[Calico] Realign Calico v2 chart for upcoming v3.2 upgrade

This patch set realigns the Calico v2 chart with the pending Calico v3.2 chart in order
to minimize the differences between them. It is mostly refactoring, with a few small fixes.

Change-Id: Ie5157b4ae324b6eb4c8ccb5cc07d8b9bc5a83ebd
This commit is contained in:
Chris Wedgwood 2018-10-01 23:21:12 +00:00 committed by Tin Lam
parent 681dee71b7
commit 45275ffefd
21 changed files with 268 additions and 170 deletions


@ -80,6 +80,6 @@ EOF
# process IPv6 peers
{{ if .Values.networking.bgp.ipv6.peers }}
cat << EOF | ${CALICOCTL} apply -f -
{{ .Values.networking.bgp.ipv4.peers | toYaml }}
{{ .Values.networking.bgp.ipv6.peers | toYaml }}
EOF
{{ end }}
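Review bot: The corrected `ipv6.peers` line at L20 is fed through an unquoted heredoc (`cat << EOF` at L18), so the shell performs parameter expansion and command substitution on the rendered peer YAML before calicoctl sees it, and any `$` or backtick inside a peer object is mangled. Quote the delimiter, `cat << 'EOF' | ${CALICOCTL} apply -f -`, so the rendered YAML reaches calicoctl verbatim; if the IPv4 block before this hunk uses the same construct it needs the same fix. The script continues outside the hunk on both sides.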


@ -40,9 +40,11 @@ fi;
cat <<EOF>/host/opt/cni/bin/calicoctl
export ETCD_ENDPOINTS=$ETCD_ENDPOINTS
if [ -e $ETCD_KEY_FILE ]; then export ETCD_KEY_FILE=$ETCD_KEY_FILE; fi;
if [ -e $ETCD_CERT_FILE ]; then export ETCD_CERT_FILE=$ETCD_CERT_FILE; fi;
if [ -e $ETCD_CA_CERT_FILE ]; then export ETCD_CA_CERT_FILE=$ETCD_CA_CERT_FILE; fi;
[ -e $ETCD_KEY_FILE ] && export ETCD_KEY_FILE=$ETCD_KEY_FILE
[ -e $ETCD_CERT_FILE ] && export ETCD_CERT_FILE=$ETCD_CERT_FILE
[ -e $ETCD_CA_CERT_FILE ] && export ETCD_CA_CERT_FILE=$ETCD_CA_CERT_FILE
exec /opt/cni/bin/calicoctl.bin \$*
EOF
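Review bot: The three rewritten `[ -e $ETCD_KEY_FILE ] && export ...` lines at L32-L34 are expanded unquoted when the wrapper is written (the heredoc delimiter at L27 is unquoted), so if a variable is empty at install time the wrapper ends up containing `[ -e ] && export ETCD_KEY_FILE=`, and a one-argument `[` is true, exporting an empty path into calicoctl's environment. Quote the expansions, e.g. `[ -e "$ETCD_KEY_FILE" ] && export ETCD_KEY_FILE="$ETCD_KEY_FILE"` (and likewise for the cert and CA lines), so an empty value gives a false test and no export. The context line `exec /opt/cni/bin/calicoctl.bin \$*` at L35 should also become `"\$@"` so quoted arguments survive word splitting. The install script continues outside the hunk.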


@ -0,0 +1,47 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_bird }}
{{- $envAll := . }}
---
kind: ConfigMap
apiVersion: v1
metadata:
name: calico-bird
data:
# we overlay templates found natively in the calico-node container
# so that we may override bgp configuration
bird6.cfg.mesh.template: |
{{ tuple "bird/_bird6.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird6.cfg.no-mesh.template: |
{{ tuple "bird/_bird6.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird6_ipam.cfg.template: |
{{ tuple "bird/_bird6_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird_aggr.cfg.template: |
{{ tuple "bird/_bird_aggr.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird.cfg.mesh.template: |
{{ tuple "bird/_bird.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird.cfg.no-mesh.template: |
{{ tuple "bird/_bird.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird_ipam.cfg.template: |
{{ tuple "bird/_bird_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
custom_filters6.cfg.template: |
{{ tuple "bird/_custom_filters6.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
custom_filters.cfg.template: |
{{ tuple "bird/_custom_filters.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}
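Review bot: `{{- $envAll := . }}` at L54 is assigned but never referenced in this new file; every include passes `.` directly. Either drop the assignment or use `$envAll` in the includes for consistency with the other templates in this change (e.g. L143, L202), which pass `$envAll` into helm-toolkit snippets. The comment at L61-L62 would also read better as `# Overlay the bird templates shipped in the calico-node image so BGP configuration can be overridden from values.yaml`.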


@ -30,41 +30,17 @@ limitations under the License.
{{- end -}}
---
apiVersion: v1
kind: ConfigMap
apiVersion: v1
metadata:
name: calico-etc
data:
# we overlay templates found natively in the calico-node container so that we may override
# bgp configuration
bird6.cfg.mesh.template: |
{{ tuple "etc/bird/_bird6.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird6.cfg.no-mesh.template: |
{{ tuple "etc/bird/_bird6.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird6_ipam.cfg.template: |
{{ tuple "etc/bird/_bird6_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird_aggr.cfg.template: |
{{ tuple "etc/bird/_bird_aggr.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird.cfg.mesh.template: |
{{ tuple "etc/bird/_bird.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird.cfg.no-mesh.template: |
{{ tuple "etc/bird/_bird.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird_ipam.cfg.template: |
{{ tuple "etc/bird/_bird_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
custom_filters6.cfg.template: |
{{ tuple "etc/bird/_custom_filters6.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
custom_filters.cfg.template: |
{{ tuple "etc/bird/_custom_filters.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
tunl-ip.template: |
{{ tuple "etc/bird/_tunl-ip.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
# The location of your etcd cluster. This uses the Service clusterIP
# defined below.
etcd_endpoints: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
# The CNI network configuration to install on each node.
# The CNI network configuration to install on each node, generated
# from (Values.)conf.cni_network_config
cni_network_config: |-
{{ toJson $envAll.Values.conf.cni_network_config | indent 4 }}


@ -18,12 +18,12 @@ limitations under the License.
{{- $envAll := . }}
{{- $serviceAccountName := "calico-etcd"}}
{{ tuple $envAll "etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{ tuple $envAll "calico-etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
# to force it to run on the master even when the master isn't schedulable, and uses
# nodeSelector to ensure it only runs on the master.
apiVersion: apps/v1
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: calico-etcd
@ -43,19 +43,26 @@ spec:
k8s-app: calico-etcd
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
# reserves resources for critical add-on pods so that they can be rescheduled after
# a failure. This annotation works in tandem with the toleration below.
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
# Only run this pod on the master.
tolerations:
# This taint is set by all kubelets running `--cloud-provider=external`
# so we should tolerate it to schedule the Calico pods
- key: node.cloudprovider.kubernetes.io/uninitialized
value: "true"
effect: NoSchedule
# Allow this pod to run on the master.
- key: node-role.kubernetes.io/master
effect: NoSchedule
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
# This, along with the annotation above marks this pod as a critical add-on.
- key: CriticalAddonsOnly
operator: Exists
# Only run this pod on the master.
nodeSelector:
node-role.kubernetes.io/master: ""
hostNetwork: true
@ -72,11 +79,13 @@ spec:
fieldPath: status.podIP
command:
- /usr/local/bin/etcd
args:
- --name=calico
- --data-dir=/var/etcd/calico-data
- --advertise-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
- --listen-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- --listen-peer-urls={{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- --auto-compaction-retention=1
volumeMounts:
- name: var-etcd
mountPath: /var/etcd
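Review bot: Moving this DaemonSet from `apps/v1` to `extensions/v1beta1` at L137 changes the default `updateStrategy`: apps/v1 defaults to RollingUpdate while extensions/v1beta1 defaults to OnDelete, and this manifest sets none, unlike the calico-node DaemonSet in the same change which adds an explicit block. Either keep `apiVersion: apps/v1` or add an explicit `updateStrategy:` under `spec:` so rollout behaviour is stated rather than inherited. The new `configmap-etc-hash` annotation at L145 also means any change to `calico-etc` (for example the CNI config) restarts the pod that backs the Calico datastore; nothing in the hunks shows this pod consuming that ConfigMap, so this looks worth confirming. The pod spec continues outside the hunks shown.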


@ -33,7 +33,6 @@ limitations under the License.
{{- end -}}
{{- end -}}
{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }}
{{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-cni-plugin"}}
{{ tuple $envAll "calico_node" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@ -67,10 +66,9 @@ rules:
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: apps/v1
apiVersion: extensions/v1beta1
metadata:
name: calico-node
namespace: kube-system
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
labels:
@ -81,30 +79,45 @@ spec:
matchLabels:
k8s-app: calico-node
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
template:
metadata:
labels:
k8s-app: calico-node
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
# reserves resources for critical add-on pods so that they can be rescheduled after
# a failure. This annotation works in tandem with the toleration below.
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-bird-hash: {{ tuple "configmap-bird.yaml" . | include "helm-toolkit.utils.hash" }}
# This, along with the CriticalAddonsOnly toleration below,
# marks the pod as a critical add-on, ensuring it gets
# priority scheduling and that its resources are reserved
# if it ever gets evicted.
scheduler.alpha.kubernetes.io/critical-pod: ''
{{- if .Values.monitoring.prometheus.enabled }}
{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }}
{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
{{- end }}
spec:
nodeSelector:
beta.kubernetes.io/os: linux
hostNetwork: true
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
# This, along with the annotation above marks this pod as a critical add-on.
# Make sure calico-node gets scheduled on all nodes.
- effect: NoSchedule
operator: Exists
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
serviceAccountName: {{ $serviceAccountName }}
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.node.timeout | default "30" }}
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
terminationGracePeriodSeconds: 0
initContainers:
{{ tuple $envAll "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
{{ if .Values.manifests.daemonset_calico_node_calicoctl }}
@ -119,13 +132,14 @@ spec:
configMapKeyRef:
name: calico-etc
key: etcd_endpoints
{{ if .Values.endpoints.etcd.auth.client.tls.ca}}
- name: ETCD_CA_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
- name: ETCD_CA_CERT
valueFrom:
secretKeyRef:
name: calico-certificates
name: calico-etcd-secrets
key: tls.ca
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.key}}
@ -134,7 +148,7 @@ spec:
- name: ETCD_KEY
valueFrom:
secretKeyRef:
name: calico-certificates
name: calico-etcd-secrets
key: tls.key
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.crt}}
@ -143,7 +157,7 @@ spec:
- name: ETCD_CERT
valueFrom:
secretKeyRef:
name: calico-certificates
name: calico-etcd-secrets
key: tls.crt
{{ end }}
volumeMounts:
@ -154,15 +168,15 @@ spec:
- mountPath: /tmp/install-calicoctl.sh
name: calico-bin
subPath: install-calicoctl.sh
- name: calico-certificates
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
subPath: tls.ca
readOnly: true
- name: calico-certificates
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
subPath: tls.crt
readOnly: true
- name: calico-certificates
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
subPath: tls.key
readOnly: true
@ -175,18 +189,24 @@ spec:
{{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
# Values expanded explicitly from conf.node (some of which
# might be derived from elsewhere, see values.yaml for an
# explanation of this)
#
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.node | indent 12 }}
# Values explicit in the chart not expected to be found in
# conf.node
#
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-etc
key: etcd_endpoints
# Set noderef for node controller.
- name: CALICO_K8S_NODE_REF
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# etcd certs
{{ if .Values.endpoints.etcd.auth.client.tls.ca}}
- name: ETCD_CA_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
@ -199,8 +219,26 @@ spec:
- name: ETCD_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
{{ end }}
# Set noderef for node controller.
- name: CALICO_K8S_NODE_REF
valueFrom:
fieldRef:
fieldPath: spec.nodeName
securityContext:
privileged: true
resources:
requests:
cpu: 250m
livenessProbe:
httpGet:
path: /liveness
port: 9099
host: localhost
periodSeconds: 10
initialDelaySeconds: 10
failureThreshold: 6
volumeMounts:
- mountPath: /lib/modules
name: lib-modules
@ -208,45 +246,53 @@ spec:
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
- mountPath: /etc/calico/confd/templates/bird6.cfg.mesh.template
name: calico-etc
subPath: bird6.cfg.mesh.template
- mountPath: /etc/calico/confd/templates/bird6.cfg.no-mesh.template
name: calico-etc
subPath: bird6.cfg.no-mesh.template
- mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template
name: calico-etc
subPath: bird6_ipam.cfg.template
- mountPath: /etc/calico/confd/templates/bird_aggr.cfg.template
name: calico-etc
subPath: bird_aggr.cfg.template
# bird template replacements
# bird cfg
- mountPath: /etc/calico/confd/templates/bird.cfg.mesh.template
name: calico-etc
name: calico-bird
subPath: bird.cfg.mesh.template
- mountPath: /etc/calico/confd/templates/bird.cfg.no-mesh.template
name: calico-etc
name: calico-bird
subPath: bird.cfg.no-mesh.template
# bird ipam
- mountPath: /etc/calico/confd/templates/bird_ipam.cfg.template
name: calico-etc
name: calico-bird
subPath: bird_ipam.cfg.template
# bird6 cfg
- mountPath: /etc/calico/confd/templates/bird6.cfg.mesh.template
name: calico-bird
subPath: bird6.cfg.mesh.template
- mountPath: /etc/calico/confd/templates/bird6.cfg.no-mesh.template
name: calico-bird
subPath: bird6.cfg.no-mesh.template
# bird6 ipam
- mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template
name: calico-bird
subPath: bird6_ipam.cfg.template
# filters...
- mountPath: /etc/calico/confd/templates/bird_aggr.cfg.template
name: calico-bird
subPath: bird_aggr.cfg.template
- mountPath: /etc/calico/confd/templates/custom_filters6.cfg.template
name: calico-etc
name: calico-bird
subPath: custom_filters6.cfg.template
- mountPath: /etc/calico/confd/templates/custom_filters.cfg.template
name: calico-etc
name: calico-bird
subPath: custom_filters.cfg.template
- mountPath: /etc/calico/confd/templates/tunl-ip.template
name: calico-etc
subPath: tunl-ip.template
- name: calico-certificates
# etcd secrets
- mountPath: /var/lib/calico
name: var-lib-calico
readOnly: false
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
subPath: tls.ca
readOnly: true
- name: calico-certificates
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
subPath: tls.crt
readOnly: true
- name: calico-certificates
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
subPath: tls.key
readOnly: true
@ -257,6 +303,12 @@ spec:
{{ tuple $envAll $envAll.Values.pod.resources.calico_cni | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command: ["/install-cni.sh"]
env:
# Name of the CNI config file to create.
#
# NOTE: Calico v2 needs to end in .conf; Calico v3 is
# different!
- name: CNI_CONF_NAME
value: "10-calico.conf"
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
@ -282,6 +334,9 @@ spec:
- name: var-run-calico
hostPath:
path: /var/run/calico
- name: var-lib-calico
hostPath:
path: /var/lib/calico
# Used to install CNI.
- name: cni-bin-dir
hostPath:
@ -296,11 +351,15 @@ spec:
configMap:
name: calico-etc
defaultMode: 0444
- name: calico-bird
configMap:
name: calico-bird
defaultMode: 0444
- name: calico-bin
configMap:
name: calico-bin
defaultMode: 0555
- name: calico-certificates
- name: calico-etcd-secrets
secret:
secretName: calico-certificates
secretName: calico-etcd-secrets
{{- end }}
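Review bot: The renamed `calico-etcd-secrets` volume at L474-L477 still sets no `defaultMode`, so `tls.key` is projected with the Secret volume default (world-readable 0644) into a pod that mounts it at three paths, while the kube-controllers Deployment in this same change sets `defaultMode: 0400` (L636); add `defaultMode: 0400` under `secret:` here, and likewise for the job-calico-settings volume at L683-L687. Separately, the hard-coded `resources:` block at L348-L350 sits in the same container as the helm-toolkit `kubernetes_resources` include at L312; if that include renders a `resources:` key (it appears to, given `pod.resources.calico_node` in values.yaml), the container mapping carries a duplicate key and most YAML parsers silently keep the last one, so drop the hard-coded block and keep the values-driven one. The pod spec continues outside the hunks shown.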


@ -14,14 +14,14 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.deployment_calico_kube_policy_controllers }}
{{- if .Values.manifests.deployment_calico_kube_controllers }}
{{- $envAll := . }}
{{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-kube-controllers"}}
{{ tuple $envAll "calico_kube_policy_controllers" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{ tuple $envAll "calico_kube_controllers" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: {{ $serviceAccountName }}
roleRef:
@ -46,68 +46,72 @@ rules:
- namespaces
- networkpolicies
- nodes
- serviceaccounts
verbs:
- watch
- list
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- watch
- list
---
# This manifest deploys the Calico Kubernetes controllers.
# See https://github.com/projectcalico/kube-controllers
apiVersion: apps/v1
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: calico-kube-policy-controllers
name: calico-kube-controllers
namespace: {{ .Release.Namespace }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
labels:
k8s-app: calico-kube-policy-controllers
{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
k8s-app: calico-kube-controllers
{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
spec:
# The controllers can only have a single active instance.
replicas: 1
selector:
matchLabels:
k8s-app: calico-kube-policy-controllers
{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
k8s-app: calico-kube-controllers
{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
strategy:
type: Recreate
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
template:
metadata:
name: calico-kube-policy-controllers
namespace: kube-system
name: calico-kube-controllers
labels:
k8s-app: calico-kube-policy-controllers
{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
k8s-app: calico-kube-controllers
{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
# reserves resources for critical add-on pods so that they can be rescheduled after
# a failure. This annotation works in tandem with the toleration below.
scheduler.alpha.kubernetes.io/critical-pod: ''
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
nodeSelector:
beta.kubernetes.io/os: linux
# The controllers must run in the host network namespace so that
# it isn't governed by policy that would prevent it from working.
hostNetwork: true
tolerations:
# this taint is set by all kubelets running `--cloud-provider=external`
# so we should tolerate it to schedule the calico pods
# Mark the pod as a critical add-on for rescheduling.
- key: node.cloudprovider.kubernetes.io/uninitialized
value: "true"
effect: NoSchedule
- key: node-role.kubernetes.io/master
effect: NoSchedule
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
# This, along with the annotation above marks this pod as a critical add-on.
- key: CriticalAddonsOnly
operator: Exists
- key: node-role.kubernetes.io/master
effect: NoSchedule
serviceAccountName: {{ $serviceAccountName }}
initContainers:
{{ tuple $envAll "calico_kube_policy_controllers" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.policy_controller.timeout | default "30" }}
{{ tuple $envAll "calico_kube_controllers" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: calico-policy-controller
{{ tuple $envAll "calico_kube_policy_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_kube_policy_controller | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- name: calico-kube-controllers
{{ tuple $envAll "calico_kube_controllers" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_kube_controllers | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
@ -115,7 +119,11 @@ spec:
configMapKeyRef:
name: calico-etc
key: etcd_endpoints
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.policy_controller | indent 12 }}
# conf.controllers expanded values
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.controllers | indent 12 }}
# etcd tls files
{{ if .Values.endpoints.etcd.auth.client.tls.ca}}
- name: ETCD_CA_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
@ -128,21 +136,25 @@ spec:
- name: ETCD_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
{{ end }}
# etcd tls mounts
volumeMounts:
- name: calico-certificates
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
subPath: tls.ca
readOnly: true
- name: calico-certificates
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
subPath: tls.crt
readOnly: true
- name: calico-certificates
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
subPath: tls.key
readOnly: true
volumes:
- name: calico-certificates
- name: calico-etcd-secrets
secret:
secretName: calico-certificates
secretName: calico-etcd-secrets
defaultMode: 0400
{{- end }}
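Review bot: Replacing `strategy: type: Recreate` with the `kubernetes_upgrades_deployment` include at L544 conflicts with the comment at L534 that the controllers can only have a single active instance: values.yaml in this change carries `max_unavailable: 1` and `max_surge: 3` (L759-L760), so if the include renders a RollingUpdate strategy from those, an upgrade briefly runs two controller pods side by side. Either keep `strategy: type: Recreate` explicitly or add a comment next to the include explaining why concurrent instances are acceptable. The Deployment spec continues outside the hunk.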


@ -1,7 +0,0 @@
We must dump all pool data to this file to trigger a resync.
Otherwise, confd notices the file hasn't changed and won't
run our python update script.
{{`{{range ls "/pool"}}`}}{{`{{$data := json (getv (printf "/pool/%s" .))}}`}}
{{`{{if $data.ipip}}`}}{{`{{if not $data.disabled}}`}}{{`{{$data.cidr}}`}}{{`{{end}}`}}{{`{{end}}`}}
{{`{{end}}`}}


@ -30,6 +30,8 @@ spec:
template:
metadata:
annotations:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
# reserves resources for critical add-on pods so that they can be rescheduled after
# a failure. This annotation works in tandem with the toleration below.
@ -78,15 +80,15 @@ spec:
mountPath: /tmp/calico-settings.sh
subPath: calico-settings.sh
readOnly: true
- name: calico-certificates
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
subPath: tls.ca
readOnly: true
- name: calico-certificates
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
subPath: tls.crt
readOnly: true
- name: calico-certificates
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
subPath: tls.key
readOnly: true
@ -95,7 +97,7 @@ spec:
configMap:
name: calico-bin
defaultMode: 0555
- name: calico-certificates
- name: calico-etcd-secrets
secret:
secretName: calico-certificates
secretName: calico-etcd-secrets
{{- end }}


@ -20,12 +20,11 @@ limitations under the License.
apiVersion: v1
kind: Secret
metadata:
name: calico-certificates
type: kubernetes.io/tls
metadata:
name: calico-etcd-secrets
data:
tls.ca: {{ .Values.endpoints.etcd.auth.client.tls.ca | default "" | b64enc }}
tls.key: {{ .Values.endpoints.etcd.auth.client.tls.key | default "" | b64enc }}
tls.crt: {{ .Values.endpoints.etcd.auth.client.tls.crt | default "" | b64enc }}
{{ end }}
{{- end }}


@ -33,7 +33,7 @@ spec:
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
# This ClusterIP needs to be known in advance, since we cannot rely
# on DNS to get access to etcd.
clusterIP: 10.96.232.136
clusterIP: {{ tuple "etcd" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
ports:
- port: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- end }}
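Review bot: `clusterIP` at L714 is now taken from `endpoint_host_lookup`, but `spec.clusterIP` must be a literal IP address inside the cluster's Service CIDR, not a hostname; if the `endpoints.etcd` host entry in values.yaml is a DNS name (the usual helm-toolkit layout), the API server rejects the Service. Extend the comment at L711-L712 to state the constraint, e.g. `# The etcd endpoint host in values.yaml must therefore be a literal IP inside the service CIDR`, and document it at the endpoint definition in values.yaml too. The `endpoints:` block is not in the values hunks shown, so this is inferred.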


@ -12,11 +12,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
labels:
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
images:
tags:
calico_etcd: quay.io/coreos/etcd:v3.1.14
@ -24,7 +19,8 @@ images:
calico_cni: quay.io/calico/cni:v1.11.5
calico_ctl: quay.io/calico/ctl:v1.6.4
calico_settings: quay.io/calico/ctl:v1.6.4
calico_kube_policy_controller: quay.io/calico/kube-policy-controller:v0.7.0
# NOTE: plural key, singular value
calico_kube_controllers: quay.io/calico/kube-policy-controller:v0.7.0
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
image_repo_sync: docker.io/docker:17.07.0
pull_policy: IfNotPresent
@ -36,7 +32,7 @@ images:
- calico_etcd
- calico_node
- calico_cni
- calico_kube_policy_controller
- calico_kube_controllers
pod:
resources:
@ -56,7 +52,7 @@ pod:
limits:
memory: "1024Mi"
cpu: "2000m"
calico_kube_policy_controller:
calico_kube_controllers:
requests:
memory: "128Mi"
cpu: "100m"
@ -100,13 +96,8 @@ pod:
max_unavailable: 1
max_surge: 3
disruption_budget:
policy_controller:
controllers:
min_available: 0
termination_grace_period:
policy_controller:
timeout: 5
node:
timeout: 5
dependencies:
dynamic:
@ -118,19 +109,19 @@ dependencies:
- endpoint: node
service: local_image_registry
static:
calico_kube_policy_controllers:
calico_kube_controllers:
services:
- endpoint: internal
service: etcd
service: calico-etcd
calico_node:
services:
- endpoint: internal
service: etcd
service: calico-etcd
calico_settings:
services:
- endpoint: internal
service: etcd
etcd:
service: calico-etcd
calico_etcd:
services: null
image_repo_sync:
services:
@ -199,6 +190,7 @@ networking:
ippool:
ipip:
enabled: "true"
# lowercase value
mode: "always"
nat_outgoing: "true"
disabled: "false"
@ -206,22 +198,24 @@ networking:
# our asnumber for bgp peering
asnumber: 64512
ipv4:
# this is a list of peer objects that will be passed
# directly to calicoctl - for global peers, the scope
# should be global and the node attribute removed
# https://docs.projectcalico.org/v2.0/reference/calicoctl/resources/bgppeer
#
# this is a list of peer objects that will be passed directly to
# calicoctl - for global peers, the scope should be global and
# the node attribute removed
#
# apiVersion: v1
# kind: bgpPeer
# metadata:
# peerIP: 10.1.10.39
# scope: node
# node: hpnode1
# node: some.name
# spec:
# asNumber: 64512
peers: []
# this is a list of additional IPv4 cidrs that if we
# discover IPs within them on a host, we will announce
# the address in addition to traditional pod workloads
# this is a list of additional IPv4 cidrs that if we discover
# IPs within them on a host, we will announce the address in
# addition to traditional pod workloads
additional_cidrs: []
mesh:
port:
@ -232,22 +226,24 @@ networking:
neighbor: 179
listen: 179
ipv6:
# this is a list of peer objects that will be passed
# directly to calicoctl - for global peers, the scope
# should be global and the node attribute removed
# https://docs.projectcalico.org/v2.0/reference/calicoctl/resources/bgppeer
#
# this is a list of peer objects that will be passed directly to
# calicoctl - for global peers, the scope should be global and
# the node attribute removed
#
# apiVersion: v1
# kind: bgpPeer
# metadata:
# peerIP: 2603:3024:1200:7500:7011:1dd6:1462:fa5b
# peerIP: 2600:1:2:3::abcd
# scope: node
# node: hpnode1
# node: rack1-host1
# spec:
# asNumber: 64512
peers: []
# this is a list of additional IPv6 cidrs that if we
# discover IPs within them on a host, we will announce
# them in addition to traditional pod workloads
# this is a list of additional IPv6 cidrs that if we discover
# IPs within them on a host, we will announce them in addition
# to traditional pod workloads
additional_cidrs: []
mesh:
port:
@ -265,6 +261,7 @@ conf:
key: null
certificate: null
cni_network_config:
# https://docs.projectcalico.org/v2.0/reference/cni-plugin/configuration
name: k8s-pod-network
cniVersion: 0.1.0
type: calico
@ -279,7 +276,7 @@ conf:
k8s_auth_token: __SERVICEACCOUNT_TOKEN__
kubernetes:
kubeconfig: "/etc/cni/net.d/__KUBECONFIG_FILENAME__"
policy_controller:
controllers:
# The location of the Kubernetes API. Use the default Kubernetes
# service for API access.
K8S_API: "https://kubernetes.default:443"
@ -311,6 +308,7 @@ conf:
# Configure the IP Pool from which Pod IPs will be chosen.
CALICO_IPV4POOL_CIDR: null
# Change this to 'off' in environments with direct L2 communication
# lowercase
CALICO_IPV4POOL_IPIP: "always"
# Disable IPv6 on Kubernetes.
FELIX_IPV6SUPPORT: "false"
@ -334,10 +332,11 @@ conf:
manifests:
configmap_bin: true
configmap_etc: true
configmap_bird: true
daemonset_calico_etcd: true
daemonset_calico_node: true
daemonset_calico_node_calicoctl: true
deployment_calico_kube_policy_controllers: true
deployment_calico_kube_controllers: true
job_image_repo_sync: true
job_calico_settings: true
service_calico_etcd: true
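Review bot: The renamed keys (`conf.policy_controller` → `conf.controllers` at L883, `manifests.deployment_calico_kube_policy_controllers` → `deployment_calico_kube_controllers` at L904, `dependencies.static.etcd` → `calico_etcd` at L793) and the removed `pod.lifecycle.termination_grace_period` block at L765-L769 are silent breaking changes for existing override files: Helm merges unknown keys without warning, so an operator's `policy_controller:` settings simply stop being applied. Add a short `# NOTE: renamed from policy_controller` comment at each renamed key and list the renames in the commit message. The `images.tags.calico_kube_controllers` value at L737 still points at the `kube-policy-controller` image, which the inline note already acknowledges.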