[Do not merge]Move apiserver component into calico-system ns for enterprise #3960
Conversation
vara2504
force-pushed
the
mfp_ns_apiserver
branch
from
fb938ce to
ac6d107
Compare
vara2504
changed the title
| // deployment becomes unhealthy and reconciliation of non-NetworkPolicy resources in the apiserver controller | ||
| // would resolve it, we render the network policies of components last to prevent a chicken-and-egg scenario. | ||
| if includeV3NetworkPolicy { | ||
| components = append(components, render.APIServerPolicy(&apiServerCfg)) |
There was a problem hiding this comment.
Moved includeV3NetworkPolicy from later in the render sequence (line 455) to the beginning. This ensures the cnx-apiserver-access NetworkPolicy is created early during upgrades, while API server pods are still running in the tigera-system namespace. This prevents default deny issues in calico-system when new API server pods start there.
Even though the default deny policy in calico-system is updated to exclude API server pods, applying that update still requires a healthy API server — hence the need to ensure access first
There was a problem hiding this comment.
Can we rename this from cnx-access as part of this move? cnx is confusing and has no meaning.
There was a problem hiding this comment.
OK if not, but if it's easy that would be nice.
| @@ -408,6 +418,10 @@ func (r *ReconcileAPIServer) Reconcile(ctx context.Context, request reconcile.Re | |||
| return reconcile.Result{}, err | |||
| } | |||
|
|
|||
| // Check if the legacy namespace 'tigera-system' exists and can be cleaned up | |||
| canCleanupOlderResources := false | |||
There was a problem hiding this comment.
Looks like line 422 can be removed. Optionally, 423 can be removed and called in-line @446.
| @@ -2063,3 +2063,20 @@ func crdPoolsToOperator(crds []crdv1.IPPool) []operator.IPPool { | |||
| } | |||
| return pools | |||
| } | |||
|
|
|||
| func allowTigeraDefaultDenyForCalicoSystem(namespace string) *v3.NetworkPolicy { | |||
There was a problem hiding this comment.
No need for passing a namespace.
pkg/controller/utils/utils.go
Outdated
| @@ -1039,3 +1039,15 @@ func MaintainInstallationFinalizer( | |||
| // Update the installation with any finalizer changes. | |||
| return c.Patch(ctx, installation, patchFrom) | |||
| } | |||
|
|
|||
| func IsTigeraStatusReady(ts *operatorv1.TigeraStatus, l logr.Logger) bool { | |||
There was a problem hiding this comment.
Should we perhaps make an available() method on the object itself? Logging can be removed or handled outside of the func.
Update default deny policy in calico-system to exclude API server pods Create a separate CA bundle for the API server in calico-system Clean up the legacy tigera-system namespace Update all references from tigera-system to calico-system
vara2504
force-pushed
the
mfp_ns_apiserver
branch
from
461172e to
c5066b9
Compare
Need to be merged along with the calico-private changes.
Changes to move the API server component into the calico-system namespace for the enterprise variant
Update default deny policy in calico-system to exclude API server pods
Create a separate CA bundle for the API server in calico-system
Clean up the legacy tigera-system namespace
Update all references from tigera-system to calico-system
Description
For PR author
make gen-filesmake gen-versionsFor PR reviewers
A note for code reviewers - all pull requests must have the following:
kind/bugif this is a bugfix.kind/enhancementif this is a a new feature.enterpriseif this PR applies to Calico Enterprise only.