Conversation
Signed-off-by: vsoch <[email protected]>
The user can install calico (even using the same flannel port) via a CRD for it, adding the rules for it, customizing the Daemonset env and the addresses that the containers use. Signed-off-by: vsoch <[email protected]>
9efd023 to 602ebb4
@AkihiroSuda please take a look at these changes.
Why does this need to be a daemonset?
Could be in https://github.com/rootless-containers/usernetes/tree/master/Dockerfile.d
We also had it as a COPY to the container via a udev rules files, but I don't think it took. At least whatever state changes the initial calico install triggered might have undone it.
Yes but we would need to name it something else so it's not specific to flannel.
| #!/bin/bash | ||
|
|
||
| # Install standard Calico | ||
| CALICO_VERSION="v3.31" |
version should be consolidated in https://github.com/rootless-containers/usernetes/blob/9658658396ec51fe74a8e9f2bc0b62792a7223e5/Dockerfile#L1-L4
| # backend to vxlan | ||
| yq eval-all -i '(select(.kind == "ConfigMap" and .metadata.name == "calico-config").data.calico_backend) = "vxlan"' $CALICO_FILE | ||
|
|
||
| # IPIP and VXLAN |
| wget https://raw.githubusercontent.com/projectcalico/calico/refs/heads/release-v3.31/manifests/calico.yaml -O $CALICO_FILE | ||
|
|
||
| # backend to vxlan | ||
| yq eval-all -i '(select(.kind == "ConfigMap" and .metadata.name == "calico-config").data.calico_backend) = "vxlan"' $CALICO_FILE |
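Review bot: the download in this hunk fetches `refs/heads/release-v3.31`, a moving branch head, while the script separately defines `CALICO_VERSION="v3.31"`; the two can silently diverge, and a branch head means the manifest applied to the cluster can change between builds with no change in this repo. Build the URL from `CALICO_VERSION` and point it at a release tag or commit SHA, consider recording a checksum for the fetched `calico.yaml`, and quote `"$CALICO_FILE"` in both the `wget -O` and `yq eval-all -i` arguments.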
Can we use helm with values.yaml ?
https://docs.tigera.io/calico/latest/getting-started/kubernetes/helm
No, we tried for weeks to get helm working - it was too complex. If you want to try and are successful, we can do some testing of what you find.
| : "${CONTAINER_ENGINE_TYPE:=$("${detect_engine}" CONTAINER_ENGINE_TYPE)}" | ||
| : "${QUICK:=0}" | ||
|
|
||
| # Set to 1 since we will do calico by default |
| kubectl taint nodes "${node}" node.cloudprovider.kubernetes.io/uninitialized- | ||
| fi | ||
| nodename=$(cut -d / -f 2 <<< $node) | ||
| calicoctl --allow-version-mismatch patch node ${nodename} --patch='{"spec": {"bgp":{"ipv4Address": "'"$host_ip"'"}}}' |
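Review bot: `calicoctl --allow-version-mismatch` turns off the client/cluster version check, so a calicoctl that does not match the installed Calico will still patch the Node object; pin the calicoctl version alongside `CALICO_VERSION` instead of suppressing the check. In the same hunk `$node` (in the `<<<` here-string) and `${nodename}` are unquoted, and `$host_ip` is spliced into the JSON patch without validation; quote both, check that `host_ip` is a plausible IPv4 address before building the `--patch` string, and guard the whole block so it only runs when Calico is the selected CNI.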
Needs explanation, and has to be skipped in non-calico setup
| } | ||
|
|
||
|
|
||
| install_yq() { |
Should be consolidated to https://github.com/rootless-containers/usernetes/blob/master/Dockerfile
| gettext-base \ | ||
| moreutils \ | ||
| socat | ||
| socat ipset wget |
wget and curl should not be mixed up
The code comment should explain why ipset is needed
| ADD Dockerfile.d/etc_udev_rules.d_95-calico.rules /etc/udev/rules.d/95-calico.rules | ||
| ADD Dockerfile.d/u7s-entrypoint.sh / | ||
| # Calico | ||
| ENV FELIX_IGNORELOOSERPF=true |
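Review bot: `FELIX_IGNORELOOSERPF=true` tells Felix not to refuse startup when `rp_filter` is in loose mode, which relaxes a reverse-path check Calico relies on to reject traffic with spoofed source addresses. As an `ENV` in the Dockerfile it reaches the entrypoint but not the `calico-node` DaemonSet where Felix reads its configuration, so it most likely has no effect; if loose RPF is genuinely needed in the rootless setup, set it on the DaemonSet env and add a comment explaining why it is acceptable there.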
This is only passed to the entrypoint script, so probably not effective
| ``` | ||
|
|
||
| - sysctl: | ||
| - sysctl (should not be required for calico, but needs testing) |
I'm not sure if this will be possible, but I'm trying to clean up our current calico install. I was able to install from a release and then apply our custom manifests, but (so far) haven't been able to do the entire thing cleanly with yq. It's a weird case of needing to apply the initial setup they have, but then remove it and re-apply the customizations, importantly keeping the IP: autodetect set so the calico.vxlan network shows up with ip addr. I am finding that when I try to patch from the get-go with yq I run into a myriad of errors. If I don't create our customizations with autodetect, the network has issues too. I still think it might be possible, and the next step is to look closely at what we have for the individual configs here and compare with what is being installed upstream.

Update: I've now removed all custom manifests - we get the upstream manifest and make all changes with yq. There are quite a few, but I think this is probably the slimmest I can get it for something to review / easily see changes.