github-personal/terraform-render-bootstrap
1
0
Fork 0
mirror of https://github.com/outbackdingo/terraform-render-bootstrap.git synced 2026-01-27 02:20:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove Calico and associated variables

Browse Source 
* Drop support for Calico CNI
This commit is contained in:
Dalton Hubble
2024-12-27 20:59:44 -08:00
parent 0d3f17393e
commit 79b8ae1280
9 changed files with 4 additions and 4859 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
conditional.tf
View File

@@ -17,29 +17,6 @@ locals {
if var.components.enable && var.components.flannel.enable && var.networking == "flannel"
}
# calico manifests map
# { manifests-networking/manifest.yaml => content }
calico_manifests = {
for name in fileset("${path.module}/resources/calico", "*.yaml") :
"manifests/network/${name}" => templatefile(
"${path.module}/resources/calico/${name}",
{
calico_image = var.container_images["calico"]
calico_cni_image = var.container_images["calico_cni"]
network_mtu = var.network_mtu
network_encapsulation = indent(2, var.network_encapsulation == "vxlan" ? "vxlanMode: Always" : "ipipMode: Always")
ipip_enabled = var.network_encapsulation == "ipip" ? true : false
ipip_readiness = var.network_encapsulation == "ipip" ? indent(16, "- --bird-ready") : ""
vxlan_enabled = var.network_encapsulation == "vxlan" ? true : false
network_ip_autodetection_method = var.network_ip_autodetection_method
pod_cidr = var.pod_cidr
enable_reporting = var.enable_reporting
daemonset_tolerations = var.daemonset_tolerations
}
)
if var.components.enable && var.components.calico.enable && var.networking == "calico"
}
# cilium manifests map
# { manifests-networking/manifest.yaml => content }
cilium_manifests = {

27
resources/calico/cluster-role-binding.yaml
View File

@@ -1,27 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: calico-node
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-node
subjects:
- kind: ServiceAccount
name: calico-node
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: calico-cni-plugin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-cni-plugin
subjects:
- kind: ServiceAccount
name: calico-cni-plugin
namespace: kube-system

183
resources/calico/cluster-role.yaml
View File

@@ -1,183 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: calico-node
rules:
# The CNI plugin needs to get pods, nodes, and namespaces.
- apiGroups: [""]
resources:
- pods
- nodes
- namespaces
verbs:
- get
# EndpointSlices are used for Service-based network policy rule
# enforcement.
- apiGroups: ["discovery.k8s.io"]
resources:
- endpointslices
verbs:
- watch
- list
# Used to discover service IPs for advertisement.
- apiGroups: [""]
resources:
- endpoints
- services
verbs:
- watch
- list
- apiGroups: [""]
resources:
- nodes/status
verbs:
# Calico patches the node NetworkUnavilable status
- patch
# Calico updates some info in node annotations
- update
# Calico monitors Kubernetes NetworkPolicies
- apiGroups: ["networking.k8s.io"]
resources:
- networkpolicies
verbs:
- watch
- list
# Used by Calico for policy information
- apiGroups: [""]
resources:
- pods
- namespaces
- serviceaccounts
verbs:
- list
- watch
# CNI plugin patches pods/status
- apiGroups: [""]
resources:
- pods/status
verbs:
- patch
# Used for creating service account tokens to be used by the CNI plugin
- apiGroups: [""]
resources:
- serviceaccounts/token
resourceNames:
- calico-cni-plugin
verbs:
- create
# Calico monitors its CRDs
- apiGroups: ["crd.projectcalico.org"]
resources:
- globalfelixconfigs
- felixconfigurations
- bgppeers
- bgpfilters
- globalbgpconfigs
- bgpconfigurations
- ippools
- ipreservations
- ipamblocks
- globalnetworkpolicies
- globalnetworksets
- networkpolicies
- networksets
- clusterinformations
- hostendpoints
- blockaffinities
- caliconodestatuses
verbs:
- get
- list
- watch
# Calico must create and update some CRDs on startup
- apiGroups: ["crd.projectcalico.org"]
resources:
- ippools
- felixconfigurations
- clusterinformations
verbs:
- create
- update
# Calico must update some CRDs
- apiGroups: [ "crd.projectcalico.org" ]
resources:
- caliconodestatuses
verbs:
- update
# Calico reads some info on nodes
- apiGroups: [""]
resources:
- nodes
verbs:
- get
- list
- watch
# Calico may perform IPAM allocations
- apiGroups: ["crd.projectcalico.org"]
resources:
- blockaffinities
- ipamblocks
- ipamhandles
verbs:
- get
- list
- create
- update
- delete
- apiGroups: ["crd.projectcalico.org"]
resources:
- ipamconfigs
verbs:
- get
- create
# Watch block affinities for route aggregation
- apiGroups: ["crd.projectcalico.org"]
resources:
- blockaffinities
verbs:
- watch
# calico-node has hardcoded kubeadm assumptions :(
# https://github.com/projectcalico/node/pull/417
# https://github.com/projectcalico/calico/pull/3211
- apiGroups: [""]
resources:
- configmaps
verbs:
- get
---
# Starting in Calico v3.26, calico-cni-plugin is separate
# https://github.com/projectcalico/calico/pull/7106
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: calico-cni-plugin
rules:
- apiGroups: [""]
resources:
- pods
- nodes
- namespaces
verbs:
- get
- apiGroups: [""]
resources:
- pods/status
verbs:
- patch
- apiGroups: ["crd.projectcalico.org"]
resources:
- blockaffinities
- ipamblocks
- ipamhandles
- clusterinformations
- ippools
- ipreservations
- ipamconfigs
verbs:
- get
- list
- create
- update
- delete

46
resources/calico/config.yaml
View File

@@ -1,46 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: calico-config
namespace: kube-system
data:
# Disable Typha for now.
typha_service_name: "none"
# Calico backend to use
calico_backend: "bird"
# Calico autodetects MTU by default. Non-zero overrides.
veth_mtu: "0"
# The CNI network configuration to install on each node.
cni_network_config: |-
{
"name": "k8s-pod-network",
"cniVersion": "0.3.1",
"plugins": [
{
"type": "calico",
"log_level": "info",
"log_file_path": "/var/log/calico/cni/cni.log",
"datastore_type": "kubernetes",
"nodename": "__KUBERNETES_NODE_NAME__",
"mtu": __CNI_MTU__,
"ipam": {
"type": "calico-ipam"
},
"policy": {
"type": "k8s"
},
"kubernetes": {
"kubeconfig": "__KUBECONFIG_FILEPATH__"
}
},
{
"type": "portmap",
"snat": true,
"capabilities": {"portMappings": true}
},
{
"type": "bandwidth",
"capabilities": {"bandwidth": true}
}
]
}

4314
resources/calico/crds.yaml
View File

File diff suppressed because it is too large Load Diff

204
resources/calico/daemonset.yaml
View File

@@ -1,204 +0,0 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: calico-node
namespace: kube-system
labels:
k8s-app: calico-node
spec:
selector:
matchLabels:
k8s-app: calico-node
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
template:
metadata:
labels:
k8s-app: calico-node
spec:
nodeSelector:
kubernetes.io/os: linux
hostNetwork: true
priorityClassName: system-node-critical
securityContext:
seccompProfile:
type: RuntimeDefault
serviceAccountName: calico-node
tolerations:
- key: node-role.kubernetes.io/controller
operator: Exists
- key: node.kubernetes.io/not-ready
operator: Exists
%{~ for key in daemonset_tolerations ~}
- key: ${key}
operator: Exists
%{~ endfor ~}
initContainers:
# Install Calico CNI binaries and CNI network config file on nodes
- name: install-cni
image: ${calico_cni_image}
command: ["/opt/cni/bin/install"]
env:
# Name of the CNI config file to create on each node.
- name: CNI_CONF_NAME
value: "10-calico.conflist"
# Contents of the CNI config to create on each node.
- name: CNI_NETWORK_CONFIG
valueFrom:
configMapKeyRef:
name: calico-config
key: cni_network_config
# Set node name based on k8s nodeName
- name: KUBERNETES_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: CNI_MTU
valueFrom:
configMapKeyRef:
name: calico-config
key: veth_mtu
- name: SLEEP
value: "false"
- name: CNI_NET_DIR
value: "/etc/cni/net.d"
volumeMounts:
- name: cni-bin-dir
mountPath: /host/opt/cni/bin
- name: cni-conf-dir
mountPath: /host/etc/cni/net.d
containers:
- name: calico-node
image: ${calico_image}
env:
# Use Kubernetes API as the backing datastore.
- name: DATASTORE_TYPE
value: "kubernetes"
# Wait for datastore
- name: WAIT_FOR_DATASTORE
value: "true"
# Typha support: controlled by the ConfigMap.
- name: FELIX_TYPHAK8SSERVICENAME
valueFrom:
configMapKeyRef:
name: calico-config
key: typha_service_name
- name: FELIX_USAGEREPORTINGENABLED
value: "${enable_reporting}"
# Set node name based on k8s nodeName.
- name: NODENAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# Calico network backend
- name: CALICO_NETWORKING_BACKEND
valueFrom:
configMapKeyRef:
name: calico-config
key: calico_backend
# Cluster type to identify the deployment type
- name: CLUSTER_TYPE
value: "k8s,bgp"
# Auto-detect the BGP IP address.
- name: IP
value: "autodetect"
- name: IP_AUTODETECTION_METHOD
value: "${network_ip_autodetection_method}"
# Whether Felix should enable IP-in-IP tunnel
- name: FELIX_IPINIPENABLED
value: "${ipip_enabled}"
# MTU to set on the IPIP tunnel (if enabled)
- name: FELIX_IPINIPMTU
valueFrom:
configMapKeyRef:
name: calico-config
key: veth_mtu
# Whether Felix should enable VXLAN tunnel
- name: FELIX_VXLANENABLED
value: "${vxlan_enabled}"
# MTU to set on the VXLAN tunnel (if enabled)
- name: FELIX_VXLANMTU
valueFrom:
configMapKeyRef:
name: calico-config
key: veth_mtu
- name: NO_DEFAULT_POOLS
value: "true"
# Disable file logging so `kubectl logs` works.
- name: CALICO_DISABLE_FILE_LOGGING
value: "true"
# Set Felix endpoint to host default action to ACCEPT.
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
value: "ACCEPT"
# Disable IPV6 on Kubernetes.
- name: FELIX_IPV6SUPPORT
value: "false"
- name: FELIX_HEALTHENABLED
value: "true"
# Detect iptables legacy or nft
- name: FELIX_IPTABLESBACKEND
value: "Auto"
securityContext:
privileged: true
resources:
requests:
cpu: 100m
livenessProbe:
exec:
command:
- /bin/calico-node
- -felix-ready
periodSeconds: 10
initialDelaySeconds: 10
failureThreshold: 6
timeoutSeconds: 10
readinessProbe:
exec:
command:
- /bin/calico-node
- -felix-ready
${ipip_readiness}
periodSeconds: 10
volumeMounts:
- name: lib-modules
mountPath: /lib/modules
readOnly: true
- name: var-lib-calico
mountPath: /var/lib/calico
readOnly: false
- name: var-run-calico
mountPath: /var/run/calico
readOnly: false
- name: xtables-lock
mountPath: /run/xtables.lock
readOnly: false
# For maintaining CNI plugin API credentials
- name: cni-conf-dir
mountPath: /host/etc/cni/net.d
readOnly: false
terminationGracePeriodSeconds: 0
volumes:
# Used by calico/node
- name: lib-modules
hostPath:
path: /lib/modules
- name: var-lib-calico
hostPath:
path: /var/lib/calico
- name: var-run-calico
hostPath:
path: /var/run/calico
- name: xtables-lock
hostPath:
type: FileOrCreate
path: /run/xtables.lock
# Used by install-cni
- name: cni-bin-dir
hostPath:
path: /opt/cni/bin
- name: cni-conf-dir
hostPath:
type: DirectoryOrCreate
path: /etc/cni/net.d

10
resources/calico/ippools-default-ipv4.yaml
View File

@@ -1,10 +0,0 @@
apiVersion: crd.projectcalico.org/v1
kind: IPPool
metadata:
name: default-ipv4-ippool
spec:
blockSize: 24
cidr: ${pod_cidr}
${network_encapsulation}
natOutgoing: true
nodeSelector: all()

13
resources/calico/service-account.yaml
View File

@@ -1,13 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-node
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-cni-plugin
namespace: kube-system

43
variables.tf
View File

@@ -17,32 +17,14 @@ variable "etcd_servers" {
variable "networking" {
type = string
description = "Choice of networking provider (flannel or calico or cilium)"
default = "flannel"
description = "Choice of networking provider (flannel or cilium)"
default = "cilium"
validation {
condition = contains(["flannel", "calico", "cilium"], var.networking)
error_message = "networking can be flannel, calico, or cilium."
condition = contains(["flannel", "cilium"], var.networking)
error_message = "networking can be flannel or cilium."
}
}
variable "network_mtu" {
type = number
description = "CNI interface MTU (only applies to calico)"
default = 1500
}
variable "network_encapsulation" {
type = string
description = "Network encapsulation mode either ipip or vxlan (only applies to calico)"
default = "ipip"
}
variable "network_ip_autodetection_method" {
type = string
description = "Method to autodetect the host IPv4 address (only applies to calico)"
default = "first-found"
}
variable "pod_cidr" {
type = string
description = "CIDR IP range to assign Kubernetes pods"
@@ -62,8 +44,6 @@ variable "container_images" {
type = map(string)
description = "Container images to use"
default = {
calico = "quay.io/calico/node:v3.27.3"
calico_cni = "quay.io/calico/cni:v3.27.3"
cilium_agent = "quay.io/cilium/cilium:v1.16.5"
cilium_operator = "quay.io/cilium/operator-generic:v1.16.5"
coredns = "registry.k8s.io/coredns/coredns:v1.11.4"
@@ -76,12 +56,6 @@ variable "container_images" {
}
}
variable "enable_reporting" {
type = bool
description = "Enable usage or analytics reporting to upstream component owners (Tigera: Calico)"
default = false
}
variable "enable_aggregation" {
type = bool
description = "Enable the Kubernetes Aggregation Layer (defaults to true)"
@@ -138,14 +112,6 @@ variable "components" {
enable = true
}
)
calico = optional(
object({
enable = optional(bool, true)
}),
{
enable = true
}
)
cilium = optional(
object({
enable = optional(bool, true)
@@ -160,7 +126,6 @@ variable "components" {
coredns = null
kube_proxy = null
flannel = null
calico = null
cilium = null
}
# Set the variable value to the default value when the caller