Fold enterprise components into the calico mono-image #4782
Open
caseydavenport wants to merge 18 commits into tigera:master from
Linseed now ships as a cobra subcommand of the combined calico binary, so render the deployment with the calico image and dispatch via "calico component linseed". Probes use the matching ready/live subcommands.
Render the tigera-prometheus authn-proxy container with the calico image and dispatch via "calico component prometheus-service".
Render the policy-recommendation-controller container with the calico image and dispatch via "calico component policy-recommendation".
Drop ComponentSecurityEventWebhooksProcessor from the enterprise component list and point the webhooks-processor container in the intrusion detection render at CombinedCalicoImage with the "calico component webhooks-processor" entrypoint.
Drop ComponentQueryServer from the enterprise component list and point the queryserver container in the apiserver render at CombinedCalicoImage with the "calico component queryserver" entrypoint. Also drop the stale ComponentTigeraPrometheusService list reference in the enterprise template that was left behind by the prometheus-service migration.
Drop ComponentPacketCapture from the enterprise component list and point the packetcapture container in the packet-capture API render at CombinedCalicoImage with the "calico component packetcapture" entrypoint.
Point the l7-collector container at CombinedCalicoImage with command [/usr/bin/calico component l7-collector]. ComponentL7Collector and its config/template entries are dropped — the collector now ships inside the combined calico image.
The packet capture api is enterprise-only, so the test installations need to declare the Enterprise variant for CombinedCalicoImage to resolve to the tigera image. Was relying on the empty default before the move to CombinedCalicoImage.
Point the calico-l7-admission-controller container at CombinedCalicoImage with command [/usr/bin/calico component l7-admission-controller]. ComponentL7AdmissionController and its config/template entries are removed - it ships inside the combined calico image now.
Drop ComponentUIAPIs from enterprise.go, the gen-versions template, and config/enterprise_versions.yml, and point both the ui-apis and dashboard-api containers in the manager deployment at CombinedCalicoImage(installation) with the corresponding 'calico component <name>' entrypoints. The dashboard readiness probe becomes 'calico component dashboards ready'.
…snapshotter Compliance server, controller, reporter, and snapshotter now run from the calico mono-image via "calico component <name>" subcommands. Benchmarker stays on its own image since it bundles kube-bench and kubectl.
IDC now runs from the calico mono-image via "calico component intrusion-detection-controller". Liveness probe uses the generic calico health exec command against port 50000.
Runs from the calico mono-image via "calico component elasticsearch-metrics".
Migrate es-gateway to run as a subcommand of the calico mono-image binary.
Migrate waf-http-filter to run as a subcommand of the calico mono-image binary.
…imageset entries Fallout from folding linseed and other components into the calico mono-image. The shared imageset fixtures still listed tigera/linseed and had multiple tigera/calico entries with different digests, which caused the reconcilers to either reject the imageset or pick the wrong digest.
Pair to the calico-private change that brings back a thin IDC image wrapping calico with the GeoIP databases layered on top. Operator points the IDC controller container back at ComponentIntrusionDetectionController so the deployment pulls the wrapper instead of the bare calico image. The binary itself still ships as a cobra subcommand of calico - the wrapper image's entrypoint is calico component intrusion-detection-controller.
Operator companion to https://github.com/tigera/calico-private/pull/11681. Each migrated enterprise component is pointed at CombinedCalicoImage(installation) with a container Command of [/usr/bin/calico, component, <name>], and where probes used per-component health binaries they switch to the generic calico health --port=<port> --type=... form. ComponentX entries are removed from pkg/components/enterprise.go, hack/gen-versions/enterprise.go.tpl, and config/enterprise_versions.yml. Render and controller tests are updated to expect tigera/calico rather than the per-component image.
Components migrated
voltron, manager (ui-apis + dashboard-api), apiserver/l7-admission-controller, applicationlayer/l7-collector, packetcapture, prometheus-service, webhooks-processor, queryserver, policy-recommendation, linseed, compliance (server/controller/reporter/snapshotter), intrusion-detection-controller, elasticsearch-metrics, es-gateway, gateway/waf-http-filter.
Notes
Variant: TigeraSecureEnterprise set explicitly, otherwise CombinedCalicoImage returns calico/calico (OSS) and the tests fall through. Same pattern as the packetcapture commit. flag. tigera/linseed plus multiple tigera/calico entries with different digests, which made the reconcilers either reject the imageset or pick the wrong digest.
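Added example, not part of the PR or the operator's code: a pre-merge lint for the imageset problem described above, flagging an image name pinned to more than one digest and entries for images that no longer ship separately. `ImageRef`, `LintImageSet`, `fakeDigest` and the caller-supplied `retired` set are hypothetical names, and the digests are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// ImageRef is one image/digest pair of an imageset (type defined for this example only).
type ImageRef struct{ Image, Digest string }

var digestRE = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

// LintImageSet reports malformed digests, entries for images the caller marks as
// retired, and image names pinned to more than one digest. Findings are sorted.
func LintImageSet(images []ImageRef, retired map[string]bool) []string {
	var findings []string
	first := map[string]string{} // image name -> first valid digest seen
	for _, ref := range images {
		if !digestRE.MatchString(ref.Digest) {
			findings = append(findings, fmt.Sprintf("%s: malformed digest %q", ref.Image, ref.Digest))
			continue
		}
		if retired[ref.Image] {
			findings = append(findings, ref.Image+": stale entry, component now ships in the combined image")
		}
		prev, dup := first[ref.Image]
		if !dup {
			first[ref.Image] = ref.Digest
		} else if prev != ref.Digest {
			findings = append(findings, fmt.Sprintf("%s: conflicting digests %s and %s",
				ref.Image, prev[:19], ref.Digest[:19]))
		}
	}
	sort.Strings(findings)
	return findings
}

// fakeDigest builds a constructed, syntactically valid digest for the sample data.
func fakeDigest(c string) string { return "sha256:" + strings.Repeat(c, 64) }

func main() {
	sample := []ImageRef{ // constructed fixture, not taken from the PR
		{"tigera/calico", fakeDigest("a")},
		{"tigera/linseed", fakeDigest("b")},
		{"tigera/calico", fakeDigest("c")},
	}
	for _, f := range LintImageSet(sample, map[string]bool{"tigera/linseed": true}) {
		fmt.Println(f)
	}
}
```

Running a check of this kind over shared fixtures before merge surfaces the ambiguous pin directly, rather than leaving it to show up as a reconciler rejecting the imageset or resolving the wrong digest.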