diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index dbd224e2876841e56792a441dc314376473c8205..31355b01643c4c1e655d7f5e3da13c9074066472 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -17,6 +17,31 @@ General information about release upgrades are documented at
 .. towncrier release notes start
+v11.0.2 (2025-10-23)
+--------------------
+
+Bugfixes
+~~~~~~~~
+
+- A bug in the migration script has been fixed that prevented use of Ansible playbooks directly after migration on OpenStack-based clusters. (`!2179 `_)
+- Fixed the assertion that enforces either
+ the new :ref:`configuration-options.yk8s.infra.ansible_hosts`
+ or the old :ref:`configuration-options.yk8s.infra.hosts_file`
+ option is set. (`!2179 `_)
+- Fixed a Nix config error
+ that prevented the use of :ref:`configuration-options.yk8s.infra.hosts_file`
+ (when :ref:`Terraform is disabled `). (`!2179 `_)
+- A bug has been fixed which prevented cluster creation or adding new nodes to an existing cluster if :ref:`configuration-options.yk8s.ch-k8s-lbaas.enable_snat` got disabled. (`!2179 `_)
+- A bug has been fixed which caused :ref:`apply-prepare-gw.sh ` to fail after reconfiguring :ref:`configuration-options.yk8s.ch-k8s-lbaas.enable_snat` until :ref:`apply-k8s-supplements.sh ` (more specifically the ``install-ch-k8s-lbaas.yaml`` playbook) has been executed. (`!2179 `_)
+- A file permission bug in a migration script has been fixed (`!2179 `_)
+
+
+Other Tasks
+~~~~~~~~~~~
+
+- `!2179 `_
+
+
 v11.0.1 (2025-10-21)
 --------------------
@@ -51,28 +76,12 @@ New Features
 .. warning::
 Be aware that disabling SNAT'ing potentially has performance implications.
+ Have a look at :ref:`configuration-options.yk8s.ch-k8s-lbaas.enable_snat` for further information.
- .. tabs::
-
- .. tab:: Rollout immediately after release upgrade
-
- When directly coming from a previous release and you want to disable SNAT'ing right away
- without having done a full rollout yet,
- you have to adjust the gateway nodes first.
- In that case, rollout the necessary changes with:
-
- .. code:: console
-
- $ ./managed-k8s/actions/apply-prepare-gw.sh
- $ ./managed-k8s/actions/apply-k8s-supplements.sh install-ch-k8s-lbaas.yaml
-
- .. tab:: Rollout later
-
- If you already did a rollout with the current release, it's sufficient to do:
-
- .. code:: console
+ .. warning::
- $ ./managed-k8s/actions/apply-k8s-supplements.sh install-ch-k8s-lbaas.yaml
+ Disabling :ref:`configuration-options.yk8s.ch-k8s-lbaas.enable_snat` can only be done after the release migration
+ including executing :ref:`apply-all.sh ` has been finished. . (`!1943 `_) - The functionality of :ref:`configuration-options.yk8s.kubernetes.apiserver.audit_logs.enabled` has been refined such that the settings take effect on cluster initialization already and modifications to the settings are not applied during Kubernetes upgrades only but on normal rollouts. The settings are also reflected in the ``kube-system/kubeadm-config`` ConfigMap in the cluster now which ensures freshly provisioned control-plane nodes have the setting right away. (`!1956 `_)
diff --git a/actions/release-migrations/v11-01-yaml-hosts.sh b/actions/release-migrations/v11-01-yaml-hosts.sh
old mode 100644
new mode 100755
index 08946338b6b73a099411f126e1154da8478f582c..d25ce91113459b62f83a154dc6183375532940f4
--- a/actions/release-migrations/v11-01-yaml-hosts.sh
+++ b/actions/release-migrations/v11-01-yaml-hosts.sh
@@ -6,5 +6,10 @@ actions_dir="$(dirname "$0")/.."
 # shellcheck source=actions/lib.sh
 . "$actions_dir/lib.sh"
-notef "Removing obsolete state files..."
-run git rm -rf "$terraform_state_dir/rendered"
+if [ "${tf_usage:-true}" == 'true' ]; then
+ notef "Removing obsolete state files..."
+ run git rm -rf "$terraform_state_dir/rendered"
+
+ notef "Running Terraform stage to create output files"
+ run "$actions_dir/apply-terraform.sh"
+fi
diff --git a/docs/user/reference/options/yk8s.ch-k8s-lbaas.rst b/docs/user/reference/options/yk8s.ch-k8s-lbaas.rst
index 1e7b03759357c5f998713a6366729228687a114a..5a9096c862e21f3706a250f6d1bb9428c7d56948 100644
--- a/docs/user/reference/options/yk8s.ch-k8s-lbaas.rst
+++ b/docs/user/reference/options/yk8s.ch-k8s-lbaas.rst
@@ -260,6 +260,11 @@ If source-nat'ing is disabled, the frontend nodes will be configured to act as g
 for the Kubernetes nodes. They will propagate routes via BGP overwriting the default routes of Kubernetes nodes such that **all** traffic is routed via the VIP by default.
+.. important:: Administrative Traffic
+
+ Traffic sent via Wireguard is still SNAT'ed as otherwise
+ freshly provisioned nodes can't be administered.
+
 .. warning:: Implications when running on OpenStack
 Disabling source-nat'ing has some implications:
diff --git a/k8s-supplements/ansible/install-ch-k8s-lbaas.yaml b/k8s-supplements/ansible/install-ch-k8s-lbaas.yaml
index b594e2d468629938ba96b33cce0386eea91e1452..f6a488421eb64095c6ab22360d22a9d61395d364 100644
--- a/k8s-supplements/ansible/install-ch-k8s-lbaas.yaml
+++ b/k8s-supplements/ansible/install-ch-k8s-lbaas.yaml
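Review bot: The new guard `if [ "${tf_usage:-true}" == 'true' ]; then` uses the bash-only `==` inside `[ ]`; the interpreter line is outside the hunk, and under a POSIX `sh` this test fails with "unexpected operator", whereas `if [ "${tf_usage:-true}" = 'true' ]; then` is equivalent in every shell. Inside the guard, `run git rm -rf "$terraform_state_dir/rendered"` is not safe to re-run: once the directory has been removed, a second invocation (e.g. retrying after `apply-terraform.sh` failed) makes `git rm` exit non-zero on the unmatched pathspec, which presumably aborts the script before the Terraform stage is reached — `run git rm -rf --ignore-unmatch "$terraform_state_dir/rendered"` keeps the migration repeatable. Where `tf_usage` is set is not visible here; note that the `:-true` default runs the Terraform stage whenever the variable is unset.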
@@ -1,12 +1,12 @@
 ---
-- name: Connect to Kubernetes nodes
+- name: Connect to Frontend nodes
 import_playbook: "{{ ansible_k8s_core_dir }}/connect-to-nodes.yaml"
 vars:
- target_hosts: masters:frontend
+ target_hosts: frontend
 - name: Fail if node got not bootstrapped once, yet
 any_errors_fatal: true
- hosts: masters:frontend
+ hosts: frontend
 tasks:
 - name: Fail if node got not bootstrapped once, yet
 when: not ansible_local['bootstrap']['bootstrapped'] | default(False) | bool
diff --git a/k8s-supplements/ansible/roles/bird/templates/bird-calico.conf.j2 b/k8s-supplements/ansible/roles/bird/templates/bird-calico.conf.j2
index 76083cf89580d23d95360e6d1ce3ef62ea1ef701..9953cb2502d55318c241dafa83b2b62bb5d450bb 100644
--- a/k8s-supplements/ansible/roles/bird/templates/bird-calico.conf.j2
+++ b/k8s-supplements/ansible/roles/bird/templates/bird-calico.conf.j2
@@ -16,6 +16,26 @@ function filter_organization() {
 return false;
 }
+
+{% if ch_k8s_lbaas_enabled and not ch_k8s_lbaas_enable_snat %}
+protocol static {
+ table master;
+ # Add routes to basically route everything via the VIP
+ route 0.0.0.0/1 via {{ networking_fixed_ip }};
+ route 128.0.0.0/1 via {{ networking_fixed_ip }};
+}
+
+# A function used to export the above routes to peers
+function filter_default_overwrite() {
+ if (net = 0.0.0.0/1) || (net = 128.0.0.0/1) then {
+ bgp_local_pref = 200; # Set local preference to override default route on peers
+ bgp_next_hop = {{ networking_fixed_ip }};
+ return true;
+ }
+ return false;
+}
+{% endif %}
+
 filter k8s_worker {
 {% if ch_k8s_lbaas_enabled and not ch_k8s_lbaas_enable_snat %}
 if filter_default_overwrite() then accept;
diff --git a/k8s-supplements/ansible/roles/ch-k8s-lbaas-agent/tasks/main.yaml b/k8s-supplements/ansible/roles/ch-k8s-lbaas-agent/tasks/main.yaml
index 7f49a5e6bf95eb5217ecfaa7727f19799e50a830..83b3c72c8155f8a437abc91f935bc91f947dd5f3 100644
--- a/k8s-supplements/ansible/roles/ch-k8s-lbaas-agent/tasks/main.yaml
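Review bot: The new `{% if ch_k8s_lbaas_enabled and not ch_k8s_lbaas_enable_snat %}` guard around `protocol static` drops the `openstack_enabled and ipv4_enabled` conditions that gated the removed `Setup no-SNAT configuration` task in ch-k8s-lbaas-agent/tasks/main.yaml, so the `0.0.0.0/1` and `128.0.0.0/1` routes via `{{ networking_fixed_ip }}` are now rendered on every SNAT-disabled cluster regardless of provider or IPv4 state. Unless the Nix options already forbid `enable_snat = false` outside OpenStack with IPv4 (not visible here), and provided those variables reach the bird role, the condition should be carried over as `{% if ch_k8s_lbaas_enabled and not ch_k8s_lbaas_enable_snat and openstack_enabled and ipv4_enabled %}` in both places this template tests it. The `filter k8s_worker` block continues outside the hunk.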
+++ b/k8s-supplements/ansible/roles/ch-k8s-lbaas-agent/tasks/main.yaml
@@ -86,22 +86,12 @@
 notify:
 - restart ch-k8s-lbaas-agent
- - name: Setup no-SNAT configuration
- template:
- src: bird.no-snat.conf.j2
- dest: /etc/bird.d/01-no-snat.conf
- owner: root
- group: bird
- mode: "u=rw,g=r,o-rwx"
- notify: restart bird
- when: openstack_enabled and ipv4_enabled and not ch_k8s_lbaas_enable_snat
-
- - name: Remove no-SNAT configuration
+ # Migration task, remove me with TAROOK v12
+ - name: Remove legacy no-SNAT configuration
 file:
 state: absent
 path: "/etc/bird.d/01-no-snat.conf"
 notify: restart bird
- when: openstack_enabled and ipv4_enabled and ch_k8s_lbaas_enable_snat
 - name: Start service
 systemd:
diff --git a/k8s-supplements/ansible/roles/ch-k8s-lbaas-agent/templates/bird.no-snat.conf.j2 b/k8s-supplements/ansible/roles/ch-k8s-lbaas-agent/templates/bird.no-snat.conf.j2
deleted file mode 100644
index 70747673425a08a981b3cf05bf97e8b1d953a7db..0000000000000000000000000000000000000000
--- a/k8s-supplements/ansible/roles/ch-k8s-lbaas-agent/templates/bird.no-snat.conf.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-protocol static {
- table master;
- # Add routes to basically route everything via the VIP
- route 0.0.0.0/1 via {{ networking_fixed_ip }};
- route 128.0.0.0/1 via {{ networking_fixed_ip }};
-}
-
-# A function used to export the above routes to peers
-function filter_default_overwrite() {
- if (net = 0.0.0.0/1) || (net = 128.0.0.0/1) then {
- bgp_local_pref = 200; # Set local preference to override default route on peers
- bgp_next_hop = {{ networking_fixed_ip }};
- return true;
- }
- return false;
-}
diff --git a/k8s-supplements/ansible/roles/nftables/templates/nftables.conf.j2 b/k8s-supplements/ansible/roles/nftables/templates/nftables.conf.j2
index dbad0abaa1e1aacc3e732ef031d12bd5777ff7df..333263ef0c5aaf25c488dbdb24f0fe4fa19c4c68 100644
--- a/k8s-supplements/ansible/roles/nftables/templates/nftables.conf.j2
+++ b/k8s-supplements/ansible/roles/nftables/templates/nftables.conf.j2
@@ -166,9 +166,23 @@ include "/etc/nft.d/*.conf"
 include "/var/lib/ch-k8s-lbaas-agent/nftables/*.conf"
 table ip nat {
+{% if ch_k8s_lbaas_enabled and not ch_k8s_lbaas_enable_snat %}
+ set wg_iifnames {
+ type ifname;
+ elements = {
+ {% for ep in wg_endpoints %}
+ {% if ep.enabled %}
+ wg{{ ep.id }},
+ {% endif %}
+ {% endfor %}
+ }
+ }
+{% endif %}
+
 chain postrouting {
 {% if ch_k8s_lbaas_enabled and not ch_k8s_lbaas_enable_snat %}
 ip saddr {{ priv_ip_cidr }} masquerade comment "Only SNAT internal traffic";
+ iifname @wg_iifnames oifname $wan ip daddr {{ priv_ip_cidr }} masquerade comment "SNAT incoming Wireguard traffic"
 {% else %}
 fib saddr type != local masquerade comment "SNAT all traffic";
 {% endif %}
diff --git a/nix/yk8s/infra.nix b/nix/yk8s/infra.nix
index eb60117bbe91eaea2c860278dc4255915201e65c..54757fe08cf86e2dfe672ebc310888bbf6854ba5 100644
--- a/nix/yk8s/infra.nix
+++ b/nix/yk8s/infra.nix
@@ -158,9 +158,14 @@ in {
 '';
 default = null;
 apply = v:
- if v == null && config.yk8s.terraform.enabled
- then builtins.trace "INFO: infra.ansible_hosts is not yet set. Terraform stage needs to be run first." v
- else applyGroupSubmoduleAttrs v;
+ if config.yk8s.terraform.enabled
+ then
+ (
+ if v == null
+ then builtins.trace "INFO: infra.ansible_hosts is not yet set. Terraform stage needs to be run first." v
+ else applyGroupSubmoduleAttrs v
+ )
+ else v;
 type = types.nullOr (types.submodule {
 freeformType = types.attrsOf groupSubmodule;
 options = {
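Review bot: `elements = { ... }` renders empty when `wg_endpoints` contains no entry with `enabled` set, and nft rejects an empty `elements = { }` block as a syntax error, so the whole ruleset would fail to load on such a host; whether an SNAT-disabled cluster without any enabled WireGuard endpoint is a reachable configuration is not visible here. Wrapping both the `set wg_iifnames` definition and the `iifname @wg_iifnames ...` rule in `{% if wg_endpoints | selectattr('enabled') | list %}` … `{% endif %}` (or asserting the precondition in the role) removes that failure mode. As a point of style, the new masquerade rule is the only statement in `chain postrouting` without a terminating `;` — nft accepts the newline, but `masquerade comment "SNAT incoming Wireguard traffic";` matches the neighbouring lines.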
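Review bot: With Terraform disabled the new `else v` branch returns a user-supplied `ansible_hosts` untouched, so `applyGroupSubmoduleAttrs` now runs only when `config.yk8s.terraform.enabled` is true, whereas before this change it ran on every non-null value. If the transformation is meaningful for hand-written groups as well, make the null check the outer branch: `if v == null then (if config.yk8s.terraform.enabled then builtins.trace "INFO: infra.ansible_hosts is not yet set. Terraform stage needs to be run first." v else v) else applyGroupSubmoduleAttrs v;`. Whether `applyGroupSubmoduleAttrs` tolerates manually written hosts is not visible here, so this may be intended.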
@@ -306,8 +311,8 @@ in {
 message = "config.yk8s.infra.hosts_file must not be set if config.yk8s.infra.ansible_hosts is used (which implicitly happens through Terraform).";
 }
 {
- assertion = ! config.yk8s.terraform.enabled -> (cfg.ansible_hosts == null && cfg.hosts_file == null);
- message = "One of config.yk8s.infra.hosts_file and config.yk8s.infra.ansible_hosts must be set";
+ assertion = ! config.yk8s.terraform.enabled -> ((cfg.ansible_hosts == null && cfg.hosts_file != null) || (cfg.ansible_hosts != null && cfg.hosts_file == null));
+ message = "Either config.yk8s.infra.hosts_file or config.yk8s.infra.ansible_hosts must be set";
 }
 {
 assertion =
diff --git a/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix b/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix
index 28e9dce9e0d641d0abde679d1e41d06895dc9c62..ebbcf87e16e21a0643e2dcef464a9a160046facd 100644
--- a/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix
+++ b/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix
@@ -145,6 +145,11 @@ in {
 for the Kubernetes nodes. They will propagate routes via BGP overwriting the default routes of Kubernetes nodes such that **all** traffic is routed via the VIP by default.
+ .. important:: Administrative Traffic
+
+ Traffic sent via Wireguard is still SNAT'ed as otherwise
+ freshly provisioned nodes can't be administered.
+
 .. warning:: Implications when running on OpenStack
 Disabling source-nat'ing has some implications:
diff --git a/version b/version
index 071973805f533cf9fde064908d0c37d4bcce20c0..a1ea332d2835ac2a6b96f97dfedc59309f1459a0 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-11.0.1
+11.0.2
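Review bot: The new assertion spells out both exclusive cases by hand; judging from the message of the preceding assertion (its expression is outside the hunk), the both-set case is already rejected there, so the condition reads more directly as an exclusive-or, `assertion = ! config.yk8s.terraform.enabled -> ((cfg.ansible_hosts == null) != (cfg.hosts_file == null));`, which mirrors the "Either ... or ..." wording of the new message. The enclosing assertions list continues outside the hunk.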