🛂 switch from L2 to BGP for metallb

anokfireball · anokfireball · commit 47e1c0a01ba8 · 2025-06-10T07:22:28.000+02:00
Closes #840.
diff --git a/README.md b/README.md
@@ -54,7 +54,7 @@ At the highest possible level, this repo and HaC workflow consists of three part
 | [Ansible](https://ansible.com/)                                      | OS Configuration                       |                                                                                    |
 | [kubeadm](https://kubernetes.io/docs/reference/setup-tools/kubeadm/) | k8s _Distribution_ / Install Mechanism | stacked HA controlplanes                                                           |
 | [containerd](https://containerd.io/)                                 | OCI Runtime                            |                                                                                    |
-| [Calico](https://www.tigera.io/tigera-products/calico/)              | CNI                                    | dual-stack nodes and services                                                      |
+| [Calico](https://www.tigera.io/tigera-products/calico/)              | CNI                                    | used in BGP mode                                                                   |
 | [kube-vip](https://kube-vip.io/)                                     | Virtual IP for controlplane Nodes      | used in L2/ARP mode                                                                |
 | [Flux2](https://fluxcd.io)                                           | GitOps Automation inside the Cluster   |                                                                                    |
 | [SOPS](https://getsops.io/)                                          | Secrets Management                     | [age](https://age-encryption.org/) rather than pgp, but not any more user-friendly |
@@ -74,7 +74,7 @@ At the highest possible level, this repo and HaC workflow consists of three part
         <td><img width="32" src="https://raw.githubusercontent.com/metallb/metallb/refs/heads/main/website/static/images/logo/metallb-blue.svg"></td>
         <td><a href="https://metallb.io/">metallb</a></td>
         <td>Cloud-Native Service LoadBalancer</td>
-        <td>used in L2/ARP mode, so only VIP rather than true LB</td>
+        <td>used in BGP mode</td>
     </tr>
     <tr>
         <td><img width="32" src="https://raw.githubusercontent.com/kubernetes-sigs/external-dns/refs/heads/master/docs/img/external-dns.png"></td>
@@ -363,12 +363,12 @@ At the highest possible level, this repo and HaC workflow consists of three part
 
 While the ultimate goal is to have as self-sufficient of a setup as possible, some external services are still required for proper operation.
 
-| Service                                                  | Purpose                                    | Notes                                                                    |
-| -------------------------------------------------------- | ------------------------------------------ | ------------------------------------------------------------------------ |
-| [GitHub](https://github.com/)                            | Git Repository Hosting, GitOps Source      |                                                                          |
-| [INWX](https://www.inwx.de/)                             | Domain Registrar                           |                                                                          |
-| [Cloudflare](https://www.cloudflare.com/)                | Public DNS Auth Hosting                    |                                                                          |
-| [netcup](https://www.netcup.de/)                         | Public Reverse-Proxy for Relevant Services | not _yet_ managed here since the number of public services is tiny       |
-| [BackBlaze](https://www.backblaze.com/)                  | Cloud Storage for Backups                  | the "3" in 3-2-1 for the really important data                           |
-| [TailScale](https://tailscale.com/)                      | Overlay VPN                                | used for split-horizon and a direct connection back home                 |
-| VPN Provider                                             | VPN Gateway                                | different external IP for all the Linux ISOs                             |
+| Service                                   | Purpose                                    | Notes                                                              |
+| ----------------------------------------- | ------------------------------------------ | ------------------------------------------------------------------ |
+| [GitHub](https://github.com/)             | Git Repository Hosting, GitOps Source      |                                                                    |
+| [INWX](https://www.inwx.de/)              | Domain Registrar                           |                                                                    |
+| [Cloudflare](https://www.cloudflare.com/) | Public DNS Auth Hosting                    |                                                                    |
+| [netcup](https://www.netcup.de/)          | Public Reverse-Proxy for Relevant Services | not _yet_ managed here since the number of public services is tiny |
+| [BackBlaze](https://www.backblaze.com/)   | Cloud Storage for Backups                  | the "3" in 3-2-1 for the really important data                     |
+| [TailScale](https://tailscale.com/)       | Overlay VPN                                | used for split-horizon and a direct connection back home           |
+| VPN Provider                              | VPN Gateway                                | different external IP for all the Linux ISOs                       |
diff --git a/ansible/cluster.yaml b/ansible/cluster.yaml
@@ -8,5 +8,5 @@
     - { role: os_base }
     - { role: os_power }
     - { role: k8s_cluster }
-    - { role: k8s_flux }
     - { role: k8s_longhorn }
+    - { role: k8s_flux }
diff --git a/ansible/roles/k8s_cluster/tasks/main.yaml b/ansible/roles/k8s_cluster/tasks/main.yaml
@@ -78,7 +78,6 @@
 - when: "'controlplane' in group_names"
   block:
     - import_tasks: tasks/kube-vip.yaml
-    - import_tasks: tasks/oidc.yaml
 
 - when: not k8s_upgrade
   block:
@@ -87,6 +86,10 @@
 
 - import_tasks: join.yaml
 
+- when: "'controlplane' in group_names"
+  block:
+    - import_tasks: tasks/oidc.yaml
+
 - when: k8s_upgrade
   import_tasks: upgrade.yaml
 
diff --git a/ansible/roles/k8s_cluster/tasks/tasks/calico.yaml b/ansible/roles/k8s_cluster/tasks/tasks/calico.yaml
@@ -1,9 +1,37 @@
 ---
+# CRD bundles too large to use kubectl apply
 - name: create calico config directory
   file:
     path: /etc/calico
     state: directory
 
+- name: download calico operator CRDs
+  get_url:
+    url: |
+      https://raw.githubusercontent.com/projectcalico/calico/{{ calico_version }}/manifests/operator-crds.yaml
+    dest: /etc/calico/operator-crds.yaml
+  register: calico_crds_manifest
+
+- name: check if calico operator CRDs already exist
+  shell: |
+    set -o pipefail
+    # figure out if a CRD with name "apiservers.operator.tigera.io" exists
+    kubectl get crds -o json | jq '.items[] | select(.metadata.name == "apiservers.operator.tigera.io")' | wc -l
+  args:
+    executable: /bin/bash
+  environment:
+    KUBECONFIG: /etc/kubernetes/admin.conf
+  register: calico_crds_exists
+  ignore_errors: true
+  changed_when: calico_crds_exists.stdout == '0'
+
+- name: apply calico operator CRDs
+  command: |
+    kubectl {{ 'create' if calico_crds_exists.stdout == '0' else 'replace' }} -f /etc/calico/operator-crds.yaml
+  environment:
+    KUBECONFIG: /etc/kubernetes/admin.conf
+  changed_when: calico_crds_exists.stdout == '0' or calico_crds_manifest.changed
+
 - name: download calico operator manifest
   get_url:
     url: |
@@ -24,7 +52,6 @@
   changed_when: calico_operator_exists.stdout == '0'
 
 - name: apply calico operator manifest
-  # CRD bundle too large to use kubectl apply
   command: |
     kubectl {{ 'create' if calico_operator_exists.stdout == '0' else 'replace' }} -f /etc/calico/tigera-operator.yaml
   environment:
@@ -55,3 +82,16 @@
   environment:
     KUBECONFIG: /etc/kubernetes/admin.conf
   changed_when: calico_custom_resource_exists.stdout == '0' or calico_custom_resource_manifest.changed
+
+- name: copy BGP configuration
+  template:
+    src: bgp-config.yaml.j2
+    dest: /etc/calico/bgp-config.yaml
+  register: calico_bgp_config_manifest
+
+- name: apply calico BGP config manifest
+  command: |
+    kubectl apply -f /etc/calico/bgp-config.yaml
+  environment:
+    KUBECONFIG: /etc/kubernetes/admin.conf
+  changed_when: calico_bgp_config_manifest.changed
diff --git a/ansible/roles/k8s_cluster/tasks/tasks/containerd.yaml b/ansible/roles/k8s_cluster/tasks/tasks/containerd.yaml
@@ -35,12 +35,12 @@
 
 - name: modify containerd config
   shell: >
-      set -o pipefail &&
-      containerd config default
-      | tomlq '.plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options.SystemdCgroup  = true' -t
-      | tomlq '.plugins."io.containerd.grpc.v1.cri".registry.config_path = "/etc/containerd/certs.d"' -t
-      | tomlq '.plugins."io.containerd.grpc.v1.cri".containerd.discard_unpacked_layers = false' -t
-      > /etc/containerd/config.toml
+    set -o pipefail &&
+    containerd config default
+    | tomlq '.plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options.SystemdCgroup  = true' -t
+    | tomlq '.plugins."io.containerd.grpc.v1.cri".registry.config_path = "/etc/containerd/certs.d"' -t
+    | tomlq '.plugins."io.containerd.grpc.v1.cri".containerd.discard_unpacked_layers = false' -t
+    > /etc/containerd/config.toml
   args:
     executable: /bin/bash
   changed_when: false
diff --git a/ansible/roles/k8s_cluster/tasks/tasks/kubelet.yaml b/ansible/roles/k8s_cluster/tasks/tasks/kubelet.yaml
@@ -23,7 +23,6 @@
   apt:
     pkg:
       - "cri-tools={{ k8s_version_stripped }}.*"
-    allow_downgrade: true
     allow_change_held_packages: true
     state: present
   notify:
diff --git a/ansible/roles/k8s_cluster/tasks/tasks/upgrade-node.yaml b/ansible/roles/k8s_cluster/tasks/tasks/upgrade-node.yaml
@@ -14,4 +14,4 @@
       command: "kubectl uncordon {{ node_name }}"
       environment:
         KUBECONFIG: /etc/kubernetes/admin.conf
-      delegate_to: "{{ delegate }}"
+      delegate_to: "{{ delegate }}"
diff --git a/ansible/roles/k8s_cluster/templates/bgp-config.yaml.j2 b/ansible/roles/k8s_cluster/templates/bgp-config.yaml.j2
@@ -0,0 +1,32 @@
+apiVersion: projectcalico.org/v3
+kind: BGPFilter
+metadata:
+  name: deny-pods
+spec:
+  exportV4:
+    - action: Reject
+      matchOperator: In
+      cidr: {{ pod_network_cidr_v4 }}
+---
+apiVersion: projectcalico.org/v3
+kind: BGPPeer
+metadata:
+  name: default
+spec:
+  peerIP: {{ bgp_router_ip }}
+  asNumber: {{ bgp_router_as }}
+  keepOriginalNextHop: true
+  filters:
+    - deny-pods
+---
+apiVersion: projectcalico.org/v3
+kind: BGPConfiguration
+metadata:
+  name: default
+spec:
+  asNumber: {{ bgp_cluster_as }}
+  nodeToNodeMeshEnabled: true
+  serviceClusterIPs:
+    - cidr: {{ service_cidr_v4 }}
+  serviceLoadBalancerIPs:
+    - cidr: {{ loadbalancer_cidr_v4 }}
diff --git a/ansible/roles/k8s_cluster/templates/custom-resources.yaml.j2 b/ansible/roles/k8s_cluster/templates/custom-resources.yaml.j2
@@ -1,12 +1,11 @@
 # This section includes base Calico installation configuration.
-# For more information, see: https://docs.tigera.io/calico/3.29/reference/installation/api#operator.tigera.io/v1.Installation
+# For more information, see: https://docs.tigera.io/calico/3.30/reference/installation/api#operator.tigera.io/v1.Installation
 apiVersion: operator.tigera.io/v1
 kind: Installation
 metadata:
   name: default
 spec:
   calicoNetwork:
-    bgp: Disabled
     ipPools:
     - name: default-ipv4-ippool
       blockSize: {{ calico_node_subnet_prefix_length_v4 }}
@@ -20,13 +19,23 @@ spec:
       encapsulation: VXLANCrossSubnet
       natOutgoing: Enabled
       nodeSelector: all()
-
 ---
-
 # This section configures the Calico API server.
-# For more information, see: https://docs.tigera.io/calico/3.29/reference/installation/api#operator.tigera.io/v1.APIServer
+# For more information, see: https://docs.tigera.io/calico/3.30/reference/installation/api#operator.tigera.io/v1.APIServer
 apiVersion: operator.tigera.io/v1
 kind: APIServer
 metadata:
   name: default
 spec: {}
+---
+# Configures the Calico Goldmane flow aggregator.
+apiVersion: operator.tigera.io/v1
+kind: Goldmane
+metadata:
+  name: default
+---
+# Configures the Calico Whisker observability UI.
+apiVersion: operator.tigera.io/v1
+kind: Whisker
+metadata:
+  name: default
diff --git a/ansible/roles/k8s_cluster/vars/main.yaml b/ansible/roles/k8s_cluster/vars/main.yaml
@@ -11,6 +11,7 @@ pod_network_cidr_v4: 172.32.0.0/16
 pod_network_cidr_v6: fd08:172:32::/56
 service_cidr_v4: 172.16.0.0/24
 service_cidr_v6: fd08:172:16::/112
+loadbalancer_cidr_v4: 192.168.2.0/24
 
 kube_vip_version: v0.9.1
 vip: 192.168.1.210
@@ -22,5 +23,9 @@ calico_node_subnet_prefix_length_v4: 24
 # range: [116:128]
 calico_node_subnet_prefix_length_v6: 120
 
+bgp_router_ip: 192.168.1.1
+bgp_router_as: 64512
+bgp_cluster_as: 64513
+
 reset_cluster: false
 reset_confirmation: ""
diff --git a/flux/system/app-controllers/nginx.yaml b/flux/system/app-controllers/nginx.yaml
@@ -16,12 +16,13 @@ spec:
   values:
     controller:
       service:
-        ipFamilyPolicy: RequireDualStack
+        ipFamilyPolicy: SingleStack
         ipFamilies:
           - IPv4
-          - IPv6
+        externalTrafficPolicy: Local
         annotations:
           metallb.io/allow-shared-ip: default
+      kind: DaemonSet
       metrics:
         enabled: true
         serviceMonitor:
diff --git a/flux/system/infrastructure-configs/metallb.yaml b/flux/system/infrastructure-configs/metallb.yaml
@@ -6,16 +6,4 @@ metadata:
   namespace: metallb-system
 spec:
   addresses:
-    - 192.168.1.220/32
-    - fd08:192:168:1::220/128
----
-apiVersion: metallb.io/v1beta1
-kind: L2Advertisement
-metadata:
-  name: default
-  namespace: metallb-system
-spec:
-  ipAddressPools:
-    - service-vip
-  interfaces:
-    - eth0
+    - 192.168.2.0/24
