From 01c3fac039dc4bf0f5aa9c97907b02703879910a Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 3 Jul 2020 15:33:36 +0100 Subject: [PATCH] New Calico AWS config --- artifacts/kubezero-calico/README.md | 18 ++-- .../kubezero-calico/aws/calico-v3.15.patch | 101 ++++++++++++++++++ .../{calico-aws.yaml => aws/calico.yaml} | 10 +- 3 files changed, 121 insertions(+), 8 deletions(-) create mode 100644 artifacts/kubezero-calico/aws/calico-v3.15.patch rename artifacts/kubezero-calico/{calico-aws.yaml => aws/calico.yaml} (99%) diff --git a/artifacts/kubezero-calico/README.md b/artifacts/kubezero-calico/README.md index c7aadea..6f83185 100644 --- a/artifacts/kubezero-calico/README.md +++ b/artifacts/kubezero-calico/README.md @@ -1,11 +1,15 @@ # Calico CNI -## Known issues -Due to a bug in Kustomize V2 vs. V3 we have to remove all namespaces from the base resources. -The kube-system namespace will be applied by kustomize. +Current top-level still contains the deprecated Canal implementation. +Removed once new AWS config is tested and rolled out to all existing clusters. -See eg: `https://github.com/kubernetes-sigs/kustomize/issues/1351` +## AWS +Calico is setup based on the upstream calico-vxlan config from +`https://docs.projectcalico.org/v3.15/manifests/calico-vxlan.yaml` -## Upgrade -See: https://docs.projectcalico.org/maintenance/kubernetes-upgrade -`curl https://docs.projectcalico.org/manifests/canal.yaml -O && patch < remove-namespace.patch` +Changes: + +- MTU set to 8941 +- Disable BGB and BIRD healthchecks +- Set FELIX log level to warning +- Enable Prometheus metrics diff --git a/artifacts/kubezero-calico/aws/calico-v3.15.patch b/artifacts/kubezero-calico/aws/calico-v3.15.patch new file mode 100644 index 0000000..786d290 --- /dev/null +++ b/artifacts/kubezero-calico/aws/calico-v3.15.patch @@ -0,0 +1,101 @@ +--- calico-vxlan.yaml 2020-07-03 15:32:40.740506882 +0100 ++++ calico.yaml 2020-07-03 15:27:47.651499841 +0100 +@@ -10,13 +10,13 @@ + # Typha is disabled. + typha_service_name: "none" + # Configure the backend to use. +- calico_backend: "bird" ++ calico_backend: "vxlan" + # Configure the MTU to use for workload interfaces and tunnels. + # - If Wireguard is enabled, set to your network MTU - 60 + # - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50 + # - Otherwise, if IPIP is enabled, set to your network MTU - 20 + # - Otherwise, if not using any encapsulation, set to your network MTU. +- veth_mtu: "1410" ++ veth_mtu: "8941" + + # The CNI network configuration to install on each node. The special + # values in this config will be automatically populated. +@@ -3451,29 +3451,6 @@ + terminationGracePeriodSeconds: 0 + priorityClassName: system-node-critical + initContainers: +- # This container performs upgrade from host-local IPAM to calico-ipam. +- # It can be deleted if this is a fresh installation, or if you have already +- # upgraded to use calico-ipam. +- - name: upgrade-ipam +- image: calico/cni:v3.15.0 +- command: ["/opt/cni/bin/calico-ipam", "-upgrade"] +- env: +- - name: KUBERNETES_NODE_NAME +- valueFrom: +- fieldRef: +- fieldPath: spec.nodeName +- - name: CALICO_NETWORKING_BACKEND +- valueFrom: +- configMapKeyRef: +- name: calico-config +- key: calico_backend +- volumeMounts: +- - mountPath: /var/lib/cni/networks +- name: host-local-net-dir +- - mountPath: /host/opt/cni/bin +- name: cni-bin-dir +- securityContext: +- privileged: true + # This container installs the CNI binaries + # and CNI network config file on each node. + - name: install-cni +@@ -3545,7 +3522,7 @@ + key: calico_backend + # Cluster type to identify the deployment type + - name: CLUSTER_TYPE +- value: "k8s,bgp" ++ value: "k8s,kubeadm" + # Auto-detect the BGP IP address. + - name: IP + value: "autodetect" +@@ -3554,7 +3531,7 @@ + value: "Never" + # Enable or Disable VXLAN on the default IP pool. + - name: CALICO_IPV4POOL_VXLAN +- value: "CrossSubnet" ++ value: "Always" + # Set MTU for tunnel device used if ipip is enabled + - name: FELIX_IPINIPMTU + valueFrom: +@@ -3595,9 +3572,17 @@ + value: "false" + # Set Felix logging to "info" + - name: FELIX_LOGSEVERITYSCREEN +- value: "info" ++ value: "Warning" ++ - name: FELIX_LOGSEVERITYFILE ++ value: "Warning" ++ - name: FELIX_LOGSEVERITYSYS ++ value: "" + - name: FELIX_HEALTHENABLED + value: "true" ++ - name: FELIX_PROMETHEUSGOMETRICSENABLED ++ value: "false" ++ - name: FELIX_PROMETHEUSMETRICSENABLED ++ value: "true" + securityContext: + privileged: true + resources: +@@ -3608,7 +3593,6 @@ + command: + - /bin/calico-node + - -felix-live +- - -bird-live + periodSeconds: 10 + initialDelaySeconds: 10 + failureThreshold: 6 +@@ -3617,7 +3601,6 @@ + command: + - /bin/calico-node + - -felix-ready +- - -bird-ready + periodSeconds: 10 + volumeMounts: + - mountPath: /lib/modules diff --git a/artifacts/kubezero-calico/calico-aws.yaml b/artifacts/kubezero-calico/aws/calico.yaml similarity index 99% rename from artifacts/kubezero-calico/calico-aws.yaml rename to artifacts/kubezero-calico/aws/calico.yaml index d62cd5d..de2d34e 100644 --- a/artifacts/kubezero-calico/calico-aws.yaml +++ b/artifacts/kubezero-calico/aws/calico.yaml @@ -3572,9 +3572,17 @@ spec: value: "false" # Set Felix logging to "info" - name: FELIX_LOGSEVERITYSCREEN - value: "info" + value: "Warning" + - name: FELIX_LOGSEVERITYFILE + value: "Warning" + - name: FELIX_LOGSEVERITYSYS + value: "" - name: FELIX_HEALTHENABLED value: "true" + - name: FELIX_PROMETHEUSGOMETRICSENABLED + value: "false" + - name: FELIX_PROMETHEUSMETRICSENABLED + value: "true" securityContext: privileged: true resources: