From 179e19543dc9c14346a1af3c0a76c0532e3000db Mon Sep 17 00:00:00 2001 From: Caio Bruchert Date: Fri, 19 Jul 2024 08:49:12 -0300 Subject: [PATCH] Disable IPIP tunnel in Calico Currently the default IPv4 IPPool configuration sets ipipMode to always, enabling Calico to use an overlay networking for the pods to communicate between different nodes using IPIP encapsulation. This overlay has caused some problems in the past and, since it's not needed, it will be removed by this change. The default IPv6 IPPool already uses the flat networking model, so it needs no changes. Besides a supporting fresh install with IPIP disabled, release upgrades should also support disabling IPIP during data migration. That's implemented through a new upgrade script. Note: it was not possible to test a full upgrade using AIO-DX due to USM bugs. This test will be done again when USM is stable. Test Plan: PASS: AIO-DX: fresh install: check pod communicating without encap PASS: AIO-SX: upgrade: check that IPIP was disabled PASS: AIO-SX: upgrade rollback: check that IPIP was re-enabled Story: 2011124 Task: 50617 Change-Id: I8685057fc67735f9bafed442ef553cff3c6da1e6 Signed-off-by: Caio Bruchert
---
 puppet-manifests/src/modules/platform/manifests/kubernetes.pp | 2 --
 .../src/modules/platform/templates/callico_ippool.yaml.erb | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
index 0b3de7e82..ba2565788 100644
--- a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
+++ b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
@@ -2142,7 +2142,6 @@ class platform::kubernetes::dual_stack::ipv4::runtime {
 logoutput => true,
 }
 if $state == true {
- $ipip_mode = 'Always'
 file { $def_pool_filename:
 ensure => file,
 content => template('platform/callico_ippool.yaml.erb'),
@@ -2224,7 +2223,6 @@ class platform::kubernetes::dual_stack::ipv6::runtime {
 logoutput => true,
 }
 if $state == true {
- $ipip_mode = 'Never'
 file { $def_pool_filename:
 ensure => file,
 content => template('platform/callico_ippool.yaml.erb'),
diff --git a/puppet-manifests/src/modules/platform/templates/callico_ippool.yaml.erb b/puppet-manifests/src/modules/platform/templates/callico_ippool.yaml.erb
index 2af7c2bbf..01a2e3cb8 100644
--- a/puppet-manifests/src/modules/platform/templates/callico_ippool.yaml.erb
+++ b/puppet-manifests/src/modules/platform/templates/callico_ippool.yaml.erb
@@ -6,6 +6,6 @@ metadata:
 name: default-<%= @protocol %>-ippool
 spec:
 cidr: <%= @pod_sec_subnet %>
- ipipMode: <%= @ipip_mode %>
+ ipipMode: Never
 natOutgoing: true
 vxlanMode: Never
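Review bot: With `ipipMode: Never` now hard-coded next to `vxlanMode: Never`, the template in the last hunk produces pools with no encapsulation at all, and nothing in the file records that this is deliberate or what it depends on. Pod traffic between nodes then leaves the host carrying pod addresses, so the node network has to route the pod CIDR and any host or fabric filtering sees pod IPs instead of node-to-node IPIP; this is inferred from the two settings, since the routing setup is not visible in the patch. I would add a comment above the changed line, for example `# No overlay: ipipMode and vxlanMode are both Never; the pod CIDR must be routable between nodes.` If firewall rules elsewhere still permit IP protocol 4 between nodes for the old tunnel, they look like candidates for removal in a follow-up. The template renders both the IPv4 and IPv6 pools (`default-<%= @protocol %>-ippool`), so the fixed value applies to both.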