 2021-10-14 19:42:54 -07:00
Florian Ruynat
b912dafd7a Update multus to 3.8.0 2021-10-14 19:42:54 -07:00
Iago Santos
43958614e3
Fix kubespray flatcar ansible_os_family and ansible_distribution (#8029)
Closes https://github.com/kubernetes-sigs/kubespray/issues/8028

Signed-off-by: Iago Santos <iago.santos.pardo@adfinis.com>
2021-10-01 09:11:23 -07:00
Frank Filippone
eee2eb11d8
Update weave template to match source for 2.8.1 (#8013) 2021-09-28 09:16:43 -07:00
David Louks
1472528f6d
check if 'plugins' key exists in calico_cni_config object (#7717)
* check if 'plugins' key exists in calico_cni_config object

* fix whitespace linting error

* fixed when list indentation
2021-09-27 11:04:20 -07:00
Florian Ruynat
ecd267854b
Move ovn4nvf crd from v1beta1 to v1 (#8006) 2021-09-27 01:18:22 -07:00
Eric Lake
ddea79f0f0
Issue 8004: Fix typha prometheus (#8005)
The typha prometheus settings were in the `volumeMounts` section of the
spec and not in the `envs` section. This was cauing the deployment to
fail because it was looking for a volumeMount.

```
failed: [controller-001.a2.da.dev.logdna.net] (item=calico-typha.yml) => {"ansible_loop_var": "item", "changed": false, "item": {"ansible_loop_var": "item", "changed": true, "checksum": "598ac79530749e8e2110793b53fc49ac208e7130", "dest": "/etc/kubernetes/calico-typha.yml", "diff": [], "failed": false, "gid": 0, "group": "root", "invocation": {"module_args": {"_original_basename": "calico-typha.yml.j2", "attributes": null, "backup": false, "checksum": "598ac79530749e8e2110793b53fc49ac208e7130", "content": null, "delimiter": null, "dest": "/etc/kubernetes/calico-typha.yml", "directory_mode": null, "follow": false, "force": true, "group": null, "local_follow": null, "mode": null, "owner": null, "regexp": null, "remote_src": null, "selevel": null, "serole": null, "setype": null, "seuser": null, "src": "/home/core/.ansible/tmp/ansible-tmp-1632349768.56-75434-32452975679246/source", "unsafe_writes": null, "validate": null}}, "item": {"file": "calico-typha.yml", "name": "calico", "type": "typha"}, "md5sum": "53c00ac7f562cf9ecbbfd27899ea066d", "mode": "0644", "owner": "root", "size": 5378, "src": "/home/core/.ansible/tmp/ansible-tmp-1632349768.56-75434-32452975679246/source", "state": "file", "uid": 0}, "msg": "error running kubectl (/opt/bin/kubectl --namespace=kube-system apply --force --filename=/etc/kubernetes/calico-typha.yml) command (rc=1), out='service/calico-typha unchanged\n', err='error: error validating \"/etc/kubernetes/calico-typha.yml\": error validating data: [ValidationError(Deployment.spec.template.spec.containers[0].volumeMounts[2]): unknown field \"value\" in io.k8s.api.core.v1.VolumeMount, ValidationError(Deployment.spec.template.spec.containers[0].volumeMounts[2]): missing required field \"mountPath\" in io.k8s.api.core.v1.VolumeMount, ValidationError(Deployment.spec.template.spec.containers[0].volumeMounts[3]): unknown field \"value\" in io.k8s.api.core.v1.VolumeMount, ValidationError(Deployment.spec.template.spec.containers[0].volumeMounts[3]): missing required field \"mountPath\" in io.k8s.api.core.v1.VolumeMount]; if you choose to ignore these errors, turn validation off with --validate=false\n'"}
```
2021-09-23 08:37:22 -07:00
Léopold Jacquot
598f178054
Fix cilium operator metrics activation (#8000) 2021-09-22 10:00:02 -07:00
Cristian Calin
fb8662ec19
Calico: update versions 3.20.1, 3.19.3 (#7984)
* make Calico 3.20.1 the default version
* drop Calico 3.17.x support
2021-09-20 17:40:23 -07:00
Cristian Calin
ae44aff330
Calico: increase calico node probe timeouts and allow tunning (#7981) 2021-09-17 16:08:07 -07:00
Florian Ruynat
60853fa682 Update kube-ovn to 1.7.2 2021-09-09 08:14:10 -07:00
Ole Mathias Aa. Heggem
69b67a293a
Calico: Add kube_service_addresses_ipv6 to serviceClusterIPs (#7889) (#7944)
Add IPv6 Service Addresses to BGP advertisement when 
calico_advertise_cluster_ips is true.
2021-09-08 00:37:20 -07:00
Olivier Lemasle
497d2ca306
Fix Calico's FelixConfiguration when "IP in IP" is disabled (#7926)
When using Calico with:

- `calico_network_backend: vxlan`,
- `calico_ipip_mode: "Never"`,
- `calico_vxlan_mode: "Always"`,

the `FelixConfiguration` object has `ipipEnabled: true`, when it should be false:

This is caused by an error in the `| bool` conversion in the install task:
when `calico_ipip_mode` is `Never`,
`{{ calico_ipip_mode != 'Never' | bool }}` evaluates to `true`:
2021-08-31 13:14:21 -07:00
Cristian Calin
1c3d33e146
Calico: 3.20.0 policy update to allow access to endpointslices (#7899) 2021-08-25 12:06:01 -07:00
Sergey
5336943a8c
add cilium_operator_api_serve_addr to cilium operator config (#7901) 2021-08-24 03:49:13 -07:00
Cristian Calin
0ac364dfae
Calico: use --allow-version-mismatch in calicoctl.sh to allow upgrades (#7873) 2021-08-20 14:30:48 -07:00
Florian Ruynat
000b4565c2 Fix erroneous ansible args 2021-07-20 01:29:31 -07:00
Florian Ruynat
d5cbb19b39 Update kube-ovn to 1.7.1 2021-07-20 01:29:31 -07:00
Cristian Calin
7516fe142f
Move to Ansible 3.4.0 (#7672)
* Ansible: move to Ansible 3.4.0 which uses ansible-base 2.10.10

* Docs: add a note about ansible upgrade post 2.9.x

* CI: ensure ansible is removed before ansible 3.x is installed to avoid pip failures

* Ansible: use newer ansible-lint

* Fix ansible-lint 5.0.11 found issues

* syntax issues
* risky-file-permissions
* var-naming
* role-name
* molecule tests

* Mitogen: use 0.3.0rc1 which adds support for ansible 2.10+

* Pin ansible-base to 2.10.11 to get package fix on RHEL8
2021-07-12 00:00:47 -07:00
jayonlau
e3850fbbbc
Extra spaces of macvlan (#7752)
Although these errors are not important, they affect the code specification.
2021-06-28 02:13:25 -07:00
Cristian Calin
a2cf6816ce
Calico wireguard (#7638)
* Calico: add Wireguard support

* CI: Add Calico Wireguard scenario
2021-06-25 03:22:45 -07:00
Florian Ruynat
e77b9bf3ee
Update kube-ovn to 1.7.0 (#7686) 2021-06-16 08:10:00 -07:00
Cristian Calin
ec0c0d4a28
Calico enable support for eBPF (#7618)
* Calico: align manifests with upstream

* allow enabling typha prometheus metrics

* Calico: enable eBPF support

* manage the kubernetes-services-endpoint configmap

* Calico: document the use of eBPF dataplane

* Calico: improve checks before deployment

* enforce disabling kube-proxy when using eBPF dataplane
* ensure calico_version is supported
2021-06-07 04:58:39 -07:00
forselli-stratio
eff1931283
Add retries to 'Set label for route reflector' task (#7645) 2021-05-27 12:02:23 -07:00
Cristian Calin
858b29f425
Calico: add support for v3.19.1 (#7630)
* Calico: add v3.19.1 hashes

* enable liveness probe for calico-kube-controllers

3.19.1

* Calico: drop support for v3.16.x

* Calico: promote v3.18.3 as default
2021-05-25 13:40:50 -07:00
efrikin
7db76f8809
Add nodeSelctor for other services and node labels before CNI setup (#7613) 2021-05-25 13:40:43 -07:00
Cristian Calin
14cf3e138b
Support Calico advertisement of MetalLB LoadBalancer IPs (#7593)
* add initial MetalLB docs

* metallb allow disabling the deployment of the metallb speaker

* calico>=3.18 allow using calico to advertise service loadbalancer IPs

* Document the use of MetalLB and Calico

* clean MetalLB docs
2021-05-12 05:22:17 -07:00
emiran-orange
afbabebfd5
Enables Calico serviceAccount token monitoring and update of /etc/cni/net.d/calico-kubeconfig if need be. (#7586)
Since K8S 1.21, BoundServiceAccountTokenVolume feature gate is in beta stage, thus activated by default (anyone who follows CSI guidelines has enabled AllAlpha and faced the issue before 1.21).
With this feature, SA tokens are regenerated every hour.
As a consequence for Calico CNI, token in /etc/cni/net.d/calico-kubeconfig copied from /var/run/secrets/kubernetes.io/serviceaccount in install-cni initContainer expires after one hour and any pod creation fails due to unauthorization.
Calico pods need to be restarted so that /etc/cni/net.d/calico-kubeconfig is updated with the new SA token.
2021-05-11 08:47:36 -07:00
Cristian Calin
8c0a2741ae
allow overriding calico peers names and avoid ipv6 naming issues (#7591) 2021-05-11 07:05:36 -07:00