Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement cilium upgrade using Helm #1492

Merged
merged 6 commits into from
Apr 18, 2023
Merged

Implement cilium upgrade using Helm #1492

merged 6 commits into from
Apr 18, 2023

Conversation

asauber
Copy link
Member

@asauber asauber commented Apr 5, 2023
edited

Summary

Implements the cilium upgrade command using a thin wrapper around Helm rather than direct Kubernetes API calls.

A few of the self-contained features are broken down into separate commits.

Motivation

This implementation allows for more consistent documentation and behavior among Cilium installation methods, such as those docs which use only Helm directly.

This implementation includes an alternate implementation for the cilium {clustermesh,hubble} {enable,disable} family of commands. The "legacy" implementation of those commands came from a time when using Helm was insecure (it installed a daemon into the cluster with cluster-admin privileges. Helm is now relatively safe to use, thus we use Helm here as a library to implement all features for Cilium installation, upgrade, and feature enable/disable whcih are currently implemented in the Cilium Helm chart.

Example Usage

For example, we can use this new upgrade command to enable Cluster Mesh on a set of two Cilium clusters with the following procedure.

Create a kind cluster with the following config

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: c1
nodes:
  - role: control-plane
  - role: worker
  - role: worker
  - role: worker
networking:
  disableDefaultCNI: true
  podSubnet: "10.10.0.0/16"
  serviceSubnet: "10.50.0.0/16"
kind create cluster --config c1.kindconfig.yaml

Test that the kind cluster came up with k get pods -A

Install Cilium using the CLI, making sure to set a Cluster ID and Cluster Name

export CILIUM_CLI_MODE=helm
cilium install --help
# note the suggestion to use --helm-set flags
cilium install --helm-set cluster.id=1 --helm-set cluster.name=cluster1

Create a second cluster using kind with the following config

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: c2
nodes:
  - role: control-plane
  - role: worker
  - role: worker
  - role: worker
networking:
  disableDefaultCNI: true
  podSubnet: "10.11.0.0/16"
  serviceSubnet: "10.51.0.0/16"
kind create cluster --config c2.kindconfig.yaml

Check that you are authed for Cluster kind-c2

Run k get pods -A and look for kube-apiserver-c2-control-plane

Install Cilium using the CLI, making sure to set a Cluster ID and Cluster Name

export CILIUM_CLI_MODE=helm
cilium install --help
# note the suggestion to use --helm-set flags
cilium install --helm-set cluster.id=2 --helm-set cluster.name=cluster2

Enable clustermesh on Cluster 1 using the new Helm upgrade command

export CILIUM_CLI_MODE=helm
cilium upgrade --help
# note the suggestion to use --helm-set flags
cilium upgrade --context $CLUSTER1 \
    --helm-set clustermesh.useAPIServer=true \
    --helm-set clustermesh.apiserver.service.type=NodePort
# observe that the clustermesh apiserver is running
k get pods -A

Prep environment for the clustermesh enable.

export CLUSTER1=kind-c1 CLUSTER2=kind-c2

Extract the CA cert from Cluster 1 and install it into Cluster 2, then restart Cilium on Cluster 2

kubectl --context $CLUSTER2 delete secret -n kube-system cilium-ca && \
kubectl --context $CLUSTER1 get secrets -n kube-system cilium-ca -oyaml \
    | kubectl --context $CLUSTER2 apply -f -
# you should see the following output
# secret "cilium-ca" deleted
# secret/cilium-ca created
# proceed to restart Cilium on kind-c2
kubectl --context $CLUSTER2 delete pod -l app.kubernetes.io/part-of=cilium -A

Enable clustermesh on Cluster 2 using the new Helm upgrade command

export CILIUM_CLI_MODE=helm
cilium upgrade --help
# note the suggestion to use --helm-set flags
cilium upgrade --context $CLUSTER2 \
    --helm-set clustermesh.useAPIServer=true \
    --helm-set clustermesh.apiserver.service.type=NodePort

Move the secrets expected by the cilium clustermesh connect command (this quirk to be fixed with a helm-mode PR for that command)

k get secrets --context $CLUSTER1 -n kube-system clustermesh-apiserver-remote-cert \
    -oyaml \
    | sed 's/name: .*/name: clustermesh-apiserver-client-cert/' \
    | k apply --context $CLUSTER1 -f -

k get secrets --context $CLUSTER2 -n kube-system clustermesh-apiserver-remote-cert \
    -oyaml \
    | sed 's/name: .*/name: clustermesh-apiserver-client-cert/' \
    | k apply --context $CLUSTER2 -f -

Connect the two clusters using ClusterMesh

cilium clustermesh connect --context $CLUSTER1 --destination-context $CLUSTER2

Run the Multi-Cluster connectivity tests.

cilium connectivity test --context $CLUSTER1 --multi-cluster $CLUSTER2

(This has been included as a CI workflow)

closes #1493

@asauber asauber added the dont-merge/preview-only Only for preview or testing, don't merge it. label Apr 5, 2023
@asauber asauber self-assigned this Apr 5, 2023
@asauber asauber temporarily deployed to ci April 5, 2023 22:07 — with GitHub Actions Inactive
@asauber asauber temporarily deployed to ci April 5, 2023 22:10 — with GitHub Actions Inactive
@asauber asauber temporarily deployed to ci April 10, 2023 20:02 — with GitHub Actions Inactive
@asauber asauber temporarily deployed to ci April 13, 2023 14:06 — with GitHub Actions Inactive
@asauber asauber temporarily deployed to ci April 13, 2023 19:14 — with GitHub Actions Inactive
@asauber asauber changed the title Helm implementation for clustermesh commands Implement cilium upgrade using Helm. This also provides an implementation for the clustermesh {enable,disable} commands. Apr 13, 2023
@asauber asauber changed the title Implement cilium upgrade using Helm. This also provides an implementation for the clustermesh {enable,disable} commands. Implement cilium upgrade using Helm. Provides an implementation for the clustermesh {enable,disable} commands. Apr 13, 2023
@asauber asauber changed the title Implement cilium upgrade using Helm. Provides an implementation for the clustermesh {enable,disable} commands. Implement cilium upgrade using Helm Apr 13, 2023
@asauber asauber temporarily deployed to ci April 13, 2023 19:25 — with GitHub Actions Inactive
@asauber asauber temporarily deployed to ci April 13, 2023 19:28 — with GitHub Actions Inactive
@cilium cilium deleted a comment from maintainer-s-little-helper bot Apr 13, 2023
asauber
asauber commented Apr 13, 2023
View reviewed changes
internal/helm/helm.go Outdated Show resolved Hide resolved
@asauber asauber removed the dont-merge/preview-only Only for preview or testing, don't merge it. label Apr 14, 2023
asauber
asauber commented Apr 14, 2023
View reviewed changes
install/install.go Outdated Show resolved Hide resolved
@asauber asauber temporarily deployed to ci April 14, 2023 13:12 — with GitHub Actions Inactive
@asauber asauber temporarily deployed to ci April 14, 2023 13:21 — with GitHub Actions Inactive
@asauber asauber temporarily deployed to ci April 14, 2023 13:29 — with GitHub Actions Inactive
@asauber asauber temporarily deployed to ci April 14, 2023 13:33 — with GitHub Actions Inactive
@asauber asauber requested review from a team as code owners April 17, 2023 19:05
@asauber asauber requested a review from nbusseneau April 17, 2023 19:05
@asauber asauber temporarily deployed to ci April 17, 2023 19:05 — with GitHub Actions Inactive
@asauber
Copy link
Member Author

asauber commented Apr 17, 2023

Fix dry run

@asauber asauber temporarily deployed to ci April 17, 2023 21:57 — with GitHub Actions Inactive
@asauber asauber temporarily deployed to ci April 18, 2023 14:51 — with GitHub Actions Inactive
michi-covalent
michi-covalent reviewed Apr 18, 2023
View reviewed changes
Copy link
Contributor

@michi-covalent michi-covalent left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm once the conflict is resolved

@asauber asauber temporarily deployed to ci April 18, 2023 15:06 — with GitHub Actions Inactive
@asauber
Factor out ListVersions from preinstall
b651b9f 
This makes the early-return explicit, and works towards making the
preflight checks more understandable.

Signed-off-by: Andrew Sauber <andrew.sauber@isovalent.com>
@asauber
Add upgrade implementation using Helm
83fb438 
Adds upgrade implementation using a Helm update action directly if the
environment variable CILIUM_CLI_MODE=helm is set.

Signed-off-by: Andrew Sauber <andrew.sauber@isovalent.com>
@asauber
Expose helm reset/reuse values as flags for upgrade
e713a69 
Signed-off-by: Andrew Sauber <andrew.sauber@isovalent.com>
@asauber
Add chart version as parameter for upgrade
175c80b 
The chart version is either that of the current release or initialized
during k.getHelmValues

Signed-off-by: Andrew Sauber <andrew.sauber@isovalent.com>
@asauber
Clean up signature and usage of helm Upgrade func
de438da 
* Rename UpgradeCurrentRelease to Upgrade
* Move Chart parameter into params struct
* Don't query for latest chart when we don't need to

Signed-off-by: Andrew Sauber <andrew.sauber@isovalent.com>
@asauber
Default Helm Upgrade to not reuse values
54f3d05 
Previously, we were defaulting Helm's reuseValues flag to true. This
ended up not giving us the expected behavior when only our --version
flag was passed to an upgrade command (the most common case
for this flag). The result was that prior image versions from the
current release would override that version. By defaulting this flag to
false, we get the expect behavior in the common case.

Signed-off-by: Andrew Sauber <andrew.sauber@isovalent.com>
@asauber asauber temporarily deployed to ci April 18, 2023 15:51 — with GitHub Actions Inactive
@michi-covalent
Copy link
Contributor

removing github-sec and ci-structure from reviewers. this pr got updated, and now it's only modifying files owned by cli and sig-hubble teams.

@michi-covalent michi-covalent removed request for a team and nbusseneau April 18, 2023 15:59
@michi-covalent
Copy link
Contributor

EKS (ENI): failed #1514

@michi-covalent michi-covalent merged commit b4376d8 into master Apr 18, 2023
12 checks passed
@michi-covalent michi-covalent deleted the pr/asauber/clustermesh branch April 18, 2023 17:36
@tklauser tklauser mentioned this pull request Apr 19, 2023
Merged
@ZhongRuoyu ZhongRuoyu mentioned this pull request Apr 24, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michi-covalent michi-covalent michi-covalent approved these changes

Assignees

@asauber asauber

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

cilium upgrade doesn't support --chart-directory
2 participants
@asauber @michi-covalent