From abacfadc12b1090982edd4a4a6151e4536ef951b Mon Sep 17 00:00:00 2001
From: Pedro Coutinho
Date: Thu, 19 Dec 2024 12:02:26 -0800
Subject: [PATCH 1/3] Add required steps for installing OSS Calico on Openshift v4.16+ on AWS
---
 .../kubernetes/openshift/installation.mdx | 32 +++++++++++++++++++
 .../kubernetes/openshift/installation.mdx | 32 +++++++++++++++++++
 .../kubernetes/openshift/installation.mdx | 32 +++++++++++++++++++
 3 files changed, 96 insertions(+)
diff --git a/calico/getting-started/kubernetes/openshift/installation.mdx b/calico/getting-started/kubernetes/openshift/installation.mdx
index c1db796ad6..35592afb49 100644
--- a/calico/getting-started/kubernetes/openshift/installation.mdx
+++ b/calico/getting-started/kubernetes/openshift/installation.mdx
@@ -68,6 +68,38 @@ Now generate the Kubernetes manifests using your configuration file:
 openshift-install create manifests
 ```
+:::note
+
+If you are using OpenShift **v4.16 or newer** on **AWS**, at this point you need to edit the OpenShift cluster-api manifests
+that configure AWS security groups to allow BGP, typha and IP-in-IP encapsulation traffic in your cluster.
+
+Edit `spec.network.cni.cniIngressRules` in the `cluster-api/02_infra-cluster.yaml` file to add the following rules:
+
+```
+ cniIngressRules:
+ (...)
+ - description: BGP (calico)
+ fromPort: 179
+ protocol: tcp
+ toPort: 179
+ - description: IP-in-IP (calico)
+ fromPort: -1
+ protocol: "4"
+ toPort: -1
+ - description: Typha (calico)
+ fromPort: 5473
+ protocol: tcp
+ toPort: 5473
+```
+
+Alternatively, you can use the [yq tool](https://github.com/kislyuk/yq) to patch the file with a single command:
+
+```
+yq -y -i '.spec.network.cni.cniIngressRules += [{ "description": "BGP (calico)", "fromPort": 179, "protocol": "tcp", "toPort": 179 }, { "description": "IP-in-IP (calico)", "fromPort": -1, "protocol": "4", "toPort": -1 }, { "description": "Typha (calico)", "fromPort": 5473, "protocol": "tcp", "toPort": 5473 }]' cluster-api/02_infra-cluster.yaml
+```
+
+:::
+
 ### Optionally provide additional configuration
diff --git a/calico_versioned_docs/version-3.28/getting-started/kubernetes/openshift/installation.mdx b/calico_versioned_docs/version-3.28/getting-started/kubernetes/openshift/installation.mdx
index 5742a2f6f7..5f2c896a19 100644
--- a/calico_versioned_docs/version-3.28/getting-started/kubernetes/openshift/installation.mdx
+++ b/calico_versioned_docs/version-3.28/getting-started/kubernetes/openshift/installation.mdx
@@ -68,6 +68,38 @@ Now generate the Kubernetes manifests using your configuration file:
 openshift-install create manifests
 ```
+:::note
+
+If you are using OpenShift **v4.16 or newer** on **AWS**, at this point you need to edit the OpenShift cluster-api manifests
+that configure AWS security groups to allow BGP, typha and IP-in-IP encapsulation traffic in your cluster.
+
+Edit `spec.network.cni.cniIngressRules` in the `cluster-api/02_infra-cluster.yaml` file to add the following rules:
+
+```
+ cniIngressRules:
+ (...)
+ - description: BGP (calico)
+ fromPort: 179
+ protocol: tcp
+ toPort: 179
+ - description: IP-in-IP (calico)
+ fromPort: -1
+ protocol: "4"
+ toPort: -1
+ - description: Typha (calico)
+ fromPort: 5473
+ protocol: tcp
+ toPort: 5473
+```
+
+Alternatively, you can use the [yq tool](https://github.com/kislyuk/yq) to patch the file with a single command:
+
+```
+yq -y -i '.spec.network.cni.cniIngressRules += [{ "description": "BGP (calico)", "fromPort": 179, "protocol": "tcp", "toPort": 179 }, { "description": "IP-in-IP (calico)", "fromPort": -1, "protocol": "4", "toPort": -1 }, { "description": "Typha (calico)", "fromPort": 5473, "protocol": "tcp", "toPort": 5473 }]' cluster-api/02_infra-cluster.yaml
+```
+
+:::
+
 ### Optionally provide additional configuration
diff --git a/calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx b/calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx
index c61d1f004f..b40869ed8e 100644
--- a/calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx
+++ b/calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx
@@ -68,6 +68,38 @@ Now generate the Kubernetes manifests using your configuration file:
 openshift-install create manifests
 ```
+:::note
+
+If you are using OpenShift **v4.16 or newer** on **AWS**, at this point you need to edit the OpenShift cluster-api manifests
+that configure AWS security groups to allow BGP, typha and IP-in-IP encapsulation traffic in your cluster.
+
+Edit `spec.network.cni.cniIngressRules` in the `cluster-api/02_infra-cluster.yaml` file to add the following rules:
+
+```
+ cniIngressRules:
+ (...)
+ - description: BGP (calico)
+ fromPort: 179
+ protocol: tcp
+ toPort: 179
+ - description: IP-in-IP (calico)
+ fromPort: -1
+ protocol: "4"
+ toPort: -1
+ - description: Typha (calico)
+ fromPort: 5473
+ protocol: tcp
+ toPort: 5473
+```
+
+Alternatively, you can use the [yq tool](https://github.com/kislyuk/yq) to patch the file with a single command:
+
+```
+yq -y -i '.spec.network.cni.cniIngressRules += [{ "description": "BGP (calico)", "fromPort": 179, "protocol": "tcp", "toPort": 179 }, { "description": "IP-in-IP (calico)", "fromPort": -1, "protocol": "4", "toPort": -1 }, { "description": "Typha (calico)", "fromPort": 5473, "protocol": "tcp", "toPort": 5473 }]' cluster-api/02_infra-cluster.yaml
+```
+
+:::
+
 ### Optionally provide additional configuration
From 56f94fcf38a67b8b78ca8ab20792b9b3c04eaf92 Mon Sep 17 00:00:00 2001
From: Pedro Coutinho
Date: Fri, 20 Dec 2024 16:37:23 -0800
Subject: [PATCH 2/3] Update calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx
Co-authored-by: tuti.
---
 .../getting-started/kubernetes/openshift/installation.mdx | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx b/calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx
index b40869ed8e..4e41defd3c 100644
--- a/calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx
+++ b/calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx
@@ -70,8 +70,7 @@ openshift-install create manifests
 :::note
-If you are using OpenShift **v4.16 or newer** on **AWS**, at this point you need to edit the OpenShift cluster-api manifests
-that configure AWS security groups to allow BGP, typha and IP-in-IP encapsulation traffic in your cluster.
+For OpenShift **v4.16 or newer** on **AWS**, configure AWS security groups to allow BGP, typha and IP-in-IP encapsulation traffic by editing the OpenShift cluster-api manifests
 Edit `spec.network.cni.cniIngressRules` in the `cluster-api/02_infra-cluster.yaml` file to add the following rules:
From 3622f15a174fb64c81ed4eea576feb9c8a5332fd Mon Sep 17 00:00:00 2001
From: Pedro Coutinho
Date: Fri, 20 Dec 2024 16:40:54 -0800
Subject: [PATCH 3/3] Address review comments
---
 .../kubernetes/openshift/installation.mdx | 9 +--------
 .../kubernetes/openshift/installation.mdx | 9 +--------
 .../kubernetes/openshift/installation.mdx | 8 +-------
 3 files changed, 3 insertions(+), 23 deletions(-)
diff --git a/calico/getting-started/kubernetes/openshift/installation.mdx b/calico/getting-started/kubernetes/openshift/installation.mdx
index 35592afb49..dbb756ac4f 100644
--- a/calico/getting-started/kubernetes/openshift/installation.mdx
+++ b/calico/getting-started/kubernetes/openshift/installation.mdx
@@ -70,8 +70,7 @@ openshift-install create manifests
 :::note
-If you are using OpenShift **v4.16 or newer** on **AWS**, at this point you need to edit the OpenShift cluster-api manifests
-that configure AWS security groups to allow BGP, typha and IP-in-IP encapsulation traffic in your cluster.
+For OpenShift **v4.16 or newer** on **AWS**, configure AWS security groups to allow BGP, typha and IP-in-IP encapsulation traffic by editing the OpenShift cluster-api manifests.
 Edit `spec.network.cni.cniIngressRules` in the `cluster-api/02_infra-cluster.yaml` file to add the following rules:
@@ -92,12 +91,6 @@ Edit `spec.network.cni.cniIngressRules` in the `cluster-api/02_infra-cluster.yam
 toPort: 5473
 ```
-Alternatively, you can use the [yq tool](https://github.com/kislyuk/yq) to patch the file with a single command:
-
-```
-yq -y -i '.spec.network.cni.cniIngressRules += [{ "description": "BGP (calico)", "fromPort": 179, "protocol": "tcp", "toPort": 179 }, { "description": "IP-in-IP (calico)", "fromPort": -1, "protocol": "4", "toPort": -1 }, { "description": "Typha (calico)", "fromPort": 5473, "protocol": "tcp", "toPort": 5473 }]' cluster-api/02_infra-cluster.yaml
-```
-
 :::
diff --git a/calico_versioned_docs/version-3.28/getting-started/kubernetes/openshift/installation.mdx b/calico_versioned_docs/version-3.28/getting-started/kubernetes/openshift/installation.mdx
index 5f2c896a19..a62fe91647 100644
--- a/calico_versioned_docs/version-3.28/getting-started/kubernetes/openshift/installation.mdx
+++ b/calico_versioned_docs/version-3.28/getting-started/kubernetes/openshift/installation.mdx
@@ -70,8 +70,7 @@ openshift-install create manifests
 :::note
-If you are using OpenShift **v4.16 or newer** on **AWS**, at this point you need to edit the OpenShift cluster-api manifests
-that configure AWS security groups to allow BGP, typha and IP-in-IP encapsulation traffic in your cluster.
+For OpenShift **v4.16 or newer** on **AWS**, configure AWS security groups to allow BGP, typha and IP-in-IP encapsulation traffic by editing the OpenShift cluster-api manifests.
 Edit `spec.network.cni.cniIngressRules` in the `cluster-api/02_infra-cluster.yaml` file to add the following rules:
@@ -92,12 +91,6 @@ Edit `spec.network.cni.cniIngressRules` in the `cluster-api/02_infra-cluster.yam
 toPort: 5473
 ```
-Alternatively, you can use the [yq tool](https://github.com/kislyuk/yq) to patch the file with a single command:
-
-```
-yq -y -i '.spec.network.cni.cniIngressRules += [{ "description": "BGP (calico)", "fromPort": 179, "protocol": "tcp", "toPort": 179 }, { "description": "IP-in-IP (calico)", "fromPort": -1, "protocol": "4", "toPort": -1 }, { "description": "Typha (calico)", "fromPort": 5473, "protocol": "tcp", "toPort": 5473 }]' cluster-api/02_infra-cluster.yaml
-```
-
 :::
diff --git a/calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx b/calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx
index 4e41defd3c..93b35a8824 100644
--- a/calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx
+++ b/calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx
@@ -70,7 +70,7 @@ openshift-install create manifests
 :::note
-For OpenShift **v4.16 or newer** on **AWS**, configure AWS security groups to allow BGP, typha and IP-in-IP encapsulation traffic by editing the OpenShift cluster-api manifests
+For OpenShift **v4.16 or newer** on **AWS**, configure AWS security groups to allow BGP, typha and IP-in-IP encapsulation traffic by editing the OpenShift cluster-api manifests.
 Edit `spec.network.cni.cniIngressRules` in the `cluster-api/02_infra-cluster.yaml` file to add the following rules:
@@ -91,12 +91,6 @@ Edit `spec.network.cni.cniIngressRules` in the `cluster-api/02_infra-cluster.yam
 toPort: 5473
 ```
-Alternatively, you can use the [yq tool](https://github.com/kislyuk/yq) to patch the file with a single command:
-
-```
-yq -y -i '.spec.network.cni.cniIngressRules += [{ "description": "BGP (calico)", "fromPort": 179, "protocol": "tcp", "toPort": 179 }, { "description": "IP-in-IP (calico)", "fromPort": -1, "protocol": "4", "toPort": -1 }, { "description": "Typha (calico)", "fromPort": 5473, "protocol": "tcp", "toPort": 5473 }]' cluster-api/02_infra-cluster.yaml
-```
-
 :::