Calico: Difference between revisions
imported>JMeybohm No edit summary |
imported>JMeybohm No edit summary |
||
Line 1: | Line 1: | ||
[http://docs.projectcalico.org Calico] is a virtual network infrastructure that we use to manage | {{Kubernetes nav}} | ||
[http://docs.projectcalico.org Calico] is a virtual network infrastructure that we use to manage Kubernetes networking. | |||
== Operations == | |||
Calico should be running via a Daemonset on every node of a Kubernetes cluster, establishing a BGP peering with the core routers (see [[IP and AS allocations#Private AS]]). | |||
Unfortunately, Calico [https://github.com/projectcalico/node/issues/519 currently] does not set the <code>NetworkUnavailable</code> condition to true on nodes where it is not running or failing, although that will ultimately render the node unusable. Therefore a Prometheus alert will fire in case if fails to scrape Calico metrics from a node. | |||
If you are reading this page because you've seen such an alert: | |||
* Check the nodes state with: <code>kubectl describe node <node fqdn></code> | |||
* Take a look at the latest events in the cluster: https://logstash.wikimedia.org/app/dashboards#/view/d43f9bf0-17b5-11eb-b848-090a7444f26c | |||
* Check the logs of calico-node Pods: https://logstash.wikimedia.org/app/dashboards#/view/f6a5b090-0020-11ec-81e9-e1226573bad4 | |||
== Packaging == | == Packaging == |
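Review bot: The alert sentence in the new Operations section reads "a Prometheus alert will fire in case if fails to scrape Calico metrics from a node", which has a typo ("if" for "it") and leaves unclear what is failing; suggest "a Prometheus alert will fire if Prometheus fails to scrape Calico metrics from a node". In the first bullet, "Check the nodes state" should read "Check the node's state". The Calico docs link on the first line uses http://; consider linking the https:// URL instead.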
Revision as of 12:59, 18 August 2021
Calico is a virtual network infrastructure that we use to manage Kubernetes networking.
Operations
Calico should be running via a Daemonset on every node of a Kubernetes cluster, establishing a BGP peering with the core routers (see IP and AS allocations#Private AS).
Unfortunately, Calico currently does not set the NetworkUnavailable condition to true on nodes where it is not running or is failing, although that will ultimately render the node unusable. Therefore, a Prometheus alert will fire if Prometheus fails to scrape Calico metrics from a node.
If you are reading this page because you've seen such an alert:
- Check the node's state with: kubectl describe node <node fqdn>
- Take a look at the latest events in the cluster: https://logstash.wikimedia.org/app/dashboards#/view/d43f9bf0-17b5-11eb-b848-090a7444f26c
- Check the logs of calico-node Pods: https://logstash.wikimedia.org/app/dashboards#/view/f6a5b090-0020-11ec-81e9-e1226573bad4
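A cross-check for the alert described above, as an added example that is not part of the original page: since Calico does not set NetworkUnavailable itself, the script compares the node list with the calico-node Pods and reports every node that has no Running and Ready Pod. The kube-system namespace and the k8s-app=calico-node selector in the comments are assumptions, and the sample data is constructed.

```python
# Input comes from (selector and namespace are assumptions, adjust to your cluster):
#   kubectl get nodes -o json
#   kubectl -n kube-system get pods -l k8s-app=calico-node -o json

def condition(obj, ctype):
    """Return the status string of condition `ctype`, or None if it is absent."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == ctype:
            return cond.get("status")
    return None

def nodes_without_healthy_calico(nodes, pods):
    """Map node name -> reason, for nodes lacking a Running and Ready calico-node Pod."""
    healthy, unhealthy = set(), {}
    for pod in pods["items"]:
        node = pod["spec"].get("nodeName")
        phase = pod["status"].get("phase")
        if phase == "Running" and condition(pod, "Ready") == "True":
            healthy.add(node)
        elif node:
            unhealthy[node] = f"calico-node Pod is {phase}, Ready={condition(pod, 'Ready')}"
    findings = {}
    for item in nodes["items"]:
        name = item["metadata"]["name"]
        if name not in healthy:
            reason = unhealthy.get(name, "no calico-node Pod on this node")
            # The node's own condition is shown because Calico does not update it.
            findings[name] = f"{reason}; NetworkUnavailable={condition(item, 'NetworkUnavailable')}"
    return findings

def _node(name, net_unavailable=None):  # helper for the constructed sample below
    conds = [{"type": "Ready", "status": "True"}]
    if net_unavailable is not None:
        conds.append({"type": "NetworkUnavailable", "status": net_unavailable})
    return {"metadata": {"name": name}, "status": {"conditions": conds}}

def _pod(node, phase, ready):  # helper for the constructed sample below
    return {"spec": {"nodeName": node},
            "status": {"phase": phase, "conditions": [{"type": "Ready", "status": ready}]}}

# Constructed sample: node-b's Pod is not Ready, node-c has no Pod at all.
SAMPLE_NODES = {"items": [_node("node-a.example", "False"), _node("node-b.example", "False"),
                          _node("node-c.example")]}
SAMPLE_PODS = {"items": [_pod("node-a.example", "Running", "True"),
                         _pod("node-b.example", "Running", "False")]}

if __name__ == "__main__":
    for name, reason in nodes_without_healthy_calico(SAMPLE_NODES, SAMPLE_PODS).items():
        print(f"{name}: {reason}")
```

In the sample, node-b still reports NetworkUnavailable=False although its calico-node Pod is not Ready, which is the gap the Prometheus alert covers.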
Packaging
Note: <dist> below stands for one of the Debian distribution's codenames, e.g. jessie, stretch, buster, bullseye. Make sure you use the one you target.
We don't actually build Calico but package its components from upstream binary releases.
Because of that, you will need to set HTTP proxy variables for internet access on the build host.
The general process to follow is:
- Check out operations/debs/calico on your workstation
- Decide if you want to package a new master (production) or future (potential next production) version
- Create a patch to bump the debian changelog
export NEW_VERSION=3.16.5 # Calico version you want to package
dch -v ${NEW_VERSION}-1 -D unstable "Update to v${NEW_VERSION}"
git commit debian/changelog
# If you're packaging a new future version, make sure to submit the patch to the correct branch
git review future
- Merge
- Check out operations/debs/calico on the build host
- Build the packages:
git checkout future # If you are building a version that is not going directly to production
# Ensure you allow networking in pbuilder
# This option needs to be in the file, an environment variable will *not* work!
echo "USENETWORKING=yes" >> ~/.pbuilderrc
# Build the package
https_proxy=http://webproxy.$(hostname -d):8080 DIST=<dist> pdebuild
Updating helm charts
There are two helm charts that might need updating, depending on the changes in a newly packaged calico version:
Publishing
The Debian Packages
# On apt1001, copy the packages from the build host
rsync -vaz deneb.codfw.wmnet::pbuilder-result/<dist>-amd64/calico*<PACKAGE VERSION>* .
# If you want to import a new production version, import to component main
sudo -i reprepro -C main --ignore=wrongdistribution include <dist>-wikimedia /path/to/<PACKAGE>.changes
# If you want to import a test/pre-production version, import to component calico-future
sudo -i reprepro -C component/calico-future --ignore=wrongdistribution include <dist>-wikimedia /path/to/<PACKAGE>.changes
The Docker Images
Calico also includes a bunch of docker images which need to be published into our docker registry. To simplify the process, the packaging generates a debian package named "calico-images" that includes the images as well as a script to publish them:
# On the build host, extract the calico-images debian package
tmpd=$(mktemp -d)
dpkg -x /var/cache/pbuilder/result/<dist>-amd64/calico-images_<PACKAGE_VERSION>_amd64.deb $tmpd
# Load and push the images
sudo -i CALICO_IMAGE_DIR=${tmpd}/usr/share/calico ${tmpd}/usr/share/calico/push-calico-images.sh
rm -rf $tmpd
Updating
- Update debian packages calicoctl and calico-cni on kubernetes nodes using Debdeploy
- Update image.tag version in helmfile.d/admin_ng/values/<Cluster>/calico-values.yaml
- Deploy to the cluster(s) that you want updated