Refactor calico route reflector to run in k8s cluster (#4975)

* Refactor calico-rr to run in k8s cluster with taint Change-Id: I75a3169ff5b36ce8302fc7ef1c32d3eb697b5afa * add preinstall checks * rework calico/rr role Change-Id: I2f0a7e6cb77cf91ad4a615923680760d2e5d9ca8 * add empty calico-rr group Change-Id: I006c0a60db9b72d02245bf8fdfabcf982144a5ad
2026-02-16 02:30:03 -03:30 · 2019-08-08 17:37:22 +03:00
parent 75d1be8272
commit 023108a733
19 changed files with 170 additions and 230 deletions
--- a/roles/network_plugin/calico/rr/defaults/main.yml
+++ b/roles/network_plugin/calico/rr/defaults/main.yml
@@ -2,15 +2,4 @@
 # Global as_num (/calico/bgp/v1/global/as_num)
 # should be the same as in calico role
 global_as_num: "64512"
-
-calico_cert_dir: /etc/calico/certs
-
-# Limits for apps
-calico_rr_memory_limit: 1000M
-calico_rr_cpu_limit: 300m
-calico_rr_memory_requests: 128M
-calico_rr_cpu_requests: 150m
-
-kube_etcd_cacert_file: ca.pem
-kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
-kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
+calico_baremetal_nodename: "{{ kube_override_hostname | default(inventory_hostname) }}"
--- a/roles/network_plugin/calico/rr/handlers/main.yml
+++ b/roles/network_plugin/calico/rr/handlers/main.yml
@@ -1,15 +0,0 @@
---
- name: restart calico-rr
-  command: /bin/true
-  notify:
-    - Calico-rr | reload systemd
-    - Calico-rr | reload calico-rr
-
- name: Calico-rr | reload systemd
-  systemd:
-    daemon_reload: true
-
- name: Calico-rr | reload calico-rr
-  service:
-    name: calico-rr
-    state: restarted
--- a/roles/network_plugin/calico/rr/tasks/main.yml
+++ b/roles/network_plugin/calico/rr/tasks/main.yml
@@ -1,82 +1,29 @@
 ---
-# Required from inventory:
-#   calico_rr_ip - which specific IP to use for RR, defaults to
-#   "ip" from inventory or "ansible_default_ipv4.address"
+- name: Calico-rr | Pre-upgrade tasks
+  include_tasks: pre.yml

- name: Calico-rr | Set IP fact
-  set_fact:
-    rr_ip: "{{ calico_rr_ip | default(ip) | default(fallback_ips[inventory_hostname]) }}"
+- name: Calico-rr | Fetch current node object
+  command: "{{ bin_dir }}/calicoctl.sh get node {{ inventory_hostname }} -oyaml"
+  register: calico_rr_node

- name: Calico-rr | Create calico certs directory
-  file:
-    dest: "{{ calico_cert_dir }}"
-    state: directory
-    mode: 0750
-    owner: root
-    group: root
-
- name: Calico-rr | Link etcd certificates for calico-node
-  file:
-    src: "{{ etcd_cert_dir }}/{{ item.s }}"
-    dest: "{{ calico_cert_dir }}/{{ item.d }}"
-    state: hard
-    force: yes
-  with_items:
-    - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
-    - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
-    - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
-
- name: Calico-rr | Create dir for logs
-  file:
-    path: /var/log/calico-rr
-    state: directory
-    mode: 0755
-    owner: root
-    group: root
-
- name: Calico-rr | Write calico-rr.env for systemd init file
-  template:
-    src: calico-rr.env.j2
-    dest: /etc/calico/calico-rr.env
-  notify: restart calico-rr
-
- name: Calico-rr | Write calico-rr systemd init file
-  template:
-    src: calico-rr-docker.service.j2
-    dest: /etc/systemd/system/calico-rr.service
-  notify: restart calico-rr
-  when:
-    - container_manager in ['crio', 'docker', 'rkt']
-
- name: Calico-rr | Write calico-rr systemd init file
-  template:
-    src: calico-rr-containerd.service.j2
-    dest: /etc/systemd/system/calico-rr.service
-  notify: restart calico-rr
-  when:
-    - container_manager == 'containerd'
+# FIXME(mattymo): Use jsonpatch when ansible/ansible#52931 is merged
+- name: Calico-rr | Set route reflector cluster ID
+  shell: >-
+    echo -e '{{ calico_rr_node.stdout }}' |
+    sed '/bgp:/a \ \ \ \ routeReflectorClusterID: {{ cluster_id }}'
+  register: calico_rr_node
+  when: '("routeReflectorClusterID: " + cluster_id|string) not in calico_rr_node.stdout_lines'

 - name: Calico-rr | Configure route reflector
-  command: |-
-    {{ bin_dir }}/etcdctl \
-    --endpoints={{ etcd_access_addresses }} \
-    put /calico/bgp/v1/rr_v4/{{ rr_ip }} \
-    '{
-       "ip": "{{ rr_ip }}",
-       "cluster_id": "{{ cluster_id }}"
-     }'
-  environment:
-    ETCDCTL_API: 3
-    ETCDCTL_CERT: "{{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}.pem"
-    ETCDCTL_KEY: "{{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem"
+  shell: |-
+    echo -e '{{ calico_rr_node.stdout }}' |
+    {{ bin_dir }}/calicoctl.sh replace -f-
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
-  delegate_to: "{{ groups['etcd'][0] }}"

- meta: flush_handlers
-
- name: Calico-rr | Enable calico-rr
-  service:
-    name: calico-rr
-    state: started
-    enabled: yes
+- name: Calico-rr | Set label for route reflector
+  command: >-
+    {{ bin_dir }}/calicoctl.sh label node {{ inventory_hostname }}
+    'i-am-a-route-reflector=true' --overwrite
+  retries: 4
+  delay: "{{ retry_stagger | random + 3 }}"
--- a/roles/network_plugin/calico/rr/tasks/pre.yml
+++ b/roles/network_plugin/calico/rr/tasks/pre.yml
@@ -0,0 +1,15 @@
+---
+- name: Calico-rr | Disable calico-rr service if it exists
+  service:
+    name: calico-rr
+    state: stopped
+    enabled: no
+  failed_when: false
+
+- name: Calico-rr | Delete obsolete files
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /etc/calico/calico-rr.env
+    - /etc/systemd/system/calico-rr.service
--- a/roles/network_plugin/calico/rr/templates/calico-rr-containerd.service.j2
+++ b/roles/network_plugin/calico/rr/templates/calico-rr-containerd.service.j2
@@ -1,27 +0,0 @@
-[Unit]
-Description=calico-rr
-After=containerd.service
-Requires=containerd.service
-
-[Service]
-EnvironmentFile=/etc/calico/calico-rr.env
-ExecStartPre=-{{ containerd_bin_dir }}/ctr t delete -f calico-rr
-ExecStart={{ containerd_bin_dir }}/ctr run --net-host --privileged \
- --env IP=${IP} \
- --env IP6=${IP6} \
- --env ETCD_ENDPOINTS=${ETCD_ENDPOINTS} \
- --env ETCD_CA_CERT_FILE=${ETCD_CA_CERT_FILE} \
- --env ETCD_CERT_FILE=${ETCD_CERT_FILE} \
- --env ETCD_KEY_FILE=${ETCD_KEY_FILE} \
- --mount type=bind,src=/var/log/calico-rr,dst=/var/log/calico,options=rbind:rw \
- --mount type=bind,src={{ calico_cert_dir }},dst={{ calico_cert_dir }},options=rbind:ro \
- {{ calico_rr_image_repo }}:{{ calico_rr_image_tag }} \
- calico-rr
-
-Restart=always
-RestartSec=10s
-
-ExecStop=-{{ containerd_bin_dir }}/ctr c rm calico-rr
-
-[Install]
-WantedBy=multi-user.target
--- a/roles/network_plugin/calico/rr/templates/calico-rr-docker.service.j2
+++ b/roles/network_plugin/calico/rr/templates/calico-rr-docker.service.j2
@@ -1,28 +0,0 @@
-[Unit]
-Description=calico-rr
-After=docker.service
-Requires=docker.service
-
-[Service]
-EnvironmentFile=/etc/calico/calico-rr.env
-ExecStartPre=-{{ docker_bin_dir }}/docker rm -f calico-rr
-ExecStart={{ docker_bin_dir }}/docker run --net=host --privileged \
- --name=calico-rr \
- -e IP=${IP} \
- -e IP6=${IP6} \
- -e ETCD_ENDPOINTS=${ETCD_ENDPOINTS} \
- -e ETCD_CA_CERT_FILE=${ETCD_CA_CERT_FILE} \
- -e ETCD_CERT_FILE=${ETCD_CERT_FILE} \
- -e ETCD_KEY_FILE=${ETCD_KEY_FILE} \
- -v /var/log/calico-rr:/var/log/calico \
- -v {{ calico_cert_dir }}:{{ calico_cert_dir }}:ro \
- --memory={{ calico_rr_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ calico_rr_cpu_limit|regex_replace('m', '') }} \
- {{ calico_rr_image_repo }}:{{ calico_rr_image_tag }}
-
-Restart=always
-RestartSec=10s
-
-ExecStop=-{{ docker_bin_dir }}/docker stop calico-rr
-
-[Install]
-WantedBy=multi-user.target
--- a/roles/network_plugin/calico/rr/templates/calico-rr.env.j2
+++ b/roles/network_plugin/calico/rr/templates/calico-rr.env.j2
@@ -1,6 +0,0 @@
-ETCD_ENDPOINTS="{{ etcd_access_addresses }}"
-ETCD_CA_CERT_FILE="{{ calico_cert_dir }}/ca_cert.crt"
-ETCD_CERT_FILE="{{ calico_cert_dir }}/cert.crt"
-ETCD_KEY_FILE="{{ calico_cert_dir }}/key.pem"
-IP="{{ rr_ip }}"
-IP6=""
--- a/roles/network_plugin/calico/tasks/install.yml
+++ b/roles/network_plugin/calico/tasks/install.yml
@@ -163,16 +163,16 @@

 - name: Calico | Configure peering with router(s) at global scope
  shell: >
-   echo '{
-   "apiVersion": "projectcalico.org/v3",
-   "kind": "BGPPeer",
-   "metadata": {
-      "name": "global-{{ item.router_id }}"
-   },
-   "spec": {
-      "asNumber": "{{ item.as }}",
-      "peerIP": "{{ item.router_id }}"
-   }}' | {{ bin_dir }}/calicoctl.sh create --skip-exists -f -
+    echo '{
+    "apiVersion": "projectcalico.org/v3",
+    "kind": "BGPPeer",
+    "metadata": {
+       "name": "global-{{ item.router_id }}"
+    },
+    "spec": {
+       "asNumber": "{{ item.as }}",
+       "peerIP": "{{ item.router_id }}"
+    }}' | {{ bin_dir }}/calicoctl.sh create --skip-exists -f -
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  with_items:
@@ -181,6 +181,46 @@
    - inventory_hostname == groups['kube-master'][0]
    - peer_with_router|default(false)

+- name: Calico | Configure peering with route reflectors at global scope
+  shell: |
+    echo '{
+    "apiVersion": "projectcalico.org/v3",
+    "kind": "BGPPeer",
+    "metadata": {
+       "name": "peer-to-rrs"
+    },
+    "spec": {
+       "nodeSelector": "!has(i-am-a-route-reflector)",
+       "peerSelector": "has(i-am-a-route-reflector)"
+    }}' | {{ bin_dir }}/calicoctl.sh create --skip-exists -f -
+  retries: 4
+  delay: "{{ retry_stagger | random + 3 }}"
+  with_items:
+    - "{{ groups['calico-rr'] | default([]) }}"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+    - peer_with_calico_rr|default(false)
+
+- name: Calico | Configure route reflectors to peer with each other
+  shell: >
+    echo '{
+    "apiVersion": "projectcalico.org/v3",
+    "kind": "BGPPeer",
+    "metadata": {
+       "name": "rr-mesh"
+    },
+    "spec": {
+       "nodeSelector": "has(i-am-a-route-reflector)",
+       "peerSelector": "has(i-am-a-route-reflector)"
+    }}' | {{ bin_dir }}/calicoctl.sh create --skip-exists -f -
+  retries: 4
+  delay: "{{ retry_stagger | random + 3 }}"
+  with_items:
+    - "{{ groups['calico-rr'] | default([]) }}"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+    - peer_with_calico_rr|default(false)
+
 - name: Calico | Create calico manifests
  template:
    src: "{{ item.file }}.j2"
@@ -234,18 +274,18 @@

 - name: Calico | Configure node asNumber for per node peering
  shell: >
-   echo '{
-   "apiVersion": "projectcalico.org/v3",
-   "kind": "Node",
-   "metadata": {
-      "name": "{{ inventory_hostname }}"
-   },
-   "spec": {
-      "bgp": {
-        "asNumber": "{{ local_as }}"
-      },
-      "orchRefs":[{"nodeName":"{{ inventory_hostname }}","orchestrator":"k8s"}]
-   }}' | {{ bin_dir }}/calicoctl.sh {{ 'apply -f -' if calico_datastore == "kdd" else 'create --skip-exists -f -' }}
+    echo '{
+    "apiVersion": "projectcalico.org/v3",
+    "kind": "Node",
+    "metadata": {
+       "name": "{{ inventory_hostname }}"
+    },
+    "spec": {
+       "bgp": {
+         "asNumber": "{{ local_as }}"
+       },
+       "orchRefs":[{"nodeName":"{{ inventory_hostname }}","orchestrator":"k8s"}]
+    }}' | {{ bin_dir }}/calicoctl.sh {{ 'apply -f -' if calico_datastore == "kdd" else 'create --skip-exists -f -' }}
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  when:
@@ -256,17 +296,17 @@

 - name: Calico | Configure peering with router(s) at node scope
  shell: >
-   echo '{
-   "apiVersion": "projectcalico.org/v3",
-   "kind": "BGPPeer",
-   "metadata": {
-      "name": "{{ inventory_hostname }}-{{ item.router_id }}"
-   },
-   "spec": {
-      "asNumber": "{{ item.as }}",
-      "node": "{{ inventory_hostname }}",
-      "peerIP": "{{ item.router_id }}"
-   }}' | {{ bin_dir }}/calicoctl.sh create --skip-exists -f -
+    echo '{
+    "apiVersion": "projectcalico.org/v3",
+    "kind": "BGPPeer",
+    "metadata": {
+       "name": "{{ inventory_hostname }}-{{ item.router_id }}"
+    },
+    "spec": {
+       "asNumber": "{{ item.as }}",
+       "node": "{{ inventory_hostname }}",
+       "peerIP": "{{ item.router_id }}"
+    }}' | {{ bin_dir }}/calicoctl.sh create --skip-exists -f -
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  with_items:
@@ -274,25 +314,3 @@
  when:
    - peer_with_router|default(false)
    - inventory_hostname in groups['k8s-cluster']
-
- name: Calico | Configure peering with route reflectors
-  shell: >
-   echo '{
-   "apiVersion": "projectcalico.org/v3",
-   "kind": "BGPPeer",
-   "metadata": {
-      "name": "{{ inventory_hostname }}-{{ hostvars[item]["calico_rr_ip"]|default(hostvars[item]["ip"])|default(fallback_ips[item]) }}"
-   },
-   "spec": {
-      "asNumber": "{{ local_as | default(global_as_num) }}",
-      "node": "{{ inventory_hostname }}",
-      "peerIP": "{{ hostvars[item]["calico_rr_ip"]|default(hostvars[item]["ip"])|default(fallback_ips[item]) }}"
-   }}' | {{ bin_dir }}/calicoctl.sh create --skip-exists -f -
-  retries: 4
-  delay: "{{ retry_stagger | random + 3 }}"
-  with_items:
-    - "{{ groups['calico-rr'] | default([]) }}"
-  when:
-    - peer_with_calico_rr|default(false)
-    - inventory_hostname in groups['k8s-cluster']
-    - hostvars[item]['cluster_id'] == cluster_id