ci: finalize changes

Author: jpayne3506

docs/feature/swift-v2/setup-guide-azcni.md

@@ -1,37 +1,32 @@
-# Swiftv2 Cilium Upgrade Guide
+# Swiftv2 Cilium In-place Upgrade Guide
 
 ## Steps
 ### Clone repo + checkout branch for *.yamls
 ```
 git clone https://github.com/Azure/azure-container-networking.git
-git checkout jpayne3506/conflist-generation < TODO Change before merge >
+git checkout master
 ```
 
 ### Update Conflist
-Leverage a cni build from branch or use `acnpublic.azurecr.io/azure-cni:linux-amd64-v1.7.5-3-g93d32acd0` < TODO Change before merge >
-- This will install our chained conflist through the use of `test/integration/manifests/cni/conflist-installer.yaml`
 
 ```
 export CONFLIST=azure-chained-cilium.conflist
 export CONFLIST_PRIORITY=05
-export CNI_IMAGE=acnpublic.azurecr.io/azure-cni:linux-amd64-v1.7.5-3-g93d32acd0
+export CNI_IMAGE=acnpublic.azurecr.io/public/containernetworking/azure-cni:v1.7.5-3
 envsubst '${CONFLIST},${CONFLIST_PRIORITY},${CNI_IMAGE}' < test/integration/manifests/cni/conflist-installer.yaml | kubectl apply -f -
 ```
 
-> NOTE: if your current conflist file name starts with `05` then change our previous filename to one with higher priority to ensure that it is consumed. i.e. `03-azure-chained-cilium.conflist`
 
-
-### Apply cilium config
+### Apply Cilium config
 ```
 export DIR=1.17
 export CILIUM_VERSION_TAG=v1.17.7-250927
 export CILIUM_IMAGE_REGISTRY=mcr.microsoft.com/containernetworking
 kubectl apply -f test/integration/manifests/cilium/v${DIR}/cilium-config/cilium-chained-config.yaml
 ```
 
-- Remove `kube-proxy-replacement-healthz-bind-address: "0.0.0.0:10256"` from configmap if kube-proxy is current on nodes
 
-### Apply cilium Agent + Operator + RBAC
+### Apply Cilium Agent + Operator + RBAC
 ```
 kubectl apply -f test/integration/manifests/cilium/v${DIR}/cilium-operator/files
 kubectl apply -f test/integration/manifests/cilium/v${DIR}/cilium-agent/files
@@ -41,30 +36,11 @@ envsubst '${CILIUM_VERSION_TAG},${CILIUM_IMAGE_REGISTRY}' < test/integration/man
 
 
 ### Quick Summary
-- Apply conflist installer to update conflist on BYON
-- Apply/Edit Cilium Config with
-  - `cni-chaining-mode: generic-veth`
-  - remove `kube-proxy-replacement-healthz-bind-address`
-    - You do not need to remove if node does not have kube-proxy enabled
-  - If applied before agent is in ready state then no need to restart agent
+- Apply conflist installer to update conflist on all nodes
+- Apply Cilium Config
 - Apply Agent + Operator + RBAC
 
 
 ## Quick Vaildation testing
-- Create pods from deploy
-  - test/integration/manifests/swiftv2/mt-deploy.yaml
-  - Creates `container-*` pods on default namespace
-- Create Cilium Network Policies
-  - test/integration/manifests/cilium/netpol/default-allow.yaml
-  - Will only allow cilium managed endpoints to transmit traffic through default namespace
 - Check Cilium Management with
   - `kubectl get cep -A`
-  - `kubectl get cnp -A`
-- Check connectivity
-  - exec -it <container-*> -- sh
-  - ip a
-    - look for delegatedNIC IP
-  - ping <IP>
-  - confirm CNP working by attempting to ping coredns pods
-    - should fail if both are being maintained by cilium
-    - confirm with `kubectl get cep -A`

docs/feature/swift-v2/setup-guide-cil.md

@@ -1,37 +1,29 @@
-# Swiftv2 Cilium Setup Guide
+# Swiftv2 Managed Cilium Setup Guide
 
 ## Steps
 ### Clone repo + checkout branch for *.yamls
 ```
 git clone https://github.com/Azure/azure-container-networking.git
-git checkout jpayne3506/conflist-generation < TODO Change before merge >
+git checkout master
 ```
 
 ### Update Conflist
-Leverage a cni build from branch or use `acnpublic.azurecr.io/azure-cni:linux-amd64-v1.7.5-3-g93d32acd0` < TODO Change before merge >
-- This will install our chained conflist through the use of `test/integration/manifests/cni/conflist-installer.yaml`
 
 ```
 export CONFLIST=azure-chained-cilium.conflist
 export CONFLIST_PRIORITY=05
-export CNI_IMAGE=acnpublic.azurecr.io/azure-cni:linux-amd64-v1.7.5-3-g93d32acd0
-envsubst '${CONFLIST},${CONFLIST_PRIORITY},${CNI_IMAGE}' < test/integration/manifests/cni/conflist-installer.yaml | kubectl apply -f -
+export CNI_IMAGE=acnpublic.azurecr.io/public/containernetworking/azure-cni:v1.7.5-3
+envsubst '${CONFLIST},${CONFLIST_PRIORITY},${CNI_IMAGE}' < test/integration/manifests/cni/conflist-installer-byon.yaml | kubectl apply -f -
 ```
 
-> NOTE: if your current conflist file name starts with `05` then change our previous filename to one with higher priority to ensure that it is consumed. i.e. `03-azure-chained-cilium.conflist`
-
 
 ### Apply Watcher
 ```
 kubectl apply -f test/integration/manifests/cilium/watcher/deployment.yaml
 ```
 
-- Watcher obtains existing RBAC and DS from managed node
-  - We overwrite CM values through the use of DS args on the `cilium-agent` container
-i.e. overwrites `--cni-chaining-mode`
-```
-yq eval '.spec.template.spec.containers[0].args += ["--cni-chaining-mode=generic-veth"]' -i "$temp_file"
-```
+- Watcher obtains existing Cilium RBAC and Daemonset from managed node
+  - We overwrite Cilium Configmap values through the use of args on the `cilium-agent` container within the watcher deployment.
 
 
 
@@ -40,20 +32,5 @@ yq eval '.spec.template.spec.containers[0].args += ["--cni-chaining-mode=generic
 - Apply Watcher and Overwrite existing CM values through `cilium-agent` container
 
 ## Quick Vaildation testing
-- Create pods from deploy
-  - test/integration/manifests/swiftv2/mt-deploy.yaml
-  - Creates `container-*` pods on default namespace
-- Create Cilium Network Policies
-  - test/integration/manifests/cilium/netpol/default-allow.yaml
-  - Will only allow cilium managed endpoints to transmit traffic through default namespace
-- Check Cilium Management with
-  - `kubectl get cep -A`
-  - `kubectl get cnp -A`
-- Check connectivity
-  - exec -it <container-*> -- sh
-  - ip a
-    - look for delegatedNIC IP
-  - ping <IP>
-  - confirm CNP working by attempting to ping coredns pods
-    - should fail if both are being maintained by cilium
-    - confirm with `kubectl get cep -A`
+Check Cilium Management with
+- `kubectl get cep -A`

test/integration/manifests/cilium/v1.17/cilium-config/cilium-chained-config.yaml

@@ -47,7 +47,6 @@ data:
   install-no-conntrack-iptables-rules: "false"
   ipam: delegated-plugin
   kube-proxy-replacement: "true"
-  kube-proxy-replacement-healthz-bind-address: "0.0.0.0:10256" ## Remove if kube-proxy is enabled
   local-router-ipv4: 169.254.23.0
   metrics: +cilium_bpf_map_pressure
   monitor-aggregation: medium

test/integration/manifests/cilium/watcher/deployment.yaml

@@ -231,13 +231,6 @@ spec:
                 yq eval '.spec.template.spec.containers[0].args += ["--cni-chaining-mode=generic-veth"]' -i "$temp_file"
                 # yq eval '.spec.template.spec.containers[0].args += ["--enable-host-legacy-routing=false"]' -i "$temp_file"
 
-                ### TODO / TESTING
-                # Remove if present
-                # yq eval 'del(.spec.template.spec.containers[0].args[] | select(. == "--kube-proxy-replacement=probe"))' -i "$temp_file"
-                # kube-proxy-replacement-healthz-bind-address: "0.0.0.0:10256"
-                #
-
-
                 # Replace service account name
                 yq eval '.spec.template.spec.serviceAccountName = strenv(MODIFIED_DAEMONSET)' -i "$temp_file"
                 yq eval '.spec.template.spec.serviceAccount = strenv(MODIFIED_DAEMONSET)' -i "$temp_file"

test/integration/manifests/cni/conflist-installer-byon.yaml

@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: azure-cni-conflist-installer
+  namespace: kube-system
+  labels:
+    app: azure-cni
+spec:
+  selector:
+    matchLabels:
+      k8s-app: azure-cni
+  template:
+    metadata:
+      labels:
+        k8s-app: azure-cni
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: type
+                operator: NotIn
+                values:
+                - virtual-kubelet
+              - key: kubernetes.io/os
+                operator: In
+                values:
+                - linux
+              - key: kubernetes.azure.com/managed
+                operator: In
+                values:
+                - "false"
+      priorityClassName: system-node-critical
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - operator: "Exists"
+          effect: NoExecute
+        - operator: "Exists"
+          effect: NoSchedule
+      initContainers:
+        - name: cni-installer
+          image:  ${CNI_IMAGE}
+          imagePullPolicy: Always
+          command: ["/dropgz"]
+          args:
+            - deploy
+            - --skip-verify
+            - ${CONFLIST}
+            - -o
+            - /etc/cni/net.d/${CONFLIST_PRIORITY}-${CONFLIST}
+          volumeMounts:
+            - name: cni-conflist
+              mountPath: /etc/cni/net.d
+      containers:
+        - name: pause
+          image: mcr.microsoft.com/oss/kubernetes/pause:3.6
+      hostNetwork: true
+      volumes:
+        - name: cni-conflist
+          hostPath:
+            path: /etc/cni/net.d
+            type: Directory
+
+# acnpublic.azurecr.io/azure-cni:linux-amd64-v1.7.5-3-g93d32acd0
+# envsubst '${CONFLIST},${CONFLIST_PRIORITY},${CNI_IMAGE}' < test/integration/manifests/cni/conflist-installer.yaml | kubectl apply -f -

test/integration/manifests/cni/conflist-installer.yaml

@@ -27,10 +27,6 @@ spec:
                 operator: In
                 values:
                 - linux
-              - key: kubernetes.azure.com/managed
-                operator: In
-                values:
-                - "false"
       priorityClassName: system-node-critical
       tolerations:
         - key: CriticalAddonsOnly

test/integration/manifests/swiftv2/mt-deploy.yaml

@@ -8,10 +8,8 @@ spec:
     matchLabels:
       app: container
   replicas: 1
-  template: # create pods using pod definition in this template
+  template:
     metadata:
-      # unlike pod-nginx.yaml, the name is not included in the meta data as a unique name is
-      # generated from the deployment name
       labels:
         app: container
         kubernetes.azure.com/pod-network-instance: pni