From 3b8e75b7c5b1f2eb5614c8a720c2f10769588d6f Mon Sep 17 00:00:00 2001 From: Teddy Andrieux Date: Mon, 16 May 2022 09:26:39 +0200 Subject: [PATCH] build,packages,salt: Update Calico to 3.23.1 Calico binaries sha256 updated from: https://github.com/projectcalico/calico/releases/tag/v3.23.1 Images bumped with: docker.io/calico/node:v3.23.1 docker.io/calico/kube-controllers:v3.23.1 Manifest updated based on upstream from: https://docs.projectcalico.org/v3.23/manifests/calico.yaml --- CHANGELOG.md | 4 +- buildchain/buildchain/versions.py | 6 +- packages/redhat/common/calico-cni-plugin.spec | 9 +- .../kubernetes/cni/calico/deployed.sls | 279 +++++++++++++++--- 4 files changed, 253 insertions(+), 45 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dffa1a125e..0670ea626b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -27,8 +27,8 @@ The pause image has been bump to 3.6 (PR[#3711](https://github.com/scality/metalk8s/pull/3711)) -- Bump Calico version to [3.22.0](https://github.com/projectcalico/calico/releases/tag/v3.22.0) - (PR[#3712](https://github.com/scality/metalk8s/pull/3712)) +- Bump Calico version to [3.23.1](https://github.com/projectcalico/calico/releases/tag/v3.23.1) + (PR[#3771](https://github.com/scality/metalk8s/pull/3771)) - Allow to resolve the registry endpoint from inside containers using CoreDNS (PR[#3690](https://github.com/scality/metalk8s/pull/3690)) diff --git a/buildchain/buildchain/versions.py b/buildchain/buildchain/versions.py index db1b8dfc30..c662de97d1 100644 --- a/buildchain/buildchain/versions.py +++ b/buildchain/buildchain/versions.py @@ -18,7 +18,7 @@ # Project-wide versions {{{ -CALICO_VERSION: str = "3.22.0" +CALICO_VERSION: str = "3.23.1" K8S_VERSION: str = "1.23.5" SALT_VERSION: str = "3002.8" CONTAINERD_VERSION: str = "1.6.0" 
@@ -97,12 +97,12 @@ def _version_prefix(version: str, prefix: str = "v") -> str: Image( name="calico-node", version=_version_prefix(CALICO_VERSION), - digest="sha256:393eb65c51e5acef64adb0648d9f2d087fcf0639f0020f757e80aa61b6fd0f77", + digest="sha256:d2c1613ef26c9ad43af40527691db1f3ad640291d5e4655ae27f1dd9222cc380", ), Image( name="calico-kube-controllers", version=_version_prefix(CALICO_VERSION), - digest="sha256:cfb3941c051abfa94bfae1bb907344117fe68914cb2962b4c5640b0b84f3a1d7", + digest="sha256:e8b2af28f2c283a38b4d80436e2d2a25e70f2820d97d1a8684609d42c3973afb", ), Image( name="coredns", diff --git a/packages/redhat/common/calico-cni-plugin.spec b/packages/redhat/common/calico-cni-plugin.spec index b5794d8081..7857212fda 100644 --- a/packages/redhat/common/calico-cni-plugin.spec +++ b/packages/redhat/common/calico-cni-plugin.spec @@ -6,12 +6,12 @@ %ifarch x86_64 %global built_arch amd64 -%global calico_sha256 6bac456294a08a5bba3121e44056e264f11085f78582b1770df740ebe9a5de5c -%global calico_ipam_sha256 6bac456294a08a5bba3121e44056e264f11085f78582b1770df740ebe9a5de5c +%global calico_sha256 906c5f20c6d9b48d1ac78559fc82f86a8ffa4448c1671e77b794f84f61606cd8 +%global calico_ipam_sha256 906c5f20c6d9b48d1ac78559fc82f86a8ffa4448c1671e77b794f84f61606cd8 %endif Name: calico-cni-plugin -Version: 3.22.0 +Version: 3.23.1 Release: 1%{?dist} Summary: Calico CNI plugin @@ -50,6 +50,9 @@ install -p -m 755 %{_builddir}/release-v%{version}/bin/cni/%{built_arch}/calico- %doc README.md %changelog +* Wed May 18 2022 Teddy Andrieux - 3.23.1.1-1 +- Version bump + * Fri Feb 18 2022 Teddy Andrieux - 3.22.0.1-1 - Version bump diff --git a/salt/metalk8s/kubernetes/cni/calico/deployed.sls b/salt/metalk8s/kubernetes/cni/calico/deployed.sls index 9acb482107..f96151c711 100644 --- a/salt/metalk8s/kubernetes/cni/calico/deployed.sls +++ b/salt/metalk8s/kubernetes/cni/calico/deployed.sls 
@@ -110,6 +110,12 @@ spec: 64512]' format: int32 type: integer + bindMode: + description: BindMode indicates whether to listen for BGP connections + on all addresses (None) or only on the node's canonical IP address + Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen + for BGP connections on all addresses. + type: string communities: description: Communities is a list of BGP community values and their arbitrary names for tagging routes. @@ -140,6 +146,37 @@ spec: description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: INFO]' type: string + nodeMeshMaxRestartTime: + description: Time to allow for software restart for node-to-mesh peerings. When + specified, this is configured as the graceful restart timeout. When + not specified, the BIRD default of 120s is used. This field can + only be set on the default BGPConfiguration instance and requires + that NodeMesh is enabled + type: string + nodeMeshPassword: + description: Optional BGP password for full node-to-mesh peerings. + This field can only be set on the default BGPConfiguration instance + and requires that NodeMesh is enabled + properties: + secretKeyRef: + description: Selects a key of a secret in the node pod's namespace. + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + type: object nodeToNodeMeshEnabled: description: 'NodeToNodeMeshEnabled sets whether full node to node BGP mesh is enabled. [Default: true]' 
@@ -271,6 +308,12 @@ spec: description: Selector for the nodes that should have this peering. When this is set, the Node field must be empty. type: string + numAllowedLocalASNumbers: + description: Maximum number of local AS numbers that are allowed in + the AS path for received routes. This removes BGP loop prevention + and should only be used if absolutely necesssary. + format: int32 + type: integer password: description: Optional BGP password for the peerings generated by this BGPPeer resource. @@ -388,8 +431,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -797,6 +838,11 @@ spec: description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. [Default: false]' type: boolean + bpfEnforceRPF: + description: 'BPFEnforceRPF enforce strict RPF on all interfaces with + BPF programs regardless of what is the per-interfaces or global + setting. Possible values are Disabled or Strict. [Default: Strict]' + type: string bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit mark that is set on connections from an external client to a local 
@@ -836,6 +882,51 @@ spec: logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`. [Default: Off].' type: string + bpfMapSizeConntrack: + description: 'BPFMapSizeConntrack sets the size for the conntrack + map. This map must be large enough to hold an entry for each active + connection. Warning: changing the size of the conntrack map can + cause disruption.' + type: integer + bpfMapSizeIPSets: + description: BPFMapSizeIPSets sets the size for ipsets map. The IP + sets map must be large enough to hold an entry for each endpoint + matched by every selector in the source/destination matches in network + policy. Selectors such as "all()" can result in large numbers of + entries (one entry per endpoint in that case). + type: integer + bpfMapSizeNATAffinity: + type: integer + bpfMapSizeNATBackend: + description: BPFMapSizeNATBackend sets the size for nat back end map. + This is the total number of endpoints. This is mostly more than + the size of the number of services. + type: integer + bpfMapSizeNATFrontend: + description: BPFMapSizeNATFrontend sets the size for nat front end + map. FrontendMap should be large enough to hold an entry for each + nodeport, external IP and each port in each service. + type: integer + bpfMapSizeRoute: + description: BPFMapSizeRoute sets the size for the routes map. The + routes map should be large enough to hold one entry per workload + and a handful of entries per host (enough to cover its own IPs and + tunnel IPs). + type: integer + bpfPSNATPorts: + anyOf: + - type: integer + - type: string + description: 'BPFPSNATPorts sets the range from which we randomly + pick a port if there is a source port collision. This should be + within the ephemeral range as defined by RFC 6056 (1024–65535) and + preferably outside the ephemeral ranges used by common operating + systems. Linux uses 32768–60999, while others mostly use the IANA + defined range 49152–65535. 
It is not necessarily a problem if this + range overlaps with the operating systems. Both ends of the range + are inclusive. [Default: 20000:29999]' + pattern: ^.* + x-kubernetes-int-or-string: true chainInsertMode: description: 'ChainInsertMode controls whether Felix hooks the kernel''s top-level iptables chains by inserting a rule at the top of the @@ -846,6 +937,15 @@ spec: Calico policy will be bypassed. [Default: insert]' type: string dataplaneDriver: + description: DataplaneDriver filename of the external dataplane driver + to use. Only used if UseInternalDataplaneDriver is set to false. + type: string + dataplaneWatchdogTimeout: + description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout + used for Felix''s (internal) dataplane driver. Increase this value + if you experience spurious non-ready or non-live events when Felix + is under heavy load. Decrease the value to get felix to report non-live + or non-ready more quickly. [Default: 90s]' type: string debugDisableLogDropping: type: boolean @@ -874,9 +974,14 @@ spec: routes, by default this will be RTPROT_BOOT when left blank. type: integer deviceRouteSourceAddress: - description: This is the source address to use on programmed device - routes. By default the source address is left blank, leaving the - kernel to choose the source address used. + description: This is the IPv4 source address to use on programmed + device routes. By default the source address is left blank, leaving + the kernel to choose the source address used. + type: string + deviceRouteSourceAddressIPv6: + description: This is the IPv6 source address to use on programmed + device routes. By default the source address is left blank, leaving + the kernel to choose the source address used. type: string disableConntrackInvalidCheck: type: boolean 
@@ -950,6 +1055,14 @@ spec: "true" or "false" will force the feature, empty or omitted values are auto-detected. type: string + floatingIPs: + default: Disabled + description: FloatingIPs configures whether or not Felix will program + floating IP addresses. + enum: + - Enabled + - Disabled + type: string genericXDPEnabled: description: 'GenericXDPEnabled enables Generic XDP so network cards that don''t support XDP offload or driver modes can use XDP. This @@ -987,6 +1100,9 @@ spec: disabled by setting the interval to 0. type: string ipipEnabled: + description: 'IPIPEnabled overrides whether Felix should configure + an IPIP interface on the host. Optional as Felix determines this + based on the existing IP pools. [Default: nil (unset)]' type: boolean ipipMTU: description: 'IPIPMTU is the MTU to set on the tunnel device. See @@ -1053,6 +1169,8 @@ spec: usage. [Default: 10s]' type: string ipv6Support: + description: IPv6Support controls whether Felix enables support for + IPv6 (if supported by the in-use dataplane). type: boolean kubeNodePortRanges: description: 'KubeNodePortRanges holds list of port ranges used for @@ -1066,6 +1184,12 @@ spec: pattern: ^.* x-kubernetes-int-or-string: true type: array + logDebugFilenameRegex: + description: LogDebugFilenameRegex controls which source code files + have their Debug log output included in the logs. Only logs from + files with names that match the given regular expression are included. The + filter only applies to Debug level logs. + type: string logFilePath: description: 'LogFilePath is the full path to the Felix log. Set to none to disable file logging. [Default: /var/log/calico/felix.log]' 
@@ -1195,9 +1319,9 @@ spec: routes. - CalicoIPAM: the default - use IPAM data to construct routes.' type: string routeTableRange: - description: Calico programs additional Linux route tables for various - purposes. RouteTableRange specifies the indices of the route tables - that Calico should use. + description: Deprecated in favor of RouteTableRanges. Calico programs + additional Linux route tables for various purposes. RouteTableRange + specifies the indices of the route tables that Calico should use. properties: max: type: integer @@ -1207,6 +1331,21 @@ spec: - max - min type: object + routeTableRanges: + description: Calico programs additional Linux route tables for various + purposes. RouteTableRanges specifies a set of table index ranges + that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`. + items: + properties: + max: + type: integer + min: + type: integer + required: + - max + - min + type: object + type: array serviceLoopPrevention: description: 'When service IP advertisement is enabled, prevent routing loops to service IPs that are not in use, by dropping or rejecting 
@@ -1234,12 +1373,22 @@ spec: Felix makes reports. [Default: 86400s]' type: string useInternalDataplaneDriver: + description: UseInternalDataplaneDriver, if true, Felix will use its + internal dataplane programming logic. If false, it will launch + an external dataplane driver and communicate with it over protobuf. type: boolean vxlanEnabled: + description: 'VXLANEnabled overrides whether Felix should create the + VXLAN tunnel device for VXLAN networking. Optional as Felix determines + this based on the existing IP pools. [Default: nil (unset)]' type: boolean vxlanMTU: - description: 'VXLANMTU is the MTU to set on the tunnel device. See - Configuring MTU [Default: 1440]' + description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel + device. See Configuring MTU [Default: 1410]' + type: integer + vxlanMTUV6: + description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel + device. See Configuring MTU [Default: 1390]' type: integer vxlanPort: type: integer @@ -1257,6 +1406,10 @@ spec: description: 'WireguardInterfaceName specifies the name to use for the Wireguard interface. [Default: wg.calico]' type: string + wireguardKeepAlive: + description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive + option. Set 0 to disable. [Default: 0]' + type: string wireguardListeningPort: description: 'WireguardListeningPort controls the listening port used by Wireguard. [Default: 51820]' @@ -1269,6 +1422,12 @@ spec: description: 'WireguardRoutingRulePriority controls the priority value to use for the Wireguard routing rule. [Default: 99]' type: integer + workloadSourceSpoofing: + description: WorkloadSourceSpoofing controls whether pods can use + the allowedSourcePrefixes annotation to send traffic with a source + IP address that is not theirs. This is disabled by default. When + set to "Any", pods can request any prefix. + type: string xdpEnabled: description: 'XDPEnabled enables XDP acceleration for suitable untracked incoming deny rules. [Default: true]' 
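Review bot: The `workloadSourceSpoofing` field added to the FelixConfiguration schema in hunk `@@ -1269,6 +1422,12 @@` is the one security-sensitive option in this batch: per its own description, a FelixConfiguration that sets it to `"Any"` lets pods use the allowedSourcePrefixes annotation to send traffic with a source IP that is not theirs, which removes the per-workload anti-spoofing that network policy relies on. This hunk only imports the CRD schema from upstream and nothing in the diff sets the field, so the documented disabled default applies unless a FelixConfiguration elsewhere in the repo (not visible here) sets it; worth confirming none does as part of this bump. The FelixConfiguration CRD definition starts and ends outside the hunk.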
@@ -2341,8 +2500,16 @@ spec: resource. properties: affinity: + description: Affinity of the block, if this block has one. If set, + it will be of the form "host:". If not set, this block + is not affine to a host. type: string allocations: + description: Array of allocations in-use within this block. nil entries + mean the allocation is free. For non-nil entries at index i, the + index is the ordinal of the allocation within this block and the + value is the index of the associated attributes in the Attributes + array. items: type: integer # TODO: This nullable is manually added in. We should update controller-gen @@ -2350,6 +2517,10 @@ spec: nullable: true type: array attributes: + description: Attributes is an array of arbitrary metadata associated + with allocations in the block. To find attributes for a given allocation, + use the value of the allocation's entry in the Allocations array + as the index of the element in this array. items: properties: handle_id: 
@@ -2361,12 +2532,38 @@ spec: type: object type: array cidr: + description: The block's CIDR. type: string deleted: + description: Deleted is an internal boolean used to workaround a limitation + in the Kubernetes API whereby deletion will not return a conflict + error if the block has been updated. It should not be set manually. type: boolean + sequenceNumber: + default: 0 + description: We store a sequence number that is updated each time + the block is written. Each allocation will also store the sequence + number of the block at the time of its creation. When releasing + an IP, passing the sequence number associated with the allocation + allows us to protect against a race condition and ensure the IP + hasn't been released and re-allocated since the release request. + format: int64 + type: integer + sequenceNumberForAllocation: + additionalProperties: + format: int64 + type: integer + description: Map of allocated ordinal within the block to sequence + number of the block at the time of allocation. Kubernetes does not + allow numerical keys for maps, so the key is cast to a string. + type: object strictAffinity: + description: StrictAffinity on the IPAMBlock is deprecated and no + longer used by the code. Use IPAMConfig StrictAffinity instead. type: boolean unallocated: + description: Unallocated is an ordered list of allocations which are + free in the block. items: type: integer type: array 
@@ -2540,19 +2737,19 @@ spec: type: array blockSize: description: The block size to use for IP address assignments from - this pool. Defaults to 26 for IPv4 and 112 for IPv6. + this pool. Defaults to 26 for IPv4 and 122 for IPv6. type: integer cidr: description: The pool CIDR. type: string + disableBGPExport: + description: 'Disable exporting routes from this IP Pool''s CIDR over + BGP. [Default: false]' + type: boolean disabled: description: When disabled is true, Calico IPAM will not assign addresses from this pool. type: boolean - disableBGPExport: - description: "Disable exporting routes from this IP Pool's CIDR over - BGP. [Default: false]" - type: boolean ipip: description: 'Deprecated: this field is only used for APIv1 backwards compatibility. Setting this field is not allowed, this field is @@ -2612,6 +2809,9 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null name: ipreservations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -2761,6 +2961,11 @@ spec: type: string type: object type: object + debugProfilePort: + description: DebugProfilePort configures the port to serve memory + and cpu profiles on. If not specified, profiling is disabled. + format: int32 + type: integer etcdV3CompactionPeriod: description: 'EtcdV3CompactionPeriod is the period between etcdv3 compaction requests. Set to 0 to disable. [Default: 10m]' @@ -2871,6 +3076,11 @@ spec: type: string type: object type: object + debugProfilePort: + description: DebugProfilePort configures the port to serve memory + and cpu profiles on. If not specified, profiling is disabled. + format: int32 + type: integer etcdV3CompactionPeriod: description: 'EtcdV3CompactionPeriod is the period between etcdv3 compaction requests. Set to 0 to disable. [Default: 10m]' 
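Review bot: The `ipreservations.crd.projectcalico.org` CRD in hunk `@@ -2612,6 +2809,9 @@` gains `controller-gen.kubebuilder.io/version: (devel)` and `creationTimestamp: null` in its metadata; both are generator leftovers carried over from the upstream manifest rather than configuration, and `creationTimestamp: null` is ignored by the API server. They are harmless, but if the other CRDs in this file do not carry them (their metadata is not visible in this diff) the three added lines could be dropped for consistency. The CRD definition continues outside the hunk.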
@@ -3816,10 +4026,9 @@ rules: - get - list - watch - # IPAM resources are manipulated when nodes are deleted. + # IPAM resources are manipulated in response to node and block updates, as well as periodic triggers. - apiGroups: ["crd.projectcalico.org"] resources: - - ippools - ipreservations verbs: - list @@ -3835,6 +4044,13 @@ rules: - update - delete - watch + # Pools are watched to maintain a mapping of blocks to IP pools. + - apiGroups: ["crd.projectcalico.org"] + resources: + - ippools + verbs: + - list + - watch # kube-controllers manages hostendpoints. - apiGroups: ["crd.projectcalico.org"] resources: @@ -3851,8 +4067,10 @@ rules: - clusterinformations verbs: - get + - list - create - update + - watch # KubeControllersConfiguration is where it gets its config - apiGroups: ["crd.projectcalico.org"] resources: @@ -4051,7 +4269,7 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system -# In MetalK8s, we create a kubeconfig file for Calico per node, with a +# Note: In MetalK8s, we create a kubeconfig file for Calico per node, with a # certificate of a user in the `metalk8s:calico-node` 'group' - apiGroup: rbac.authorization.k8s.io kind: Group @@ -4107,7 +4325,7 @@ spec: # install of CNI and upgrade of ipam are handled in the dedicated # salt states #- name: upgrade-ipam - # image: docker.io/calico/cni:v3.22.0 + # image: docker.io/calico/cni:v3.23.0 # command: ["/opt/cni/bin/calico-ipam", "-upgrade"] # envFrom: # - configMapRef: @@ -4134,7 +4352,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. #- name: install-cni - # image: docker.io/calico/cni:v3.22.0 + # image: docker.io/calico/cni:v3.23.0 # command: ["/opt/cni/bin/install"] # envFrom: # - configMapRef: 
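Review bot: The two commented-out init-container images in the calico-node DaemonSet (hunks `@@ -4107,7 +4325,7 @@` and `@@ -4134,7 +4352,7 @@`) are bumped to `docker.io/calico/cni:v3.23.0`, while every other reference in this commit — `CALICO_VERSION`, the RPM `Version:`, the image digests, the changelog — pins 3.23.1. Presumably the lines were copied verbatim from the upstream v3.23 manifest, but since they document which upstream image the Salt-managed CNI install replaces, they should read `# image: docker.io/calico/cni:v3.23.1` so the next diff against upstream is not misleading. The DaemonSet spec these lines belong to starts and ends outside the hunks.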
@@ -4172,16 +4390,6 @@ spec: # name: cni-net-dir # securityContext: # privileged: true - # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes - # to communicate with Felix over the Policy Sync API. - # Note: In MetalK8s, we have no support for Dikastes (yet). - #- name: flexvol-driver - # image: docker.io/calico/pod2daemon-flexvol:v3.22.0 - # volumeMounts: - # - name: flexvol-driver-host - # mountPath: /host/driver - # securityContext: - # privileged: true containers: # Runs calico-node container on each Kubernetes node. This # container programs network policy and routes on each @@ -4228,6 +4436,9 @@ spec: # Enable or Disable VXLAN on the default IP pool. - name: CALICO_IPV4POOL_VXLAN value: "Never" + # Enable or Disable VXLAN on the default IPv6 IP pool. + - name: CALICO_IPV6POOL_VXLAN + value: "Never" # Set MTU for tunnel device used if ipip is enabled - name: FELIX_IPINIPMTU valueFrom: @@ -4376,12 +4587,6 @@ spec: # hostPath: # type: DirectoryOrCreate # path: /var/run/nodeagent - # Used to install Flex Volume Driver - # Note: Not used in MetalK8s - #- name: flexvol-driver-host - # hostPath: - # type: DirectoryOrCreate - # path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds --- apiVersion: v1 @@ -4470,7 +4675,7 @@ metadata: # This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict -apiVersion: policy/v1beta1 +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: calico-kube-controllers