New Calico AWS config

artifacts/kubezero-calico/README.md

@@ -1,11 +1,15 @@
 # Calico CNI
 
-## Known issues
+Current top-level still contains the deprecated Canal implementation.
-Due to a bug in Kustomize V2 vs. V3 we have to remove all namespaces from the base resources.
+Removed once new AWS config is tested and rolled out to all existing clusters.
-The kube-system namespace will be applied by kustomize.  
 
-See eg: `https://github.com/kubernetes-sigs/kustomize/issues/1351`
+## AWS
+Calico is setup based on the upstream calico-vxlan config from  
+`https://docs.projectcalico.org/v3.15/manifests/calico-vxlan.yaml`
 
-## Upgrade
+Changes:
-See: https://docs.projectcalico.org/maintenance/kubernetes-upgrade  
+
-`curl https://docs.projectcalico.org/manifests/canal.yaml -O && patch < remove-namespace.patch`
+- MTU set to 8941
+- Disable BGB and BIRD healthchecks
+- Set FELIX log level to warning
+- Enable Prometheus metrics

artifacts/kubezero-calico/aws/calico-v3.15.patch

@@ -0,0 +1,101 @@
+--- calico-vxlan.yaml	2020-07-03 15:32:40.740506882 +0100
++++ calico.yaml	2020-07-03 15:27:47.651499841 +0100
+@@ -10,13 +10,13 @@
+   # Typha is disabled.
+   typha_service_name: "none"
+   # Configure the backend to use.
+-  calico_backend: "bird"
++  calico_backend: "vxlan"
+   # Configure the MTU to use for workload interfaces and tunnels.
+   # - If Wireguard is enabled, set to your network MTU - 60
+   # - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50
+   # - Otherwise, if IPIP is enabled, set to your network MTU - 20
+   # - Otherwise, if not using any encapsulation, set to your network MTU.
+-  veth_mtu: "1410"
++  veth_mtu: "8941"
+ 
+   # The CNI network configuration to install on each node. The special
+   # values in this config will be automatically populated.
+@@ -3451,29 +3451,6 @@
+       terminationGracePeriodSeconds: 0
+       priorityClassName: system-node-critical
+       initContainers:
+-        # This container performs upgrade from host-local IPAM to calico-ipam.
+-        # It can be deleted if this is a fresh installation, or if you have already
+-        # upgraded to use calico-ipam.
+-        - name: upgrade-ipam
+-          image: calico/cni:v3.15.0
+-          command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
+-          env:
+-            - name: KUBERNETES_NODE_NAME
+-              valueFrom:
+-                fieldRef:
+-                  fieldPath: spec.nodeName
+-            - name: CALICO_NETWORKING_BACKEND
+-              valueFrom:
+-                configMapKeyRef:
+-                  name: calico-config
+-                  key: calico_backend
+-          volumeMounts:
+-            - mountPath: /var/lib/cni/networks
+-              name: host-local-net-dir
+-            - mountPath: /host/opt/cni/bin
+-              name: cni-bin-dir
+-          securityContext:
+-            privileged: true
+         # This container installs the CNI binaries
+         # and CNI network config file on each node.
+         - name: install-cni
+@@ -3545,7 +3522,7 @@
+                   key: calico_backend
+             # Cluster type to identify the deployment type
+             - name: CLUSTER_TYPE
+-              value: "k8s,bgp"
++              value: "k8s,kubeadm"
+             # Auto-detect the BGP IP address.
+             - name: IP
+               value: "autodetect"
+@@ -3554,7 +3531,7 @@
+               value: "Never"
+             # Enable or Disable VXLAN on the default IP pool.
+             - name: CALICO_IPV4POOL_VXLAN
+-              value: "CrossSubnet"
++              value: "Always"
+             # Set MTU for tunnel device used if ipip is enabled
+             - name: FELIX_IPINIPMTU
+               valueFrom:
+@@ -3595,9 +3572,17 @@
+               value: "false"
+             # Set Felix logging to "info"
+             - name: FELIX_LOGSEVERITYSCREEN
+-              value: "info"
++              value: "Warning"
++            - name: FELIX_LOGSEVERITYFILE
++              value: "Warning"
++            - name: FELIX_LOGSEVERITYSYS
++              value: ""
+             - name: FELIX_HEALTHENABLED
+               value: "true"
++            - name: FELIX_PROMETHEUSGOMETRICSENABLED
++              value: "false"
++            - name: FELIX_PROMETHEUSMETRICSENABLED
++              value: "true"
+           securityContext:
+             privileged: true
+           resources:
+@@ -3608,7 +3593,6 @@
+               command:
+               - /bin/calico-node
+               - -felix-live
+-              - -bird-live
+             periodSeconds: 10
+             initialDelaySeconds: 10
+             failureThreshold: 6
+@@ -3617,7 +3601,6 @@
+               command:
+               - /bin/calico-node
+               - -felix-ready
+-              - -bird-ready
+             periodSeconds: 10
+           volumeMounts:
+             - mountPath: /lib/modules

artifacts/kubezero-calico/aws/calico.yaml

@@ -3572,9 +3572,17 @@ spec:
               value: "false"
             # Set Felix logging to "info"
             - name: FELIX_LOGSEVERITYSCREEN
-              value: "info"
+              value: "Warning"
+            - name: FELIX_LOGSEVERITYFILE
+              value: "Warning"
+            - name: FELIX_LOGSEVERITYSYS
+              value: ""
             - name: FELIX_HEALTHENABLED
               value: "true"
+            - name: FELIX_PROMETHEUSGOMETRICSENABLED
+              value: "false"
+            - name: FELIX_PROMETHEUSMETRICSENABLED
+              value: "true"
           securityContext:
             privileged: true
           resources: