Drop canal network_plugin (#10100)

According to the canal github[1] the repo is not maintained over 5 years.
In addition, the README says
```
  Originally, we thought we might more deeply integrate the two projects
  (possibly even going as far as a rebranding!). However, over time it
  became clear that that wasn't really necessary to fulfil our goal of
  making them work well together. Ultimately, we decided to focus on
  adding features to both projects rather than doing work just to
  combine them.
```
So it is difficult to support canal by Kubespray at this situation.

[1]: https://github.com/projectcalico/canal

README.md

@@ -169,7 +169,6 @@ Note: Upstart/SysV init based OS types are not supported.
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) v1.2.0
   - [calico](https://github.com/projectcalico/calico) v3.25.1
-  - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
   - [cilium](https://github.com/cilium/cilium) v1.13.0
   - [flannel](https://github.com/flannel-io/flannel) v0.21.4
   - [kube-ovn](https://github.com/alauda/kube-ovn) v1.10.7
@@ -233,8 +232,6 @@ You can choose among ten network plugins. (default: `calico`, except Vagrant use
     and overlay networks, with or without BGP. Calico uses the same engine to enforce network policy for hosts,
     pods, and (if using Istio and Envoy) applications at the service mesh layer.
 
-- [canal](https://github.com/projectcalico/canal): a composition of calico and flannel plugins.
-
 - [cilium](http://docs.cilium.io/en/latest/): layer 3/4 networking (as well as layer 7 to protect and secure application protocols), supports dynamic insertion of BPF bytecode into the Linux kernel to implement security services, networking and visibility logic.
 
 - [weave](docs/weave.md): Weave is a lightweight container overlay network that doesn't require an external K/V database cluster.

docs/ansible.md

@@ -135,7 +135,6 @@ The following tags are defined in playbooks:
 | bootstrap-os                   | Anything related to host OS configuration             |
 | calico                         | Network plugin Calico                                 |
 | calico_rr                      | Configuring Calico route reflector                    |
-| canal                          | Network plugin Canal                                  |
 | cephfs-provisioner             | Configuring CephFS                                    |
 | cert-manager                   | Configuring certificate manager for K8s               |
 | cilium                         | Network plugin Cilium                                 |

inventory/sample/group_vars/k8s_cluster/k8s-net-canal.yml

-# see roles/network_plugin/canal/defaults/main.yml
-
-# The interface used by canal for host <-> host communication.
-# If left blank, then the interface is choosing using the node's
-# default route.
-# canal_iface: ""
-
-# Whether or not to masquerade traffic to destinations not within
-# the pod network.
-# canal_masquerade: "true"

roles/download/defaults/main.yml

@@ -1525,7 +1525,7 @@ downloads:
     - k8s_cluster
 
   flannel:
-    enabled: "{{ kube_network_plugin == 'flannel' or kube_network_plugin == 'canal' }}"
+    enabled: "{{ kube_network_plugin == 'flannel' }}"
     container: true
     repo: "{{ flannel_image_repo }}"
     tag: "{{ flannel_image_tag }}"
@@ -1534,7 +1534,7 @@ downloads:
     - k8s_cluster
 
   flannel_init:
-    enabled: "{{ kube_network_plugin == 'flannel' or kube_network_plugin == 'canal' }}"
+    enabled: "{{ kube_network_plugin == 'flannel' }}"
     container: true
     repo: "{{ flannel_init_image_repo }}"
     tag: "{{ flannel_init_image_tag }}"
@@ -1543,7 +1543,7 @@ downloads:
     - k8s_cluster
 
   calicoctl:
-    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
+    enabled: "{{ kube_network_plugin == 'calico' }}"
     file: true
     version: "{{ calico_ctl_version }}"
     dest: "{{ local_release_dir }}/calicoctl"
@@ -1558,7 +1558,7 @@ downloads:
     - k8s_cluster
 
   calico_node:
-    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
+    enabled: "{{ kube_network_plugin == 'calico' }}"
     container: true
     repo: "{{ calico_node_image_repo }}"
     tag: "{{ calico_node_image_tag }}"
@@ -1567,7 +1567,7 @@ downloads:
     - k8s_cluster
 
   calico_cni:
-    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
+    enabled: "{{ kube_network_plugin == 'calico' }}"
     container: true
     repo: "{{ calico_cni_image_repo }}"
     tag: "{{ calico_cni_image_tag }}"
@@ -1576,7 +1576,7 @@ downloads:
     - k8s_cluster
 
   calico_flexvol:
-    enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
+    enabled: "{{ kube_network_plugin == 'calico' }}"
     container: true
     repo: "{{ calico_flexvol_image_repo }}"
     tag: "{{ calico_flexvol_image_tag }}"
@@ -1585,7 +1585,7 @@ downloads:
     - k8s_cluster
 
   calico_policy:
-    enabled: "{{ enable_network_policy and kube_network_plugin in ['calico', 'canal'] }}"
+    enabled: "{{ enable_network_policy and kube_network_plugin in ['calico'] }}"
     container: true
     repo: "{{ calico_policy_image_repo }}"
     tag: "{{ calico_policy_image_tag }}"

roles/etcd/tasks/check_certs.yml

@@ -84,7 +84,7 @@
         {% if not loop.last %}{{','}}{% endif %}
       {% endfor %}]
   when:
-    - kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
+    - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
     - kube_network_plugin != "calico" or calico_datastore == "etcd"
     - force_etcd_cert_refresh or not item in etcdcert_master.files|map(attribute='path') | list
 

roles/etcd/tasks/gen_certs_script.yml

@@ -67,7 +67,7 @@
   run_once: yes
   delegate_to: "{{ groups['etcd'][0] }}"
   when:
-    - kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
+    - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
     - kube_network_plugin != "calico" or calico_datastore == "etcd"
     - gen_certs|default(false)
   notify: set etcd_secret_changed
@@ -124,7 +124,7 @@
   when:
     - inventory_hostname in groups['etcd']
     - inventory_hostname != groups['etcd'][0]
-    - kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
+    - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
     - kube_network_plugin != "calico" or calico_datastore == "etcd"
   notify: set etcd_secret_changed
 
@@ -139,7 +139,7 @@
   when:
     - inventory_hostname in groups['etcd']
     - inventory_hostname != groups['etcd'][0]
-    - kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
+    - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
     - kube_network_plugin != "calico" or calico_datastore == "etcd"
   loop_control:
     label: "{{ item.item }}"
@@ -151,7 +151,7 @@
 
 - include_tasks: gen_nodes_certs_script.yml
   when:
-    - kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
+    - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
     - kube_network_plugin != "calico" or calico_datastore == "etcd"
     - inventory_hostname in groups['k8s_cluster'] and
         sync_certs|default(false) and inventory_hostname not in groups['etcd']

roles/etcd/tasks/main.yml

@@ -19,7 +19,7 @@
 
 - include_tasks: upd_ca_trust.yml
   when:
-    - kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
+    - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
     - kube_network_plugin != "calico" or calico_datastore == "etcd"
     - inventory_hostname in groups['k8s_cluster']
   tags:
@@ -31,7 +31,7 @@
   changed_when: false
   check_mode: no
   when:
-    - kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
+    - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
     - kube_network_plugin != "calico" or calico_datastore == "etcd"
     - inventory_hostname in groups['k8s_cluster']
   tags:
@@ -42,7 +42,7 @@
   set_fact:
     etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout.split('=')[1] }}"
   when:
-    - kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
+    - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
     - kube_network_plugin != "calico" or calico_datastore == "etcd"
     - inventory_hostname in groups['k8s_cluster']
   tags:

roles/kubernetes-apps/network_plugin/canal/tasks/main.yml

----
-- name: Canal | Start Resources
-  kube:
-    name: "{{ item.item.name }}"
-    namespace: "kube-system"
-    kubectl: "{{ bin_dir }}/kubectl"
-    resource: "{{ item.item.type }}"
-    filename: "{{ kube_config_dir }}/{{ item.item.file }}"
-    state: "latest"
-  with_items: "{{ canal_manifests.results }}"
-  when: inventory_hostname == groups['kube_control_plane'][0] and not item is skipped

roles/kubernetes-apps/network_plugin/meta/main.yml

@@ -5,11 +5,6 @@ dependencies:
     tags:
       - calico
 
-  - role: kubernetes-apps/network_plugin/canal
-    when: kube_network_plugin == 'canal'
-    tags:
-      - canal
-
   - role: kubernetes-apps/network_plugin/flannel
     when: kube_network_plugin == 'flannel'
     tags:

roles/kubernetes-apps/policy_controller/calico/defaults/main.yml

@@ -8,4 +8,3 @@ calico_policy_controller_deployment_nodeselector: "kubernetes.io/os: linux"
 
 # SSL
 calico_cert_dir: "/etc/calico/certs"
-canal_cert_dir: "/etc/canal/certs"

roles/kubernetes-apps/policy_controller/calico/tasks/main.yml

 ---
-- name: Set cert dir
-  set_fact:
-    calico_cert_dir: "{{ canal_cert_dir }}"
-  when:
-    - kube_network_plugin == 'canal'
-  tags:
-    - facts
-    - canal
-
 - name: Create calico-kube-controllers manifests
   template:
     src: "{{ item.file }}.j2"

roles/kubernetes-apps/policy_controller/meta/main.yml

@@ -2,7 +2,7 @@
 dependencies:
   - role: policy_controller/calico
     when:
-      - kube_network_plugin in ['calico', 'canal']
+      - kube_network_plugin in ['calico']
       - enable_network_policy
     tags:
       - policy-controller

roles/kubernetes/kubeadm/tasks/main.yml

@@ -172,5 +172,5 @@
   when:
     - etcd_deployment_type == "kubeadm"
     - inventory_hostname not in groups['kube_control_plane']
-    - kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
+    - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
     - kube_network_plugin != "calico" or calico_datastore == "etcd"

roles/kubernetes/preinstall/tasks/0040-verify-settings.yml

@@ -30,7 +30,7 @@
 
 - name: Stop if unknown network plugin
   assert:
-    that: kube_network_plugin in ['calico', 'canal', 'flannel', 'weave', 'cloud', 'cilium', 'cni', 'kube-ovn', 'kube-router', 'macvlan', 'custom_cni']
+    that: kube_network_plugin in ['calico', 'flannel', 'weave', 'cloud', 'cilium', 'cni', 'kube-ovn', 'kube-router', 'macvlan', 'custom_cni']
     msg: "{{ kube_network_plugin }} is not supported"
   when:
     - kube_network_plugin is defined

roles/kubernetes/preinstall/tasks/0050-create_directories.yml

@@ -78,14 +78,13 @@
     - "/opt/cni/bin"
     - "/var/lib/calico"
   when:
-    - kube_network_plugin in ["calico", "weave", "canal", "flannel", "cilium", "kube-ovn", "kube-router", "macvlan"]
+    - kube_network_plugin in ["calico", "weave", "flannel", "cilium", "kube-ovn", "kube-router", "macvlan"]
     - inventory_hostname in groups['k8s_cluster']
   tags:
     - network
     - cilium
     - calico
     - weave
-    - canal
     - kube-ovn
     - kube-router
     - bootstrap-os

roles/network_plugin/canal/defaults/main.yml

----
-# The interface used by canal for host <-> host communication.
-# If left blank, then the interface is choosing using the node's
-# default route.
-canal_iface: ""
-
-# Whether or not to masquerade traffic to destinations not within
-# the pod network.
-canal_masquerade: "true"
-
-# Etcd SSL dirs
-canal_cert_dir: /etc/canal/certs
-
-# Canal Network Policy directory
-canal_policy_dir: /etc/kubernetes/policy
-
-# Limits for apps
-calico_node_memory_limit: 500M
-calico_node_cpu_limit: 200m
-calico_node_memory_requests: 64M
-calico_node_cpu_requests: 50m
-flannel_memory_limit: 500M
-flannel_cpu_limit: 200m
-flannel_memory_requests: 64M
-flannel_cpu_requests: 50m
-
-# etcd cert filenames
-kube_etcd_cacert_file: ca.pem
-kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
-kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
-
-# Set log path for calico CNI plugin. Set to false to disable logging to disk.
-calico_cni_log_file_path: /var/log/calico/cni/cni.log

roles/network_plugin/canal/handlers/main.yml

----
-- name: reset_canal_cni
-  command: /bin/true
-  notify:
-    - delete 10-canal.conflist
-    - delete canal-node containers
-
-- name: delete 10-canal.conflist
-  file:
-    path: /etc/canal/10-canal.conflist
-    state: absent
-
-- name: delete canal-node containers
-  shell: "docker ps -af name=k8s_POD_canal-node* -q | xargs --no-run-if-empty docker rm -f"

roles/network_plugin/canal/tasks/main.yml

----
-- name: Canal | Write Canal cni config
-  template:
-    src: "cni-canal.conflist.j2"
-    dest: "/etc/cni/net.d/canal.conflist.template"
-    mode: 0644
-    owner: "{{ kube_owner }}"
-  register: canal_conflist
-  notify: reset_canal_cni
-
-- name: Canal | Create canal certs directory
-  file:
-    dest: "{{ canal_cert_dir }}"
-    state: directory
-    mode: 0750
-    owner: root
-    group: root
-
-- name: Canal | Link etcd certificates for canal-node
-  file:
-    src: "{{ etcd_cert_dir }}/{{ item.s }}"
-    dest: "{{ canal_cert_dir }}/{{ item.d }}"
-    state: hard
-    mode: 0640
-    force: yes
-  with_items:
-    - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
-    - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
-    - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
-
-- name: Slurp etcd cacert file
-  slurp:
-    src: "{{ canal_cert_dir }}/ca_cert.crt"
-  register: etcd_ca_cert_file
-  failed_when: false
-
-- name: Slurp etcd cert file
-  slurp:
-    src: "{{ canal_cert_dir }}/cert.crt"
-  register: etcd_cert_file
-  failed_when: false
-
-- name: Slurp etcd key file
-  slurp:
-    src: "{{ canal_cert_dir }}/key.pem"
-  register: etcd_key_file
-  failed_when: false
-
-# Flannel need etcd v2 API
-- name: Canal | Set Flannel etcd configuration
-  command: |-
-    {{ bin_dir }}/etcdctl set /coreos.com/network/config \
-    '{ "Network": "{{ kube_pods_subnet }}", "SubnetLen": {{ kube_network_node_prefix }}, "Backend": { "Type": "{{ flannel_backend_type }}" } }'
-  register: output
-  retries: 4
-  until: output.rc == 0
-  delay: "{{ retry_stagger | random + 3 }}"
-  delegate_to: "{{ groups['etcd'][0] }}"
-  changed_when: false
-  run_once: true
-  environment:
-    ETCDCTL_API: 2
-    ETCDCTL_CA_FILE: "{{ kube_cert_dir + '/etcd/ca.crt' if etcd_deployment_type == 'kubeadm' else etcd_cert_dir + '/ca.pem' }}"
-    ETCDCTL_CERT_FILE: "{{ kube_cert_dir + '/etcd/server.crt' if etcd_deployment_type == 'kubeadm' else etcd_cert_dir + '/admin-' + groups['etcd'][0] + '.pem' }}"
-    ETCDCTL_KEY_FILE: "{{ kube_cert_dir + '/etcd/server.key' if etcd_deployment_type == 'kubeadm' else etcd_cert_dir + '/admin-' + groups['etcd'][0] + '-key.pem' }}"
-    ETCDCTL_ENDPOINTS: "{{ etcd_access_addresses }}"
-
-- name: Canal | Create canal node manifests
-  template:
-    src: "{{ item.file }}.j2"
-    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
-  with_items:
-    - {name: canal-calico-etcd-secret, file: canal-secret-calico-etcd.yml, type: secret}
-    - {name: canal-config, file: canal-config.yaml, type: cm}
-    - {name: canal-node, file: canal-node.yaml, type: ds}
-    - {name: canal-kube-controllers, file: canal-calico-kube-controllers.yml, type: deployment}
-    - {name: canal-cr, file: canal-cr.yml, type: clusterrole}
-    - {name: canal, file: canal-node-sa.yml, type: sa}
-    - {name: calico-cr, file: canal-cr-calico-node.yml, type: clusterrole}
-    - {name: calico-kube-cr, file: canal-cr-calico-kube-controllers.yml, type: clusterrole}
-    - {name: calico-crd, file: canal-crd-calico.yml, type: crd}
-    - {name: flannel, file: canal-cr-flannel.yml, type: clusterrole}
-    - {name: canal, file: canal-crb-canal.yml, type: clusterrolebinding}
-    - {name: canal-calico, file: canal-crb-calico.yml, type: clusterrolebinding}
-    - {name: canal-flannel, file: canal-crb-flannel.yml, type: clusterrolebinding}
-  register: canal_manifests
-  when:
-    - inventory_hostname in groups['kube_control_plane']
-
-- name: Canal | Install calicoctl wrapper script
-  template:
-    src: calicoctl.sh.j2
-    dest: "{{ bin_dir }}/calicoctl.sh"
-    mode: 0755
-    owner: root
-    group: root
-
-- name: Canal | Create network policy directory
-  file:
-    path: "{{ canal_policy_dir }}"
-    state: directory
-    mode: 0755

roles/network_plugin/canal/templates/calicoctl.sh.j2

-#!/bin/bash
-ETCD_ENDPOINTS={{ etcd_access_addresses }} \
-ETCD_CA_CERT_FILE={{ calico_cert_dir }}/ca_cert.crt \
-ETCD_CERT_FILE={{ calico_cert_dir }}/cert.crt \
-ETCD_KEY_FILE={{ calico_cert_dir }}/key.pem \
-{{ bin_dir }}/calicoctl "$@"

roles/network_plugin/canal/templates/canal-calico-kube-controllers.yml.j2

----
-# Source: calico/templates/calico-kube-controllers.yaml
-# See https://github.com/projectcalico/kube-controllers
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: calico-kube-controllers
-  namespace: kube-system
-  labels:
-    k8s-app: calico-kube-controllers
-spec:
-  # The controllers can only have a single active instance.
-  replicas: 1
-  selector:
-    matchLabels:
-      k8s-app: calico-kube-controllers
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      name: calico-kube-controllers
-      namespace: kube-system
-      labels:
-        k8s-app: calico-kube-controllers
-    spec:
-      nodeSelector:
-        kubernetes.io/os: linux
-      tolerations:
-        # Mark the pod as a critical add-on for rescheduling.
-        - key: CriticalAddonsOnly
-          operator: Exists
-        - key: node-role.kubernetes.io/master
-          effect: NoSchedule
-        - key: node-role.kubernetes.io/control-plane
-          effect: NoSchedule
-      serviceAccountName: calico-kube-controllers
-      priorityClassName: system-cluster-critical
-      # The controllers must run in the host network namespace so that
-      # it isn't governed by policy that would prevent it from working.
-      hostNetwork: true
-      containers:
-        - name: calico-kube-controllers
-          image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          env:
-            # The location of the etcd cluster.
-            - name: ETCD_ENDPOINTS
-              valueFrom:
-                configMapKeyRef:
-                  name: canal-config
-                  key: etcd_endpoints
-            # Location of the CA certificate for etcd.
-            - name: ETCD_CA_CERT_FILE
-              valueFrom:
-                configMapKeyRef:
-                  name: canal-config
-                  key: etcd_ca
-            # Location of the client key for etcd.
-            - name: ETCD_KEY_FILE
-              valueFrom:
-                configMapKeyRef:
-                  name: canal-config
-                  key: etcd_key
-            # Location of the client certificate for etcd.
-            - name: ETCD_CERT_FILE
-              valueFrom:
-                configMapKeyRef:
-                  name: canal-config
-                  key: etcd_cert
-            # Choose which controllers to run.
-            - name: ENABLED_CONTROLLERS
-              value: policy,namespace,serviceaccount,workloadendpoint,node
-          volumeMounts:
-            # Mount in the etcd TLS secrets.
-            - mountPath: /calico-secrets
-              name: etcd-certs
-          livenessProbe:
-            exec:
-              command:
-              - /usr/bin/check-status
-              - -l
-            periodSeconds: 10
-            initialDelaySeconds: 10
-            failureThreshold: 6
-            timeoutSeconds: 10
-          readinessProbe:
-            exec:
-              command:
-              - /usr/bin/check-status
-              - -r
-            periodSeconds: 10
-      volumes:
-        # Mount in the etcd TLS secrets with mode 400.
-        # See https://kubernetes.io/docs/concepts/configuration/secret/
-        - name: etcd-certs
-          secret:
-            secretName: calico-etcd-secrets
-            defaultMode: 0440