Merge pull request #7695 from olemarkus/automated-cherry-pick-of-#747…

…4-origin-release-1.15

Automated cherry pick of #7474: Change Cilium templates to standalone version

docs/networking.md

@@ -422,7 +422,7 @@ $ kops create cluster \
   --name cilium.example.com
 ```
 
-The above will deploy a daemonset installation which requires K8s 1.7.x or above.
+The above will deploy a Cilium daemonset installation which requires K8s 1.10.x or above.
 
 #### Configuring Cilium
 

k8s/crds/kops_v1alpha2_cluster.yaml

@@ -2121,6 +2121,8 @@ spec:
                   type: object
                 cilium:
                   properties:
+                    IPTablesRulesNoinstall:
+                      type: boolean
                     accessLog:
                       type: string
                     agentLabels:
@@ -2129,16 +2131,28 @@ spec:
                       type: array
                     allowLocalhost:
                       type: string
+                    autoDirectNodeRoutes:
+                      type: boolean
                     autoIpv6NodeRoutes:
                       type: boolean
+                    bpfCTGlobalAnyMax:
+                      format: int64
+                      type: integer
+                    bpfCTGlobalTCPMax:
+                      format: int64
+                      type: integer
                     bpfRoot:
                       type: string
+                    clusterName:
+                      type: string
                     containerRuntime:
                       items:
                         type: string
                       type: array
                     containerRuntimeEndpoint:
                       type: object
+                    containerRuntimeLabels:
+                      type: string
                     debug:
                       type: boolean
                     debugVerbose:
@@ -2155,10 +2169,16 @@ spec:
                       type: boolean
                     disableMasquerade:
                       type: boolean
+                    enableNodePort:
+                      type: boolean
                     enablePolicy:
                       type: string
                     enableTracing:
                       type: boolean
+                    enableipv4:
+                      type: boolean
+                    enableipv6:
+                      type: boolean
                     envoyLog:
                       type: string
                     ipv4ClusterCidrMaskSize:
@@ -2209,29 +2229,53 @@ spec:
                     logstashProbeTimer:
                       format: int32
                       type: integer
+                    monitorAggregation:
+                      type: string
                     nat46Range:
                       type: string
                     pprof:
                       type: boolean
+                    preallocateBPFMaps:
+                      type: boolean
                     prefilterDevice:
                       type: string
                     prometheusServeAddr:
                       type: string
                     restore:
                       type: boolean
+                    sidecarIstioProxyImage:
+                      type: string
                     singleClusterRoute:
                       type: boolean
                     socketPath:
                       type: string
                     stateDir:
                       type: string
+                    toFqdnsEnablePoller:
+                      type: boolean
                     tracePayloadlen:
                       format: int64
                       type: integer
                     tunnel:
                       type: string
                     version:
                       type: string
+                    waitBPFMount:
+                      type: boolean
+                  required:
+                  - enableipv6
+                  - enableipv4
+                  - monitorAggregation
+                  - bpfCTGlobalTCPMax
+                  - bpfCTGlobalAnyMax
+                  - preallocateBPFMaps
+                  - sidecarIstioProxyImage
+                  - clusterName
+                  - toFqdnsEnablePoller
+                  - waitBPFMount
+                  - IPTablesRulesNoinstall
+                  - autoDirectNodeRoutes
+                  - enableNodePort
                   type: object
                 classic:
                   type: object
@@ -2336,6 +2380,9 @@ spec:
                 NonMasqueradeCIDR is the CIDR for the internal k8s network (on which
                 pods & services live) It cannot overlap ServiceClusterIPRange
               type: string
+            podCIDR:
+              description: PodCIDR is the CIDR from which we allocate IPs for pods
+              type: string
             project:
               description: Project is the cloud project we should use, required on
                 GCE

k8s/crds/kops_v1alpha2_instancegroup.yaml

@@ -196,6 +196,10 @@ spec:
             image:
               description: Image is the instance (ami etc) we should use
               type: string
+            instanceProtection:
+              description: InstanceProtection makes new instances in an autoscaling
+                group protected from scale in
+              type: boolean
             kubelet:
               description: Kubelet overrides kubelet config from the ClusterSpec
               properties:
@@ -520,7 +524,8 @@ spec:
                   type: string
                 volumePluginDirectory:
                   description: The full path of the directory in which to search for
-                    additional third party volume plugins
+                    additional third party volume plugins (this path must be writeable,
+                    dependant on your choice of OS)
                   type: string
                 volumeStatsAggPeriod:
                   description: VolumeStatsAggPeriod is the interval for kubelet to

nodeup/pkg/model/network.go

@@ -70,6 +70,32 @@ func (b *NetworkBuilder) Build(c *fi.ModelBuilderContext) error {
 		}
 	}
 
+	if networking.Cilium != nil {
+		var unit *string
+		unit = s(`
+[Unit]
+Description=Cilium BPF mounts
+Documentation=http://docs.cilium.io/
+DefaultDependencies=no
+Before=local-fs.target umount.target kubelet.service
+
+[Mount]
+What=bpffs
+Where=/sys/fs/bpf
+Type=bpf
+
+[Install]
+WantedBy=multi-user.target		
+`)
+
+		service := &nodetasks.Service{
+			Name:       "sys-fs-bpf.mount",
+			Definition: unit,
+		}
+		service.InitDefaults()
+		c.AddTask(service)
+	}
+
 	return nil
 }
 

pkg/apis/kops/networking.go

@@ -155,7 +155,7 @@ type AmazonVPCNetworkingSpec struct {
 	ImageName string `json:"imageName,omitempty"`
 }
 
-const CiliumDefaultVersion = "v1.0-stable"
+const CiliumDefaultVersion = "v1.6.1"
 
 // CiliumNetworkingSpec declares that we want Cilium networking
 type CiliumNetworkingSpec struct {
@@ -209,6 +209,27 @@ type CiliumNetworkingSpec struct {
 	StateDir                 string            `json:"stateDir,omitempty"`
 	TracePayloadLen          int               `json:"tracePayloadlen,omitempty"`
 	Tunnel                   string            `json:"tunnel,omitempty"`
+
+	EnableIpv6             bool   `json:"enableipv6"`
+	EnableIpv4             bool   `json:"enableipv4"`
+	MonitorAggregation     string `json:"monitorAggregation"`
+	BPFCTGlobalTCPMax      int    `json:"bpfCTGlobalTCPMax"`
+	BPFCTGlobalAnyMax      int    `json:"bpfCTGlobalAnyMax"`
+	PreallocateBPFMaps     bool   `json:"preallocateBPFMaps"`
+	SidecarIstioProxyImage string `json:"sidecarIstioProxyImage"`
+	ClusterName            string `json:"clusterName"`
+	ToFqdnsEnablePoller    bool   `json:"toFqdnsEnablePoller"`
+	ContainerRuntimeLabels string `json:"containerRuntimeLabels,omitempty"`
+	IPTablesRulesNoinstall bool   `json:"IPTablesRulesNoinstall"`
+	AutoDirectNodeRoutes   bool   `json:"autoDirectNodeRoutes"`
+	EnableNodePort         bool   `json:"enableNodePort"`
+
+	//node init options
+	RemoveCbrBridge       bool   `json:"removeCbrBridge"`
+	RestartPods           bool   `json:"restartPods"`
+	ReconfigureKubelet    bool   `json:"reconfigureKubelet"`
+	NodeInitBootstrapFile string `json:"nodeInitBootstrapFile"`
+	CniBinPath            string `json:"cniBinPath"`
 }
 
 // LyftIpVlanNetworkingSpec declares that we want to use the cni-ipvlan-vpc-k8s CNI networking

pkg/apis/kops/v1alpha1/networking.go

@@ -206,6 +206,27 @@ type CiliumNetworkingSpec struct {
 	StateDir                 string            `json:"stateDir,omitempty"`
 	TracePayloadLen          int               `json:"tracePayloadlen,omitempty"`
 	Tunnel                   string            `json:"tunnel,omitempty"`
+
+	EnableIpv6             bool   `json:"enableipv6"`
+	EnableIpv4             bool   `json:"enableipv4"`
+	MonitorAggregation     string `json:"monitorAggregation"`
+	BPFCTGlobalTCPMax      int    `json:"bpfCTGlobalTCPMax"`
+	BPFCTGlobalAnyMax      int    `json:"bpfCTGlobalAnyMax"`
+	PreallocateBPFMaps     bool   `json:"preallocateBPFMaps"`
+	SidecarIstioProxyImage string `json:"sidecarIstioProxyImage"`
+	ClusterName            string `json:"clusterName"`
+	ToFqdnsEnablePoller    bool   `json:"toFqdnsEnablePoller"`
+	ContainerRuntimeLabels string `json:"containerRuntimeLabels,omitempty"`
+	IPTablesRulesNoinstall bool   `json:"IPTablesRulesNoinstall"`
+	AutoDirectNodeRoutes   bool   `json:"autoDirectNodeRoutes"`
+	EnableNodePort         bool   `json:"enableNodePort"`
+
+	//node init options
+	RemoveCbrBridge       bool   `json:"removeCbrBridge"`
+	RestartPods           bool   `json:"restartPods"`
+	ReconfigureKubelet    bool   `json:"reconfigureKubelet"`
+	NodeInitBootstrapFile string `json:"nodeInitBootstrapFile"`
+	CniBinPath            string `json:"cniBinPath"`
 }
 
 // LyftIpVlanNetworkingSpec declares that we want to use the cni-ipvlan-vpc-k8s CNI networking

pkg/apis/kops/v1alpha2/networking.go

@@ -207,6 +207,27 @@ type CiliumNetworkingSpec struct {
 	StateDir                 string            `json:"stateDir,omitempty"`
 	TracePayloadLen          int               `json:"tracePayloadlen,omitempty"`
 	Tunnel                   string            `json:"tunnel,omitempty"`
+
+	EnableIpv6             bool   `json:"enableipv6"`
+	EnableIpv4             bool   `json:"enableipv4"`
+	MonitorAggregation     string `json:"monitorAggregation"`
+	BPFCTGlobalTCPMax      int    `json:"bpfCTGlobalTCPMax"`
+	BPFCTGlobalAnyMax      int    `json:"bpfCTGlobalAnyMax"`
+	PreallocateBPFMaps     bool   `json:"preallocateBPFMaps"`
+	SidecarIstioProxyImage string `json:"sidecarIstioProxyImage"`
+	ClusterName            string `json:"clusterName"`
+	ToFqdnsEnablePoller    bool   `json:"toFqdnsEnablePoller"`
+	ContainerRuntimeLabels string `json:"containerRuntimeLabels,omitempty"`
+	IPTablesRulesNoinstall bool   `json:"IPTablesRulesNoinstall"`
+	AutoDirectNodeRoutes   bool   `json:"autoDirectNodeRoutes"`
+	EnableNodePort         bool   `json:"enableNodePort"`
+
+	//node init options
+	RemoveCbrBridge       bool   `json:"removeCbrBridge"`
+	RestartPods           bool   `json:"restartPods"`
+	ReconfigureKubelet    bool   `json:"reconfigureKubelet"`
+	NodeInitBootstrapFile string `json:"nodeInitBootstrapFile"`
+	CniBinPath            string `json:"cniBinPath"`
 }
 
 // LyftIpVlanNetworkingSpec declares that we want to use the cni-ipvlan-vpc-k8s CNI networking

pkg/apis/kops/validation/legacy.go

@@ -770,12 +770,6 @@ func validateCilium(c *kops.Cluster) *field.Error {
 		if kubeVersion.LT(minimalKubeVersion) {
 			return field.Invalid(specPath.Child("KubernetesVersion"), c.Spec.KubernetesVersion, "Cilium needs at least Kubernetes 1.7")
 		}
-
-		minimalVersion := semver.MustParse("3.1.0")
-		path := specPath.Child("EtcdClusters").Index(0)
-		if err := validateEtcdVersion(c.Spec.EtcdClusters[0], path, &minimalVersion); err != nil {
-			return err
-		}
 	}
 	return nil
 }