Make sure initialising data store is not stopped because of the failure in creating default and adminnetworkpolicy tiers. Calico node and typha do not have create permission, and as such attempts to create those tiers result in unauthorised errors which in the end result in:
Node not to create felixConfig which results in other deployment errors.
This PR fixes the issue in two ways:
Detect and log unauthorised error during attempts to create those tiers. Then, ignore the error as other components like calico-kube-controller would eventually create them.
Do not fail data store initialisation when unauthorised errors happen while creating default and adminnetworkpolicy tiers. Those tiers eventually get created by another component.
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one docs-* label.
docs-pr-required: This change requires a change to the documentation that has not been completed yet.
docs-completed: This change has all necessary documentation completed.
docs-not-required: This change has no user-facing impact and requires no docs.
Every PR needs one release-note-* label.
release-note-required: This PR has user-facing changes. Most PRs should have this label.
release-note-not-required: This PR has no user-facing changes.
Other optional labels:
cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.
Description
Make sure initialising data store is not stopped because of the failure in creating default and adminnetworkpolicy tiers. Calico node and typha do not have create permission, and as such attempts to create those tiers result in unauthorised errors which in the end result in:
Node not to create felixConfig which results in other deployment errors.
This PR fixes the issue in two ways:
Detect and log unauthorised error during attempts to create those tiers. Then, ignore the error as other components like calico-kube-controller would eventually create them.
create permission to calico node and typha permission to calico manifests. This is similar to operator approach like https://github.com/tigera/operator/blob/1f9a7a9afbadd33d2c216e033360ccbd540a4421/pkg/render/node.go#L482.
The PR also enables deploying typha as part of kind cluster. Having it enabled would have allowed detecting the issue earlier.
Related issues/PRs
GH issue: https://github.com/projectcalico/calico/issues/9442 https://github.com/projectcalico/calico/issues/9444
Cherry pick of https://github.com/projectcalico/calico/pull/9446
Todos
Release Note
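The tolerance this PR describes, as an added example that is not Calico's code: initialisation logs and skips a tier it has no permission to create, but still aborts on any other error so genuine datastore failures are not hidden. The error types, createFunc and ensureTiers are hypothetical stand-ins for the real client.

```go
package main

import (
	"errors"
	"fmt"
	"log"
)

// Hypothetical error types standing in for a datastore client's errors.
type ErrUnauthorized struct{ Resource string }

func (e ErrUnauthorized) Error() string { return "unauthorized: create " + e.Resource }

type ErrAlreadyExists struct{ Resource string }

func (e ErrAlreadyExists) Error() string { return "already exists: " + e.Resource }

// createFunc is a stand-in for the client call that creates a tier.
type createFunc func(name string) error

// ensureTiers tries to create each tier. "Already exists" is success.
// "Unauthorized" is logged and recorded in skipped, on the assumption that a
// more privileged component creates the tier later. Anything else aborts.
func ensureTiers(create createFunc, names []string) (skipped []string, err error) {
	for _, n := range names {
		cerr := create(n)
		var unauth ErrUnauthorized
		var exists ErrAlreadyExists
		switch {
		case cerr == nil, errors.As(cerr, &exists):
			continue
		case errors.As(cerr, &unauth):
			log.Printf("no permission to create tier %q, leaving it to another component: %v", n, cerr)
			skipped = append(skipped, n)
		default:
			return skipped, fmt.Errorf("creating tier %q: %w", n, cerr)
		}
	}
	return skipped, nil
}

func main() {
	// Constructed client: behaves like a component without create permission.
	restricted := func(name string) error {
		return fmt.Errorf("create tier: %w", ErrUnauthorized{Resource: name})
	}
	skipped, err := ensureTiers(restricted, []string{"default", "adminnetworkpolicy"})
	fmt.Println(skipped, err)
}
```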