An option to configure the felix via operator #7735

Closed
resworld opened this issue Jun 2, 2023 · 9 comments

resworld commented Jun 2, 2023

Hello there,

Basically, I want to be able to configure the felix software via the helm installation so I can change some configs defined here: https://docs.tigera.io/archive/v3.7/reference/felix/configuration
I can find that my calico configuration has a felix cfg file, but it is hardcoded in the container: /etc/calico/felix.cfg

Expected Behavior

I am expecting to have ability to configure felix via values.yaml.

Current Behavior

Currently I am seeing it is not possible: https://docs.tigera.io/calico/latest/reference/felix/configuration

If you have installed Calico using the operator, you cannot modify the environment provided to felix directly.

Possible Solution

Maybe it would be great if we could add different options in the values.yaml, for example:

installation:
  kubernetesProvider: EKS
  felix:
    LogFilePath: /tmp/logfile.log
    UsageReportingEnabled: false

Steps to Reproduce (for bugs)

Follow the instructions for helm install of calico

Context

I want to change some configurations in felix

Your Environment

  • Calico version: docker.io/calico/node:v3.25.0
  • Orchestrator version (e.g. kubernetes, mesos, rkt): EKS
@caseydavenport
Member

Right now, the way to do this is to create a FelixConfiguration API object. However, this has to happen post-helm, because the API won't exist until after Calico is installed.

@resworld
Author

resworld commented Jun 5, 2023

Hi @caseydavenport and thank you for the reply,

Is there any document on how to do that? Sorry, I am not very familiar with Felix and not sure if I know the proper steps I need to follow. Thank you.

@lwr20
Member

lwr20 commented Jun 5, 2023

https://docs.tigera.io/calico/latest/reference/felix/configuration
https://docs.tigera.io/calico/latest/reference/resources/felixconfig

Basically, create the Felixconfig yaml then apply it with calicoctl (or kubectl, IF you installed the calico-apiserver first)

@WoodyWoodsta

Is there a way to configure the default FelixConfiguration that is created by the operator?

I want to enable wireguard on all nodes by default. The documentation for felix configuration is this:

Configuration for Felix is read from one of four possible locations, in order, as follows.

  • Environment variables.
  • The Felix configuration file.
  • Host-specific FelixConfiguration resources (node.).
  • The global FelixConfiguration resource (default).

Based on my understanding of this and a bit of experimentation, the only way to set a global default is to update the default resource. However, since this is something that is created by the operator, it cannot be IaC managed, unless the operator exposes configuration via helm.

@caseydavenport
Member

@WoodyWoodsta I believe there is some work to expose FelixConfiguration via the helm chart in the works.

You should in the meantime be able to create a default FC with calicoctl. e.g.,

  • kubectl create -f tigera-operator.yaml
  • calicoctl create -f fc.yaml
  • kubectl create -f custom-resources.yaml

This series allows you to set the default prior to the operator creating it. Obviously this would be better if the helm chart just supported it, though. And that's where we'd like to be.
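
The `fc.yaml` named in the sequence above is not shown in the thread. As an added example (not posted by the commenter and not taken from the Calico project), a minimal global default that enables WireGuard on all nodes, the setting asked about in the preceding comment, could look like this; the `wireguardEnabled` field comes from the FelixConfiguration resource reference linked earlier in the thread.

```yaml
# fc.yaml: global default FelixConfiguration (added example, not from the thread).
# Created with calicoctl after tigera-operator.yaml and before
# custom-resources.yaml, so the default exists before the operator creates one.
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  # "default" is the global resource that applies to every node.
  name: default
spec:
  # Encrypt pod traffic between nodes with WireGuard (IPv4).
  # Nodes need WireGuard support in the kernel for this to take effect.
  wireguardEnabled: true
```

After the install completes, `calicoctl get felixconfiguration default -o yaml` shows the resource Felix is reading, which is where to confirm the setting survived.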

@caseydavenport
Member

tigera/docs#1333

This PR documents changes added for the upcoming v3.28 Calico release that allow setting default felix configuration via helm

@caseydavenport caseydavenport added this to the Calico v3.28.0 milestone Feb 27, 2024
@ziptx

ziptx commented Aug 20, 2024

@caseydavenport I am unclear on which yaml file and what version of API to use when trying to create the default resource with a customized FelixConfiguration. Installation requires operator.tigera.io/v1 and FelixConfiguration option requires projectcalico.org/v3.

This is my yaml file for deploying the Calico CNI: [I am trying to set iptablesBackend]. Where is the FelixConfiguration placed in this example?

---
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  calicoNetwork:
    # Note: The ipPools section cannot be modified post-install.
    ipPools:
      - blockSize: 122
        cidr: fd00:26c::/64
        encapsulation: VXLAN
        natOutgoing: Enabled
        nodeSelector: all()
---
# This section configures the Calico API server.
# For more information, see: https://docs.tigera.io/calico/latest/reference/installation/api#operator.tigera.io/v1.APIServer
apiVersion: operator.tigera.io/v1
kind: APIServer
metadata:
  name: default
spec: {}

@caseydavenport
Member

It would go into the helm values.yaml file as outlined here: https://docs.tigera.io/calico/latest/reference/installation/helm_customization#common-customizations

@ziptx

ziptx commented Aug 22, 2024

Thanks for the Helm hint and documentation snippet! There is not a lot of great documentation on installing Operator with Helm. I believe I have combined my original Operator config correctly into this values.yaml file, but the iptablesBackend setting does not seem to be getting to the node/daemonset. There is no FELIX_IPTABLESBACKEND entry after install. Is it your opinion that these projectcalico.org/v3 settings can be pushed with a helm install?

Environment:
Kubernetes 1.30.4
Calico 3.28.1

Using command helm install -f values.yaml calico projectcalico/tigera-operator --namespace tigera-operator

imagePullSecrets: {}
installation:
  enabled: true
  kubernetesProvider: ""
  calicoNetwork:
    ipPools:
    - blockSize: 122
      cidr: fd00:26c::/64
      encapsulation: VXLAN
      natOutgoing: Enabled
      nodeSelector: all()
  
apiServer:
  enabled: true
certs:
  node:
    key:
    cert:
    commonName:
  typha:
    key:
    cert:
    commonName:
    caBundle:

defaultFelixConfiguration:
  enabled: true
  iptablesBackend: NFT

resources: {}
tolerations:
- effect: NoExecute
  operator: Exists
- effect: NoSchedule
  operator: Exists
nodeSelector:
  kubernetes.io/os: linux
podAnnotations: {}
podLabels: {}
tigeraOperator:
  image: tigera/operator
  registry: quay.io
calicoctl:
  image: docker.io/calico/ctl

/var/lib/kubelet
kubeletVolumePluginPath: None
kubernetesServiceEndpoint:
  host: ""
  port: "6443"

kubectl -n calico-system describe pod calico-node-9t4r8 | fgrep FELIX
      FELIX_DEFAULTENDPOINTTOHOSTACTION:  ACCEPT
      FELIX_HEALTHENABLED:                true
      FELIX_HEALTHPORT:                   9099
      FELIX_TYPHAK8SNAMESPACE:            calico-system
      FELIX_TYPHAK8SSERVICENAME:          calico-typha
      FELIX_TYPHACAFILE:                  /etc/pki/tls/certs/tigera-ca-bundle.crt
      FELIX_TYPHACERTFILE:                /node-certs/tls.crt
      FELIX_TYPHAKEYFILE:                 /node-certs/tls.key
      FELIX_TYPHACN:                      typha-server
      FELIX_IPV6SUPPORT:                  true
