Refactor calico route reflector to run in k8s cluster (kubernetes-sig…

…s#4975)

* Refactor calico-rr to run in k8s cluster with taint

Change-Id: I75a3169ff5b36ce8302fc7ef1c32d3eb697b5afa

* add preinstall checks

* rework calico/rr role

Change-Id: I2f0a7e6cb77cf91ad4a615923680760d2e5d9ca8

* add empty calico-rr group

Change-Id: I006c0a60db9b72d02245bf8fdfabcf982144a5ad

cluster.yml

@@ -19,14 +19,14 @@
     - { role: kubespray-defaults}
     - { role: bastion-ssh-config, tags: ["localhost", "bastion"]}
 
-- hosts: k8s-cluster:etcd:calico-rr
+- hosts: k8s-cluster:etcd
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   gather_facts: false
   roles:
     - { role: kubespray-defaults}
     - { role: bootstrap-os, tags: bootstrap-os}
 
-- hosts: k8s-cluster:etcd:calico-rr
+- hosts: k8s-cluster:etcd
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
     - { role: kubespray-defaults}
@@ -46,7 +46,7 @@
         etcd_events_cluster_setup: "{{ etcd_events_cluster_enabled }}"
       when: not etcd_kubeadm_enabled| default(false)
 
-- hosts: k8s-cluster:calico-rr
+- hosts: k8s-cluster
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
     - { role: kubespray-defaults}
@@ -79,6 +79,12 @@
     - { role: kubernetes/kubeadm, tags: kubeadm}
     - { role: network_plugin, tags: network }
 
+- hosts: calico-rr
+  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
+  roles:
+    - { role: kubespray-defaults}
+    - { role: network_plugin/calico/rr, tags: ['network', 'calico_rr']}
+
 - hosts: kube-master[0]
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
@@ -95,12 +101,6 @@
     - { role: kubernetes-apps/ingress_controller, tags: ingress-controller }
     - { role: kubernetes-apps/external_provisioner, tags: external-provisioner }
 
-- hosts: calico-rr
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  roles:
-    - { role: kubespray-defaults}
-    - { role: network_plugin/calico/rr, tags: network }
-
 - hosts: kube-master
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:

docs/calico.md

@@ -119,13 +119,13 @@ recommended here:
 
 You need to edit your inventory and add:
 
-* `calico-rr` group with nodes in it. At the moment it's incompatible with
-  `kube-node` due to BGP port conflict with `calico-node` container. So you
-  should not have nodes in both `calico-rr` and `kube-node` groups.
+* `calico-rr` group with nodes in it. `calico-rr` can be combined with
+  `kube-node` and/or `kube-master`. `calico-rr` group also must be a child
+   group of `k8s-cluster` group.
 * `cluster_id` by route reflector node/group (see details
 [here](https://hub.docker.com/r/calico/routereflector/))
 
-Here's an example of Kubespray inventory with route reflectors:
+Here's an example of Kubespray inventory with standalone route reflectors:
 
 ```
 [all]
@@ -154,6 +154,7 @@ node5
 [k8s-cluster:children]
 kube-node
 kube-master
+calico-rr
 
 [calico-rr]
 rr0

inventory/local/hosts.ini

@@ -12,3 +12,4 @@ node1
 [k8s-cluster:children]
 kube-node
 kube-master
+calico-rr

inventory/sample/inventory.ini

@@ -28,6 +28,9 @@
 # node5
 # node6
 
+[calico-rr]
+
 [k8s-cluster:children]
 kube-master
 kube-node
+calico-rr

roles/kubernetes/kubeadm/templates/kubeadm-client.conf.v1alpha3.j2

@@ -17,3 +17,8 @@ discoveryTokenUnsafeSkipCAVerification: true
 nodeRegistration:
   name: {{ kube_override_hostname }}
   criSocket: {{ cri_socket }}
+{% if 'calico-rr' in group_names and 'kube-node' not in group_names %}
+  taints:
+  - effect: NoSchedule
+    key: node-role.kubernetes.io/calico-rr
+{% endif %}

roles/kubernetes/kubeadm/templates/kubeadm-client.conf.v1beta1.j2

@@ -21,3 +21,8 @@ caCertPath: {{ kube_cert_dir }}/ca.crt
 nodeRegistration:
   name: {{ kube_override_hostname }}
   criSocket: {{ cri_socket }}
+{% if 'calico-rr' in group_names and 'kube-node' not in group_names %}
+  taints:
+  - effect: NoSchedule
+    key: node-role.kubernetes.io/calico-rr
+{% endif %}

roles/kubernetes/preinstall/tasks/0020-verify-settings.yml

@@ -166,6 +166,26 @@
     - inventory_hostname == groups['kube-master'][0]
   run_once: yes
 
+- name: "Check that cluster_id is set if calico_rr enabled"
+  assert:
+    that:
+      - cluster_id is defined
+    msg: "A unique cluster_id is required if using calico_rr"
+  when:
+    - kube_network_plugin == 'calico'
+    - peer_with_calico_rr
+    - inventory_hostname == groups['kube-master'][0]
+  run_once: yes
+
+- name: "Check that calico_rr nodes are in k8s-cluster group"
+  assert:
+    that:
+      - '"k8s-cluster" in group_names'
+    msg: "calico-rr must be a child group of k8s-cluster group"
+  when:
+    - kube_network_plugin == 'calico'
+    - '"calico-rr" in group_names'
+
 - name: "Check that kube_service_addresses is a network range"
   assert:
     that:

roles/network_plugin/calico/rr/defaults/main.yml

@@ -2,15 +2,4 @@
 # Global as_num (/calico/bgp/v1/global/as_num)
 # should be the same as in calico role
 global_as_num: "64512"
-
-calico_cert_dir: /etc/calico/certs
-
-# Limits for apps
-calico_rr_memory_limit: 1000M
-calico_rr_cpu_limit: 300m
-calico_rr_memory_requests: 128M
-calico_rr_cpu_requests: 150m
-
-kube_etcd_cacert_file: ca.pem
-kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
-kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
+calico_baremetal_nodename: "{{ kube_override_hostname | default(inventory_hostname) }}"

roles/network_plugin/calico/rr/tasks/main.yml

@@ -1,82 +1,29 @@
 ---
-# Required from inventory:
-#   calico_rr_ip - which specific IP to use for RR, defaults to
-#   "ip" from inventory or "ansible_default_ipv4.address"
+- name: Calico-rr | Pre-upgrade tasks
+  include_tasks: pre.yml
 
-- name: Calico-rr | Set IP fact
-  set_fact:
-    rr_ip: "{{ calico_rr_ip | default(ip) | default(fallback_ips[inventory_hostname]) }}"
+- name: Calico-rr | Fetch current node object
+  command: "{{ bin_dir }}/calicoctl.sh get node {{ inventory_hostname }} -oyaml"
+  register: calico_rr_node
 
-- name: Calico-rr | Create calico certs directory
-  file:
-    dest: "{{ calico_cert_dir }}"
-    state: directory
-    mode: 0750
-    owner: root
-    group: root
-
-- name: Calico-rr | Link etcd certificates for calico-node
-  file:
-    src: "{{ etcd_cert_dir }}/{{ item.s }}"
-    dest: "{{ calico_cert_dir }}/{{ item.d }}"
-    state: hard
-    force: yes
-  with_items:
-    - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
-    - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
-    - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
-
-- name: Calico-rr | Create dir for logs
-  file:
-    path: /var/log/calico-rr
-    state: directory
-    mode: 0755
-    owner: root
-    group: root
-
-- name: Calico-rr | Write calico-rr.env for systemd init file
-  template:
-    src: calico-rr.env.j2
-    dest: /etc/calico/calico-rr.env
-  notify: restart calico-rr
-
-- name: Calico-rr | Write calico-rr systemd init file
-  template:
-    src: calico-rr-docker.service.j2
-    dest: /etc/systemd/system/calico-rr.service
-  notify: restart calico-rr
-  when:
-    - container_manager in ['crio', 'docker', 'rkt']
-
-- name: Calico-rr | Write calico-rr systemd init file
-  template:
-    src: calico-rr-containerd.service.j2
-    dest: /etc/systemd/system/calico-rr.service
-  notify: restart calico-rr
-  when:
-    - container_manager == 'containerd'
+# FIXME(mattymo): Use jsonpatch when ansible/ansible#52931 is merged
+- name: Calico-rr | Set route reflector cluster ID
+  shell: >-
+    echo -e '{{ calico_rr_node.stdout }}' |
+    sed '/bgp:/a \ \ \ \ routeReflectorClusterID: {{ cluster_id }}'
+  register: calico_rr_node
+  when: '("routeReflectorClusterID: " + cluster_id|string) not in calico_rr_node.stdout_lines'
 
 - name: Calico-rr | Configure route reflector
-  command: |-
-    {{ bin_dir }}/etcdctl \
-    --endpoints={{ etcd_access_addresses }} \
-    put /calico/bgp/v1/rr_v4/{{ rr_ip }} \
-    '{
-       "ip": "{{ rr_ip }}",
-       "cluster_id": "{{ cluster_id }}"
-     }'
-  environment:
-    ETCDCTL_API: 3
-    ETCDCTL_CERT: "{{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}.pem"
-    ETCDCTL_KEY: "{{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem"
+  shell: |-
+    echo -e '{{ calico_rr_node.stdout }}' |
+    {{ bin_dir }}/calicoctl.sh replace -f-
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
-  delegate_to: "{{ groups['etcd'][0] }}"
-
-- meta: flush_handlers
 
-- name: Calico-rr | Enable calico-rr
-  service:
-    name: calico-rr
-    state: started
-    enabled: yes
+- name: Calico-rr | Set label for route reflector
+  command: >-
+    {{ bin_dir }}/calicoctl.sh label node {{ inventory_hostname }}
+    'i-am-a-route-reflector=true' --overwrite
+  retries: 4
+  delay: "{{ retry_stagger | random + 3 }}"

roles/network_plugin/calico/rr/tasks/pre.yml

@@ -0,0 +1,15 @@
+---
+- name: Calico-rr | Disable calico-rr service if it exists
+  service:
+    name: calico-rr
+    state: stopped
+    enabled: no
+  failed_when: false
+
+- name: Calico-rr | Delete obsolete files
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /etc/calico/calico-rr.env
+    - /etc/systemd/system/calico-rr.service