[calico] don't enable ipip encapsulation by default and use vxlan in CI (#8434)

* [calico] make vxlan encapsulation the default * don't enable ipip encapsulation by default * set calico_network_backend by default to vxlan * update sample inventory and documentation * [CI] pin default calico parameters for upgrade tests to ensure proper upgrade * [CI] improve netchecker connectivity testing * [CI] show logs for tests * [calico] tweak task name * [CI] Don't run the provisioner from vagrant since we run it in testcases_run.sh * [CI] move kube-router tests to vagrant to avoid network connectivity issues during netchecker check * service proxy mode still fails connectivity tests so keeping it manual mode * [kube-router] account for containerd use-case
2026-02-01 01:28:11 -03:30 · 2022-03-18 03:05:39 +02:00
parent a86d9bd8e8
commit dd2d95ecdf
26 changed files with 229 additions and 82 deletions
--- a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
+++ b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
@@ -36,6 +36,24 @@
    - kube_network_plugin is defined
    - not ignore_assert_errors

+- name: Stop if legacy encapsulation variables are detected (ipip)
+  assert:
+    that:
+      - ipip is not defined
+    msg: "'ipip' configuration variable is deprecated, please configure your inventory with 'calico_ipip_mode' set to 'Always' or 'CrossSubnet' according to your specific needs"
+  when:
+    - kube_network_plugin == 'calico'
+    - not ignore_assert_errors
+
+- name: Stop if legacy encapsulation variables are detected (ipip_mode)
+  assert:
+    that:
+      - ipip_mode is not defined
+    msg: "'ipip_mode' configuration variable is deprecated, please configure your inventory with 'calico_ipip_mode' set to 'Always' or 'CrossSubnet' according to your specific needs"
+  when:
+    - kube_network_plugin == 'calico'
+    - not ignore_assert_errors
+
 - name: Stop if incompatible network plugin and cloudprovider
  assert:
    that:
--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@@ -6,16 +6,17 @@ nat_outgoing: true
 calico_pool_name: "default-pool"
 calico_ipv4pool_ipip: "Off"

-# Use IP-over-IP encapsulation across hosts
-ipip: true
-ipip_mode: "{{ 'Always' if ipip else 'Never' }}"  # change to "CrossSubnet" if you only want ipip encapsulation on traffic going across subnets
-calico_ipip_mode: "{{ ipip_mode }}"
-calico_vxlan_mode: 'Never'
+# Change encapsulation mode, by default we enable vxlan which is the most mature and well tested mode
+calico_ipip_mode: Never  # valid values are 'Always', 'Never' and 'CrossSubnet'
+calico_vxlan_mode: Always  # valid values are 'Always', 'Never' and 'CrossSubnet'

 calico_ipip_mode_ipv6: Never
 calico_vxlan_mode_ipv6: Never
 calico_pool_blocksize_ipv6: 116

+# Calico network backend can be 'bird', 'vxlan' and 'none'
+calico_network_backend: vxlan
+
 calico_cert_dir: /etc/calico/certs

 # Global as_num (/calico/bgp/v1/global/as_num)
--- a/roles/network_plugin/calico/tasks/check.yml
+++ b/roles/network_plugin/calico/tasks/check.yml
@@ -11,8 +11,6 @@
    that:
      - "calico_network_backend in ['bird', 'vxlan', 'none']"
    msg: "calico network backend is not 'bird', 'vxlan' or 'none'"
-  when:
-    - calico_network_backend is defined

 - name: "Check ipip and vxlan mode defined correctly"
  assert:
--- a/roles/network_plugin/calico/tasks/install.yml
+++ b/roles/network_plugin/calico/tasks/install.yml
@@ -194,7 +194,7 @@
    - inventory_hostname == groups['kube_control_plane'][0]
    - 'calico_conf.stdout == "0"'

- name: Calico | Configure calico ipv6 network pool (version >= v3.3.0)
+- name: Calico | Configure calico ipv6 network pool
  command:
    cmd: "{{ bin_dir }}/calicoctl.sh apply -f -"
    stdin: >
--- a/roles/network_plugin/calico/templates/calico-config.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-config.yml.j2
@@ -15,12 +15,12 @@ data:
  # essential.
  typha_service_name: "calico-typha"
 {% endif %}
-{% if calico_network_backend is defined %}
-  cluster_type: "kubespray"
-  calico_backend: "{{ calico_network_backend }}"
-{% else %}
+{% if calico_network_backend == 'bird' %}
  cluster_type: "kubespray,bgp"
  calico_backend: "bird"
+{% else %}
+  cluster_type: "kubespray"
+  calico_backend: "{{ calico_network_backend }}"
 {% endif %}
 {% if inventory_hostname in groups['k8s_cluster'] and peer_with_router|default(false) %}
  as: "{{ local_as|default(global_as_num) }}"
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -176,7 +176,7 @@ spec:
            - name: WAIT_FOR_DATASTORE
              value: "true"
 {% endif %}
-{% if calico_network_backend is defined and calico_network_backend == 'vxlan' %}
+{% if calico_network_backend == 'vxlan' %}
            - name: FELIX_VXLANVNI
              value: "{{ calico_vxlan_vni }}"
            - name: FELIX_VXLANPORT
@@ -319,7 +319,7 @@ spec:
              command:
              - /bin/calico-node
              - -felix-live
-{% if calico_network_backend|default("bird") == "bird" %}
+{% if calico_network_backend == "bird" %}
              - -bird-live
 {% endif %}
            periodSeconds: 10
@@ -330,7 +330,7 @@ spec:
            exec:
              command:
              - /bin/calico-node
-{% if calico_network_backend|default("bird") == "bird" %}
+{% if calico_network_backend == "bird" %}
              - -bird-ready
 {% endif %}
              - -felix-ready
--- a/roles/network_plugin/kube-router/templates/kube-router.yml.j2
+++ b/roles/network_plugin/kube-router/templates/kube-router.yml.j2
@@ -62,6 +62,14 @@ spec:
        - --metrics-path={{ kube_router_metrics_path }}
        - --metrics-port={{ kube_router_metrics_port }}
 {% endif %}
+{% if kube_router_enable_dsr %}
+{% if container_manager == "docker" %}
+        - --runtime-endpoint=unix:///var/run/docker.sock
+{% endif %}
+{% if container_manager == "containerd" %}
+{% endif %}
+        - --runtime-endpoint=unix:///run/containerd/containerd.sock
+{% endif %}
 {% for arg in kube_router_extra_args %}
        - "{{ arg }}"
 {% endfor %}
@@ -86,9 +94,16 @@ spec:
          privileged: true
        volumeMounts:
 {% if kube_router_enable_dsr %}
+{% if container_manager == "docker" %}
        - name: docker-socket
          mountPath: /var/run/docker.sock
          readOnly: true
+{% endif %}
+{% if container_manager == "containerd" %}
+        - name: containerd-socket
+          mountPath: /run/containerd/containerd.sock
+          readOnly: true
+{% endif %}
 {% endif %}
        - name: lib-modules
          mountPath: /lib/modules
@@ -118,10 +133,18 @@ spec:
      - operator: Exists
      volumes:
 {% if kube_router_enable_dsr %}
+{% if container_manager == "docker" %}
      - name: docker-socket
        hostPath:
          path: /var/run/docker.sock
          type: Socket
+{% endif %}
+{% if container_manager == "containerd" %}
+      - name: containerd-socket
+        hostPath:
+          path: /run/containerd/containerd.sock
+          type: Socket
+{% endif %}
 {% endif %}
      - name: lib-modules
        hostPath: