Enable calico apiserver

What does this MR do and why?

The aim of this MR is to enable calico-apiserver and allow making changes to calico resources (e.g. ippool) through the tigera operator. As described in issue #3270 (closed), changes made to the ippool inside the installation configuration are not propagated, due to the absence of calico-apiserver, which is disabled by default.

I've noticed that on a fresh install we can enable it by adding apiServer.enabled: true, which successfully deploys the apiserver component of calico, but the problem comes when we want to enable it on an existing cluster, because the tigera-operator is not allowed to update PSA on the calico-apiserver ns due to the rancher admission webhook:

message: 'Error creating / updating resource: admission webhook "rancher.cattle.io.namespaces.create-non-kubesystem"
denied the request: Unauthorized'

In order to bypass this issue we should give the tigera-operator permission to update PSA by creating a clusterrole and clusterrolebinding. A similar issue (and resolution) has been reported in https://support.scc.suse.com/s/kb/Tigera-operator-Pod-operations-failing-due-to-rancher-webhook-unauthorized-errors-in-a-Rancher-provisioned-RKE2-cluster?language=en_US and https://github.com/rancher/rancher/issues/41191.

By default, I keep this feature disabled, but we could discuss whether it's necessary to activate it.

Closes #3270 (closed).

Test coverage

CI tests with calico-apiserver enabled: https://gitlab.com/sylva-projects/sylva-core/-/pipelines/2229509293.

Having calico-apiserver deployed, I changed the parameter disableBGPExport: true in the ippool configuration and checked that it was updated as desired.

NAME                                READY   STATUS    RESTARTS   AGE
calico-apiserver-7657566cfc-ns5sr   1/1     Running   0          19h
calico-apiserver-7657566cfc-qxbcr   1/1     Running   0          19h

apiserver   True        False         False      19h
calico      True        False         False      3d21h
ippools     True        False         False      19h
k get installations.operator.tigera.io default -o yaml | yq .status.computed.calicoNetwork.ipPools
- allowedUses:
    - Workload
    - Tunnel
  assignmentMode: Automatic
  blockSize: 26
  cidr: 100.72.0.0/16
  disableBGPExport: true <==
  disableNewAllocations: false
  encapsulation: VXLAN
  name: default-ipv4-ippool
  natOutgoing: Enabled
  nodeSelector: all()
k get ippools default-ipv4-ippool -o yaml | yq .spec
allowedUses:
  - Workload
  - Tunnel
assignmentMode: Automatic
blockSize: 26
cidr: 100.72.0.0/16
disableBGPExport: true <==
ipipMode: Never
natOutgoing: true
nodeSelector: all()
vxlanMode: Always
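
To make the permission discussed above concrete, here is a ClusterRole/ClusterRoleBinding pair of the kind the MR description refers to. This is an added example, not the manifest carried by this MR or by sylva-core; it follows the resolution in the linked Rancher issue and SUSE KB article, where the rancher webhook only lets a caller set or change pod-security.kubernetes.io/* labels on a namespace if that caller is authorized for the non-standard verb updatepsa on projects in the management.cattle.io API group. The resource names, and the assumption that the operator runs as the tigera-operator ServiceAccount in the tigera-operator namespace, are mine.

```yaml
# Added example (not from the MR): minimal RBAC so the tigera-operator service
# account passes the rancher-webhook PSA check when it labels the
# calico-apiserver namespace.
# Assumption: the operator runs as ServiceAccount tigera-operator in namespace
# tigera-operator; adjust both if sylva-core deploys it elsewhere.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigera-operator-psa   # hypothetical name
rules:
  # The webhook "rancher.cattle.io.namespaces.create-non-kubesystem" does not
  # decide on update/patch of namespaces (the operator already has those, which
  # is why plain RBAC passed and only the webhook denied the request); it
  # decides on this verb against the projects resource. Granting exactly this
  # one verb keeps the operator far from cluster-admin.
  - apiGroups: ["management.cattle.io"]
    resources: ["projects"]
    verbs: ["updatepsa"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tigera-operator-psa   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tigera-operator-psa
subjects:
  - kind: ServiceAccount
    name: tigera-operator
    namespace: tigera-operator
```

After applying it (kubectl apply -f), the check a practitioner wants before re-enabling the apiserver is kubectl auth can-i updatepsa projects.management.cattle.io --as=system:serviceaccount:tigera-operator:tigera-operator, which should answer yes; on a cluster without the rancher webhook the binding is harmless because nothing evaluates that verb.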

CI configuration

Below you can choose test deployment variants to run in this MR's CI.


Legend (icon, meaning, available values):

  • ☁️ Infra Provider: capd, capo, capm3
  • 🚀 Bootstrap Provider: kubeadm (alias kadm), rke2, okd, ck8s
  • 🐧 Node OS: ubuntu, suse, na, leapmicro
  • 🛠️ Deployment Options: light-deploy, dev-sources, ha, misc, maxsurge-0, logging, no-logging, cilium
  • 🎬 Pipeline Scenarios: available scenario list and description
  • 🟢 Enabled units: any available unit name; by default applied to both the management and the workload cluster. Can be prefixed with mgmt: or wkld: to apply only to that cluster type
  • 🏗️ Target platform: can be used to select a specific deployment environment (e.g. real-bmh for capm3)
  • 🎬 preview ☁️ capd 🚀 kadm 🐧 ubuntu

  • 🎬 preview ☁️ capo 🚀 rke2 🐧 suse

  • 🎬 preview ☁️ capm3 🚀 rke2 🐧 ubuntu

  • ☁️ capd 🚀 kadm 🛠️ light-deploy 🐧 ubuntu

  • ☁️ capd 🚀 rke2 🛠️ light-deploy 🐧 suse

  • ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.6.x 🐧 suse

  • ☁️ capo 🚀 rke2 🐧 leapmicro

  • ☁️ capo 🚀 kadm 🎬 sylva-upgrade-from-1.6.x 🛠️ ha 🐧 ubuntu

  • ☁️ capo 🚀 kadm 🐧 ubuntu 🟢 neuvector,mgmt:harbor

  • ☁️ capo 🚀 rke2 🎬 rolling-update 🛠️ ha 🐧 ubuntu

  • ☁️ capo 🚀 kadm 🎬 wkld-k8s-upgrade 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🎬 rolling-update-no-wkld 🛠️ ha 🐧 suse

  • ☁️ capo 🚀 rke2 🎬 sylva-upgrade 🛠️ ha 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.6.x 🛠️ ha,misc 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🛠️ ha,misc 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🛠️ ha,misc,openbao 🐧 suse

  • ☁️ capo 🚀 rke2 🐧 suse 🎬 upgrade-from-prev-tag

  • ☁️ capm3 🚀 rke2 🐧 suse

  • ☁️ capm3 🚀 kadm 🐧 ubuntu

  • ☁️ capm3 🚀 ck8s 🐧 ubuntu

  • ☁️ capm3 🚀 kadm 🎬 rolling-update-no-wkld 🛠️ ha,misc 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🎬 wkld-k8s-upgrade 🛠️ ha 🐧 suse

  • ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🎬 upgrade-from-prev-release-branch 🛠️ ha 🐧 suse

  • ☁️ capm3 🚀 rke2 🛠️ misc,ha 🐧 suse

  • ☁️ capm3 🚀 rke2 🎬 sylva-upgrade 🛠️ ha,misc 🐧 suse

  • ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 suse

  • ☁️ capm3 🚀 ck8s 🎬 rolling-update 🛠️ ha 🐧 ubuntu

  • ☁️ capm3 🚀 rke2|okd 🎬 no-update 🐧 ubuntu|na

  • ☁️ capm3 🚀 rke2 🐧 suse 🎬 upgrade-from-release-1.5

  • ☁️ capm3 🚀 rke2 🐧 suse 🎬 upgrade-to-main

Global config for deployment pipelines

  • autorun pipelines
  • allow failure on pipelines
  • record sylvactl events

Notes:

  • Enabling autorun will make deployment pipelines run automatically without human interaction
  • Disabling allow failure will make deployment pipelines mandatory for pipeline success
  • If both autorun and allow failure are disabled, deployment pipelines will need manual triggering but will block the pipeline

Be aware: after a configuration change, the pipeline is not triggered automatically. Please run it manually (by clicking the run pipeline button in the Pipelines tab) or push new code.

Edited by Bogdan Antohe
