From e655386bc74311b1bcaf97fc382e833801981077 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz>
Date: Fri, 14 Jun 2024 07:30:03 +0000
Subject: [PATCH] Update versions - kubernetes to 1.30.2

* k8s
* helm
* calico
* prometheus
* grafana
---
 cesnet-central/playbooks/files/calico.yaml | 90 ++++++++++++++--------
 cesnet-central/playbooks/k8s.yaml          | 16 ++--
 cesnet-central/playbooks/upgrade.yaml      |  6 +-
 3 files changed, 69 insertions(+), 43 deletions(-)

diff --git a/cesnet-central/playbooks/files/calico.yaml b/cesnet-central/playbooks/files/calico.yaml
index 3998fd1..7f4cb47 100644
--- a/cesnet-central/playbooks/files/calico.yaml
+++ b/cesnet-central/playbooks/files/calico.yaml
@@ -475,7 +475,7 @@ spec:
               numAllowedLocalASNumbers:
                 description: Maximum number of local AS numbers that are allowed in
                   the AS path for received routes. This removes BGP loop prevention
-                  and should only be used if absolutely necesssary.
+                  and should only be used if absolutely necessary.
                 format: int32
                 type: integer
               password:
@@ -1057,6 +1057,13 @@ spec:
                   Loose]'
                 pattern: ^(?i)(Disabled|Strict|Loose)?$
                 type: string
+              bpfExcludeCIDRsFromNAT:
+                description: BPFExcludeCIDRsFromNAT is a list of CIDRs that are to
+                  be excluded from NAT resolution so that host can handle them. A
+                  typical usecase is node local DNS cache.
+                items:
+                  type: string
+                type: array
               bpfExtToServiceConnmark:
                 description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
                   mark that is set on connections from an external client to a local
@@ -1099,8 +1106,9 @@ spec:
                 - Disabled
                 type: string
               bpfKubeProxyEndpointSlicesEnabled:
-                description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
-                  whether Felix's embedded kube-proxy accepts EndpointSlices or not.
+                description: BPFKubeProxyEndpointSlicesEnabled is deprecated and has
+                  no effect. BPF kube-proxy always accepts endpoint slices. This option
+                  will be removed in the next release.
                 type: boolean
               bpfKubeProxyIptablesCleanupEnabled:
                 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
@@ -1219,11 +1227,23 @@ spec:
                 type: string
               debugDisableLogDropping:
                 type: boolean
+              debugHost:
+                description: DebugHost is the host IP or hostname to bind the debug
+                  port to.  Only used if DebugPort is set. [Default:localhost]
+                type: string
               debugMemoryProfilePath:
                 type: string
+              debugPort:
+                description: DebugPort if set, enables Felix's debug HTTP port, which
+                  allows memory and CPU profiles to be retrieved.  The debug port
+                  is not secure, it should not be exposed to the internet.
+                type: integer
               debugSimulateCalcGraphHangAfter:
                 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                 type: string
+              debugSimulateDataplaneApplyDelay:
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
               debugSimulateDataplaneHangAfter:
                 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                 type: string
@@ -1263,6 +1283,12 @@ spec:
                 type: string
               endpointReportingEnabled:
                 type: boolean
+              endpointStatusPathPrefix:
+                description: "EndpointStatusPathPrefix is the path to the directory
+                  where endpoint status will be written. Endpoint status file reporting
+                  is disabled if field is left empty. \n Chosen directory should match
+                  the directory used by the CNI for PodStartupDelay. [Default: \"\"]"
+                type: string
               externalNodesList:
                 description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
                   which may source tunnel traffic and have the tunneled traffic be
@@ -1534,7 +1560,7 @@ spec:
                 description: 'MetadataAddr is the IP address or domain name of the
                   server that can answer VM queries for cloud-init metadata. In OpenStack,
                   this corresponds to the machine running nova-api (or in Ubuntu,
-                  nova-api-metadata). A value of none (case insensitive) means that
+                  nova-api-metadata). A value of none (case-insensitive) means that
                   Felix should not set up any NAT rule for the metadata path. [Default:
                   127.0.0.1]'
                 type: string
@@ -2627,17 +2653,17 @@ spec:
                   any DNAT.
                 type: boolean
               selector:
-                description: "The selector is an expression used to pick pick out
-                  the endpoints that the policy should be applied to. \n Selector
-                  expressions follow this syntax: \n \tlabel == \"string_literal\"
-                  \ ->  comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
-                  \  ->  not equal; also matches if label is not present \tlabel in
-                  { \"a\", \"b\", \"c\", ... }  ->  true if the value of label X is
-                  one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
-                  ... }  ->  true if the value of label X is not one of \"a\", \"b\",
-                  \"c\" \thas(label_name)  -> True if that label is present \t! expr
-                  -> negation of expr \texpr && expr  -> Short-circuit and \texpr
-                  || expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
+                description: "The selector is an expression used to pick out the endpoints
+                  that the policy should be applied to. \n Selector expressions follow
+                  this syntax: \n \tlabel == \"string_literal\"  ->  comparison, e.g.
+                  my_label == \"foo bar\" \tlabel != \"string_literal\"   ->  not
+                  equal; also matches if label is not present \tlabel in { \"a\",
+                  \"b\", \"c\", ... }  ->  true if the value of label X is one of
+                  \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... }
+                  \ ->  true if the value of label X is not one of \"a\", \"b\", \"c\"
+                  \thas(label_name)  -> True if that label is present \t! expr ->
+                  negation of expr \texpr && expr  -> Short-circuit and \texpr ||
+                  expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
                   or the empty selector -> matches all endpoints. \n Label names are
                   allowed to contain alphanumerics, -, _ and /. String literals are
                   more permissive but they do not support escape characters. \n Examples
@@ -4295,17 +4321,17 @@ spec:
                   type: string
                 type: array
               selector:
-                description: "The selector is an expression used to pick pick out
-                  the endpoints that the policy should be applied to. \n Selector
-                  expressions follow this syntax: \n \tlabel == \"string_literal\"
-                  \ ->  comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
-                  \  ->  not equal; also matches if label is not present \tlabel in
-                  { \"a\", \"b\", \"c\", ... }  ->  true if the value of label X is
-                  one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
-                  ... }  ->  true if the value of label X is not one of \"a\", \"b\",
-                  \"c\" \thas(label_name)  -> True if that label is present \t! expr
-                  -> negation of expr \texpr && expr  -> Short-circuit and \texpr
-                  || expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
+                description: "The selector is an expression used to pick out the endpoints
+                  that the policy should be applied to. \n Selector expressions follow
+                  this syntax: \n \tlabel == \"string_literal\"  ->  comparison, e.g.
+                  my_label == \"foo bar\" \tlabel != \"string_literal\"   ->  not
+                  equal; also matches if label is not present \tlabel in { \"a\",
+                  \"b\", \"c\", ... }  ->  true if the value of label X is one of
+                  \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... }
+                  \ ->  true if the value of label X is not one of \"a\", \"b\", \"c\"
+                  \thas(label_name)  -> True if that label is present \t! expr ->
+                  negation of expr \texpr && expr  -> Short-circuit and \texpr ||
+                  expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
                   or the empty selector -> matches all endpoints. \n Label names are
                   allowed to contain alphanumerics, -, _ and /. String literals are
                   more permissive but they do not support escape characters. \n Examples
@@ -4591,7 +4617,7 @@ rules:
       - create
       - update
   # Calico must update some CRDs.
-  - apiGroups: [ "crd.projectcalico.org" ]
+  - apiGroups: ["crd.projectcalico.org"]
     resources:
       - caliconodestatuses
     verbs:
@@ -4770,7 +4796,7 @@ spec:
         # It can be deleted if this is a fresh installation, or if you have already
         # upgraded to use calico-ipam.
         - name: upgrade-ipam
-          image: docker.io/calico/cni:v3.27.0
+          image: docker.io/calico/cni:v3.28.0
           imagePullPolicy: IfNotPresent
           command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
           envFrom:
@@ -4798,7 +4824,7 @@ spec:
         # This container installs the CNI binaries
         # and CNI network config file on each node.
         - name: install-cni
-          image: docker.io/calico/cni:v3.27.0
+          image: docker.io/calico/cni:v3.28.0
           imagePullPolicy: IfNotPresent
           command: ["/opt/cni/bin/install"]
           envFrom:
@@ -4841,7 +4867,7 @@ spec:
         # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
         # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
         - name: "mount-bpffs"
-          image: docker.io/calico/node:v3.27.0
+          image: docker.io/calico/node:v3.28.0
           imagePullPolicy: IfNotPresent
           command: ["calico-node", "-init", "-best-effort"]
           volumeMounts:
@@ -4867,7 +4893,7 @@ spec:
         # container programs network policy and routes on each
         # host.
         - name: calico-node
-          image: docker.io/calico/node:v3.27.0
+          image: docker.io/calico/node:v3.28.0
           imagePullPolicy: IfNotPresent
           envFrom:
           - configMapRef:
@@ -5084,7 +5110,7 @@ spec:
       priorityClassName: system-cluster-critical
       containers:
         - name: calico-kube-controllers
-          image: docker.io/calico/kube-controllers:v3.27.0
+          image: docker.io/calico/kube-controllers:v3.28.0
           imagePullPolicy: IfNotPresent
           env:
             # Choose which controllers to run.
diff --git a/cesnet-central/playbooks/k8s.yaml b/cesnet-central/playbooks/k8s.yaml
index 5ff3340..96a651e 100644
--- a/cesnet-central/playbooks/k8s.yaml
+++ b/cesnet-central/playbooks/k8s.yaml
@@ -142,10 +142,10 @@
         # kube_nvidia_device_plugin_version: "v0.12.2"
         # kube_nvidia_driver_version: "515" # "525"
         kube_nvidia_support: true
-        kube_version: 1.29.4
+        kube_version: 1.30.2
         kube_network: 'none'  # custom network installation
         kube_install_helm: true
-        kube_install_helm_version: 'v3.13.0'
+        kube_install_helm_version: 'v3.15.2'
         kube_install_metrics: true
   tasks:
     - name: Create kubectl config dir
@@ -170,11 +170,11 @@
 - name: K8s network deployment
   hosts: master
   vars:
-    calicoctl_version: 3.27.0
+    calicoctl_version: 3.28.0
   tasks:
     - name: Calico config
       copy:
-        # https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calico.yaml
+        # https://raw.githubusercontent.com/projectcalico/calico/v3.28.0/manifests/calico.yaml
         src: files/calico.yaml
         dest: /tmp/calico-net.yaml
         mode: 0644
@@ -205,7 +205,7 @@
         # must be IPv4 address or hostname
         kube_server: "{{ hostvars[groups['master'][0]].kube_server | default(groups['master'][0]) }}"
         kube_type_of_node: wn
-        kube_version: 1.29.4
+        kube_version: 1.30.2
         kubelet_extra_args: '--volume-stats-agg-period 0'
   tasks:
     - name: Overlay2 mountpoint workaround to docker.service unit
@@ -353,7 +353,7 @@
       when: true
     - name: Cert-manager
       vars:
-        version: 1.13.3
+        version: 1.15.0
         config: >-
           --version={{ version }}
           --set ingressShim.defaultIssuerName=letsencrypt-prod
@@ -465,7 +465,7 @@
     - name: Prometheus
       vars:
         config: >-
-          --version=25.8.2
+          --version=25.21.0
           -f /tmp/prometheus.yaml
       shell: |-
         helm status --namespace prometheus prometheus
@@ -513,7 +513,7 @@
     - name: Grafana
       vars:
         config: >-
-          --version=7.0.3
+          --version=8.0.2
           -f /tmp/grafana.yaml
       shell: |-
         helm status --namespace grafana grafana
diff --git a/cesnet-central/playbooks/upgrade.yaml b/cesnet-central/playbooks/upgrade.yaml
index 9c041da..2c76219 100644
--- a/cesnet-central/playbooks/upgrade.yaml
+++ b/cesnet-central/playbooks/upgrade.yaml
@@ -6,7 +6,7 @@
 #
 # Usage example:
 #
-# VERSION=1.29.4
+# VERSION=1.30.2
 # ansible-playbook playbooks/upgrade.yaml --extra-vars "version=$VERSION"
 #
 - name: Upgrade and hold kubeadm package
@@ -15,8 +15,8 @@
   tasks:
     - name: New k8s repository
       copy:
-        dest: /etc/apt/sources.list.d/pkgs_k8s_io_core_stable_v1_29_deb.list
-        content: deb https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /
+        dest: /etc/apt/sources.list.d/pkgs_k8s_io_core_stable_v1_30_deb.list
+        content: deb https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /
         mode: 0644
     - name: Upgrade packages
       apt:
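Review bot: The new repository line written under `content:` carries no `[signed-by=...]` option, so packages from pkgs.k8s.io are accepted against whatever keys happen to be in the host's global apt trust store instead of a dedicated keyring; write it as `content: deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /` and make sure the keyring is installed by an earlier task (none is visible in this hunk, so this may already exist elsewhere in the playbook). The task only creates `pkgs_k8s_io_core_stable_v1_30_deb.list` and never removes the previous `pkgs_k8s_io_core_stable_v1_29_deb.list`, so after this change apt resolves kubeadm/kubelet against both minor-version repositories and every future bump leaves one more stale list behind; add a `file` task with `state: absent` for the old list, or derive the file name and URL from the `version` extra-var the playbook already takes so only one list ever exists. Quoting the file mode as `mode: "0644"` also avoids relying on YAML 1.1 octal parsing, as Ansible recommends. The `Upgrade packages` task continues past the end of this hunk.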
-- 
GitLab