Page MenuHomePhabricator
Create Task
Maniphest T250863

Upgrade calico to a more recent version (current is 3.14.0)
Closed, ResolvedPublic
Actions

Description

Since calico is containerized, the update should be fairly simple. However, comparison of the config and considerations such as iptables changes must be taken into account first. Our version is 3.8.0.

Details

SubjectRepoBranchLines +/-
toolforge-kubeadm: calico upgrade changesoperations/puppetproduction+226 -13
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bstorm created this task.Apr 21 2020, 9:04 PM
Bstorm removed a project: Epic.
Bstorm mentioned this in T246122: Upgrade the Toolforge Kubernetes cluster to v1.16.
JHedden triaged this task as Low priority.May 5 2020, 4:16 PM
JHedden moved this task from Inbox to Soon! on the cloud-services-team (Kanban) board.
Stashbot added a comment.May 12 2020, 5:35 PM

Mentioned in SAL (#wikimedia-cloud) [2020-05-12T17:35:56Z] <bstorm_> deployed an updated bit of yaml for calico without upgrading the version first T250863

Bstorm added a comment.May 12 2020, 5:39 PM

The new liveness probe does NOT work in 3.8.0. Trying with the upgrade.

Stashbot added a comment.May 12 2020, 5:44 PM

Mentioned in SAL (#wikimedia-cloud) [2020-05-12T17:44:16Z] <bstorm_> set the calico version to v3.14.0 because the new liveness probe isn't compatible with the old version. T250863

Bstorm added a comment.May 12 2020, 5:46 PM

I can confirm that calico upgrades are rolling with no real impact to network traffic. This makes sense because it should just impact changes to the network. That's a bit harder to see, but I have to have faith that the daemonsets maintain a reconciliation loop around that.

Bstorm added a comment.May 12 2020, 6:03 PM

Messing with adding an option to enable typha because it is totally unnecessary for toolsbeta (and we might need another node just to deploy it there).

Stashbot added a comment.May 12 2020, 6:35 PM

Mentioned in SAL (#wikimedia-cloud) [2020-05-12T18:35:41Z] <bstorm_> upgraded to using typha and rolled back to not doing so -- no affect on existing network T250863

gerritbot added a comment.May 12 2020, 6:40 PM

Change 596012 had a related patch set uploaded (by Bstorm; owner: Bstorm):
[operations/puppet@production] toolforge-kubeadm: calico upgrade changes

https://gerrit.wikimedia.org/r/596012

gerritbot added a project: Patch-For-Review.May 12 2020, 6:40 PM
Bstorm added a subscriber: aborrero.May 12 2020, 6:41 PM

@aborrero I *think* this will mean we won't need to worry about the iptables fixup anymore once this is the standard in Toolforge, right?

Bstorm renamed this task from Upgrade calico to a more recent version (current is 3.13.2) to Upgrade calico to a more recent version (current is 3.14.0).May 12 2020, 6:41 PM
Bstorm moved this task from Soon! to Doing on the cloud-services-team (Kanban) board.May 12 2020, 6:44 PM
aborrero added a comment.May 13 2020, 8:46 AM
In T250863#6130660, @Bstorm wrote:

@aborrero I *think* this will mean we won't need to worry about the iptables fixup anymore once this is the standard in Toolforge, right?

To be on the safe side we would need to make another round of testing:

  • calico/felix. Probably needs FELIX_IPTABLESBACKEND=NFT
  • docker: make sure it plays well with iptables-nft
  • kube-proxy: make sure it plays well with iptables-nft

If we could validate all these, I would be confident on dropping the workaround.

On the other hand, our workaround (using iptables-legacy) is pretty harmless at least in this Buster release cycle. It may make more sense resource-wise to just keep using iptables-legacy for now?
There is technical debt here, but it should be primarily addressed by the upstream projects I mentioned.

Also, a side note, if we eventually start playing with IPv6 seriously we will need kube-proxy in ipvs mode, and all this stuff will change.

Bstorm added a comment.May 13 2020, 4:33 PM
In T250863#6132245, @aborrero wrote:

On the other hand, our workaround (using iptables-legacy) is pretty harmless at least in this Buster release cycle. It may make more sense resource-wise to just keep using iptables-legacy for now?
There is technical debt here, but it should be primarily addressed by the upstream projects I mentioned.

Oh yeah! I don't mean right away. That would likely break things. Good notes on what to change, too.

Also, a side note, if we eventually start playing with IPv6 seriously we will need kube-proxy in ipvs mode, and all this stuff will change.

Heh, fair! We might not even want to think about it until then, in that case.

gerritbot added a comment.May 13 2020, 5:45 PM

Change 596012 merged by Bstorm:
[operations/puppet@production] toolforge-kubeadm: calico upgrade changes

https://gerrit.wikimedia.org/r/596012

Stashbot added a comment.May 13 2020, 6:10 PM

Mentioned in SAL (#wikimedia-cloud) [2020-05-13T18:10:21Z] <bstorm_> set "profile::toolforge::k8s::typha_enabled: true" in tools project for calico upgrade T250863

Maintenance_bot removed a project: Patch-For-Review.May 13 2020, 6:12 PM
Stashbot added a comment.May 13 2020, 6:14 PM

Mentioned in SAL (#wikimedia-cloud) [2020-05-13T18:14:15Z] <bstorm_> upgrading calico to 3.14.0 with typha enabled in Toolforge K8s T250863

Bstorm added a comment.May 13 2020, 6:21 PM

So far it looks good! 3 typha pods are stable and the calico-node pods are stable as they come up.

Bstorm added a comment.May 13 2020, 6:25 PM

Better yet, the 3 typha pods scheduled on separate nodes:

root@tools-k8s-control-1:~# kubectl -n kube-system get pods calico-typha-5cb967996c-j2klg -o wide
NAME                            READY   STATUS    RESTARTS   AGE     IP            NODE                  NOMINATED NODE   READINESS GATES
calico-typha-5cb967996c-j2klg   1/1     Running   0          9m27s   172.16.1.87   tools-k8s-worker-40   <none>           <none>
root@tools-k8s-control-1:~# kubectl -n kube-system get pods calico-typha-5cb967996c-xdkb4 -o wide
NAME                            READY   STATUS    RESTARTS   AGE     IP            NODE                  NOMINATED NODE   READINESS GATES
calico-typha-5cb967996c-xdkb4   1/1     Running   0          9m42s   172.16.1.70   tools-k8s-worker-41   <none>           <none>
root@tools-k8s-control-1:~# kubectl -n kube-system get pods calico-typha-5cb967996c-xzb6f -o wide
NAME                            READY   STATUS    RESTARTS   AGE     IP             NODE                  NOMINATED NODE   READINESS GATES
calico-typha-5cb967996c-xzb6f   1/1     Running   0          9m59s   172.16.1.170   tools-k8s-worker-56   <none>           <none>
Bstorm added a comment.May 13 2020, 7:01 PM

Upgrade is complete. Overall difference in load is not easy to see because there are normally spikes here and there on the control plane. We'll have to observe over a longer period to see if typha makes a difference. It likely will make a difference as we grow more than anything.

Bstorm closed this task as Resolved.May 13 2020, 7:04 PM
Bstorm claimed this task.
mdaniels5757 unsubscribed.May 28 2020, 7:38 PM
taavi mentioned this in T280342: Upgrade Calico to 3.18.Apr 16 2021, 10:57 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits