Add calico 3.7.3 support (#4953)

* Add calico 3.7.3 support * add calico_datastore variable to policy controller role * add missing clusterrole rules for calico policy controller * disable calico kube controller when kdd mode is used for versions < 3.6
2026-02-28 09:39:12 +03:00 · 2019-07-09 21:42:28 +02:00
parent 65065e7fdf
commit 20c7e31ea3
10 changed files with 235 additions and 19 deletions
--- a/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
@@ -8,3 +8,6 @@ calico_policy_controller_memory_requests: 64M
 # SSL
 calico_cert_dir: "/etc/calico/certs"
 canal_cert_dir: "/etc/canal/certs"
+
+# Datastore type
+calico_datastore: "etcd"
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
@@ -46,7 +46,20 @@ spec:
            requests:
              cpu: {{ calico_policy_controller_cpu_requests }}
              memory: {{ calico_policy_controller_memory_requests }}
+{% if calico_version is version('v3.3.0', '>=') %}
+          readinessProbe:
+            exec:
+              command:
+              - /usr/bin/check-status
+              - -r
+{% endif %}
          env:
+{% if calico_datastore == "kdd" and calico_version is version('v3.6.0', '>=') %}
+            - name: ENABLED_CONTROLLERS
+              value: node
+            - name: DATASTORE_TYPE
+              value: kubernetes
+{% else %}
            - name: ETCD_ENDPOINTS
              value: "{{ etcd_access_addresses }}"
            - name: ETCD_CA_CERT_FILE
@@ -55,13 +68,6 @@ spec:
              value: "{{ calico_cert_dir }}/cert.crt"
            - name: ETCD_KEY_FILE
              value: "{{ calico_cert_dir }}/key.pem"
-{% if calico_version is version('v3.3.0', '>=') %}
-          readinessProbe:
-            exec:
-              command:
-              - /usr/bin/check-status
-              - -r
-{% endif %}
          volumeMounts:
          - mountPath: {{ calico_cert_dir }}
            name: etcd-certs
@@ -70,3 +76,4 @@ spec:
      - hostPath:
          path: {{ calico_cert_dir }}
        name: etcd-certs
+{% endif %}
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
@@ -5,6 +5,7 @@ metadata:
  name: calico-kube-controllers
  namespace: kube-system
 rules:
+{% if calico_datastore == "etcd"  %}
  - apiGroups:
    - ""
    - extensions
@@ -24,3 +25,44 @@ rules:
    verbs:
      - watch
      - list
+{% elif calico_datastore == "kdd" %}
+  # Nodes are watched to monitor for deletions.
+  - apiGroups: [""]
+    resources:
+      - nodes
+    verbs:
+      - watch
+      - list
+      - get
+  # Pods are queried to check for existence.
+  - apiGroups: [""]
+    resources:
+      - pods
+    verbs:
+      - get
+  # IPAM resources are manipulated when nodes are deleted.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - ippools
+    verbs:
+      - list
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - blockaffinities
+      - ipamblocks
+      - ipamhandles
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+  # Needs access to update clusterinformations.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - clusterinformations
+    verbs:
+      - get
+      - create
+      - update
+{% endif %}