[Calico] Realign Calico v2 chart for upcoming v3.2 upgrade
This PS realigns Calico v2 with the pending Calico v3.2 chart in order to minimize differences. It's mostly refactoring with a few small fixes. Change-Id: Ie5157b4ae324b6eb4c8ccb5cc07d8b9bc5a83ebd
This commit is contained in:
parent
681dee71b7
commit
45275ffefd
@ -80,6 +80,6 @@ EOF
|
||||
# process IPv6 peers
|
||||
{{ if .Values.networking.bgp.ipv6.peers }}
|
||||
cat << EOF | ${CALICOCTL} apply -f -
|
||||
{{ .Values.networking.bgp.ipv4.peers | toYaml }}
|
||||
{{ .Values.networking.bgp.ipv6.peers | toYaml }}
|
||||
EOF
|
||||
{{ end }}
|
||||
|
@ -40,9 +40,11 @@ fi;
|
||||
|
||||
cat <<EOF>/host/opt/cni/bin/calicoctl
|
||||
export ETCD_ENDPOINTS=$ETCD_ENDPOINTS
|
||||
if [ -e $ETCD_KEY_FILE ]; then export ETCD_KEY_FILE=$ETCD_KEY_FILE; fi;
|
||||
if [ -e $ETCD_CERT_FILE ]; then export ETCD_CERT_FILE=$ETCD_CERT_FILE; fi;
|
||||
if [ -e $ETCD_CA_CERT_FILE ]; then export ETCD_CA_CERT_FILE=$ETCD_CA_CERT_FILE; fi;
|
||||
|
||||
[ -e $ETCD_KEY_FILE ] && export ETCD_KEY_FILE=$ETCD_KEY_FILE
|
||||
[ -e $ETCD_CERT_FILE ] && export ETCD_CERT_FILE=$ETCD_CERT_FILE
|
||||
[ -e $ETCD_CA_CERT_FILE ] && export ETCD_CA_CERT_FILE=$ETCD_CA_CERT_FILE
|
||||
|
||||
exec /opt/cni/bin/calicoctl.bin \$*
|
||||
EOF
|
||||
|
||||
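Review bot: The rewritten existence tests still expand an unquoted variable, so when a cert path is not set the generated wrapper contains `[ -e ] && export ETCD_KEY_FILE=`, and a one-argument `[ -e ]` is true — the empty value is exported instead of skipped, exactly as with the old `if`/`fi` form. The heredoc delimiter is unquoted (only `\$*` is escaped), so this expansion happens when the wrapper is written to `/host/opt/cni/bin/calicoctl`, not when it runs. Quoting both sides fixes it: `[ -e "$ETCD_KEY_FILE" ] && export ETCD_KEY_FILE="$ETCD_KEY_FILE"`, and likewise for the cert and CA lines. Whether calicoctl treats an empty `ETCD_KEY_FILE` as unset is not visible here, so this is a hardening of the wrapper rather than a known breakage.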
|
47
calico/templates/configmap-bird.yaml
Normal file
47
calico/templates/configmap-bird.yaml
Normal file
@ -0,0 +1,47 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.configmap_bird }}
|
||||
{{- $envAll := . }}
|
||||
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: calico-bird
|
||||
data:
|
||||
# we overlay templates found natively in the calico-node container
|
||||
# so that we may override bgp configuration
|
||||
bird6.cfg.mesh.template: |
|
||||
{{ tuple "bird/_bird6.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
bird6.cfg.no-mesh.template: |
|
||||
{{ tuple "bird/_bird6.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
bird6_ipam.cfg.template: |
|
||||
{{ tuple "bird/_bird6_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
bird_aggr.cfg.template: |
|
||||
{{ tuple "bird/_bird_aggr.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
bird.cfg.mesh.template: |
|
||||
{{ tuple "bird/_bird.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
bird.cfg.no-mesh.template: |
|
||||
{{ tuple "bird/_bird.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
bird_ipam.cfg.template: |
|
||||
{{ tuple "bird/_bird_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
custom_filters6.cfg.template: |
|
||||
{{ tuple "bird/_custom_filters6.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
custom_filters.cfg.template: |
|
||||
{{ tuple "bird/_custom_filters.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
|
||||
{{- end }}
|
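Review bot: Every key in this new ConfigMap is consumed through a `subPath` mount in the calico-node DaemonSet's volumeMounts, and to my understanding subPath mounts do not receive ConfigMap updates in place, so a change to any bird template reaches running pods only through the `configmap-bird-hash` pod annotation introduced in the same commit. That coupling is not stated anywhere and deserves a comment next to `data:`, e.g. `# NOTE: these keys are mounted via subPath; edits only reach running pods through the configmap-bird-hash annotation on the calico-node pod template.` The ConfigMap also carries no `namespace`, matching `calico-etc`; if that is intentional, a one-line comment saying the release namespace is assumed would save the next reader a check.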
@ -30,41 +30,17 @@ limitations under the License.
|
||||
{{- end -}}
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: calico-etc
|
||||
data:
|
||||
|
||||
# we overlay templates found natively in the calico-node container so that we may override
|
||||
# bgp configuration
|
||||
|
||||
bird6.cfg.mesh.template: |
|
||||
{{ tuple "etc/bird/_bird6.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
bird6.cfg.no-mesh.template: |
|
||||
{{ tuple "etc/bird/_bird6.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
bird6_ipam.cfg.template: |
|
||||
{{ tuple "etc/bird/_bird6_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
bird_aggr.cfg.template: |
|
||||
{{ tuple "etc/bird/_bird_aggr.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
bird.cfg.mesh.template: |
|
||||
{{ tuple "etc/bird/_bird.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
bird.cfg.no-mesh.template: |
|
||||
{{ tuple "etc/bird/_bird.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
bird_ipam.cfg.template: |
|
||||
{{ tuple "etc/bird/_bird_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
custom_filters6.cfg.template: |
|
||||
{{ tuple "etc/bird/_custom_filters6.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
custom_filters.cfg.template: |
|
||||
{{ tuple "etc/bird/_custom_filters.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
tunl-ip.template: |
|
||||
{{ tuple "etc/bird/_tunl-ip.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
|
||||
# The location of your etcd cluster. This uses the Service clusterIP
|
||||
# defined below.
|
||||
etcd_endpoints: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
|
||||
|
||||
# The CNI network configuration to install on each node.
|
||||
# The CNI network configuration to install on each node, generated
|
||||
# from (Values.)conf.cni_network_config
|
||||
cni_network_config: |-
|
||||
{{ toJson $envAll.Values.conf.cni_network_config | indent 4 }}
|
||||
|
||||
|
@ -18,12 +18,12 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
|
||||
{{- $serviceAccountName := "calico-etcd"}}
|
||||
{{ tuple $envAll "etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
{{ tuple $envAll "calico-etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
|
||||
# to force it to run on the master even when the master isn't schedulable, and uses
|
||||
# nodeSelector to ensure it only runs on the master.
|
||||
apiVersion: apps/v1
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: calico-etcd
|
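Review bot: The DaemonSet's `apiVersion` changes between `apps/v1` and `extensions/v1beta1` in this hunk, and the page does not mark which side is new; if these lines read old-then-new, the manifest is moving back to `extensions/v1beta1`, the deprecated group (DaemonSet there was removed in Kubernetes 1.16), which would be a regression even if it matches the upstream Calico v3.2 manifest. The same change appears in the calico-node DaemonSet hunk and in the calico-kube-controllers Deployment hunk later in this commit. If the realignment genuinely needs the older group, a comment such as `# apiVersion kept at extensions/v1beta1 to match the upstream Calico manifest; revisit before Kubernetes 1.16` would record the reason; otherwise `apiVersion: apps/v1` should stay (the calico-node hunk already shows the `selector.matchLabels` that apps/v1 requires).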
||||
@ -43,19 +43,26 @@ spec:
|
||||
k8s-app: calico-etcd
|
||||
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
annotations:
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
|
||||
# reserves resources for critical add-on pods so that they can be rescheduled after
|
||||
# a failure. This annotation works in tandem with the toleration below.
|
||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||
spec:
|
||||
# Only run this pod on the master.
|
||||
tolerations:
|
||||
# This taint is set by all kubelets running `--cloud-provider=external`
|
||||
# so we should tolerate it to schedule the Calico pods
|
||||
- key: node.cloudprovider.kubernetes.io/uninitialized
|
||||
value: "true"
|
||||
effect: NoSchedule
|
||||
# Allow this pod to run on the master.
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
|
||||
# This, along with the annotation above marks this pod as a critical add-on.
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
# Only run this pod on the master.
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
hostNetwork: true
|
||||
@ -72,11 +79,13 @@ spec:
|
||||
fieldPath: status.podIP
|
||||
command:
|
||||
- /usr/local/bin/etcd
|
||||
args:
|
||||
- --name=calico
|
||||
- --data-dir=/var/etcd/calico-data
|
||||
- --advertise-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
|
||||
- --listen-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
- --listen-peer-urls={{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
- --auto-compaction-retention=1
|
||||
volumeMounts:
|
||||
- name: var-etcd
|
||||
mountPath: /var/etcd
|
||||
|
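Review bot: The etcd server binds `--listen-client-urls` and `--listen-peer-urls` on `0.0.0.0` inside a `hostNetwork: true` pod, and nothing in this hunk configures server-side TLS or client-certificate authentication (`--cert-file`, `--key-file`, `--client-cert-auth`, or their peer equivalents). If the scheme lookup yields `http`, this etcd accepts unauthenticated reads and writes of the whole Calico datastore from anything that can reach the master node's network; if it yields `https`, the server-side flags must be supplied somewhere outside this hunk. A comment on the args list stating which case applies, e.g. `# NOTE: client/peer TLS for this etcd is configured in <location>; without it the listener is reachable unauthenticated on the host network`, would make the trust assumption explicit. The container spec continues outside the hunk.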
@ -33,7 +33,6 @@ limitations under the License.
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }}
|
||||
|
||||
{{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-cni-plugin"}}
|
||||
{{ tuple $envAll "calico_node" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
@ -67,10 +66,9 @@ rules:
|
||||
# as the Calico CNI plugins and network config on
|
||||
# each master and worker node in a Kubernetes cluster.
|
||||
kind: DaemonSet
|
||||
apiVersion: apps/v1
|
||||
apiVersion: extensions/v1beta1
|
||||
metadata:
|
||||
name: calico-node
|
||||
namespace: kube-system
|
||||
annotations:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
||||
labels:
|
||||
@ -81,30 +79,45 @@ spec:
|
||||
matchLabels:
|
||||
k8s-app: calico-node
|
||||
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
rollingUpdate:
|
||||
maxUnavailable: 1
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: calico-node
|
||||
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
annotations:
|
||||
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
|
||||
# reserves resources for critical add-on pods so that they can be rescheduled after
|
||||
# a failure. This annotation works in tandem with the toleration below.
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
configmap-bird-hash: {{ tuple "configmap-bird.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
# This, along with the CriticalAddonsOnly toleration below,
|
||||
# marks the pod as a critical add-on, ensuring it gets
|
||||
# priority scheduling and that its resources are reserved
|
||||
# if it ever gets evicted.
|
||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||
{{- if .Values.monitoring.prometheus.enabled }}
|
||||
{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }}
|
||||
{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
nodeSelector:
|
||||
beta.kubernetes.io/os: linux
|
||||
hostNetwork: true
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
|
||||
# This, along with the annotation above marks this pod as a critical add-on.
|
||||
# Make sure calico-node gets scheduled on all nodes.
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
# Mark the pod as a critical add-on for rescheduling.
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.node.timeout | default "30" }}
|
||||
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
|
||||
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
|
||||
terminationGracePeriodSeconds: 0
|
||||
initContainers:
|
||||
{{ tuple $envAll "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
{{ if .Values.manifests.daemonset_calico_node_calicoctl }}
|
||||
@ -119,13 +132,14 @@ spec:
|
||||
configMapKeyRef:
|
||||
name: calico-etc
|
||||
key: etcd_endpoints
|
||||
|
||||
{{ if .Values.endpoints.etcd.auth.client.tls.ca}}
|
||||
- name: ETCD_CA_CERT_FILE
|
||||
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
||||
- name: ETCD_CA_CERT
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: calico-certificates
|
||||
name: calico-etcd-secrets
|
||||
key: tls.ca
|
||||
{{ end }}
|
||||
{{ if .Values.endpoints.etcd.auth.client.tls.key}}
|
||||
@ -134,7 +148,7 @@ spec:
|
||||
- name: ETCD_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: calico-certificates
|
||||
name: calico-etcd-secrets
|
||||
key: tls.key
|
||||
{{ end }}
|
||||
{{ if .Values.endpoints.etcd.auth.client.tls.crt}}
|
||||
@ -143,7 +157,7 @@ spec:
|
||||
- name: ETCD_CERT
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: calico-certificates
|
||||
name: calico-etcd-secrets
|
||||
key: tls.crt
|
||||
{{ end }}
|
||||
volumeMounts:
|
||||
@ -154,15 +168,15 @@ spec:
|
||||
- mountPath: /tmp/install-calicoctl.sh
|
||||
name: calico-bin
|
||||
subPath: install-calicoctl.sh
|
||||
- name: calico-certificates
|
||||
- name: calico-etcd-secrets
|
||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
||||
subPath: tls.ca
|
||||
readOnly: true
|
||||
- name: calico-certificates
|
||||
- name: calico-etcd-secrets
|
||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
||||
subPath: tls.crt
|
||||
readOnly: true
|
||||
- name: calico-certificates
|
||||
- name: calico-etcd-secrets
|
||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
|
||||
subPath: tls.key
|
||||
readOnly: true
|
||||
@ -175,18 +189,24 @@ spec:
|
||||
{{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
env:
|
||||
# Values expanded explicitly from conf.node (some of which
|
||||
# might be derived from elsewhere, see values.yaml for an
|
||||
# explanation of this)
|
||||
#
|
||||
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.node | indent 12 }}
|
||||
|
||||
# Values explicit in the chart not expected to be found in
|
||||
# conf.node
|
||||
#
|
||||
|
||||
# The location of the Calico etcd cluster.
|
||||
- name: ETCD_ENDPOINTS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: calico-etc
|
||||
key: etcd_endpoints
|
||||
# Set noderef for node controller.
|
||||
- name: CALICO_K8S_NODE_REF
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.nodeName
|
||||
|
||||
# etcd certs
|
||||
{{ if .Values.endpoints.etcd.auth.client.tls.ca}}
|
||||
- name: ETCD_CA_CERT_FILE
|
||||
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
||||
@ -199,8 +219,26 @@ spec:
|
||||
- name: ETCD_CERT_FILE
|
||||
value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
||||
{{ end }}
|
||||
|
||||
# Set noderef for node controller.
|
||||
- name: CALICO_K8S_NODE_REF
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.nodeName
|
||||
|
||||
securityContext:
|
||||
privileged: true
|
||||
resources:
|
||||
requests:
|
||||
cpu: 250m
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /liveness
|
||||
port: 9099
|
||||
host: localhost
|
||||
periodSeconds: 10
|
||||
initialDelaySeconds: 10
|
||||
failureThreshold: 6
|
||||
volumeMounts:
|
||||
- mountPath: /lib/modules
|
||||
name: lib-modules
|
||||
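Review bot: The added `resources:` block (`requests: cpu: 250m`) sits in the same container mapping as the `helm-toolkit.snippets.kubernetes_resources` include a few lines earlier in this file, so whenever that snippet renders a `resources` key the container carries the key twice; YAML parsers silently keep the last one, so either `pod.resources.calico_node` or this hard-coded request is dropped depending on order. The hard-coded block should go, leaving the include as the single source (a 250m request can live in `pod.resources.calico_node` defaults instead). The new `livenessProbe` uses `host: localhost` on port `9099`, which with `hostNetwork: true` is the node's loopback; that is presumably intended but differs from the usual pod-IP probe and merits a one-line comment. The container definition continues outside the hunk.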
@ -208,45 +246,53 @@ spec:
|
||||
- mountPath: /var/run/calico
|
||||
name: var-run-calico
|
||||
readOnly: false
|
||||
- mountPath: /etc/calico/confd/templates/bird6.cfg.mesh.template
|
||||
name: calico-etc
|
||||
subPath: bird6.cfg.mesh.template
|
||||
- mountPath: /etc/calico/confd/templates/bird6.cfg.no-mesh.template
|
||||
name: calico-etc
|
||||
subPath: bird6.cfg.no-mesh.template
|
||||
- mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template
|
||||
name: calico-etc
|
||||
subPath: bird6_ipam.cfg.template
|
||||
- mountPath: /etc/calico/confd/templates/bird_aggr.cfg.template
|
||||
name: calico-etc
|
||||
subPath: bird_aggr.cfg.template
|
||||
|
||||
# bird template replacements
|
||||
# bird cfg
|
||||
- mountPath: /etc/calico/confd/templates/bird.cfg.mesh.template
|
||||
name: calico-etc
|
||||
name: calico-bird
|
||||
subPath: bird.cfg.mesh.template
|
||||
- mountPath: /etc/calico/confd/templates/bird.cfg.no-mesh.template
|
||||
name: calico-etc
|
||||
name: calico-bird
|
||||
subPath: bird.cfg.no-mesh.template
|
||||
# bird ipam
|
||||
- mountPath: /etc/calico/confd/templates/bird_ipam.cfg.template
|
||||
name: calico-etc
|
||||
name: calico-bird
|
||||
subPath: bird_ipam.cfg.template
|
||||
# bird6 cfg
|
||||
- mountPath: /etc/calico/confd/templates/bird6.cfg.mesh.template
|
||||
name: calico-bird
|
||||
subPath: bird6.cfg.mesh.template
|
||||
- mountPath: /etc/calico/confd/templates/bird6.cfg.no-mesh.template
|
||||
name: calico-bird
|
||||
subPath: bird6.cfg.no-mesh.template
|
||||
# bird6 ipam
|
||||
- mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template
|
||||
name: calico-bird
|
||||
subPath: bird6_ipam.cfg.template
|
||||
# filters...
|
||||
- mountPath: /etc/calico/confd/templates/bird_aggr.cfg.template
|
||||
name: calico-bird
|
||||
subPath: bird_aggr.cfg.template
|
||||
- mountPath: /etc/calico/confd/templates/custom_filters6.cfg.template
|
||||
name: calico-etc
|
||||
name: calico-bird
|
||||
subPath: custom_filters6.cfg.template
|
||||
- mountPath: /etc/calico/confd/templates/custom_filters.cfg.template
|
||||
name: calico-etc
|
||||
name: calico-bird
|
||||
subPath: custom_filters.cfg.template
|
||||
- mountPath: /etc/calico/confd/templates/tunl-ip.template
|
||||
name: calico-etc
|
||||
subPath: tunl-ip.template
|
||||
- name: calico-certificates
|
||||
# etcd secrets
|
||||
- mountPath: /var/lib/calico
|
||||
name: var-lib-calico
|
||||
readOnly: false
|
||||
- name: calico-etcd-secrets
|
||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
||||
subPath: tls.ca
|
||||
readOnly: true
|
||||
- name: calico-certificates
|
||||
- name: calico-etcd-secrets
|
||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
||||
subPath: tls.crt
|
||||
readOnly: true
|
||||
- name: calico-certificates
|
||||
- name: calico-etcd-secrets
|
||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
|
||||
subPath: tls.key
|
||||
readOnly: true
|
||||
@ -257,6 +303,12 @@ spec:
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.calico_cni | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
command: ["/install-cni.sh"]
|
||||
env:
|
||||
# Name of the CNI config file to create.
|
||||
#
|
||||
# NOTE: Calico v2 needs to end in .conf; Calico v3 is
|
||||
# different!
|
||||
- name: CNI_CONF_NAME
|
||||
value: "10-calico.conf"
|
||||
# The location of the Calico etcd cluster.
|
||||
- name: ETCD_ENDPOINTS
|
||||
valueFrom:
|
||||
@ -282,6 +334,9 @@ spec:
|
||||
- name: var-run-calico
|
||||
hostPath:
|
||||
path: /var/run/calico
|
||||
- name: var-lib-calico
|
||||
hostPath:
|
||||
path: /var/lib/calico
|
||||
# Used to install CNI.
|
||||
- name: cni-bin-dir
|
||||
hostPath:
|
||||
@ -296,11 +351,15 @@ spec:
|
||||
configMap:
|
||||
name: calico-etc
|
||||
defaultMode: 0444
|
||||
- name: calico-bird
|
||||
configMap:
|
||||
name: calico-bird
|
||||
defaultMode: 0444
|
||||
- name: calico-bin
|
||||
configMap:
|
||||
name: calico-bin
|
||||
defaultMode: 0555
|
||||
- name: calico-certificates
|
||||
- name: calico-etcd-secrets
|
||||
secret:
|
||||
secretName: calico-certificates
|
||||
secretName: calico-etcd-secrets
|
||||
{{- end }}
|
||||
|
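Review bot: The new `calico-bird` volume is referenced unconditionally, while the ConfigMap it points at renders only under `{{- if .Values.manifests.configmap_bird }}`; disabling that manifest leaves the DaemonSet pods pending on a missing ConfigMap, and the `configmap-bird-hash` annotation would hash empty output. Either gate the volume and its mounts on the same value or document that `manifests.configmap_bird` must stay enabled whenever the DaemonSet is. Separately, the renamed `calico-etcd-secrets` volume here sets no `defaultMode`, whereas the same secret volume in the kube-controllers Deployment uses `defaultMode: 0400`; adding `defaultMode: 0400` here keeps the etcd client key from being readable by every process in the container. The volumes list starts before this hunk.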
@ -14,14 +14,14 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.deployment_calico_kube_policy_controllers }}
|
||||
{{- if .Values.manifests.deployment_calico_kube_controllers }}
|
||||
{{- $envAll := . }}
|
||||
|
||||
{{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-kube-controllers"}}
|
||||
{{ tuple $envAll "calico_kube_policy_controllers" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
{{ tuple $envAll "calico_kube_controllers" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: {{ $serviceAccountName }}
|
||||
roleRef:
|
||||
@ -46,68 +46,72 @@ rules:
|
||||
- namespaces
|
||||
- networkpolicies
|
||||
- nodes
|
||||
- serviceaccounts
|
||||
verbs:
|
||||
- watch
|
||||
- list
|
||||
- apiGroups:
|
||||
- networking.k8s.io
|
||||
resources:
|
||||
- networkpolicies
|
||||
verbs:
|
||||
- watch
|
||||
- list
|
||||
---
|
||||
# This manifest deploys the Calico Kubernetes controllers.
|
||||
# See https://github.com/projectcalico/kube-controllers
|
||||
apiVersion: apps/v1
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: calico-kube-policy-controllers
|
||||
name: calico-kube-controllers
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
||||
labels:
|
||||
k8s-app: calico-kube-policy-controllers
|
||||
{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
k8s-app: calico-kube-controllers
|
||||
{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
annotations:
|
||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
||||
spec:
|
||||
# The controllers can only have a single active instance.
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: calico-kube-policy-controllers
|
||||
{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
|
||||
k8s-app: calico-kube-controllers
|
||||
{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
|
||||
strategy:
|
||||
type: Recreate
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
|
||||
template:
|
||||
metadata:
|
||||
name: calico-kube-policy-controllers
|
||||
namespace: kube-system
|
||||
name: calico-kube-controllers
|
||||
labels:
|
||||
k8s-app: calico-kube-policy-controllers
|
||||
{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
k8s-app: calico-kube-controllers
|
||||
{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
annotations:
|
||||
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
|
||||
# reserves resources for critical add-on pods so that they can be rescheduled after
|
||||
# a failure. This annotation works in tandem with the toleration below.
|
||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
spec:
|
||||
nodeSelector:
|
||||
beta.kubernetes.io/os: linux
|
||||
# The controllers must run in the host network namespace so that
|
||||
# it isn't governed by policy that would prevent it from working.
|
||||
hostNetwork: true
|
||||
tolerations:
|
||||
# this taint is set by all kubelets running `--cloud-provider=external`
|
||||
# so we should tolerate it to schedule the calico pods
|
||||
# Mark the pod as a critical add-on for rescheduling.
|
||||
- key: node.cloudprovider.kubernetes.io/uninitialized
|
||||
value: "true"
|
||||
effect: NoSchedule
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
|
||||
# This, along with the annotation above marks this pod as a critical add-on.
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
initContainers:
|
||||
{{ tuple $envAll "calico_kube_policy_controllers" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.policy_controller.timeout | default "30" }}
|
||||
{{ tuple $envAll "calico_kube_controllers" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
- name: calico-policy-controller
|
||||
{{ tuple $envAll "calico_kube_policy_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.calico_kube_policy_controller | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
- name: calico-kube-controllers
|
||||
{{ tuple $envAll "calico_kube_controllers" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.calico_kube_controllers | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
env:
|
||||
# The location of the Calico etcd cluster.
|
||||
- name: ETCD_ENDPOINTS
|
||||
@ -115,7 +119,11 @@ spec:
|
||||
configMapKeyRef:
|
||||
name: calico-etc
|
||||
key: etcd_endpoints
|
||||
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.policy_controller | indent 12 }}
|
||||
|
||||
# conf.controllers expanded values
|
||||
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.controllers | indent 12 }}
|
||||
|
||||
# etcd tls files
|
||||
{{ if .Values.endpoints.etcd.auth.client.tls.ca}}
|
||||
- name: ETCD_CA_CERT_FILE
|
||||
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
||||
@ -128,21 +136,25 @@ spec:
|
||||
- name: ETCD_CERT_FILE
|
||||
value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
||||
{{ end }}
|
||||
|
||||
# etcd tls mounts
|
||||
volumeMounts:
|
||||
- name: calico-certificates
|
||||
- name: calico-etcd-secrets
|
||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
||||
subPath: tls.ca
|
||||
readOnly: true
|
||||
- name: calico-certificates
|
||||
- name: calico-etcd-secrets
|
||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
||||
subPath: tls.crt
|
||||
readOnly: true
|
||||
- name: calico-certificates
|
||||
- name: calico-etcd-secrets
|
||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
|
||||
subPath: tls.key
|
||||
readOnly: true
|
||||
|
||||
volumes:
|
||||
- name: calico-certificates
|
||||
- name: calico-etcd-secrets
|
||||
secret:
|
||||
secretName: calico-certificates
|
||||
secretName: calico-etcd-secrets
|
||||
defaultMode: 0400
|
||||
{{- end }}
|
||||
|
@ -1,7 +0,0 @@
|
||||
We must dump all pool data to this file to trigger a resync.
|
||||
Otherwise, confd notices the file hasn't changed and won't
|
||||
run our python update script.
|
||||
|
||||
{{`{{range ls "/pool"}}`}}{{`{{$data := json (getv (printf "/pool/%s" .))}}`}}
|
||||
{{`{{if $data.ipip}}`}}{{`{{if not $data.disabled}}`}}{{`{{$data.cidr}}`}}{{`{{end}}`}}{{`{{end}}`}}
|
||||
{{`{{end}}`}}
|
@ -30,6 +30,8 @@ spec:
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
|
||||
# reserves resources for critical add-on pods so that they can be rescheduled after
|
||||
# a failure. This annotation works in tandem with the toleration below.
|
||||
@ -78,15 +80,15 @@ spec:
|
||||
mountPath: /tmp/calico-settings.sh
|
||||
subPath: calico-settings.sh
|
||||
readOnly: true
|
||||
- name: calico-certificates
|
||||
- name: calico-etcd-secrets
|
||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
||||
subPath: tls.ca
|
||||
readOnly: true
|
||||
- name: calico-certificates
|
||||
- name: calico-etcd-secrets
|
||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
||||
subPath: tls.crt
|
||||
readOnly: true
|
||||
- name: calico-certificates
|
||||
- name: calico-etcd-secrets
|
||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
|
||||
subPath: tls.key
|
||||
readOnly: true
|
||||
@ -95,7 +97,7 @@ spec:
|
||||
configMap:
|
||||
name: calico-bin
|
||||
defaultMode: 0555
|
||||
- name: calico-certificates
|
||||
- name: calico-etcd-secrets
|
||||
secret:
|
||||
secretName: calico-certificates
|
||||
secretName: calico-etcd-secrets
|
||||
{{- end }}
|
||||
|
@ -20,12 +20,11 @@ limitations under the License.
|
||||
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: calico-certificates
|
||||
type: kubernetes.io/tls
|
||||
metadata:
|
||||
name: calico-etcd-secrets
|
||||
data:
|
||||
tls.ca: {{ .Values.endpoints.etcd.auth.client.tls.ca | default "" | b64enc }}
|
||||
tls.key: {{ .Values.endpoints.etcd.auth.client.tls.key | default "" | b64enc }}
|
||||
tls.crt: {{ .Values.endpoints.etcd.auth.client.tls.crt | default "" | b64enc }}
|
||||
{{ end }}
|
||||
|
||||
{{- end }}
|
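Review bot: The `data` entries fall back to `default ""`, so when no etcd client TLS material is configured the Secret still renders with empty `tls.ca`/`tls.key`/`tls.crt` values, and the unconditional secret mounts in the calico-node DaemonSet and the controllers Deployment then place empty files at the configured cert paths. That appears harmless because the matching `ETCD_*_FILE` environment variables are only emitted under the `{{ if .Values.endpoints.etcd.auth.client.tls.* }}` guards, but it is non-obvious and deserves a comment above `data:`, e.g. `# NOTE: rendered even without TLS material; empty keys mount as empty files and the ETCD_*_FILE env vars stay unset.` Dropping `type: kubernetes.io/tls` also removes the API server's check that tls.crt and tls.key are present, a check the `default ""` had already made vacuous; a short comment noting the type was dropped deliberately would stop a later reviewer from adding it back.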
@ -33,7 +33,7 @@ spec:
|
||||
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
# This ClusterIP needs to be known in advance, since we cannot rely
|
||||
# on DNS to get access to etcd.
|
||||
clusterIP: 10.96.232.136
|
||||
clusterIP: {{ tuple "etcd" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
|
||||
ports:
|
||||
- port: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
{{- end }}
|
||||
|
@ -12,11 +12,6 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
labels:
|
||||
job:
|
||||
node_selector_key: openstack-control-plane
|
||||
node_selector_value: enabled
|
||||
|
||||
images:
|
||||
tags:
|
||||
calico_etcd: quay.io/coreos/etcd:v3.1.14
|
||||
@ -24,7 +19,8 @@ images:
|
||||
calico_cni: quay.io/calico/cni:v1.11.5
|
||||
calico_ctl: quay.io/calico/ctl:v1.6.4
|
||||
calico_settings: quay.io/calico/ctl:v1.6.4
|
||||
calico_kube_policy_controller: quay.io/calico/kube-policy-controller:v0.7.0
|
||||
# NOTE: plural key, singular value
|
||||
calico_kube_controllers: quay.io/calico/kube-policy-controller:v0.7.0
|
||||
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
|
||||
image_repo_sync: docker.io/docker:17.07.0
|
||||
pull_policy: IfNotPresent
|
||||
@ -36,7 +32,7 @@ images:
|
||||
- calico_etcd
|
||||
- calico_node
|
||||
- calico_cni
|
||||
- calico_kube_policy_controller
|
||||
- calico_kube_controllers
|
||||
|
||||
pod:
|
||||
resources:
|
||||
@ -56,7 +52,7 @@ pod:
|
||||
limits:
|
||||
memory: "1024Mi"
|
||||
cpu: "2000m"
|
||||
calico_kube_policy_controller:
|
||||
calico_kube_controllers:
|
||||
requests:
|
||||
memory: "128Mi"
|
||||
cpu: "100m"
|
||||
@ -100,13 +96,8 @@ pod:
|
||||
max_unavailable: 1
|
||||
max_surge: 3
|
||||
disruption_budget:
|
||||
policy_controller:
|
||||
controllers:
|
||||
min_available: 0
|
||||
termination_grace_period:
|
||||
policy_controller:
|
||||
timeout: 5
|
||||
node:
|
||||
timeout: 5
|
||||
|
||||
dependencies:
|
||||
dynamic:
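Review bot: Besides the `policy_controller` → `controllers` rename under `disruption_budget`, the printed line counts suggest the whole `termination_grace_period` block (`policy_controller.timeout`, `node.timeout`) is removed on the new side. If any daemonset or deployment template still reads `.Values.pod.termination_grace_period.*.timeout`, rendering will fail on a nil map rather than fall back to a default; please confirm those templates were updated in the same change, as they are not in this hunk. If the intent is to keep the old defaults, adding `termination_grace_period:` back with the two `timeout: 5` entries is the smaller fix.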
|
||||
@ -118,19 +109,19 @@ dependencies:
|
||||
- endpoint: node
|
||||
service: local_image_registry
|
||||
static:
|
||||
calico_kube_policy_controllers:
|
||||
calico_kube_controllers:
|
||||
services:
|
||||
- endpoint: internal
|
||||
service: etcd
|
||||
service: calico-etcd
|
||||
calico_node:
|
||||
services:
|
||||
- endpoint: internal
|
||||
service: etcd
|
||||
service: calico-etcd
|
||||
calico_settings:
|
||||
services:
|
||||
- endpoint: internal
|
||||
service: etcd
|
||||
etcd:
|
||||
service: calico-etcd
|
||||
calico_etcd:
|
||||
services: null
|
||||
image_repo_sync:
|
||||
services:
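Review bot: The static dependencies now wait on a Service literally named `calico-etcd` for `calico_kube_controllers`, `calico_node` and `calico_settings`, while the Service template elsewhere in this change derives its address from the `etcd` endpoint key. kubernetes-entrypoint blocks until a Service of exactly that name exists, so if the rendered Service name does not resolve to `calico-etcd` (it is not visible in this hunk), these pods will sit in the dep-check init container indefinitely. A short comment tying the two together would help, e.g. `# must match the metadata.name rendered by templates/service-calico-etcd.yaml`, with the actual template path filled in.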
|
||||
@ -199,6 +190,7 @@ networking:
|
||||
ippool:
|
||||
ipip:
|
||||
enabled: "true"
|
||||
# lowercase value
|
||||
mode: "always"
|
||||
nat_outgoing: "true"
|
||||
disabled: "false"
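Review bot: `networking.ippool.ipip.mode: "always"` and `conf.node.CALICO_IPV4POOL_IPIP: "always"` (the hunk at `@ -311,6 +308,7`) configure the same IPIP setting through two independent paths, and the new `# lowercase value` / `# lowercase` comments do not say which one wins or that they must agree. If one is changed to `cross-subnet` and the other left at `always`, the pool created by calico-node at first start and the pool applied by the settings job can disagree, and the resulting behaviour depends on which runs last. Suggest a cross-reference on both keys, e.g. `# keep in sync with conf.node.CALICO_IPV4POOL_IPIP (lowercase: always | cross-subnet)` here and the mirror comment there, or deriving one from the other in the template.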
|
||||
@ -206,22 +198,24 @@ networking:
|
||||
# our asnumber for bgp peering
|
||||
asnumber: 64512
|
||||
ipv4:
|
||||
# this is a list of peer objects that will be passed
|
||||
# directly to calicoctl - for global peers, the scope
|
||||
# should be global and the node attribute removed
|
||||
# https://docs.projectcalico.org/v2.0/reference/calicoctl/resources/bgppeer
|
||||
#
|
||||
# this is a list of peer objects that will be passed directly to
|
||||
# calicoctl - for global peers, the scope should be global and
|
||||
# the node attribute removed
|
||||
#
|
||||
# apiVersion: v1
|
||||
# kind: bgpPeer
|
||||
# metadata:
|
||||
# peerIP: 10.1.10.39
|
||||
# scope: node
|
||||
# node: hpnode1
|
||||
# node: some.name
|
||||
# spec:
|
||||
# asNumber: 64512
|
||||
peers: []
|
||||
# this is a list of additional IPv4 cidrs that if we
|
||||
# discover IPs within them on a host, we will announce
|
||||
# the address in addition to traditional pod workloads
|
||||
# this is a list of additional IPv4 cidrs that if we discover
|
||||
# IPs within them on a host, we will announce the address in
|
||||
# addition to traditional pod workloads
|
||||
additional_cidrs: []
|
||||
mesh:
|
||||
port:
|
||||
@ -232,22 +226,24 @@ networking:
|
||||
neighbor: 179
|
||||
listen: 179
|
||||
ipv6:
|
||||
# this is a list of peer objects that will be passed
|
||||
# directly to calicoctl - for global peers, the scope
|
||||
# should be global and the node attribute removed
|
||||
# https://docs.projectcalico.org/v2.0/reference/calicoctl/resources/bgppeer
|
||||
#
|
||||
# this is a list of peer objects that will be passed directly to
|
||||
# calicoctl - for global peers, the scope should be global and
|
||||
# the node attribute removed
|
||||
#
|
||||
# apiVersion: v1
|
||||
# kind: bgpPeer
|
||||
# metadata:
|
||||
# peerIP: 2603:3024:1200:7500:7011:1dd6:1462:fa5b
|
||||
# peerIP: 2600:1:2:3::abcd
|
||||
# scope: node
|
||||
# node: hpnode1
|
||||
# node: rack1-host1
|
||||
# spec:
|
||||
# asNumber: 64512
|
||||
peers: []
|
||||
# this is a list of additional IPv6 cidrs that if we
|
||||
# discover IPs within them on a host, we will announce
|
||||
# them in addition to traditional pod workloads
|
||||
# this is a list of additional IPv6 cidrs that if we discover
|
||||
# IPs within them on a host, we will announce them in addition
|
||||
# to traditional pod workloads
|
||||
additional_cidrs: []
|
||||
mesh:
|
||||
port:
|
||||
@ -265,6 +261,7 @@ conf:
|
||||
key: null
|
||||
certificate: null
|
||||
cni_network_config:
|
||||
# https://docs.projectcalico.org/v2.0/reference/cni-plugin/configuration
|
||||
name: k8s-pod-network
|
||||
cniVersion: 0.1.0
|
||||
type: calico
|
||||
@ -279,7 +276,7 @@ conf:
|
||||
k8s_auth_token: __SERVICEACCOUNT_TOKEN__
|
||||
kubernetes:
|
||||
kubeconfig: "/etc/cni/net.d/__KUBECONFIG_FILENAME__"
|
||||
policy_controller:
|
||||
controllers:
|
||||
# The location of the Kubernetes API. Use the default Kubernetes
|
||||
# service for API access.
|
||||
K8S_API: "https://kubernetes.default:443"
|
||||
@ -311,6 +308,7 @@ conf:
|
||||
# Configure the IP Pool from which Pod IPs will be chosen.
|
||||
CALICO_IPV4POOL_CIDR: null
|
||||
# Change this to 'off' in environments with direct L2 communication
|
||||
# lowercase
|
||||
CALICO_IPV4POOL_IPIP: "always"
|
||||
# Disable IPv6 on Kubernetes.
|
||||
FELIX_IPV6SUPPORT: "false"
|
||||
@ -334,10 +332,11 @@ conf:
|
||||
manifests:
|
||||
configmap_bin: true
|
||||
configmap_etc: true
|
||||
configmap_bird: true
|
||||
daemonset_calico_etcd: true
|
||||
daemonset_calico_node: true
|
||||
daemonset_calico_node_calicoctl: true
|
||||
deployment_calico_kube_policy_controllers: true
|
||||
deployment_calico_kube_controllers: true
|
||||
job_image_repo_sync: true
|
||||
job_calico_settings: true
|
||||
service_calico_etcd: true
|
||||