From 0f1af5def162b6ceb67932b5975fef4fb80a386b Mon Sep 17 00:00:00 2001 
From: Sheogorath <sheogorath@shivering-isles.com> Date: Sat, 14 May 2022 20:26:45 +0200 Subject: [PATCH] Upgrade calico to version 3.23.0 This patch Upgrades calico to version 3.23.0, which is a complicated endeavour since it switches the helm release namespaces from default to tigera-operator. Besides the regular upgrade tasks, this reqires some explicit adjusting of helm annotations and flux labels, in order to convince the cluster, that's how it always has been. The following tasks need to be done: Before you start --- Disable flux: ``` kubectl scale deployment -n flux-system source-controller --replicas 0 kubectl scale deployment -n flux-system helm-controller --replicas 0 kubectl scale deployment -n flux-system kustomize-controller --replicas 0 ``` The upgrade --- Push/merge this patch. (!!!) Update helm release annotations: ``` kubectl patch installation default --type=merge -p '{"metadata": {"annotations": {"meta.helm.sh/release-namespace": "tigera-operator"}}}' kubectl patch apiserver default --type=merge -p '{"metadata": {"annotations": {"meta.helm.sh/release-namespace": "tigera-operator"}}}' kubectl patch podsecuritypolicy tigera-operator --type=merge -p '{"metadata": {"annotations": {"meta.helm.sh/release-namespace": "tigera-operator"}}}' kubectl patch -n tigera-operator deployment tigera-operator --type=merge -p '{"metadata": {"annotations": {"meta.helm.sh/release-namespace": "tigera-operator"}}}' kubectl patch -n tigera-operator serviceaccount tigera-operator --type=merge -p '{"metadata": {"annotations": {"meta.helm.sh/release-namespace": "tigera-operator"}}}' kubectl patch clusterrole tigera-operator --type=merge -p '{"metadata": {"annotations": {"meta.helm.sh/release-namespace": "tigera-operator"}}}' kubectl patch clusterrolebinding tigera-operator tigera-operator --type=merge -p '{"metadata": {"annotations": {"meta.helm.sh/release-namespace": "tigera-operator"}}}' ``` Patch flux labels: ``` kubectl patch installation default --type=merge -p 
'{"metadata": {"labels": {"helm.toolkit.fluxcd.io/namespace": "tigera-operator"}}}' kubectl patch apiserver default --type=merge -p '{"metadata": {"labels": {"helm.toolkit.fluxcd.io/namespace": "tigera-operator"}}}' kubectl patch podsecuritypolicy tigera-operator --type=merge -p '{"metadata": {"labels": {"helm.toolkit.fluxcd.io/namespace": "tigera-operator"}}}' kubectl patch -n tigera-operator deployment tigera-operator --type=merge -p '{"metadata": {"labels": {"helm.toolkit.fluxcd.io/namespace": "tigera-operator"}}}' kubectl patch -n tigera-operator serviceaccount tigera-operator --type=merge -p '{"metadata": {"labels": {"helm.toolkit.fluxcd.io/namespace": "tigera-operator"}}}' kubectl patch clusterrole tigera-operator --type=merge -p '{"metadata": {"labels": {"helm.toolkit.fluxcd.io/namespace": "tigera-operator"}}}' kubectl patch clusterrolebinding tigera-operator tigera-operator --type=merge -p '{"metadata": {"labels": {"helm.toolkit.fluxcd.io/namespace": "tigera-operator"}}}' ``` Remove flux labels from namespace: ``` kubectl label namespace tigera-operator helm.toolkit.fluxcd.io/namespace- ``` Get values: ``` helm get values -n default calico > values.yaml ``` Install calico: ``` helm repo add projectcalico https://projectcalico.docs.tigera.io/charts helm install calico projectcalico/tigera-operator --version v3.23.0 --namespace tigera-operator --values values.yaml ``` Migrate flux helmrelease: ``` kubectl apply -n tigera-operator -f bootstrap/calico/release.yaml kubectl patch helmrelease calico --type=json -p="[{'op': 'remove', 'path': '/metadata/finalizers'}]" -n default kubectl delete helmrelease -n default calico ``` Delete old helm install: ``` kubectl delete secret -n default -l name=calico -l owner=helm ``` Starting flux again --- ``` kubectl scale deployment -n flux-system source-controller --replicas 1 kubectl scale deployment -n flux-system helm-controller --replicas 1 kubectl scale deployment -n flux-system kustomize-controller --replicas 1 ``` 
References: https://projectcalico.docs.tigera.io/archive/v3.23/release-notes/ --- bootstrap/calico/kustomization.yaml | 3 ++- bootstrap/calico/namespace.yaml | 6 ++++++ bootstrap/calico/release.yaml | 6 +++--- bootstrap/calico/repository.yaml | 2 +- 4 files changed, 12 insertions(+), 5 deletions(-) create mode 100644 bootstrap/calico/namespace.yaml diff --git a/bootstrap/calico/kustomization.yaml b/bootstrap/calico/kustomization.yaml index d9e0d9152..0ced8b85c 100644 --- a/bootstrap/calico/kustomization.yaml +++ b/bootstrap/calico/kustomization.yaml @@ -1,6 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default +namespace: tigera-operator resources: + - namespace.yaml - repository.yaml - release.yaml diff --git a/bootstrap/calico/namespace.yaml b/bootstrap/calico/namespace.yaml new file mode 100644 index 000000000..27cd9ea11 --- /dev/null +++ b/bootstrap/calico/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: tigera-operator + labels: + kyverno.shivering-isles.com/class: "system" diff --git a/bootstrap/calico/release.yaml b/bootstrap/calico/release.yaml index b660f0f57..75229c824 100644 --- a/bootstrap/calico/release.yaml +++ b/bootstrap/calico/release.yaml @@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: calico - namespace: default + namespace: tigera-operator spec: releaseName: calico chart: @@ -11,8 +11,8 @@ spec: sourceRef: kind: HelmRepository name: projectcalico - namespace: default - version: v3.22.2 + namespace: tigera-operator + version: v3.23.0 interval: 15m values: apiServer: diff --git a/bootstrap/calico/repository.yaml b/bootstrap/calico/repository.yaml index 157b6cc5b..a73f2fa61 100644 --- a/bootstrap/calico/repository.yaml +++ b/bootstrap/calico/repository.yaml 
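Review bot: The label `kyverno.shivering-isles.com/class: "system"` in the new bootstrap/calico/namespace.yaml is undocumented, and nothing in this patch shows which Kyverno policies select on it. If that class relaxes or skips policy enforcement for the namespace (inferred from the name, not visible here), the file should say so. It matters here because the commit message patches a `clusterrole` and `clusterrolebinding` for the operator running in this namespace, which suggests it holds cluster-scoped permissions. I would add a comment above the label such as `# "system" class: <effect of the Kyverno policies for this class>; only the Calico operator belongs in this namespace`.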
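Review bot: In bootstrap/calico/release.yaml, `sourceRef.namespace` has to be edited by hand in step with `metadata.namespace` and with repository.yaml, and a mismatch would turn it into a cross-namespace source reference. Flux defaults `sourceRef.namespace` to the HelmRelease's own namespace, so the line `namespace: tigera-operator` under `sourceRef` can be dropped. The release and its chart source then stay co-located on any later move. The `namespace: tigera-operator` in kustomization.yaml most likely does not rewrite this nested field, so it does not cover it; worth confirming against the rendered output.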
@@ -2,7 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta1 kind: HelmRepository metadata: name: projectcalico - namespace: default + namespace: tigera-operator spec: interval: 30m url: https://docs.projectcalico.org/charts -- GitLab
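Review bot: The context line `url: https://docs.projectcalico.org/charts` in bootstrap/calico/repository.yaml is left unchanged, while the manual install step in the commit message adds the repo as `https://projectcalico.docs.tigera.io/charts`. The release is therefore installed by hand from one chart source and afterwards reconciled by flux from another. If the older host merely redirects (not verifiable from this page), the cluster's chart supply depends on that redirect staying in place and pointing where expected. I would align the HelmRepository with the documented source, `url: https://projectcalico.docs.tigera.io/charts`, or change the commit message to use the URL flux actually pulls from.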