Calico: update to 3.11.1, allow to configure calico_iptables_backend (#5514)

I've tested this update by deploying a containerd / etcd cluster on top CentOS7, MetalLB + NGINX Ingress. Upgrade using upgrade-cluster.yml Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2026-02-01 01:28:11 -03:30 · 2020-01-08 02:27:40 -08:00
parent 48c41bcbe7
commit 2c2ffa846c
7 changed files with 36 additions and 12 deletions
--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@@ -51,6 +51,9 @@ calico_node_ignorelooserpf: false
 # Define address on which Felix will respond to health requests
 calico_healthhost: "localhost"

+# Choose Calico iptables backend: "Iptables" or "NFT" (FELIX_IPTABLESBACKEND)
+calico_iptables_backend: "Iptables"
+
 # If you want to use non default IP_AUTODETECTION_METHOD for calico node set this option to one of:
 # * can-reach=DESTINATION
 # * interface=INTERFACE-REGEX
--- a/roles/network_plugin/calico/templates/calico-cr.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-cr.yml.j2
@@ -1,6 +1,6 @@
 ---
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: calico-node
  namespace: kube-system
@@ -82,6 +82,9 @@ rules:
 {% endif %}
      - clusterinformations
      - hostendpoints
+{% if calico_version is version('v3.9.0', '>=') %}
+      - blockaffinities
+{% endif %}
    verbs:
      - get
      - list
--- a/roles/network_plugin/calico/templates/calico-crb.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-crb.yml.j2
@@ -1,5 +1,5 @@
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: calico-node
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -204,6 +204,10 @@ spec:
 {% if kube_proxy_mode == 'ipvs' and kube_apiserver_node_port_range is defined %}
            - name: FELIX_KUBENODEPORTRANGES
              value: "{{ kube_apiserver_node_port_range.split('-')[0] }}:{{ kube_apiserver_node_port_range.split('-')[1] }}"
+{% endif %}
+{% if calico_version is version('v3.8.1', '>=') %}
+            - name: FELIX_IPTABLESBACKEND
+              value: "{{ calico_iptables_backend }}"
 {% endif %}
            # Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used,
            # this is not required in later versions https://github.com/projectcalico/calico/issues/2179
@@ -269,10 +273,18 @@ spec:
              cpu: {{ calico_node_cpu_requests }}
              memory: {{ calico_node_memory_requests }}
          livenessProbe:
+{% if calico_version is version('v3.8.0', '<') %}
            httpGet:
              host: 127.0.0.1
              path: /liveness
              port: 9099
+{% else %}
+            exec:
+              command:
+              - /bin/calico-node
+              - -felix-live
+              - -bird-live
+{% endif %}
            initialDelaySeconds: 5
            failureThreshold: 6
          readinessProbe: