Upgrade calico to 3.29

[marosset]

What type of PR is this?
/kind cleanup

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #5498

This PR replaces #5688

Special notes for your reviewer:

TODOs:

• squashed commits
• includes documentation
• adds unit tests
• cherry-pick candidate

Release note:

Update Calico to 3.29

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 46.94%. Comparing base (ea0c2f4) to head (7e5d556).
⚠️ Report is 25 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #5844   +/-   ##
=======================================
  Coverage   46.94%   46.94%           
=======================================
  Files         279      279           
  Lines       29687    29687           
=======================================
  Hits        13936    13936           
  Misses      14938    14938           
  Partials      813      813           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[marosset]

I found another image that we'll need to add to the acr cache

Aug 27 19:44:32.767285 capz-conf-wsj56g-md-0-mldvh-nnnss kubelet[1614]: E0827 19:44:32.767196 1614 pod_workers.go:1301] "Error syncing pod, skipping" err="failed to "StartContainer" for "flexvol-driver" with ImagePullBackOff: "Back-off pulling image \"capzcicommunity.azurecr.io/calico/pod2daemon-flexvol:v3.29.4\": ErrImagePull: rpc error: code = NotFound desc = failed to pull and unpack image \"capzcicommunity.azurecr.io/calico/pod2daemon-flexvol:v3.29.4\": failed to resolve reference \"capzcicommunity.azurecr.io/calico/pod2daemon-flexvol:v3.29.4\": capzcicommunity.azurecr.io/calico/pod2daemon-flexvol:v3.29.4: not found"" pod="calico-system/calico-node-bssgs" podUID="53cae7ce-964c-4de3-9047-994cb2b71cef"

[marosset]

/test pull-cluster-api-provider-azure-conformance

[marosset]

/test pull-cluster-api-provider-azure-conformance

[marosset]

/test pull-cluster-api-provider-azure-conformance

[marosset]

/test pull-cluster-api-provider-azure-conformance

[marosset]

/retest

[marosset]

/retest

[marosset]

/retest

[marosset]

/test pull-cluster-api-provider-azure-e2e

[marosset]

/test pull-cluster-api-provider-azure-conformance-with-ci-artifacts-dra

[marosset]

/test pull-cluster-api-provider-azure-conformance

[marosset]

/test pull-cluster-api-provider-azure-conformance-azl3-with-ci-artifacts

[marosset]

/skip pull-cluster-api-provider-azure-conformance-azl3-with-ci-artifacts

[marosset]

/test pull-cluster-api-provider-azure-conformance-with-ci-artifacts-dra

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: c0fc47f9df3510b51aac80483a943d0187696280

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nojnhuh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [nojnhuh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[marosset]

/retest

[nojnhuh]

@marosset I'm seeing logs like this for most nodes across all the e2e jobs:

Failed to get logs for Machine capz-06jj60-md-0-xdh7f-vv66g, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1

In particular, that seems to be bottlenecking the scale jobs where collecting logs from each node is taking a whole minute:

Failed to get logs for Machine capz-06jj60-md-0-xdh7f-vv66g, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1
  Sep 11 21:59:39.640: INFO: Collecting logs for Linux node capz-06jj60-md-0-xdh7f-vxb9f in cluster capz-06jj60 in namespace default
  Sep 11 22:00:40.543: INFO: Collecting boot logs for resource group capz-06jj60, VM capz-06jj60-md-0-xdh7f-vxb9f
Failed to get logs for Machine capz-06jj60-md-0-xdh7f-vxb9f, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1
  Sep 11 22:00:41.167: INFO: Collecting logs for Linux node capz-06jj60-md-0-xdh7f-w4pgh in cluster capz-06jj60 in namespace default
  Sep 11 22:01:41.169: INFO: Collecting boot logs for resource group capz-06jj60, VM capz-06jj60-md-0-xdh7f-w4pgh
Failed to get logs for Machine capz-06jj60-md-0-xdh7f-w4pgh, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1
  Sep 11 22:01:41.797: INFO: Collecting logs for Linux node capz-06jj60-md-0-xdh7f-wcs98 in cluster capz-06jj60 in namespace default
  Sep 11 22:02:42.731: INFO: Collecting boot logs for resource group capz-06jj60, VM capz-06jj60-md-0-xdh7f-wcs98
Failed to get logs for Machine capz-06jj60-md-0-xdh7f-wcs98, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1
  Sep 11 22:02:43.430: INFO: Collecting logs for Linux node capz-06jj60-md-0-xdh7f-x6cm2 in cluster capz-06jj60 in namespace default
  Sep 11 22:03:43.431: INFO: Collecting boot logs for resource group capz-06jj60, VM capz-06jj60-md-0-xdh7f-x6cm2
Failed to get logs for Machine capz-06jj60-md-0-xdh7f-x6cm2, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1
  Sep 11 22:03:44.088: INFO: Collecting logs for Linux node capz-06jj60-md-0-xdh7f-xfp8s in cluster capz-06jj60 in namespace default

Could that be related to this change?

[marosset]

@marosset I'm seeing logs like this for most nodes across all the e2e jobs:

Failed to get logs for Machine capz-06jj60-md-0-xdh7f-vv66g, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1

In particular, that seems to be bottlenecking the scale jobs where collecting logs from each node is taking a whole minute:

Failed to get logs for Machine capz-06jj60-md-0-xdh7f-vv66g, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1
  Sep 11 21:59:39.640: INFO: Collecting logs for Linux node capz-06jj60-md-0-xdh7f-vxb9f in cluster capz-06jj60 in namespace default
  Sep 11 22:00:40.543: INFO: Collecting boot logs for resource group capz-06jj60, VM capz-06jj60-md-0-xdh7f-vxb9f
Failed to get logs for Machine capz-06jj60-md-0-xdh7f-vxb9f, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1
  Sep 11 22:00:41.167: INFO: Collecting logs for Linux node capz-06jj60-md-0-xdh7f-w4pgh in cluster capz-06jj60 in namespace default
  Sep 11 22:01:41.169: INFO: Collecting boot logs for resource group capz-06jj60, VM capz-06jj60-md-0-xdh7f-w4pgh
Failed to get logs for Machine capz-06jj60-md-0-xdh7f-w4pgh, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1
  Sep 11 22:01:41.797: INFO: Collecting logs for Linux node capz-06jj60-md-0-xdh7f-wcs98 in cluster capz-06jj60 in namespace default
  Sep 11 22:02:42.731: INFO: Collecting boot logs for resource group capz-06jj60, VM capz-06jj60-md-0-xdh7f-wcs98
Failed to get logs for Machine capz-06jj60-md-0-xdh7f-wcs98, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1
  Sep 11 22:02:43.430: INFO: Collecting logs for Linux node capz-06jj60-md-0-xdh7f-x6cm2 in cluster capz-06jj60 in namespace default
  Sep 11 22:03:43.431: INFO: Collecting boot logs for resource group capz-06jj60, VM capz-06jj60-md-0-xdh7f-x6cm2
Failed to get logs for Machine capz-06jj60-md-0-xdh7f-x6cm2, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1
  Sep 11 22:03:44.088: INFO: Collecting logs for Linux node capz-06jj60-md-0-xdh7f-xfp8s in cluster capz-06jj60 in namespace default

Could that be related to this change?

No idea

@marosset I'm seeing logs like this for most nodes across all the e2e jobs:

Failed to get logs for Machine capz-06jj60-md-0-xdh7f-vv66g, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1

In particular, that seems to be bottlenecking the scale jobs where collecting logs from each node is taking a whole minute:

Failed to get logs for Machine capz-06jj60-md-0-xdh7f-vv66g, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1
  Sep 11 21:59:39.640: INFO: Collecting logs for Linux node capz-06jj60-md-0-xdh7f-vxb9f in cluster capz-06jj60 in namespace default
  Sep 11 22:00:40.543: INFO: Collecting boot logs for resource group capz-06jj60, VM capz-06jj60-md-0-xdh7f-vxb9f
Failed to get logs for Machine capz-06jj60-md-0-xdh7f-vxb9f, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1
  Sep 11 22:00:41.167: INFO: Collecting logs for Linux node capz-06jj60-md-0-xdh7f-w4pgh in cluster capz-06jj60 in namespace default
  Sep 11 22:01:41.169: INFO: Collecting boot logs for resource group capz-06jj60, VM capz-06jj60-md-0-xdh7f-w4pgh
Failed to get logs for Machine capz-06jj60-md-0-xdh7f-w4pgh, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1
  Sep 11 22:01:41.797: INFO: Collecting logs for Linux node capz-06jj60-md-0-xdh7f-wcs98 in cluster capz-06jj60 in namespace default
  Sep 11 22:02:42.731: INFO: Collecting boot logs for resource group capz-06jj60, VM capz-06jj60-md-0-xdh7f-wcs98
Failed to get logs for Machine capz-06jj60-md-0-xdh7f-wcs98, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1
  Sep 11 22:02:43.430: INFO: Collecting logs for Linux node capz-06jj60-md-0-xdh7f-x6cm2 in cluster capz-06jj60 in namespace default
  Sep 11 22:03:43.431: INFO: Collecting boot logs for resource group capz-06jj60, VM capz-06jj60-md-0-xdh7f-x6cm2
Failed to get logs for Machine capz-06jj60-md-0-xdh7f-x6cm2, Cluster default/capz-06jj60: running command "cat /var/log/calico/cni/cni.log": Process exited with status 1
  Sep 11 22:03:44.088: INFO: Collecting logs for Linux node capz-06jj60-md-0-xdh7f-xfp8s in cluster capz-06jj60 in namespace default

Could that be related to this change?

No idea but I'll try and look into it

[nojnhuh]

Hm, I'm still seeing that same error even with the volume change. Firing up a cluster I see this on one of the nodes:

capi@aso-20320-controlplane-hj2gb:~$ cat /var/log/calico/cni/cni.log
cat: /var/log/calico/cni/cni.log: Permission denied
capi@aso-20320-controlplane-hj2gb:~$ ll /var/log/calico/cni/cni.log 
-rw------- 1 root root 108794 Sep 12 03:58 /var/log/calico/cni/cni.log

Building the exact same cluster with the older Calico version I see this:

capi@aso-23097-controlplane-fmsbp:~$ ll /var/log/calico/cni/cni.log 
-rw-r--r-- 1 root root 85870 Sep 12 04:07 /var/log/calico/cni/cni.log

A sudo on the cat seems to do the trick with the newer Calico.

I opened #5868 to make these things easier to spot next time.

[nojnhuh]

A sudo on the cat seems to do the trick with the newer Calico.

This change alone seems to fix things even without the volume changes. Happy to keep those anyway if there's some other benefit, otherwise I think we can revert them.

[marosset]

A sudo on the cat seems to do the trick with the newer Calico.

This change alone seems to fix things even without the volume changes. Happy to keep those anyway if there's some other benefit, otherwise I think we can revert them.

Ah - I'll drop the volume changes and add a sudo to our logging script

[marosset]

@nojnhuh - I see cni.log files for the machines now.
Thanks again!

[nojnhuh]

/lgtm

I'll leave the hold in case you're planning to squash this into one or a few commits. Feel free to drop that when you're done. As long as you don't rebase while you're cleaning things up the LGTM should stick.

Thanks!

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 317d128ac674e8db02b7f456983d710692318edb

[nojnhuh]

#5866 should fix the AKS job

/test pull-cluster-api-provider-azure-e2e-aks

[marosset]

/test pull-cluster-api-provider-azure-e2e

[marosset]

/hold cancel
This should be fine to merge once CI passes!

[k8s-ci-robot]

@marosset: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cluster-api-provider-azure-conformance-azl3-with-ci-artifacts	cef4469	link	false	/test pull-cluster-api-provider-azure-conformance-azl3-with-ci-artifacts
pull-cluster-api-provider-azure-load-test-custom-builds	21d54b5	link	false	/test pull-cluster-api-provider-azure-load-test-custom-builds
pull-cluster-api-provider-azure-conformance-with-ci-artifacts-dra	7e5d556	link	false	/test pull-cluster-api-provider-azure-conformance-with-ci-artifacts-dra

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[nojnhuh]

https://prow.k8s.io/view/gs/kubernetes-ci-logs/pr-logs/pull/kubernetes-sigs_cluster-api-provider-azure/5844/pull-cluster-api-provider-azure-conformance-with-ci-artifacts-dra/1966592810257747968

#5690

Not a required job and the last run passed without any changes so I'll let it go.