Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement cilium upgrade using Helm #1492

Merged
merged 6 commits into from
Apr 18, 2023
Merged

Conversation

asauber
Copy link
Member

@asauber asauber commented Apr 5, 2023

Summary

Implements the cilium upgrade command using a thin wrapper around Helm rather than direct Kubernetes API calls.

A few of the self-contained features are broken down into separate commits.

Motivation

This implementation allows for more consistent documentation and behavior among Cilium installation methods, such as those docs which use only Helm directly.

This implementation includes an alternate implementation for the cilium {clustermesh,hubble} {enable,disable} family of commands. The "legacy" implementation of those commands came from a time when using Helm was insecure (it installed a daemon into the cluster with cluster-admin privileges. Helm is now relatively safe to use, thus we use Helm here as a library to implement all features for Cilium installation, upgrade, and feature enable/disable whcih are currently implemented in the Cilium Helm chart.

Example Usage

For example, we can use this new upgrade command to enable Cluster Mesh on a set of two Cilium clusters with the following procedure.

Create a kind cluster with the following config

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: c1
nodes:
  - role: control-plane
  - role: worker
  - role: worker
  - role: worker
networking:
  disableDefaultCNI: true
  podSubnet: "10.10.0.0/16"
  serviceSubnet: "10.50.0.0/16"
kind create cluster --config c1.kindconfig.yaml

Test that the kind cluster came up with k get pods -A

Install Cilium using the CLI, making sure to set a Cluster ID and Cluster Name

export CILIUM_CLI_MODE=helm
cilium install --help
# note the suggestion to use --helm-set flags
cilium install --helm-set cluster.id=1 --helm-set cluster.name=cluster1

Create a second cluster using kind with the following config

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: c2
nodes:
  - role: control-plane
  - role: worker
  - role: worker
  - role: worker
networking:
  disableDefaultCNI: true
  podSubnet: "10.11.0.0/16"
  serviceSubnet: "10.51.0.0/16"
kind create cluster --config c2.kindconfig.yaml

Check that you are authed for Cluster kind-c2

Run k get pods -A and look for kube-apiserver-c2-control-plane

Install Cilium using the CLI, making sure to set a Cluster ID and Cluster Name

export CILIUM_CLI_MODE=helm
cilium install --help
# note the suggestion to use --helm-set flags
cilium install --helm-set cluster.id=2 --helm-set cluster.name=cluster2

Enable clustermesh on Cluster 1 using the new Helm upgrade command

export CILIUM_CLI_MODE=helm
cilium upgrade --help
# note the suggestion to use --helm-set flags
cilium upgrade --context $CLUSTER1 \
    --helm-set clustermesh.useAPIServer=true \
    --helm-set clustermesh.apiserver.service.type=NodePort
# observe that the clustermesh apiserver is running
k get pods -A

Prep environment for the clustermesh enable.

export CLUSTER1=kind-c1 CLUSTER2=kind-c2

Extract the CA cert from Cluster 1 and install it into Cluster 2, then restart Cilium on Cluster 2

kubectl --context $CLUSTER2 delete secret -n kube-system cilium-ca && \
kubectl --context $CLUSTER1 get secrets -n kube-system cilium-ca -oyaml \
    | kubectl --context $CLUSTER2 apply -f -
# you should see the following output
# secret "cilium-ca" deleted
# secret/cilium-ca created
# proceed to restart Cilium on kind-c2
kubectl --context $CLUSTER2 delete pod -l app.kubernetes.io/part-of=cilium -A

Enable clustermesh on Cluster 2 using the new Helm upgrade command

export CILIUM_CLI_MODE=helm
cilium upgrade --help
# note the suggestion to use --helm-set flags
cilium upgrade --context $CLUSTER2 \
    --helm-set clustermesh.useAPIServer=true \
    --helm-set clustermesh.apiserver.service.type=NodePort

Move the secrets expected by the cilium clustermesh connect command (this quirk to be fixed with a helm-mode PR for that command)

k get secrets --context $CLUSTER1 -n kube-system clustermesh-apiserver-remote-cert \
    -oyaml \
    | sed 's/name: .*/name: clustermesh-apiserver-client-cert/' \
    | k apply --context $CLUSTER1 -f -

k get secrets --context $CLUSTER2 -n kube-system clustermesh-apiserver-remote-cert \
    -oyaml \
    | sed 's/name: .*/name: clustermesh-apiserver-client-cert/' \
    | k apply --context $CLUSTER2 -f -

Connect the two clusters using ClusterMesh

cilium clustermesh connect --context $CLUSTER1 --destination-context $CLUSTER2

Run the Multi-Cluster connectivity tests.

cilium connectivity test --context $CLUSTER1 --multi-cluster $CLUSTER2

(This has been included as a CI workflow)

closes #1493

@asauber asauber added the dont-merge/preview-only Only for preview or testing, don't merge it. label Apr 5, 2023
@asauber asauber self-assigned this Apr 5, 2023
@asauber asauber temporarily deployed to ci April 5, 2023 22:07 — with GitHub Actions Inactive
@asauber asauber force-pushed the pr/asauber/clustermesh branch from d5c39d0 to 8149f4b Compare April 5, 2023 22:10
@asauber asauber temporarily deployed to ci April 5, 2023 22:10 — with GitHub Actions Inactive
@asauber asauber force-pushed the pr/asauber/clustermesh branch from 8149f4b to 53f34b6 Compare April 10, 2023 20:01
@asauber asauber temporarily deployed to ci April 10, 2023 20:02 — with GitHub Actions Inactive
@asauber asauber force-pushed the pr/asauber/clustermesh branch from 356ec9c to dffba91 Compare April 13, 2023 14:06
@asauber asauber temporarily deployed to ci April 13, 2023 14:06 — with GitHub Actions Inactive
@asauber asauber temporarily deployed to ci April 13, 2023 19:14 — with GitHub Actions Inactive
@asauber asauber changed the title Helm implementation for clustermesh commands Implement cilium upgrade using Helm. This also provides an implementation for the clustermesh {enable,disable} commands. Apr 13, 2023
@asauber asauber changed the title Implement cilium upgrade using Helm. This also provides an implementation for the clustermesh {enable,disable} commands. Implement cilium upgrade using Helm. Provides an implementation for the clustermesh {enable,disable} commands. Apr 13, 2023
@asauber asauber changed the title Implement cilium upgrade using Helm. Provides an implementation for the clustermesh {enable,disable} commands. Implement cilium upgrade using Helm Apr 13, 2023
@asauber asauber requested a review from michi-covalent April 13, 2023 19:22
@asauber asauber temporarily deployed to ci April 13, 2023 19:25 — with GitHub Actions Inactive
@asauber asauber force-pushed the pr/asauber/clustermesh branch from 34fc1ee to 5885e00 Compare April 13, 2023 19:28
@asauber asauber temporarily deployed to ci April 13, 2023 19:28 — with GitHub Actions Inactive
@cilium cilium deleted a comment from maintainer-s-little-helper bot Apr 13, 2023
internal/helm/helm.go Outdated Show resolved Hide resolved
@asauber asauber removed the dont-merge/preview-only Only for preview or testing, don't merge it. label Apr 14, 2023
install/install.go Outdated Show resolved Hide resolved
@asauber asauber temporarily deployed to ci April 14, 2023 13:12 — with GitHub Actions Inactive
@asauber asauber temporarily deployed to ci April 14, 2023 13:21 — with GitHub Actions Inactive
@asauber asauber temporarily deployed to ci April 14, 2023 13:29 — with GitHub Actions Inactive
@asauber asauber temporarily deployed to ci April 14, 2023 13:33 — with GitHub Actions Inactive
@asauber asauber requested review from a team as code owners April 17, 2023 19:05
@asauber asauber requested a review from nbusseneau April 17, 2023 19:05
@asauber asauber temporarily deployed to ci April 17, 2023 19:05 — with GitHub Actions Inactive
@asauber
Copy link
Member Author

asauber commented Apr 17, 2023

Fix dry run

@asauber asauber force-pushed the pr/asauber/clustermesh branch from b038ac7 to 38814f5 Compare April 17, 2023 21:56
@asauber asauber temporarily deployed to ci April 17, 2023 21:57 — with GitHub Actions Inactive
@asauber asauber force-pushed the pr/asauber/clustermesh branch from 38814f5 to d3fa870 Compare April 18, 2023 14:49
@asauber asauber temporarily deployed to ci April 18, 2023 14:51 — with GitHub Actions Inactive
Copy link
Contributor

@michi-covalent michi-covalent left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm once the conflict is resolved

@asauber asauber force-pushed the pr/asauber/clustermesh branch from d3fa870 to 164a58a Compare April 18, 2023 15:05
@asauber asauber temporarily deployed to ci April 18, 2023 15:06 — with GitHub Actions Inactive
asauber added 6 commits April 18, 2023 11:49
This makes the early-return explicit, and works towards making the
preflight checks more understandable.

Signed-off-by: Andrew Sauber <[email protected]>
Adds upgrade implementation using a Helm update action directly if the
environment variable CILIUM_CLI_MODE=helm is set.

Signed-off-by: Andrew Sauber <[email protected]>
The chart version is either that of the current release or initialized
during k.getHelmValues

Signed-off-by: Andrew Sauber <[email protected]>
* Rename UpgradeCurrentRelease to Upgrade
* Move Chart parameter into params struct
* Don't query for latest chart when we don't need to

Signed-off-by: Andrew Sauber <[email protected]>
Previously, we were defaulting Helm's reuseValues flag to true. This
ended up not giving us the expected behavior when only our --version
flag was passed to an upgrade command (the most common case
for this flag). The result was that prior image versions from the
current release would override that version. By defaulting this flag to
false, we get the expect behavior in the common case.

Signed-off-by: Andrew Sauber <[email protected]>
@asauber asauber force-pushed the pr/asauber/clustermesh branch from 164a58a to 54f3d05 Compare April 18, 2023 15:51
@asauber asauber temporarily deployed to ci April 18, 2023 15:51 — with GitHub Actions Inactive
@michi-covalent
Copy link
Contributor

removing github-sec and ci-structure from reviewers. this pr got updated, and now it's only modifying files owned by cli and sig-hubble teams.

@michi-covalent michi-covalent removed request for a team and nbusseneau April 18, 2023 15:59
@michi-covalent
Copy link
Contributor

EKS (ENI): failed #1514

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

cilium upgrade doesn't support --chart-directory
2 participants