elastisys
diff --git a/‎migration/calico-to-cilium/20-migrate-node.sh‎
Lines changed: 62 additions & 0 deletions b/‎migration/calico-to-cilium/20-migrate-node.sh‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎migration/calico-to-cilium/80-switch-to-cilium.sh‎
Lines changed: 35 additions & 0 deletions b/‎migration/calico-to-cilium/80-switch-to-cilium.sh‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎migration/calico-to-cilium/90-cleanup-calico.sh‎
Lines changed: 10 additions & 0 deletions b/‎migration/calico-to-cilium/90-cleanup-calico.sh‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎migration/calico-to-cilium/README.md‎
Lines changed: 179 additions & 0 deletions b/‎migration/calico-to-cilium/README.md‎
Lines changed: 179 additions & 0 deletions
diff --git a/‎migration/calico-to-cilium/cilium-chart-values/cilium-extra.yaml‎
Lines changed: 35 additions & 0 deletions b/‎migration/calico-to-cilium/cilium-chart-values/cilium-extra.yaml‎
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+set -eu
+
+here="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")"
+# shellcheck source=migration/calico-to-cilium/common.sh
+source "${here}/common.sh"
+
+check_bin kubectl
+check_bin cilium-cli
+check_bin kubectl-evict
+
+NODE="${1:-}"
+if [[ -z "${NODE}" ]]; then
+  log_error "FATAL: need a node name" >&2
+  exit 1
+fi
+NODE_HASH="$(hash_node "${NODE}")"
+
+CALICO_TO_CILIUM=true
+EVICT_PODS_WITH_IP_PREFIX="${CALICO_IP_PREFIX}"
+if [[ "${2:-}" == "--rollback" ]]; then
+  CALICO_TO_CILIUM=false
+  EVICT_PODS_WITH_IP_PREFIX="${CILIUM_IP_PREFIX}"
+fi
+
+log_info "Starging migration for node $(yellow_text "${NODE}") with hash $(yellow_text "${NODE_HASH}")"
+
+deferred_cleanup() {
+  # Remove the 'skip-taint' label
+  unlabel_node "${NODE}" "skip-taint"
+
+  # Remove the temporary taints from other nodes
+  log_info "Removing temporary taint from all nodes"
+  untaint_nodes "cilium-guard-${NODE_HASH}" "$(get_all_nodes)"
+}
+trap deferred_cleanup EXIT
+
+# Mark the node to allow cilium per-node configuration + skip from tainting
+label_node "${NODE}" "cilium-default"
+label_node "${NODE}" "skip-taint"
+
+if ${CALICO_TO_CILIUM}; then
+  # Cycle the cilium pod of the node to trigger CNI re-configuration
+  log_info "Cycling cilium pod on $(yellow_text "${NODE}")"
+  kubectl -n kube-system delete pod --field-selector spec.nodeName="${NODE}" -l k8s-app=cilium
+  kubectl -n kube-system rollout status daemonset/cilium --watch
+
+  # Check the node connectivity
+  if ! check_node_connectivity "${NODE}" "${NODE_HASH}"; then
+    log_error "FATAL: could not confirm network connectivity for node ${NODE}"
+    exit 1
+  fi
+fi
+
+# Add a temporary taint to all OTHER nodes (prevents scheduling elsewhere)
+log_info "Tainting all nodes not labeled with $(yellow_text "${LABEL_PREFIX}/skip-taint")"
+taint_nodes "cilium-guard-${NODE_HASH}" "$(get_unlabeled_nodes "skip-taint")"
+
+# Evict node pods managed by Calico one by one, with retries, thus respecting PDBs
+# -> since we tainted every other node, they should be scheduling on the node we're processing
+get_node_pods_with_ip_prefix "${NODE}" "${EVICT_PODS_WITH_IP_PREFIX}" | xargs "${here}/evict_queue.py"
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+set -eu
+
+here="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")"
+# shellcheck source=migration/calico-to-cilium/common.sh
+source "${here}/common.sh"
+
+CONFIG_DIR="${CK8S_CONFIG_PATH}/${TARGET_CLUSTER}-config/group_vars/k8s_cluster"
+
+patch_yaml_config() {
+  local -r patch_file="${1}"
+  local -r config_file="${2}"
+
+  log_info "Patching $(yellow_text "${CONFIG_DIR}/${config_file}") with $(yellow_text "${here}/${patch_file}")"
+
+  # shellcheck disable=SC2016
+  yq eval-all '. as $item ireduce ({}; . * $item)' "${here}/${patch_file}" "${CONFIG_DIR}/${config_file}" >"${CONFIG_DIR}/${config_file}.new"
+  mv -f "${CONFIG_DIR}/${config_file}.new" "${CONFIG_DIR}/${config_file}"
+}
+
+enable_monitoring() {
+  local -r config="${CONFIG_DIR}/ck8s-cilium.yaml"
+
+  log_info "Enabling service monitors for Cilium"
+
+  yq -i '.ck8s_cilium.operator.monitoring.installServiceMonitor = true' "${config}"
+  yq -i '.ck8s_cilium.hubble.monitoring.installServiceMonitor = true' "${config}"
+  yq -i '.ck8s_cilium.prometheus.installServiceMonitor = true' "${config}"
+}
+
+patch_yaml_config k8s-cluster-config/enable-cilium.yaml ck8s-k8s-cluster.yaml
+if kubectl get crd servicemonitors.monitoring.coreos.com >/dev/null; then
+  enable_monitoring
+fi
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+kubectl delete -n kube-system daemonset calico-node --wait --ignore-not-found
+kubectl delete -n kube-system daemonset calico-accountant --wait --ignore-not-found
+kubectl delete -n kube-system deployment calico-kube-controllers --wait --ignore-not-found
+
+mapfile -t CALICO_CRDS < <(kubectl api-resources --api-group=crd.projectcalico.org -o name)
+if [[ "${#CALICO_CRDS[@]}" -gt 0 ]]; then
+  kubectl delete crds "${CALICO_CRDS[@]}"
+fi
@@ -0,0 +1,179 @@
+# Migrating Kubespray clusters from Calico to Cilium CNI
+
+> [!NOTE]
+> Clusters will be migrated one at a time depending on the environment variable `TARGET_CLUSTER`.
+>
+> It does not matter which cluster is migrated first, but it is recommended to start the migration with the _service_ cluster.
+>
+> It's also worth mentioning that full network connectivity is maintained between the Calico and Cilium subnets during the migration.
+>
+> For reference, it takes about 5 minutes to complete the disruptive parts of this guide, on a cluster with 5 nodes.
+
+> [!IMPORTANT]
+> This guide assumes all commands are run from the `migration/calico-to-cilium` directory of the `compliantkubernetes-kubespray` repository.
+
+> [!IMPORTANT]
+> The Cilium pod subnet is preconfigured to `10.235.64.0/18`, in accordance with the recommended value from the official documentation.
+>
+> This should prevent any overlaps with the Calico subnet, assumed to have the `10.233.0.0/16` prefix.
+
+## Prerequisites
+
+The migration uses the Cilium CLI for status checks, as well as the `evict` plugin for `kubectl`.
+
+You will need to install the following on your system:
+
+### Golang
+
+On Ubuntu: `sudo apt install golang-go`
+
+### The Cilium CLI
+
+Grab the binary from the [GitHub releases page](https://github.com/cilium/cilium-cli/releases) and put it somewhere in your `PATH`.
+
+To have it installed under `${HOME}/.local/bin`:
+
+```shell
+mkdir -p "${HOME}/.local/bin"
+curl -fsSL -o- https://github.com/cilium/cilium-cli/releases/download/v0.18.7/cilium-linux-amd64.tar.gz | tar -zxv -C "${HOME}/.local/bin"
+mv "${HOME}/.local/bin/cilium" "${HOME}/.local/bin/cilium-cli"
+```
+
+> [!NOTE]
+> This assumes that the `${HOME}/.local/bin` directory is within your `PATH`. If that's not the case:
+> `export PATH="$PATH:$HOME/.local/bin"`
+
+> [!IMPORTANT]
+> The migration scripts assume the executable name for the Cilium CLI is `cilium-cli` and _NOT_ `cilium`.
+
+### The `evict` plugin for `kubectl`
+
+```shell
+go install github.com/ueokande/kubectl-evict@latest
+```
+
+## Prepare
+
+These steps can be performed without any disruption to the target cluster.
+
+- Prepare environment variables:
+
+  ```bash
+  export TARGET_CLUSTER="<sc|wc>"
+  export CK8S_CONFIG_PATH="/path/to/cluster/config"
+  export KUBECONFIG="${CK8S_CONFIG_PATH}/.state/kube_config_${TARGET_CLUSTER}.yaml"
+  ```
+
+- This guide includes a complete Kubespray run for the target cluster. For OpenStack clusters, credentials must be sourced:
+
+  ```bash
+  test -f ${CK8S_CONFIG_PATH}/openrc.sh && source ${CK8S_CONFIG_PATH}/openrc.sh
+  test -f ${CK8S_CONFIG_PATH}/secret/openstack-app-credentials-for-kubespray.sh && source <(sops -d ${CK8S_CONFIG_PATH}/secret/openstack-app-credentials-for-kubespray.sh)
+  ```
+
+- Ensure that the checked out tag or commit in your Kubespray repository matches the version in the cluster:
+
+  ```bash
+  KUBESPRAY_REF="$(yq '.ck8sKubesprayVersion' ${CK8S_CONFIG_PATH}/${TARGET_CLUSTER}-config/group_vars/all/ck8s-kubespray-general.yaml)"
+  git switch --detach "${KUBESPRAY_REF}"
+
+  # update the kubespray submodule if needed
+  git submodule sync
+  git submodule update --init --recursive
+  ```
+
+- Switch `kube_owner` to `root` and apply the changes:
+
+  ```bash
+  yq -i '.kube_owner = "root"' "${CK8S_CONFIG_PATH}/${TARGET_CLUSTER}-config/group_vars/k8s_cluster/ck8s-k8s-cluster.yaml"
+  ../../bin/ck8s-kubespray apply $TARGET_CLUSTER -b -e=ignore_assert_errors=true --skip-tags=multus
+  ```
+
+- Install Cilium using the values provided in the `cilium-chart-values` directory and wait for the `DaemonSet` rollout:
+
+  ```bash
+  cilium-cli install --version 1.17.5 -f cilium-chart-values/cilium-values.yaml -f cilium-chart-values/cilium-extra.yaml
+  kubectl -n kube-system rollout status daemonset/cilium --watch
+  ```
+
+- Enable the [Per-node configuration](https://docs.cilium.io/en/v1.17/configuration/per-node-config/) feature:
+
+  ```bash
+  kubectl apply -f cilium-node-config/during-migration.yaml
+  ```
+
+## Execute
+
+These steps will cause disruption in the target cluster.
+
+### 1. Temporarily allow all traffic through Calico
+
+```bash
+kubectl apply -f policies/calico-allow-all.yaml
+```
+
+### 2. Migrate worker nodes
+
+Get the list of worker nodes and migrate them one by one, passing the node name as argument to the `./20-migrate-node.sh` script.
+
+For example:
+
+```bash
+kubectl get nodes --no-headers -o custom-columns=":metadata.name" |
+  grep -v 'control-plane' |
+  xargs -rt -I{} --interactive ./20-migrate-node.sh {}
+```
+
+> [!TIP]
+> To skip confirmation prompts for each node, remove the `--interactive` flag from `xargs`.
+
+### 3. Migrate control plane nodes
+
+Get the list of control plane nodes and migrate them one by one, passing the node name as argument to the `./20-migrate-node.sh` script.
+
+For example:
+
+```bash
+kubectl get nodes --no-headers -o custom-columns=":metadata.name" |
+  grep 'control-plane' |
+  xargs -rt -I{} --interactive ./20-migrate-node.sh {}
+```
+
+### 4. Switch the Kubespray configuration to Cilium
+
+```bash
+./80-switch-to-cilium.sh
+../../bin/ck8s-kubespray apply $TARGET_CLUSTER -b -e=ignore_assert_errors=true --tags="download,network"
+```
+
+### 5. Cleanup
+
+- Remove the per-node Cilium configuration:
+
+  ```bash
+  kubectl -n kube-system delete ciliumnodeconfigs.cilium.io cilium-default
+  ```
+
+- Remove Calico remnants:
+
+  ```bash
+  ./90-cleanup-calico.sh
+  ```
+
+### 6. (Optional) Reconfigure Apps
+
+If Welkin Apps has been deployed in the environment, it will require a reconfiguration step:
+
+```bash
+export CK8S_APPS_REPOSITORY_PATH=/path/to/welkin-apps
+
+yq -i '.networkPlugin.type = "cilium"' "${CK8S_CONFIG_PATH}/common-config.yaml"
+yq -i '.networkPlugin.calico.calicoAccountant.enabled = false' "${CK8S_CONFIG_PATH}/common-config.yaml"
+yq -i '.networkPlugin.calico.calicoFelixMetrics.enabled = false' "${CK8S_CONFIG_PATH}/common-config.yaml"
+
+${CK8S_APPS_REPOSITORY_PATH}/bin/update-ips.bash both dry-run
+${CK8S_APPS_REPOSITORY_PATH}/bin/update-ips.bash both apply
+
+${CK8S_APPS_REPOSITORY_PATH}/bin/ck8s apply sc --concurrency=$(nproc)
+${CK8S_APPS_REPOSITORY_PATH}/bin/ck8s apply wc --concurrency=$(nproc)
+```
@@ -0,0 +1,35 @@
+annotateK8sNode: true
+encryption:
+  enabled: true
+  strictMode:
+    enabled: false
+  type: wireguard
+envoy:
+  enabled: false
+hubble:
+  enabled: true
+  metrics:
+    enabled:
+    - drop:labelsContext=traffic_direction,source_pod,source_namespace,source_ip,destination_pod,destination_namespace,destination_ip
+    - flow:labelsContext=traffic_direction,source_pod,source_namespace,source_ip,destination_pod,destination_namespace,destination_ip
+    - dns
+    - tcp
+    - icmp
+    - httpV2
+    servicejonitor:
+      enabled: true
+operator:
+  prometheus:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  unmanagedPodWatcher:
+    restart: false
+policyAuditMode: false
+policyCIDRMatchMode: nodes
+policyEnforcementMode: never
+prometheus:
+  enabled: true
+  serviceMonitor:
+    enabled: true
+    trustCRDsExist: true