From 2c5c66676e3702dd4f1a4ffc0917e13055dd8f7f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mudrini=C4=87?=
Date: Mon, 22 Aug 2022 14:08:00 +0200
Subject: [PATCH] Set iptables backend to NFT for Canal and Calico VXLAN on Flatcar clusters
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Marko Mudrinić
---
 addons/calico-vxlan/calico-vxlan.yaml | 2 +
 addons/cni-canal/canal.yaml | 2 +
 pkg/addons/applier.go | 103 +++++++++++++++-----------
 3 files changed, 65 insertions(+), 42 deletions(-)
diff --git a/addons/calico-vxlan/calico-vxlan.yaml b/addons/calico-vxlan/calico-vxlan.yaml
index 59ccdb949..c28c87dfc 100644
--- a/addons/calico-vxlan/calico-vxlan.yaml
+++ b/addons/calico-vxlan/calico-vxlan.yaml
@@ -4483,6 +4483,8 @@ spec:
 value: "false"
 - name: FELIX_HEALTHENABLED
 value: "true"
+ - name: FELIX_IPTABLESBACKEND
+ value: "{{ default .CalicoIptablesBackend .Params.iptablesBackend }}"
 securityContext:
 privileged: true
 resources:
diff --git a/addons/cni-canal/canal.yaml b/addons/cni-canal/canal.yaml
index 495409d6d..68c761df1 100644
--- a/addons/cni-canal/canal.yaml
+++ b/addons/cni-canal/canal.yaml
@@ -4479,6 +4479,8 @@ spec:
 value: "false"
 - name: FELIX_HEALTHENABLED
 value: "true"
+ - name: FELIX_IPTABLESBACKEND
+ value: "{{ default .CalicoIptablesBackend .Params.iptablesBackend }}"
 securityContext:
 privileged: true
 resources:
diff --git a/pkg/addons/applier.go b/pkg/addons/applier.go
index 085d5872d..cd6191c3c 100644
--- a/pkg/addons/applier.go
+++ b/pkg/addons/applier.go
@@ -75,6 +75,7 @@ type templateData struct {
 CCMClusterName string
 CSIMigration bool
 CSIMigrationFeatureGates string
+ CalicoIptablesBackend string
 DeployCSIAddon bool
 MachineControllerCredentialsEnvVars string
 MachineControllerCredentialsHash string
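Review bot: The new `FELIX_IPTABLESBACKEND` entry passes `.Params.iptablesBackend` through verbatim, so nothing next to the value tells the reader which settings Felix accepts (`Legacy`, `NFT` or `Auto`) or that, assuming `default` here is sprig's, the addon param wins over the Flatcar detection done in `newAddonsApplier`. A short comment above the entry, e.g. `# Felix iptables backend: Auto, Legacy or NFT; the iptablesBackend addon param overrides the Flatcar auto-detection`, would make that contract visible where the value is set. The same applies to the identical entry added in addons/cni-canal/canal.yaml.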
@@ -178,6 +179,15 @@ func newAddonsApplier(s *state.State) (*applier, error) {
 // Check are we deploying the CSI driver
 deployCSI := len(ensureCSIAddons(s, []addonAction{})) > 0
 
+ calicoIptablesBackend := "Auto"
+ for _, cp := range s.LiveCluster.ControlPlane {
+ if cp.Config.OperatingSystem == kubeoneapi.OperatingSystemNameFlatcar {
+ calicoIptablesBackend = "NFT"
+
+ break
+ }
+ }
+
 data := templateData{
 Config: s.Cluster,
 Certificates: map[string]string{
@@ -193,6 +203,7 @@ func newAddonsApplier(s *state.State) (*applier, error) {
 CCMClusterName: s.LiveCluster.CCMClusterName,
 CSIMigration: csiMigration,
 CSIMigrationFeatureGates: csiMigrationFeatureGates,
+ CalicoIptablesBackend: calicoIptablesBackend,
 DeployCSIAddon: deployCSI,
 MachineControllerCredentialsEnvVars: string(credsEnvVarsMC),
 MachineControllerCredentialsHash: mcCredsHash,
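Review bot: The Flatcar scan in the new `for _, cp := range s.LiveCluster.ControlPlane` loop inspects only control-plane hosts, yet the result lands in a DaemonSet env var that applies to every node, so a single Flatcar control-plane host forces `NFT` on non-Flatcar workers while Flatcar static workers behind a non-Flatcar control plane keep `Auto`. If the live cluster state also tracks static worker hosts, they should be included in the scan, and the mixed-OS outcome deserves at least a comment; the commit title's "Flatcar clusters" suggests homogeneous clusters are the intended case. A line such as `// Flatcar hosts get Felix's NFT iptables backend; every other OS keeps Felix's Auto detection.` above `calicoIptablesBackend := "Auto"` would record the why, and the two literals could become named constants near `templateData` rather than inline strings. The enclosing `newAddonsApplier` starts and ends outside this hunk.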
@@ -206,6 +217,51 @@ func newAddonsApplier(s *state.State) (*applier, error) {
 Params: params,
 }
 
+ if err := csiWebhookCerts(s, &data, csiMigration, kubeCAPrivateKey, kubeCACert); err != nil {
+ return nil, err
+ }
+
+ // Certs for operating-system-manager-webhook
+ if s.Cluster.OperatingSystemManagerEnabled() {
+ if err := webhookCerts(data.Certificates,
+ "OSM",
+ resources.OperatingSystemManagerWebhookName,
+ resources.OperatingSystemManagerNamespace,
+ s.Cluster.ClusterNetwork.ServiceDomainName,
+ kubeCAPrivateKey,
+ kubeCACert,
+ ); err != nil {
+ return nil, err
+ }
+
+ credsOSM, err := credentials.ProviderCredentials(s.Cluster.CloudProvider, s.CredentialsFilePath, credentials.TypeOSM)
+ if err != nil {
+ return nil, err
+ }
+
+ envVarsOSM := credentials.EnvVarBindings(credentials.SecretNameOSM, credsOSM)
+ credsEnvVarsOSM, err := yaml.Marshal(envVarsOSM)
+ if err != nil {
+ return nil, fail.Runtime(err, "marshalling OSM credentials env variables")
+ }
+
+ osmCredsHash, err := credentialsHash(s, credentials.TypeOSM)
+ if err != nil {
+ return nil, err
+ }
+
+ data.OperatingSystemManagerCredentialsEnvVars = string(credsEnvVarsOSM)
+ data.OperatingSystemManagerCredentialsHash = osmCredsHash
+ }
+
+ return &applier{
+ TemplateData: data,
+ LocalFS: localFS,
+ EmbeddedFS: embeddedaddons.FS,
+ }, nil
+}
+
+func csiWebhookCerts(s *state.State, data *templateData, csiMigration bool, kubeCAPrivateKey *rsa.PrivateKey, kubeCACert *x509.Certificate) error {
 // Certs for CSI plugins
 switch {
 case s.Cluster.CloudProvider.DigitalOcean != nil,
@@ -219,7 +275,7 @@ func newAddonsApplier(s *state.State) (*applier, error) {
 kubeCAPrivateKey,
 kubeCACert,
 ); err != nil {
- return nil, err
+ return err
 }
 // Certs for vsphere-csi-webhook (deployed only if CSIMigration is enabled)
 case s.Cluster.CloudProvider.Vsphere != nil:
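Review bot: The extracted `csiWebhookCerts` has no doc comment, and its signature is the only place a reader learns that it writes into `data.Certificates` through the pointer and that `csiMigration` only matters for the vSphere case. A comment above the new `func csiWebhookCerts(...)` line such as `// csiWebhookCerts adds the cloud provider's CSI webhook certificates to data.Certificates; csiMigration additionally enables the vsphere-csi-webhook certs.` would cover that. The pre-existing `// Certs for CSI plugins` comment now sits inside the helper right after the signature; moving it to the `if err := csiWebhookCerts(...)` call in `newAddonsApplier` would keep the call site as readable as the OSM block below it. The body of `csiWebhookCerts` continues past this hunk.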
@@ -231,7 +287,7 @@ func newAddonsApplier(s *state.State) (*applier, error) {
 kubeCAPrivateKey,
 kubeCACert,
 ); err != nil {
- return nil, err
+ return err
 }
 if csiMigration {
 if err := webhookCerts(data.Certificates,
@@ -242,7 +298,7 @@ func newAddonsApplier(s *state.State) (*applier, error) {
 kubeCAPrivateKey,
 kubeCACert,
 ); err != nil {
- return nil, err
+ return err
 }
 }
 case s.Cluster.CloudProvider.Nutanix != nil:
@@ -254,48 +310,11 @@ func newAddonsApplier(s *state.State) (*applier, error) {
 kubeCAPrivateKey,
 kubeCACert,
 ); err != nil {
- return nil, err
- }
- }
-
- // Certs for operating-system-manager-webhook
- if s.Cluster.OperatingSystemManagerEnabled() {
- if err := webhookCerts(data.Certificates,
- "OSM",
- resources.OperatingSystemManagerWebhookName,
- resources.OperatingSystemManagerNamespace,
- s.Cluster.ClusterNetwork.ServiceDomainName,
- kubeCAPrivateKey,
- kubeCACert,
- ); err != nil {
- return nil, err
- }
-
- credsOSM, err := credentials.ProviderCredentials(s.Cluster.CloudProvider, s.CredentialsFilePath, credentials.TypeOSM)
- if err != nil {
- return nil, err
- }
-
- envVarsOSM := credentials.EnvVarBindings(credentials.SecretNameOSM, credsOSM)
- credsEnvVarsOSM, err := yaml.Marshal(envVarsOSM)
- if err != nil {
- return nil, fail.Runtime(err, "marshalling OSM credentials env variables")
- }
-
- osmCredsHash, err := credentialsHash(s, credentials.TypeOSM)
- if err != nil {
- return nil, err
+ return err
 }
-
- data.OperatingSystemManagerCredentialsEnvVars = string(credsEnvVarsOSM)
- data.OperatingSystemManagerCredentialsHash = osmCredsHash
 }
 
- return &applier{
- TemplateData: data,
- LocalFS: localFS,
- EmbeddedFS: embeddedaddons.FS,
- }, nil
+ return nil
 }
 
 func webhookCerts(certs map[string]string, prefix, webhookName, webhookNamespace, serviceDomainName string, kubeCAPrivateKey *rsa.PrivateKey, kubeCACert *x509.Certificate) error { //nolint:unparam