KubeOne and Calico

I tried to deploy Kubernetes with Calico as a kubeone addon and it failed.

When deploying Calico with etcd datastore, Calico needs access to the etcd certificates created by the KubeOne deployment. The Calico manifest used as an addon for KubeOne creates a “secrets” resource where it needs to have encoded the contents of the etcd certificates. As KubeOne deploys Kubernetes with the etcd datastore and Calico at the same time, there is no way for me of knowing beforehand what the etcd certificates will be so I can pass them to the Calico manifest before deployment.

Do you have any suggestions on how I could workaround this issue? I thought about doing a KubeOne deployment with a default CNI and then upgrade to Calico, but in the documentation, it’s stated that the CNI cannot be changed after the initial KubeOne deployment.

The control-plane etcd should not ever be used by anyone except kubeapi-server.

I’d suggest not to use etcd store. At least not mix control-plane etcd with anything else. Calico itself perfectly well works with kubeapi as a storage.

Please consult https://docs.projectcalico.org/manifests/calico-vxlan.yaml manifest, specifically, search for DATASTORE_TYPE (or datastore_type in lower case too) in it to see how to configure calico to use kubernetes as datastore.

Following up this topic: I’ve created a PR which demonstrates how to use Calico as external CNI, configured to use kubernetes as datasource.




Thank you @kron4eg . I was looking at the same time of deploying Calico and basically ended up doing the same thing as in your example

@vbotez please note this, as it’s important

Yes! Thank you! I actually modified the manifest and hardcoded the value (for testing purposes) but it’s true that we can get the value like you suggested.