From a15a0b5eb954c29636b4257463ef29ab2f5a191c Mon Sep 17 00:00:00 2001
From: Chad Swenson <chadswen@gmail.com>
Date: Wed, 19 Feb 2020 04:28:25 -0600
Subject: [PATCH] Make calico iptables lock timeout configurable (#5658)

Adds `calico_iptables_lock_timeout_secs` variable to calico DS yaml.
---
 roles/network_plugin/calico/defaults/main.yml            | 3 +++
 roles/network_plugin/calico/templates/calico-node.yml.j2 | 6 +-----
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/roles/network_plugin/calico/defaults/main.yml b/roles/network_plugin/calico/defaults/main.yml
index dc9000f03..ccf4c6248 100644
--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@@ -51,6 +51,9 @@ calico_node_ignorelooserpf: false
 # Define address on which Felix will respond to health requests
 calico_healthhost: "localhost"
 
+# Configure time in seconds that calico will wait for the iptables lock
+calico_iptables_lock_timeout_secs: 10
+
 # Choose Calico iptables backend: "Iptables" or "NFT" (FELIX_IPTABLESBACKEND)
 calico_iptables_backend: "Iptables"
 
diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2
index 23e01430d..c57a9d70c 100644
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -209,12 +209,8 @@ spec:
             - name: FELIX_IPTABLESBACKEND
               value: "{{ calico_iptables_backend }}"
 {% endif %}
-            # Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used,
-            # this is not required in later versions https://github.com/projectcalico/calico/issues/2179
-{% if calico_version is version('v3.2.1', '<') %}
             - name: FELIX_IPTABLESLOCKTIMEOUTSECS
-              value: "10"
-{% endif %}
+              value: "{{ calico_iptables_lock_timeout_secs }}"
 # should be set in etcd before deployment
 #            # Configure the IP Pool from which Pod IPs will be chosen.
 #            - name: CALICO_IPV4POOL_CIDR
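Review bot: With the `calico_version` guard removed, `FELIX_IPTABLESLOCKTIMEOUTSECS` is rendered for every Calico version with a default of 10. Deployments on v3.2.1 or later previously ran without it (Felix's own default is 0, which disables its lock), so an upgrade silently changes how Felix serialises its iptables writes against other writers on the node. Felix's lock only works if the calico-node container shares the xtables lock file with the host's other iptables users; the volume mounts are outside this hunk, so please confirm that mount exists in this DaemonSet. The removed comment was the only explanation of this setting, so I would add a replacement above the env entry and extend the one in defaults/main.yml, e.g. `# 0 disables Felix's own iptables lock; a non-zero value requires the shared xtables lock file`. The env list and the `{% endif %}` on the context line belong to blocks that begin outside the hunk.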
-- 
GitLab