From 84b93090a8e9296e5dbf669b3786c7306db64cfb Mon Sep 17 00:00:00 2001
From: Tom Stian Berget <tom.berget@tietoevry.com>
Date: Tue, 8 Feb 2022 23:04:35 +0100
Subject: [PATCH] Change Cilium setting identity_allocation_mode to
 cilium_identity_allocation_mode (#8519)

* Change Cilium identity_allocation_mode to cilium_identity_allocation_mode

* Change inventory sample
---
 .../sample/group_vars/k8s_cluster/k8s-net-cilium.yml     | 2 +-
 roles/network_plugin/cilium/defaults/main.yml            | 9 ++++++++-
 roles/network_plugin/cilium/tasks/check.yml              | 4 ++--
 roles/network_plugin/cilium/tasks/install.yml            | 4 ++--
 .../network_plugin/cilium/templates/cilium-config.yml.j2 | 4 ++--
 .../network_plugin/cilium/templates/cilium-deploy.yml.j2 | 4 ++--
 roles/network_plugin/cilium/templates/cilium-ds.yml.j2   | 4 ++--
 7 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
index 505aeb242..c35b95182 100644
--- a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
@@ -1,4 +1,4 @@
 # see roles/network_plugin/cilium/defaults/main.yml
 
 # cilium_version: "v1.11.0"
-# identity_allocation_mode: kvstore # kvstore or crd
+# cilium_identity_allocation_mode: kvstore # kvstore or crd
diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml
index 3f83aea99..e36a19906 100644
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -12,7 +12,14 @@ cilium_enable_ipv6: false
 #   These can be queried with:
 #     `kubectl get ciliumid`
 # - "kvstore" stores identities in an etcd kvstore.
-identity_allocation_mode: kvstore
+# - In order to support External Workloads, "crd" is required
+#   - Ref: https://docs.cilium.io/en/stable/gettingstarted/external-workloads/#setting-up-support-for-external-workloads-beta
+# - KVStore operations are only required when cilium-operator is running with any of the below options:
+#   - --synchronize-k8s-services
+#   - --synchronize-k8s-nodes
+#   - --identity-allocation-mode=kvstore
+#   - Ref: https://docs.cilium.io/en/stable/internals/cilium_operator/#kvstore-operations
+cilium_identity_allocation_mode: kvstore
 
 # Etcd SSL dirs
 cilium_cert_dir: /etc/cilium/certs
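Review bot: The rename at `cilium_identity_allocation_mode: kvstore` drops the old variable with no fallback, so an inventory that still sets `identity_allocation_mode: crd` will silently get the `kvstore` default after upgrading. That is not only cosmetic here: the install.yml hunk gates "Link etcd certificates for cilium" (including `kube_etcd_key_file`) on `kvstore`, and the templates gate the `etcd-config` mounts on it, so such a cluster would expose the etcd client certificate and key to Cilium without the operator having asked for it. Consider a transitional default such as `cilium_identity_allocation_mode: "{{ identity_allocation_mode | default('kvstore') }}"`, or a preflight in tasks/check.yml that fails while the old name is still defined, e.g. `that: identity_allocation_mode is not defined` with a message naming the new variable. The same concern covers every renamed reference in install.yml and the three templates.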
diff --git a/roles/network_plugin/cilium/tasks/check.yml b/roles/network_plugin/cilium/tasks/check.yml
index 2a9ddc7c1..086eb91b4 100644
--- a/roles/network_plugin/cilium/tasks/check.yml
+++ b/roles/network_plugin/cilium/tasks/check.yml
@@ -10,5 +10,5 @@
 
 - name: Stop if bad Cilium identity allocation mode
   assert:
-    that: identity_allocation_mode in ['crd', 'kvstore']
-    msg: "identity_allocation_mode must be either 'crd' or 'kvstore'"
+    that: cilium_identity_allocation_mode in ['crd', 'kvstore']
+    msg: "cilium_identity_allocation_mode must be either 'crd' or 'kvstore'"
diff --git a/roles/network_plugin/cilium/tasks/install.yml b/roles/network_plugin/cilium/tasks/install.yml
index 6c402a936..c394b6119 100644
--- a/roles/network_plugin/cilium/tasks/install.yml
+++ b/roles/network_plugin/cilium/tasks/install.yml
@@ -14,7 +14,7 @@
     owner: root
     group: root
   when:
-    - identity_allocation_mode == "kvstore"
+    - cilium_identity_allocation_mode == "kvstore"
 
 - name: Cilium | Link etcd certificates for cilium
   file:
@@ -28,7 +28,7 @@
     - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
     - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
   when:
-    - identity_allocation_mode == "kvstore"
+    - cilium_identity_allocation_mode == "kvstore"
 
 - name: Cilium | Create hubble dir
   file:
diff --git a/roles/network_plugin/cilium/templates/cilium-config.yml.j2 b/roles/network_plugin/cilium/templates/cilium-config.yml.j2
index 7d6adfe59..820d214c7 100644
--- a/roles/network_plugin/cilium/templates/cilium-config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-config.yml.j2
@@ -5,9 +5,9 @@ metadata:
   name: cilium-config
   namespace: kube-system
 data:
-  identity-allocation-mode: {{ identity_allocation_mode }}
+  identity-allocation-mode: {{ cilium_identity_allocation_mode }}
 
-{% if identity_allocation_mode == "kvstore" %}
+{% if cilium_identity_allocation_mode == "kvstore" %}
   # This etcd-config contains the etcd endpoints of your cluster. If you use
   # TLS please make sure you follow the tutorial in https://cilium.link/etcd-config
   etcd-config: |-
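Review bot: The value on `identity-allocation-mode: {{ cilium_identity_allocation_mode }}` is rendered unquoted, so the ConfigMap is only valid if the variable never expands to an empty or non-string-looking scalar. tasks/check.yml restricts it to `crd` or `kvstore`, but that protects the manifest only when the check has run before this template is rendered. Quoting makes the template safe on its own: `identity-allocation-mode: "{{ cilium_identity_allocation_mode }}"`. The `data:` mapping and the `etcd-config` block scalar continue past the end of this hunk.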
diff --git a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
index 854d96022..44dcea2b6 100644
--- a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
@@ -135,7 +135,7 @@ spec:
             periodSeconds: 10
             timeoutSeconds: 3
           volumeMounts:
-{% if identity_allocation_mode == "kvstore" %}
+{% if cilium_identity_allocation_mode == "kvstore" %}
             - mountPath: /var/lib/etcd-config
               name: etcd-config-path
               readOnly: true
@@ -155,7 +155,7 @@ spec:
       tolerations:
         - operator: Exists
       volumes:
-{% if identity_allocation_mode == "kvstore" %}
+{% if cilium_identity_allocation_mode == "kvstore" %}
         # To read the etcd config stored in config maps
         - configMap:
             defaultMode: 420
diff --git a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
index 7dd601e31..9589465ca 100644
--- a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
@@ -146,7 +146,7 @@ spec:
           mountPath: {{ cri_socket }}
           readOnly: true
 {% endif %}
-{% if identity_allocation_mode == "kvstore" %}
+{% if cilium_identity_allocation_mode == "kvstore" %}
         - mountPath: /var/lib/etcd-config
           name: etcd-config-path
           readOnly: true
@@ -272,7 +272,7 @@ spec:
           path: /run/xtables.lock
           type: FileOrCreate
         name: xtables-lock
-{% if identity_allocation_mode == "kvstore" %}
+{% if cilium_identity_allocation_mode == "kvstore" %}
         # To read the etcd config stored in config maps
       - configMap:
           defaultMode: 420
-- 
GitLab