feat(multus)!: Move to thin

.archive/music-assistant/ks.yaml

@@ -18,7 +18,7 @@ spec:
     name: home-ops-kubernetes
   wait: false
   dependsOn:
-    - name: multus-config
+    - name: multus-networks
     - name: rook-ceph-cluster
     - name: volsync
   postBuild:

kubernetes/main/apps/home-automation/esphome/ks.yaml

@@ -18,7 +18,7 @@ spec:
     name: home-ops-kubernetes
   wait: false
   dependsOn:
-    - name: multus-config
+    - name: multus-networks
     - name: rook-ceph-cluster
     - name: volsync
     - name: external-secrets-stores

kubernetes/main/apps/home-automation/home-assistant/ks.yaml

@@ -18,7 +18,7 @@ spec:
     name: home-ops-kubernetes
   wait: false
   dependsOn:
-    - name: multus-config
+    - name: multus-networks
     - name: rook-ceph-cluster
     - name: volsync
     - name: external-secrets-stores

kubernetes/main/apps/home-automation/scrypted/ks.yaml

@@ -19,7 +19,7 @@ spec:
     name: home-ops-kubernetes
   wait: false
   dependsOn:
-    - name: multus-config
+    - name: multus-networks
     - name: rook-ceph-cluster
     - name: volsync
     - name: external-secrets-stores

kubernetes/main/apps/network/multus/app/helmrelease.yaml

@@ -17,23 +17,6 @@ spec:
         namespace: flux-system
 
   values:
-    configMaps:
-      daemon-config:
-        data:
-          daemon-config.json: |
-            {
-              "cniVersion": "0.3.1",
-              "logToStderr": true,
-              "logLevel": "error",
-              "binDir": "/opt/cni/bin",
-              "chrootDir": "/hostroot",
-              "cniConfigDir": "/host/etc/cni/net.d",
-              "confDir": "/host/etc/cni/net.d",
-              "multusAutoconfigDir": "/host/etc/cni/net.d",
-              "multusConfigFile": "auto",
-              "socketDir": "/host/run/multus/"
-            }
-
     controllers:
       uninstall:
         type: job
@@ -72,144 +55,41 @@ spec:
 
         pod:
           hostNetwork: true
-          hostPID: true
 
         containers:
-          multus-daemon:
-            image: &image
+          multus:
+            image:
               repository: ghcr.io/k8snetworkplumbingwg/multus-cni
-              tag: v4.1.4-thick
-            env:
-              MULTUS_NODE_NAME:
-                valueFrom:
-                  fieldRef:
-                    fieldPath: spec.nodeName
+              tag: v4.1.4
+            command:
+              - /thin_entrypoint
+            args:
+              - --multus-conf-file=/config/00-multus.conf
+              - --cni-bin-dir=/opt/cni/bin
+              - --cni-conf-dir=/etc/cni/net.d
             resources:
               requests:
-                cpu: "5m"
-                memory: "96Mi"
+                cpu: "10m"
               limits:
                 memory: "512Mi"
             securityContext:
               privileged: true
 
-        initContainers:
-          cni-plugins-installer:
-            image:
-              repository: ghcr.io/angelnu/cni-plugins
-              tag: 1.6.1
-            resources:
-              requests:
-                cpu: "10m"
-                memory: "15Mi"
-            securityContext:
-              capabilities:
-                drop:
-                  - ALL
-            terminationMessagePath: /dev/termination-log
-            terminationMessagePolicy: FallbackToLogsOnError
-
-          multus-shim-installer:
-            image: *image
-            command:
-              - /bin/sh
-              - -c
-            args: |
-              set -x
-              cp -f /usr/src/multus-cni/bin/multus-shim /host/opt/cni/bin/multus-shim
-            resources:
-              requests:
-                cpu: "10m"
-                memory: "15Mi"
-            securityContext:
-              capabilities:
-                drop:
-                  - ALL
-            terminationMessagePath: /dev/termination-log
-            terminationMessagePolicy: FallbackToLogsOnError
-
     persistence:
-      cni:
-        type: hostPath
-        hostPath: /etc/cni/net.d
-        advancedMounts:
-          uninstall:
-            uninstall:
-              - path: /host/etc/cni/net.d
-          multus:
-            multus-daemon:
-              - path: /host/etc/cni/net.d
-
-      cnibin:
-        type: hostPath
-        hostPath: /opt/cni/bin
-        advancedMounts:
-          uninstall:
-            uninstall:
-              - path: /host/opt/cni/bin
-          multus:
-            cni-plugins-installer:
-              - path: /host/opt/cni/bin
-            multus-shim-installer:
-              - path: /host/opt/cni/bin
-            multus-daemon:
-              # multus-daemon expects that cnibin path must be identical between pod and container host.
-              # e.g. if the cni bin is in '/opt/cni/bin' on the container host side, then it should be
-              # mount to '/opt/cni/bin' in multus-daemon, not to any other directory, like '/opt/bin' or
-              # '/usr/bin'.
-              - path: /opt/cni/bin
-
       config:
         type: configMap
-        name: multus-daemon-config
-        advancedMounts:
-          multus:
-            multus-daemon:
-              - path: /etc/cni/net.d/multus.d
-      hostroot:
-        type: hostPath
-        hostPath: /
-        advancedMounts:
-          multus:
-            multus-daemon:
-              - path: /hostroot
-                mountPropagation: HostToContainer
-      host-run:
+        name: multus-configmap
+        globalMounts:
+          - path: /config/00-multus.conf
+            subPath: 00-multus.conf
+            readOnly: true
+      etc-cni-net-d:
         type: hostPath
-        hostPath: /run
-        advancedMounts:
-          multus:
-            multus-daemon:
-              - path: /host/run
-      host-var-lib-cni-multus:
-        type: hostPath
-        hostPath: /var/lib/cni/multus
-        advancedMounts:
-          multus:
-            multus-daemon:
-              - path: /var/lib/cni/multus
-      host-var-lib-kubelet:
-        type: hostPath
-        hostPath: /var/lib/kubelet
-        advancedMounts:
-          multus:
-            multus-daemon:
-              - path: /var/lib/kubelet
-      host-run-k8s-cni-cncf-io:
-        type: hostPath
-        hostPath: /run/k8s.cni.cncf.io
-        advancedMounts:
-          multus:
-            multus-daemon:
-              - path: /run/k8s.cni.cncf.io
-      host-run-netns:
+        hostPath: /etc/cni/net.d
+      opt-cni-bin:
         type: hostPath
-        hostPath: /var/run/netns/
-        advancedMounts:
-          multus:
-            multus-daemon:
-              - path: /run/netns/
-                mountPropagation: HostToContainer
+        hostPath: /opt/cni/bin
 
     serviceAccount:
       create: true
+      name: multus

kubernetes/main/apps/network/multus/app/kustomization.yaml

@@ -3,6 +3,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  # renovate: depName=k8snetworkplumbingwg/network-attachment-definition-client datasource=github-releases
+  - https://raw.githubusercontent.com/k8snetworkplumbingwg/network-attachment-definition-client/refs/tags/v1.7.5/artifacts/networks-crd.yaml
   - ./helmrelease.yaml
   - ./rbac.yaml
-  - ./crd.yaml
+configMapGenerator:
+  - name: multus-configmap
+    files:
+      - ./resources/00-multus.conf
+generatorOptions:
+  disableNameSuffixHash: true

kubernetes/main/apps/network/multus/app/rbac.yaml

@@ -4,39 +4,38 @@ kind: ClusterRole
 metadata:
   name: multus
 rules:
-  - apiGroups: ["k8s.cni.cncf.io"]
+  - apiGroups:
+      - "k8s.cni.cncf.io"
     resources:
       - "*"
     verbs:
       - "*"
   - apiGroups:
       - ""
     resources:
-      - pods
-      - pods/status
+      - "pods"
+      - "pods/status"
     verbs:
-      - get
-      - list
-      - update
-      - watch
+      - "get"
+      - "update"
   - apiGroups:
       - ""
-      - events.k8s.io
+      - "events.k8s.io"
     resources:
-      - events
+      - "events"
     verbs:
-      - create
-      - patch
-      - update
+      - "create"
+      - "patch"
+      - "update"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: multus
 roleRef:
-  apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: multus
+  apiGroup: rbac.authorization.k8s.io
 subjects:
   - kind: ServiceAccount
     name: multus

kubernetes/main/apps/network/multus/app/resources/00-multus.conf

@@ -0,0 +1,15 @@
+{
+  "cniVersion": "0.3.1",
+  "name": "multus-cni-network",
+  "type": "multus",
+  "delegates": [
+    {
+      "type": "cilium-cni",
+      "name": "cilium",
+      "delegate": {
+        "isDefaultGateway": true
+      }
+    }
+  ],
+  "kubeconfig": "/etc/cni/net.d/multus.d/multus.kubeconfig"
+}

kubernetes/main/apps/network/multus/ks.yaml

@@ -23,7 +23,7 @@ spec:
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: &appname multus-config
+  name: &appname multus-networks
   namespace: flux-system
 spec:
   targetNamespace: network

kubernetes/main/apps/network/multus/networks/kustomization.yaml

@@ -3,4 +3,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./net-attach-iot.yaml
+  - ./iot.yaml