salt,build,packages: No longer use/build calico-cni-plugin RPM #3793
Hello teddyandrieux,
My role is to assist you with the merge of this
Status report is not available.
Waiting for approval
The following approvals are needed before I can proceed with the merge:
Peer approvals must include at least 1 approval from the following list:
# This container performs upgrade from host-local IPAM to calico-ipam. | ||
# It can be deleted if this is a fresh installation, or if you have already | ||
# upgraded to use calico-ipam. |
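Review bot: The comment kept on these lines says the container can be deleted on a fresh installation or once calico-ipam is already in use. If it is being kept only to stay close to the upstream Calico manifest, say so in a comment next to it, so a later reader does not have to rediscover why configuration described as removable is still present.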
This comment seems to indicate that's only needed in a context where we had host-local IPAM configured, but that's never been the case for us, right? Can't we just remove it?
Today, yes we could but maybe in the future this calico-ipam -upgrade command will do something "useful", I'm not sure it's worth removing it, it just adds some "manual patch" to do on the calico upstream manifest
# The calico-cni-plugin package get removed in 123.0 | ||
# This state can be removed in `development/124.0` | ||
|
||
Ensure calico-cni-plugin is removed: | ||
pkg.removed: | ||
- name: calico-cni-plugin | ||
|
||
Restart calico-node: | ||
module.run: | ||
- cri.stop_pod: | ||
- labels: | ||
k8s-app: calico-node | ||
- onchanges: | ||
- pkg: Ensure calico-cni-plugin is removed | ||
|
||
Make sure calico-node is up and ready: | ||
test.configurable_test_state: | ||
- changes: False | ||
- result: __slot__:salt:cri.wait_container(name="calico-node", state="running") | ||
- require: | ||
- module: Restart calico-node |
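Review bot: The last state is named "Make sure calico-node is up and ready" but the check on its `result` line only waits for `state="running"`, which says the container started, not that calico-node passed its readiness probe. Either rename the state to match what it verifies or add a readiness check, since the reply in this thread relies on this state to stop the orchestration when a node's calico-node is not working after the package removal. It would also help to state on that line how long the wait may last rather than relying on the module's default.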
I'm curious, do we really have to do this node-by-node? Couldn't we "just" apply pkg.removed calico-cni-plugin to all our nodes, and only then issue a restart on the DaemonSet?
It's not "needed" but this way, since we have "require" in the orchestrate, we will stop the process if one calico node is not working after the package deletion
Waiting for approval
The following approvals are needed before I can proceed with the merge:
Peer approvals must include at least 1 approval from the following list:
The following reviewers are expecting changes from the author, or must review again:
Instead of relying on Salt to install the calico CNI binaries and manage the CNI config file, we use the calico CNI image with some host path mounted to drop those binaries and write the CNI config file.
NOTE: This is how Calico upstream is used to manage those CNI binaries and config
NOTE: This commit can be reverted in `development/124.0`
71be753 to 6dabba4
f"STDERR: {pod_ids_out['stderr']}\nSTDOUT: {pod_ids_out['stdout']}" | ||
) | ||
|
||
pod_ids = pod_ids_out["stdout"] |
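Review bot: On the last line, `pod_ids` keeps the raw stdout, which holds one sandbox ID per line. Normalise it before it goes into a command, for example `pod_ids_out["stdout"].split()`, and check that each item looks like a sandbox ID, then pass the IDs as separate arguments. That way the call does not depend on whether the command string is later interpreted by a shell, where a newline ends the first command, as the manual `salt-call cmd.run_all` test in this thread shows.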
Just realized that this is multiline, we'll have issues when passing this to cmd.run_all, no?
I just tested it manually:
# salt-call cmd.run_all "crictl stopp 9f93d9604d07d865ad74642a5a3ed2ce87fd605f5791e9b7ffbecad300219992
> a92c256f8baa99e57c65c9b730825b7a904d060cd88a0487d466a9e07f2eb1bc"
[ERROR ] Command 'crictl' failed with return code: 127
[ERROR ] stdout: Stopped sandbox 9f93d9604d07d865ad74642a5a3ed2ce87fd605f5791e9b7ffbecad300219992
[ERROR ] stderr: /bin/bash: line 1: a92c256f8baa99e57c65c9b730825b7a904d060cd88a0487d466a9e07f2eb1bc: command not found
[ERROR ] retcode: 127
local:
----------
pid:
27435
retcode:
127
stderr:
/bin/bash: line 1: a92c256f8baa99e57c65c9b730825b7a904d060cd88a0487d466a9e07f2eb1bc: command not found
stdout:
Stopped sandbox 9f93d9604d07d865ad74642a5a3ed2ce87fd605f5791e9b7ffbecad300219992
No, it works well, you do not have the bash interpretation here
# salt-call cri.stop_pod labels="{'app.kubernetes.io/instance': 'ingress-nginx'}"
local:
Stopped sandbox c99388e45b37ff00d76e19bc4a9bec27fbf717dfa79f99a304e40221d88d8f19
Stopped sandbox 2727aef315f60006937d249ff47534f30e669c5746816e07244687ae8dadc7e8
If you want to do the same with bash it will look more like this (that works as well)
# crictl stopp 8fca1769df6dcd8a29c65854ac60b95c104d9673b00c95f3023c0e0a6498907f \
> fdd31265ec3b3e9ad8e0b3f5c91a6fe4fdc82b196364c76b14138f2e1bb87828
Stopped sandbox 8fca1769df6dcd8a29c65854ac60b95c104d9673b00c95f3023c0e0a6498907f
Stopped sandbox fdd31265ec3b3e9ad8e0b3f5c91a6fe4fdc82b196364c76b14138f2e1bb87828
# salt-call cmd.run_all "crictl stopp 2be2f438ed2b16c1588cbe8e0c34ecb55cc23813af919cb71028b6b44c2bba19 \
> 06969ef0112cd2c8d8f3a854a5938ec8715a89604586f9ca8ff2e3b4ebc9e400"
local:
----------
pid:
13339
retcode:
0
stderr:
stdout:
Stopped sandbox 2be2f438ed2b16c1588cbe8e0c34ecb55cc23813af919cb71028b6b44c2bba19
Stopped sandbox 06969ef0112cd2c8d8f3a854a5938ec8715a89604586f9ca8ff2e3b4ebc9e400
OK, I'm surprised it works but I trust you 👍 (it's not really a Bash interpretation problem IMO, in your example you're escaping the newline while I explicitly send it to salt-call, which should be roughly the same as doing f"crictl stopp {pod_ids_out['stdout']}", unless I misunderstood something.. maybe it's just some other Salt magic 🤷 not worth investigating though, if it works then it's fine for me)
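The two results reported in this thread (return code 127 when the string carries a raw newline, success in the other runs) are consistent with the difference between handing a command string to a shell and splitting it into an argument list first. The following is an added example, not code from this pull request or from Salt: it uses only the Python standard library, `echo` as a stand-in for `crictl`, constructed IDs, and hypothetical helper names, and it assumes full-length 64-character hex sandbox IDs.

```python
import re
import shlex
import subprocess

# Constructed sample: two sandbox IDs on separate lines, the shape of the
# multi-line stdout discussed above (not real IDs).
SAMPLE_STDOUT = "a" * 64 + "\n" + "b" * 64

# Assumption: IDs are full-length, 64 lowercase hex characters.
SANDBOX_ID = re.compile(r"[0-9a-f]{64}")


def run_through_shell(command):
    """Hand the whole string to /bin/sh: a newline ends the first command."""
    return subprocess.run(command, shell=True, capture_output=True, text=True)


def run_as_argv(command):
    """Split first, then exec directly: a newline is only whitespace."""
    return subprocess.run(shlex.split(command), capture_output=True, text=True)


def build_stop_argv(stdout, tool=("echo", "stopp")):
    """Turn raw stdout into an argument list, rejecting anything but IDs.

    `tool` defaults to echo so the example runs without crictl.
    """
    ids = stdout.split()
    if not ids:
        raise ValueError("no sandbox IDs in output")
    bad = [i for i in ids if not SANDBOX_ID.fullmatch(i)]
    if bad:
        raise ValueError(f"unexpected token(s) in ID list: {bad!r}")
    return [*tool, *ids]


if __name__ == "__main__":
    command = f"echo stopp {SAMPLE_STDOUT}"
    shell = run_through_shell(command)
    argv = run_as_argv(command)
    print("shell:", shell.returncode, shell.stderr.strip())
    print("argv: ", argv.returncode, argv.stdout.strip())
    print("built:", build_stop_argv(SAMPLE_STDOUT))
```

Building the argument list from validated IDs removes the dependence on how the caller executes the string, which is the part of the exchange that was left unexplained.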
Waiting for approval
The following approvals are needed before I can proceed with the merge:
Peer approvals must include at least 1 approval from the following list:
/approve
In the queue
The changeset has received all authorizations and has been added to the The changeset will be merged in:
The following branches will NOT be impacted:
There is no action required on your side. You will be notified here once IMPORTANT Please do not attempt to modify this pull request.
If you need this pull request to be removed from the queue, please contact a The following options are set: approve
I have successfully merged the changeset of this pull request
The following branches have NOT changed:
Please check the status of the associated issue None. Goodbye teddyandrieux.
Instead of relying on Salt to install the Calico CNI binaries and manage
the CNI config file, we use the calico CNI image with some host path
mounted to drop those binaries and write the CNI config file.
NOTE: This is how Calico upstream is used to manage those CNI binaries
and config