From 7bb9552e94e753aef2663ce98406762c5fcc3b84 Mon Sep 17 00:00:00 2001 From: ChengHao Yang <17496418+tico88612@users.noreply.github.com> Date: Sat, 24 May 2025 19:57:32 +0800 Subject: [PATCH 1/2] Fix: add cilium remove old resources option Give users two options: besides skip Cilium, add `cilium_remove_old_resources`, default is `false`, when set to `true`, it will remove the content of the old version, but it will cause the downtime, need to be careful to use. Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com> --- roles/network_plugin/cilium/defaults/main.yml | 3 ++ roles/network_plugin/cilium/tasks/main.yml | 5 +++ .../cilium/tasks/remove_old_resources.yml | 45 +++++++++++++++++++ 3 files changed, 53 insertions(+) create mode 100644 roles/network_plugin/cilium/tasks/remove_old_resources.yml diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml index 4f75d0009..efa954d8b 100644 --- a/roles/network_plugin/cilium/defaults/main.yml +++ b/roles/network_plugin/cilium/defaults/main.yml @@ -1,5 +1,8 @@ --- cilium_min_version_required: "1.15" + +# remove migrate after 2.29 released +cilium_remove_old_resources: false # Log-level cilium_debug: false diff --git a/roles/network_plugin/cilium/tasks/main.yml b/roles/network_plugin/cilium/tasks/main.yml index 8123c5a4c..dcdad1f94 100644 --- a/roles/network_plugin/cilium/tasks/main.yml +++ b/roles/network_plugin/cilium/tasks/main.yml @@ -5,5 +5,10 @@ - name: Cilium install include_tasks: install.yml +# Remove after 2.29 released +- name: Cilium remove old resources + when: cilium_remove_old_resources + include_tasks: remove_old_resources.yml + - name: Cilium apply include_tasks: apply.yml diff --git a/roles/network_plugin/cilium/tasks/remove_old_resources.yml b/roles/network_plugin/cilium/tasks/remove_old_resources.yml new file mode 100644 index 000000000..93bbcafac --- /dev/null +++ b/roles/network_plugin/cilium/tasks/remove_old_resources.yml 
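Review bot: The comment above `cilium_remove_old_resources` in roles/network_plugin/cilium/defaults/main.yml says only when the option should be removed, not what enabling it does. The commit message states that `true` removes the old-version resources and causes downtime, and that warning belongs next to the default where operators will read it. Suggested comment: `# When true, delete the old-version Cilium/Hubble resources before apply; this causes downtime. Remove this option after 2.29 is released.`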
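Review bot: The new `when: cilium_remove_old_resources` in roles/network_plugin/cilium/tasks/main.yml tests the raw variable, so a value that arrives as a string (for example `-e cilium_remove_old_resources=false` on the command line) is a non-empty string and evaluates as true on current Ansible releases. This condition gates a destructive delete of RBAC objects, Secrets and the Cilium DaemonSet, so the cast should be explicit: `when: cilium_remove_old_resources | bool`.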
@@ -0,0 +1,45 @@ +--- +# Remove after 2.29 released +- name: Cilium | Delete Old Resource + command: | + {{ kubectl }} delete {{ item.kind | lower }} {{ item.name }} \ + {{ '-n kube-system' if item.kind not in ['ClusterRole', 'ClusterRoleBinding'] else '' }} \ + loop: + - { kind: ServiceAccount, name: cilium } + - { kind: ServiceAccount, name: cilium-operator } + - { kind: ServiceAccount, name: hubble-generate-certs } + - { kind: ServiceAccount, name: hubble-relay } + - { kind: ServiceAccount, name: hubble-ui } + - { kind: Service, name: hubble-metrics } + - { kind: Service, name: hubble-relay-metrics } + - { kind: Service, name: hubble-relay } + - { kind: Service, name: hubble-ui } + - { kind: Service, name: hubble-peer } + - { kind: Deployment, name: cilium-operator } + - { kind: Deployment, name: hubble-relay } + - { kind: Deployment, name: hubble-ui } + - { kind: DaemonSet, name: cilium } + - { kind: CronJob, name: hubble-generate-certs } + - { kind: Job, name: hubble-generate-certs } + - { kind: ConfigMap, name: cilium-config } + - { kind: ConfigMap, name: ip-masq-agent } + - { kind: ConfigMap, name: hubble-relay-config } + - { kind: ConfigMap, name: hubble-ui-nginx } + - { kind: ClusterRole, name: cilium } + - { kind: ClusterRole, name: cilium-operator } + - { kind: ClusterRole, name: hubble-generate-certs } + - { kind: ClusterRole, name: hubble-relay } + - { kind: ClusterRole, name: hubble-ui } + - { kind: ClusterRoleBinding, name: cilium } + - { kind: ClusterRoleBinding, name: cilium-operator } + - { kind: ClusterRoleBinding, name: hubble-generate-certs } + - { kind: ClusterRoleBinding, name: hubble-relay } + - { kind: ClusterRoleBinding, name: hubble-ui } + - { kind: Secret, name: hubble-ca-secret } + - { kind: Secret, name: hubble-relay-client-certs } + - { kind: Secret, name: hubble-server-certs } + register: patch_result + when: inventory_hostname == groups['kube_control_plane'][0] + failed_when: + - patch_result.rc != 0 + - "'not found' not in 
patch_result.stderr" From 1f9020f0b496871dbfa01b7c2388b13ebdad6654 Mon Sep 17 00:00:00 2001 From: ChengHao Yang <17496418+tico88612@users.noreply.github.com> Date: Sat, 24 May 2025 20:00:16 +0800 Subject: [PATCH 2/2] Fix: if cilium release exist, the action will set upgrade `cilium install` is equivalent to `helm install`, it will failed if cilium relase exist. `cilium version` can know the release exist without helm binary Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com> --- roles/network_plugin/cilium/tasks/apply.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/roles/network_plugin/cilium/tasks/apply.yml b/roles/network_plugin/cilium/tasks/apply.yml index 04a761c47..b150b3384 100644 --- a/roles/network_plugin/cilium/tasks/apply.yml +++ b/roles/network_plugin/cilium/tasks/apply.yml @@ -1,6 +1,17 @@ --- +- name: Check if Cilium Helm release exists (via cilium version) + command: "{{ bin_dir }}/cilium version" + register: cilium_release_info + when: inventory_hostname == groups['kube_control_plane'][0] + failed_when: false + changed_when: false + +- name: Set action to install or upgrade + set_fact: + cilium_action: "{{ 'install' if ('release: not found' in cilium_release_info.stderr | default('') or 'release: not found' in cilium_release_info.stdout | default('')) else 'upgrade' }}" + - name: Cilium | Install - command: "{{ bin_dir }}/cilium install --version {{ cilium_version }} -f {{ kube_config_dir }}/cilium-values.yaml" + command: "{{ bin_dir }}/cilium {{ cilium_action }} --version {{ cilium_version }} -f {{ kube_config_dir }}/cilium-values.yaml" when: inventory_hostname == groups['kube_control_plane'][0] - name: Cilium | Wait for pods to run
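Review bot: The delete loop in remove_old_resources.yml selects objects by fixed name only, and nothing in the hunk checks that they are the old, pre-migration objects. If the new install reuses these names (likely for `cilium`, `cilium-operator` and `cilium-config`, though that is not shown here), leaving the flag on would delete the live DaemonSet, the ClusterRoles/Bindings and the Hubble certificate Secrets on every later run. Consider gating the task on the release being absent, or documenting that the flag must be reset once the migration is done. Separately, the last command line ends in a dangling ` \`, and the stderr string match can be replaced by kubectl's own flag: add `--ignore-not-found` with `changed_when: "'deleted' in patch_result.stdout"` and drop `failed_when`.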
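Review bot: The install/upgrade decision in apply.yml fails open: the probe runs with `failed_when: false`, and the `set_fact` picks `upgrade` whenever the text `release: not found` is absent. A missing binary, an unreachable API server or a reworded message from a newer cilium CLI would all land on `upgrade` with no diagnostic from the probe itself. Keep the probe non-fatal only for the expected case, e.g. `failed_when: cilium_release_info.rc != 0 and 'release: not found' not in (cilium_release_info.stderr ~ cilium_release_info.stdout)`. The `set_fact` should also get the same `when: inventory_hostname == groups['kube_control_plane'][0]` as the probe, so it never evaluates a skipped result on other hosts.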