From 45275ffefd81bec0234dcb492e694671622276be Mon Sep 17 00:00:00 2001 
From: Chris Wedgwood Date: Mon, 1 Oct 2018 23:21:12 +0000 Subject: [PATCH] [Calico] Realign Calico v2 chart for upcoming v3.2 upgrade This PS realigns Calico v2 with the pending Calico v3.2 chart in order to minimize differences. It's mostly refactoring with a few small fixes. Change-Id: Ie5157b4ae324b6eb4c8ccb5cc07d8b9bc5a83ebd --- calico/templates/bin/_calico-settings.sh.tpl | 2 +- .../templates/bin/_install-calicoctl.sh.tpl | 8 +- .../bird/_bird.cfg.mesh.template.tpl | 0 .../bird/_bird.cfg.no-mesh.template.tpl | 0 .../bird/_bird6.cfg.mesh.template.tpl | 0 .../bird/_bird6.cfg.no-mesh.template.tpl | 0 .../bird/_bird6_ipam.cfg.template.tpl | 0 .../bird/_bird_aggr.cfg.template.tpl | 0 .../bird/_bird_ipam.cfg.template.tpl | 0 .../bird/_custom_filters.cfg.template.tpl | 0 .../bird/_custom_filters6.cfg.template.tpl | 0 calico/templates/configmap-bird.yaml | 47 ++++++ calico/templates/configmap-etc.yaml | 30 +--- calico/templates/daemonset-calico-etcd.yaml | 15 +- calico/templates/daemonset-calico-node.yaml | 153 ++++++++++++------ .../deployment-calico-kube-controllers.yaml | 84 +++++----- .../templates/etc/bird/_tunl-ip.template.tpl | 7 - calico/templates/job-calico-settings.yaml | 12 +- ...tes.yaml => secret-etcd-certificates.yaml} | 7 +- calico/templates/service-calico-etcd.yaml | 2 +- calico/values.yaml | 71 ++++---- 21 files changed, 268 insertions(+), 170 deletions(-) rename calico/templates/{etc => }/bird/_bird.cfg.mesh.template.tpl (100%) rename calico/templates/{etc => }/bird/_bird.cfg.no-mesh.template.tpl (100%) rename calico/templates/{etc => }/bird/_bird6.cfg.mesh.template.tpl (100%) rename calico/templates/{etc => }/bird/_bird6.cfg.no-mesh.template.tpl (100%) rename calico/templates/{etc => }/bird/_bird6_ipam.cfg.template.tpl (100%) rename calico/templates/{etc => }/bird/_bird_aggr.cfg.template.tpl (100%) rename calico/templates/{etc => }/bird/_bird_ipam.cfg.template.tpl (100%) rename calico/templates/{etc => }/bird/_custom_filters.cfg.template.tpl (100%) 
rename calico/templates/{etc => }/bird/_custom_filters6.cfg.template.tpl (100%) create mode 100644 calico/templates/configmap-bird.yaml delete mode 100644 calico/templates/etc/bird/_tunl-ip.template.tpl rename calico/templates/{secret-certificates.yaml => secret-etcd-certificates.yaml} (96%) diff --git a/calico/templates/bin/_calico-settings.sh.tpl b/calico/templates/bin/_calico-settings.sh.tpl index c08a95129..6780ea7e3 100644 --- a/calico/templates/bin/_calico-settings.sh.tpl +++ b/calico/templates/bin/_calico-settings.sh.tpl @@ -80,6 +80,6 @@ EOF # process IPv6 peers {{ if .Values.networking.bgp.ipv6.peers }} cat << EOF | ${CALICOCTL} apply -f - -{{ .Values.networking.bgp.ipv4.peers | toYaml }} +{{ .Values.networking.bgp.ipv6.peers | toYaml }} EOF {{ end }} diff --git a/calico/templates/bin/_install-calicoctl.sh.tpl b/calico/templates/bin/_install-calicoctl.sh.tpl index fb24f96c4..28fe2157a 100644 --- a/calico/templates/bin/_install-calicoctl.sh.tpl +++ b/calico/templates/bin/_install-calicoctl.sh.tpl @@ -40,9 +40,11 @@ fi; cat </host/opt/cni/bin/calicoctl export ETCD_ENDPOINTS=$ETCD_ENDPOINTS -if [ -e $ETCD_KEY_FILE ]; then export ETCD_KEY_FILE=$ETCD_KEY_FILE; fi; -if [ -e $ETCD_CERT_FILE ]; then export ETCD_CERT_FILE=$ETCD_CERT_FILE; fi; -if [ -e $ETCD_CA_CERT_FILE ]; then export ETCD_CA_CERT_FILE=$ETCD_CA_CERT_FILE; fi; + +[ -e $ETCD_KEY_FILE ] && export ETCD_KEY_FILE=$ETCD_KEY_FILE +[ -e $ETCD_CERT_FILE ] && export ETCD_CERT_FILE=$ETCD_CERT_FILE +[ -e $ETCD_CA_CERT_FILE ] && export ETCD_CA_CERT_FILE=$ETCD_CA_CERT_FILE + exec /opt/cni/bin/calicoctl.bin \$* EOF diff --git a/calico/templates/etc/bird/_bird.cfg.mesh.template.tpl b/calico/templates/bird/_bird.cfg.mesh.template.tpl similarity index 100% rename from calico/templates/etc/bird/_bird.cfg.mesh.template.tpl rename to calico/templates/bird/_bird.cfg.mesh.template.tpl 
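Review bot: The three rewritten `[ -e $ETCD_*_FILE ] && export …` lines in _install-calicoctl.sh.tpl leave the variables unquoted, and since the surrounding heredoc appears to be unquoted (the `\$*` on the exec line is escaped while `$ETCD_ENDPOINTS` is not) they are expanded when the wrapper is generated, so an unset variable lands in the written script as `[ -e ] && export ETCD_KEY_FILE=`. A one-argument `test` is true for any non-empty string, so that line exports an empty path instead of leaving the variable unset. Quoting fixes both: `[ -e "$ETCD_KEY_FILE" ] && export ETCD_KEY_FILE="$ETCD_KEY_FILE"`, and the same for the cert and CA lines. The heredoc begins before this hunk, so the quoting of its delimiter is inferred from the visible escape.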
diff --git a/calico/templates/etc/bird/_bird.cfg.no-mesh.template.tpl b/calico/templates/bird/_bird.cfg.no-mesh.template.tpl similarity index 100% rename from calico/templates/etc/bird/_bird.cfg.no-mesh.template.tpl rename to calico/templates/bird/_bird.cfg.no-mesh.template.tpl diff --git a/calico/templates/etc/bird/_bird6.cfg.mesh.template.tpl b/calico/templates/bird/_bird6.cfg.mesh.template.tpl similarity index 100% rename from calico/templates/etc/bird/_bird6.cfg.mesh.template.tpl rename to calico/templates/bird/_bird6.cfg.mesh.template.tpl diff --git a/calico/templates/etc/bird/_bird6.cfg.no-mesh.template.tpl b/calico/templates/bird/_bird6.cfg.no-mesh.template.tpl similarity index 100% rename from calico/templates/etc/bird/_bird6.cfg.no-mesh.template.tpl rename to calico/templates/bird/_bird6.cfg.no-mesh.template.tpl diff --git a/calico/templates/etc/bird/_bird6_ipam.cfg.template.tpl b/calico/templates/bird/_bird6_ipam.cfg.template.tpl similarity index 100% rename from calico/templates/etc/bird/_bird6_ipam.cfg.template.tpl rename to calico/templates/bird/_bird6_ipam.cfg.template.tpl diff --git a/calico/templates/etc/bird/_bird_aggr.cfg.template.tpl b/calico/templates/bird/_bird_aggr.cfg.template.tpl similarity index 100% rename from calico/templates/etc/bird/_bird_aggr.cfg.template.tpl rename to calico/templates/bird/_bird_aggr.cfg.template.tpl diff --git a/calico/templates/etc/bird/_bird_ipam.cfg.template.tpl b/calico/templates/bird/_bird_ipam.cfg.template.tpl similarity index 100% rename from calico/templates/etc/bird/_bird_ipam.cfg.template.tpl rename to calico/templates/bird/_bird_ipam.cfg.template.tpl diff --git a/calico/templates/etc/bird/_custom_filters.cfg.template.tpl b/calico/templates/bird/_custom_filters.cfg.template.tpl similarity index 100% rename from calico/templates/etc/bird/_custom_filters.cfg.template.tpl rename to calico/templates/bird/_custom_filters.cfg.template.tpl 
diff --git a/calico/templates/etc/bird/_custom_filters6.cfg.template.tpl b/calico/templates/bird/_custom_filters6.cfg.template.tpl similarity index 100% rename from calico/templates/etc/bird/_custom_filters6.cfg.template.tpl rename to calico/templates/bird/_custom_filters6.cfg.template.tpl diff --git a/calico/templates/configmap-bird.yaml b/calico/templates/configmap-bird.yaml new file mode 100644 index 000000000..98479f98f --- /dev/null +++ b/calico/templates/configmap-bird.yaml 
@@ -0,0 +1,47 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_bird }} +{{- $envAll := . }} + +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: calico-bird +data: + # we overlay templates found natively in the calico-node container + # so that we may override bgp configuration + bird6.cfg.mesh.template: | +{{ tuple "bird/_bird6.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + bird6.cfg.no-mesh.template: | +{{ tuple "bird/_bird6.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + bird6_ipam.cfg.template: | +{{ tuple "bird/_bird6_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + bird_aggr.cfg.template: | +{{ tuple "bird/_bird_aggr.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + bird.cfg.mesh.template: | +{{ tuple "bird/_bird.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + bird.cfg.no-mesh.template: | +{{ tuple "bird/_bird.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + bird_ipam.cfg.template: | +{{ tuple "bird/_bird_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + custom_filters6.cfg.template: | +{{ tuple "bird/_custom_filters6.cfg.template.tpl" . 
| include "helm-toolkit.utils.template" | indent 4 }} + custom_filters.cfg.template: | +{{ tuple "bird/_custom_filters.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + +{{- end }} diff --git a/calico/templates/configmap-etc.yaml b/calico/templates/configmap-etc.yaml index 39629f090..01ee59942 100644 --- a/calico/templates/configmap-etc.yaml +++ b/calico/templates/configmap-etc.yaml 
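Review bot: This new template is gated on `.Values.manifests.configmap_bird`, but none of the values.yaml hunks on this page add a `configmap_bird` key under `manifests` (the values diff may have hunks beyond what is shown). If the key is absent the ConfigMap is never rendered, while daemonset-calico-node.yaml references `configMap: name: calico-bird` unconditionally, so every calico-node pod would stall in ContainerCreating on a missing volume. The same check applies to the renamed gate `manifests.deployment_calico_kube_controllers` in deployment-calico-kube-controllers.yaml.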
@@ -30,41 +30,17 @@ limitations under the License. {{- end -}} --- -apiVersion: v1 kind: ConfigMap +apiVersion: v1 metadata: name: calico-etc data: - - # we overlay templates found natively in the calico-node container so that we may override - # bgp configuration - - bird6.cfg.mesh.template: | -{{ tuple "etc/bird/_bird6.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - bird6.cfg.no-mesh.template: | -{{ tuple "etc/bird/_bird6.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - bird6_ipam.cfg.template: | -{{ tuple "etc/bird/_bird6_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - bird_aggr.cfg.template: | -{{ tuple "etc/bird/_bird_aggr.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - bird.cfg.mesh.template: | -{{ tuple "etc/bird/_bird.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - bird.cfg.no-mesh.template: | -{{ tuple "etc/bird/_bird.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - bird_ipam.cfg.template: | -{{ tuple "etc/bird/_bird_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - custom_filters6.cfg.template: | -{{ tuple "etc/bird/_custom_filters6.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - custom_filters.cfg.template: | -{{ tuple "etc/bird/_custom_filters.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - tunl-ip.template: | -{{ tuple "etc/bird/_tunl-ip.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - # The location of your etcd cluster. This uses the Service clusterIP # defined below. etcd_endpoints: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} - # The CNI network configuration to install on each node. 
+ # The CNI network configuration to install on each node, generated + # from (Values.)conf.cni_network_config cni_network_config: |- {{ toJson $envAll.Values.conf.cni_network_config | indent 4 }} diff --git a/calico/templates/daemonset-calico-etcd.yaml b/calico/templates/daemonset-calico-etcd.yaml index d3c0c8a78..1699141df 100644 --- a/calico/templates/daemonset-calico-etcd.yaml +++ b/calico/templates/daemonset-calico-etcd.yaml @@ -18,12 +18,12 @@ limitations under the License. {{- $envAll := . }} {{- $serviceAccountName := "calico-etcd"}} -{{ tuple $envAll "etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +{{ tuple $envAll "calico-etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- # This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet # to force it to run on the master even when the master isn't schedulable, and uses # nodeSelector to ensure it only runs on the master. -apiVersion: apps/v1 +apiVersion: extensions/v1beta1 kind: DaemonSet metadata: name: calico-etcd 
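Review bot: `apiVersion: extensions/v1beta1` replaces the GA `apps/v1` for this DaemonSet, and the same downgrade appears in daemonset-calico-node.yaml (hunk @@ -67) and deployment-calico-kube-controllers.yaml (hunk @@ -46). The `extensions/v1beta1` workload kinds are deprecated and are removed in Kubernetes 1.16, so this is a step backwards unless the chart has to target clusters older than 1.9. If that is the reason, say so next to each occurrence, e.g. `# extensions/v1beta1 kept for pre-1.9 cluster compatibility; return to apps/v1 with the v3 chart`, so the next realignment does not carry it forward by accident.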
@@ -43,19 +43,26 @@ spec: k8s-app: calico-etcd {{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} annotations: + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler # reserves resources for critical add-on pods so that they can be rescheduled after # a failure. This annotation works in tandem with the toleration below. scheduler.alpha.kubernetes.io/critical-pod: '' spec: - # Only run this pod on the master. tolerations: + # This taint is set by all kubelets running `--cloud-provider=external` + # so we should tolerate it to schedule the Calico pods + - key: node.cloudprovider.kubernetes.io/uninitialized + value: "true" + effect: NoSchedule + # Allow this pod to run on the master. - key: node-role.kubernetes.io/master effect: NoSchedule # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. # This, along with the annotation above marks this pod as a critical add-on. - key: CriticalAddonsOnly operator: Exists + # Only run this pod on the master. nodeSelector: node-role.kubernetes.io/master: "" hostNetwork: true 
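Review bot: The new `configmap-etc-hash` annotation on the calico-etcd pod template forces a restart of the etcd pod whenever calico-etc changes, yet nothing in this hunk or elsewhere on the page shows the etcd container mounting or reading calico-etc. If it does not consume it, an edit to, say, `cni_network_config` restarts the single etcd member and takes the Calico datastore down for no benefit; either drop the annotation here or, if the dependency is real, note it above the line, e.g. `# restart etcd when calico-etc changes: <reason>`. The rest of the pod spec is outside the hunk, so this is inferred from what is visible.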
@@ -72,11 +79,13 @@ spec: fieldPath: status.podIP command: - /usr/local/bin/etcd + args: - --name=calico - --data-dir=/var/etcd/calico-data - --advertise-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} - --listen-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - --listen-peer-urls={{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + - --auto-compaction-retention=1 volumeMounts: - name: var-etcd mountPath: /var/etcd diff --git a/calico/templates/daemonset-calico-node.yaml b/calico/templates/daemonset-calico-node.yaml index c5c9f48b2..890a2f0f2 100644 --- a/calico/templates/daemonset-calico-node.yaml +++ b/calico/templates/daemonset-calico-node.yaml @@ -33,7 +33,6 @@ limitations under the License. {{- end -}} {{- end -}} -{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }} {{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-cni-plugin"}} {{ tuple $envAll "calico_node" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} @@ -67,10 +66,9 @@ rules: # as the Calico CNI plugins and network config on # each master and worker node in a Kubernetes cluster. kind: DaemonSet -apiVersion: apps/v1 +apiVersion: extensions/v1beta1 metadata: name: calico-node - namespace: kube-system annotations: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} labels: 
@@ -81,30 +79,45 @@ spec: matchLabels: k8s-app: calico-node {{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 template: metadata: labels: k8s-app: calico-node {{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} annotations: - # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler - # reserves resources for critical add-on pods so that they can be rescheduled after - # a failure. This annotation works in tandem with the toleration below. + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-bird-hash: {{ tuple "configmap-bird.yaml" . | include "helm-toolkit.utils.hash" }} + # This, along with the CriticalAddonsOnly toleration below, + # marks the pod as a critical add-on, ensuring it gets + # priority scheduling and that its resources are reserved + # if it ever gets evicted. scheduler.alpha.kubernetes.io/critical-pod: '' {{- if .Values.monitoring.prometheus.enabled }} +{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }} {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }} {{- end }} spec: + nodeSelector: + beta.kubernetes.io/os: linux hostNetwork: true tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. - # This, along with the annotation above marks this pod as a critical add-on. + # Make sure calico-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. 
- key: CriticalAddonsOnly operator: Exists + - effect: NoExecute + operator: Exists serviceAccountName: {{ $serviceAccountName }} - terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.node.timeout | default "30" }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 0 initContainers: {{ tuple $envAll "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} {{ if .Values.manifests.daemonset_calico_node_calicoctl }} @@ -119,13 +132,14 @@ spec: configMapKeyRef: name: calico-etc key: etcd_endpoints + {{ if .Values.endpoints.etcd.auth.client.tls.ca}} - name: ETCD_CA_CERT_FILE value: {{ .Values.endpoints.etcd.auth.client.path.ca }} - name: ETCD_CA_CERT valueFrom: secretKeyRef: - name: calico-certificates + name: calico-etcd-secrets key: tls.ca {{ end }} {{ if .Values.endpoints.etcd.auth.client.tls.key}} @@ -134,7 +148,7 @@ spec: - name: ETCD_KEY valueFrom: secretKeyRef: - name: calico-certificates + name: calico-etcd-secrets key: tls.key {{ end }} {{ if .Values.endpoints.etcd.auth.client.tls.crt}} @@ -143,7 +157,7 @@ spec: - name: ETCD_CERT valueFrom: secretKeyRef: - name: calico-certificates + name: calico-etcd-secrets key: tls.crt {{ end }} volumeMounts: @@ -154,15 +168,15 @@ spec: - mountPath: /tmp/install-calicoctl.sh name: calico-bin subPath: install-calicoctl.sh - - name: calico-certificates + - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} subPath: tls.ca readOnly: true - - name: calico-certificates + - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} subPath: tls.crt readOnly: true - - name: calico-certificates + - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} subPath: tls.key readOnly: true 
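Review bot: `terminationGracePeriodSeconds: 0` replaces the templated `.Values.pod.lifecycle.termination_grace_period.node.timeout | default "30"`, and values.yaml deletes the whole `termination_grace_period` block, so an operator override of that key is now silently ignored rather than rejected at render time. If the hard-coded zero is the intended default (the new comment argues for it), keeping the knob costs nothing: `terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.node.timeout | default 0 }}`; otherwise the removed option should be called out in the commit message, which currently describes the change as refactoring. The same removal happens for the kube-controllers pod in deployment-calico-kube-controllers.yaml, where the field is deleted outright and falls back to the Kubernetes default.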
@@ -175,18 +189,24 @@ spec: {{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} env: + # Values expanded explicitly from conf.node (some of which + # might be derived from elsewhere, see values.yaml for an + # explanation of this) + # {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.node | indent 12 }} + + # Values explicit in the chart not expected to be found in + # conf.node + # + # The location of the Calico etcd cluster. - name: ETCD_ENDPOINTS valueFrom: configMapKeyRef: name: calico-etc key: etcd_endpoints - # Set noderef for node controller. - - name: CALICO_K8S_NODE_REF - valueFrom: - fieldRef: - fieldPath: spec.nodeName + + # etcd certs {{ if .Values.endpoints.etcd.auth.client.tls.ca}} - name: ETCD_CA_CERT_FILE value: {{ .Values.endpoints.etcd.auth.client.path.ca }} @@ -199,8 +219,26 @@ spec: - name: ETCD_CERT_FILE value: {{ .Values.endpoints.etcd.auth.client.path.crt }} {{ end }} + + # Set noderef for node controller. + - name: CALICO_K8S_NODE_REF + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: privileged: true + resources: + requests: + cpu: 250m + livenessProbe: + httpGet: + path: /liveness + port: 9099 + host: localhost + periodSeconds: 10 + initialDelaySeconds: 10 + failureThreshold: 6 volumeMounts: - mountPath: /lib/modules name: lib-modules 
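Review bot: The added `resources: requests: cpu: 250m` on the calico-node container sits in the same mapping as the `helm-toolkit.snippets.kubernetes_resources` include visible at the top of hunk @@ -175, so whenever that snippet renders a `resources:` block the container carries two `resources` keys and the outcome depends on which one the YAML loader keeps (most keep the last, silently discarding the values.yaml limits). Remove the hard-coded block and express the 250m request through `pod.resources.calico_node.requests` in values.yaml instead. Separately, the new `livenessProbe` against `localhost:9099/liveness` only answers when felix health reporting is enabled in the node environment (FELIX_HEALTHENABLED, which would come from `conf.node` and is not visible on this page); if that setting is absent, the probe fails six times and kubelet restart-loops every calico-node pod, so confirm it lands in values.yaml alongside this change.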
@@ -208,45 +246,53 @@ spec: - mountPath: /var/run/calico name: var-run-calico readOnly: false - - mountPath: /etc/calico/confd/templates/bird6.cfg.mesh.template - name: calico-etc - subPath: bird6.cfg.mesh.template - - mountPath: /etc/calico/confd/templates/bird6.cfg.no-mesh.template - name: calico-etc - subPath: bird6.cfg.no-mesh.template - - mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template - name: calico-etc - subPath: bird6_ipam.cfg.template - - mountPath: /etc/calico/confd/templates/bird_aggr.cfg.template - name: calico-etc - subPath: bird_aggr.cfg.template + + # bird template replacements + # bird cfg - mountPath: /etc/calico/confd/templates/bird.cfg.mesh.template - name: calico-etc + name: calico-bird subPath: bird.cfg.mesh.template - mountPath: /etc/calico/confd/templates/bird.cfg.no-mesh.template - name: calico-etc + name: calico-bird subPath: bird.cfg.no-mesh.template + # bird ipam - mountPath: /etc/calico/confd/templates/bird_ipam.cfg.template - name: calico-etc + name: calico-bird subPath: bird_ipam.cfg.template + # bird6 cfg + - mountPath: /etc/calico/confd/templates/bird6.cfg.mesh.template + name: calico-bird + subPath: bird6.cfg.mesh.template + - mountPath: /etc/calico/confd/templates/bird6.cfg.no-mesh.template + name: calico-bird + subPath: bird6.cfg.no-mesh.template + # bird6 ipam + - mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template + name: calico-bird + subPath: bird6_ipam.cfg.template + # filters... 
+ - mountPath: /etc/calico/confd/templates/bird_aggr.cfg.template + name: calico-bird + subPath: bird_aggr.cfg.template - mountPath: /etc/calico/confd/templates/custom_filters6.cfg.template - name: calico-etc + name: calico-bird subPath: custom_filters6.cfg.template - mountPath: /etc/calico/confd/templates/custom_filters.cfg.template - name: calico-etc + name: calico-bird subPath: custom_filters.cfg.template - - mountPath: /etc/calico/confd/templates/tunl-ip.template - name: calico-etc - subPath: tunl-ip.template - - name: calico-certificates + # etcd secrets + - mountPath: /var/lib/calico + name: var-lib-calico + readOnly: false + - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} subPath: tls.ca readOnly: true - - name: calico-certificates + - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} subPath: tls.crt readOnly: true - - name: calico-certificates + - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} subPath: tls.key readOnly: true @@ -257,6 +303,12 @@ spec: {{ tuple $envAll $envAll.Values.pod.resources.calico_cni | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} command: ["/install-cni.sh"] env: + # Name of the CNI config file to create. + # + # NOTE: Calico v2 needs to end in .conf; Calico v3 is + # different! + - name: CNI_CONF_NAME + value: "10-calico.conf" # The location of the Calico etcd cluster. - name: ETCD_ENDPOINTS valueFrom: @@ -282,6 +334,9 @@ spec: - name: var-run-calico hostPath: path: /var/run/calico + - name: var-lib-calico + hostPath: + path: /var/lib/calico # Used to install CNI. - name: cni-bin-dir hostPath: 
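Review bot: The `# etcd secrets` comment in hunk @@ -208 is placed above the new `/var/lib/calico` hostPath mount rather than above the `calico-etcd-secrets` mounts it describes, and `# filters...` sits above `bird_aggr.cfg.template`, which is the route-aggregation template, not a filter. Move `# etcd secrets` down to precede the first `- name: calico-etcd-secrets` entry, and split the other label into `# bird aggregation` before the `bird_aggr.cfg.template` mount and `# filters` before `custom_filters6.cfg.template`. The volumeMounts list continues past the end of the hunk.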
@@ -296,11 +351,15 @@ spec: configMap: name: calico-etc defaultMode: 0444 + - name: calico-bird + configMap: + name: calico-bird + defaultMode: 0444 - name: calico-bin configMap: name: calico-bin defaultMode: 0555 - - name: calico-certificates + - name: calico-etcd-secrets secret: - secretName: calico-certificates + secretName: calico-etcd-secrets {{- end }} diff --git a/calico/templates/deployment-calico-kube-controllers.yaml b/calico/templates/deployment-calico-kube-controllers.yaml index 9a779f6f9..50b3be88b 100644 --- a/calico/templates/deployment-calico-kube-controllers.yaml +++ b/calico/templates/deployment-calico-kube-controllers.yaml @@ -14,14 +14,14 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if .Values.manifests.deployment_calico_kube_policy_controllers }} +{{- if .Values.manifests.deployment_calico_kube_controllers }} {{- $envAll := . }} {{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-kube-controllers"}} -{{ tuple $envAll "calico_kube_policy_controllers" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +{{ tuple $envAll "calico_kube_controllers" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- -apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: {{ $serviceAccountName }} roleRef: 
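Review bot: The `calico-etcd-secrets` secret volume in hunk @@ -296 has no `defaultMode`, so `tls.key` is projected with the default 0644 mode, whereas the same secret in deployment-calico-kube-controllers.yaml is mounted with `defaultMode: 0400`; job-calico-settings.yaml (hunk @@ -95) has the same omission. Add `defaultMode: 0400` under `secret:` in both places so the etcd client key is handled consistently and is not readable by every uid inside the container. Both the calicoctl init container and the calico-node container mount the key via `subPath`, so confirm they run as the owner of the projected file before tightening; the page does not show their user settings.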
@@ -46,68 +46,72 @@ rules: - namespaces - networkpolicies - nodes + - serviceaccounts + verbs: + - watch + - list + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies verbs: - watch - list --- # This manifest deploys the Calico Kubernetes controllers. # See https://github.com/projectcalico/kube-controllers -apiVersion: apps/v1 +apiVersion: extensions/v1beta1 kind: Deployment metadata: - name: calico-kube-policy-controllers + name: calico-kube-controllers namespace: {{ .Release.Namespace }} - annotations: - {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} labels: - k8s-app: calico-kube-policy-controllers -{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + k8s-app: calico-kube-controllers +{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} spec: # The controllers can only have a single active instance. 
replicas: 1 selector: matchLabels: - k8s-app: calico-kube-policy-controllers -{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} + k8s-app: calico-kube-controllers +{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} strategy: type: Recreate {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }} template: metadata: - name: calico-kube-policy-controllers - namespace: kube-system + name: calico-kube-controllers labels: - k8s-app: calico-kube-policy-controllers -{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + k8s-app: calico-kube-controllers +{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} annotations: - # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler - # reserves resources for critical add-on pods so that they can be rescheduled after - # a failure. This annotation works in tandem with the toleration below. - scheduler.alpha.kubernetes.io/critical-pod: '' + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} spec: + nodeSelector: + beta.kubernetes.io/os: linux # The controllers must run in the host network namespace so that # it isn't governed by policy that would prevent it from working. hostNetwork: true tolerations: - # this taint is set by all kubelets running `--cloud-provider=external` - # so we should tolerate it to schedule the calico pods + # Mark the pod as a critical add-on for rescheduling. 
- key: node.cloudprovider.kubernetes.io/uninitialized value: "true" effect: NoSchedule - - key: node-role.kubernetes.io/master - effect: NoSchedule - # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. - # This, along with the annotation above marks this pod as a critical add-on. - key: CriticalAddonsOnly operator: Exists + - key: node-role.kubernetes.io/master + effect: NoSchedule serviceAccountName: {{ $serviceAccountName }} initContainers: -{{ tuple $envAll "calico_kube_policy_controllers" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.policy_controller.timeout | default "30" }} +{{ tuple $envAll "calico_kube_controllers" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - - name: calico-policy-controller -{{ tuple $envAll "calico_kube_policy_controller" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ tuple $envAll $envAll.Values.pod.resources.calico_kube_policy_controller | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + - name: calico-kube-controllers +{{ tuple $envAll "calico_kube_controllers" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.calico_kube_controllers | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} env: # The location of the Calico etcd cluster. - name: ETCD_ENDPOINTS @@ -115,7 +119,11 @@ spec: configMapKeyRef: name: calico-etc key: etcd_endpoints -{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.policy_controller | indent 12 }} + + # conf.controllers expanded values +{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.controllers | indent 12 }} + + # etcd tls files {{ if .Values.endpoints.etcd.auth.client.tls.ca}} - name: ETCD_CA_CERT_FILE value: {{ .Values.endpoints.etcd.auth.client.path.ca }} 
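Review bot: `scheduler.alpha.kubernetes.io/critical-pod: ''` was removed from the pod template annotations and added to the Deployment's own `metadata.annotations`, where neither the scheduler nor eviction looks for it; only pods carry that marker, so the kube-controllers pod stops being a critical add-on even though the `CriticalAddonsOnly` toleration and the `# Mark the pod as a critical add-on for rescheduling.` comment remain. Move the annotation back under `spec.template.metadata.annotations` next to the `configmap-*-hash` entries. That comment now also sits above the `node.cloudprovider.kubernetes.io/uninitialized` toleration in place of the accurate explanation the old code had; restore `# This taint is set by kubelets running --cloud-provider=external; tolerate it so the pod can schedule` there and keep the critical-add-on remark above `- key: CriticalAddonsOnly`. Finally, the ClusterRole gains cluster-wide list/watch on `serviceaccounts` and `networking.k8s.io` `networkpolicies` while values.yaml still pins the `kube-policy-controller:v0.7.0` image; the page does not show whether that controller uses those resources, and if it does not, the extra read permissions are better deferred to the v3 upgrade that needs them.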
@@ -128,21 +136,25 @@ spec: - name: ETCD_CERT_FILE value: {{ .Values.endpoints.etcd.auth.client.path.crt }} {{ end }} + + # etcd tls mounts volumeMounts: - - name: calico-certificates + - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} subPath: tls.ca readOnly: true - - name: calico-certificates + - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} subPath: tls.crt readOnly: true - - name: calico-certificates + - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} subPath: tls.key readOnly: true + volumes: - - name: calico-certificates + - name: calico-etcd-secrets secret: - secretName: calico-certificates + secretName: calico-etcd-secrets + defaultMode: 0400 {{- end }} diff --git a/calico/templates/etc/bird/_tunl-ip.template.tpl b/calico/templates/etc/bird/_tunl-ip.template.tpl deleted file mode 100644 index 01b63c67f..000000000 --- a/calico/templates/etc/bird/_tunl-ip.template.tpl +++ /dev/null @@ -1,7 +0,0 @@ -We must dump all pool data to this file to trigger a resync. -Otherwise, confd notices the file hasn't changed and won't -run our python update script. - -{{`{{range ls "/pool"}}`}}{{`{{$data := json (getv (printf "/pool/%s" .))}}`}} - {{`{{if $data.ipip}}`}}{{`{{if not $data.disabled}}`}}{{`{{$data.cidr}}`}}{{`{{end}}`}}{{`{{end}}`}} -{{`{{end}}`}} diff --git a/calico/templates/job-calico-settings.yaml b/calico/templates/job-calico-settings.yaml index 44e211e53..6c86d5230 100644 --- a/calico/templates/job-calico-settings.yaml +++ b/calico/templates/job-calico-settings.yaml 
@@ -30,6 +30,8 @@ spec: template: metadata: annotations: + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler # reserves resources for critical add-on pods so that they can be rescheduled after # a failure. This annotation works in tandem with the toleration below. @@ -78,15 +80,15 @@ spec: mountPath: /tmp/calico-settings.sh subPath: calico-settings.sh readOnly: true - - name: calico-certificates + - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} subPath: tls.ca readOnly: true - - name: calico-certificates + - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} subPath: tls.crt readOnly: true - - name: calico-certificates + - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} subPath: tls.key readOnly: true @@ -95,7 +97,7 @@ spec: configMap: name: calico-bin defaultMode: 0555 - - name: calico-certificates + - name: calico-etcd-secrets secret: - secretName: calico-certificates + secretName: calico-etcd-secrets {{- end }} diff --git a/calico/templates/secret-certificates.yaml b/calico/templates/secret-etcd-certificates.yaml similarity index 96% rename from calico/templates/secret-certificates.yaml rename to calico/templates/secret-etcd-certificates.yaml index 4a1ad1223..44f945514 100644 --- a/calico/templates/secret-certificates.yaml +++ b/calico/templates/secret-etcd-certificates.yaml 
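Review bot: The `configmap-etc-hash` and `configmap-bin-hash` annotations added to the Job's `spec.template.metadata` in hunk @@ -30 change the pod template on every config edit, and a Job's pod template is immutable once created, so a later `helm upgrade` that re-renders this Job is rejected by the API server unless the chart deletes and recreates the Job first. I cannot see from this page how calico-settings is recreated on upgrade; if it is not, either leave these two annotations off the Job or document the requirement above them, e.g. `# NOTE: a changed hash requires deleting and recreating the Job; its pod template is immutable`.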
@@ -20,12 +20,11 @@ limitations under the License. apiVersion: v1 kind: Secret -metadata: - name: calico-certificates type: kubernetes.io/tls +metadata: + name: calico-etcd-secrets data: tls.ca: {{ .Values.endpoints.etcd.auth.client.tls.ca | default "" | b64enc }} tls.key: {{ .Values.endpoints.etcd.auth.client.tls.key | default "" | b64enc }} tls.crt: {{ .Values.endpoints.etcd.auth.client.tls.crt | default "" | b64enc }} -{{ end }} - +{{- end }} diff --git a/calico/templates/service-calico-etcd.yaml b/calico/templates/service-calico-etcd.yaml index 75c5187cb..3be48f511 100644 --- a/calico/templates/service-calico-etcd.yaml +++ b/calico/templates/service-calico-etcd.yaml @@ -33,7 +33,7 @@ spec: {{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} # This ClusterIP needs to be known in advance, since we cannot rely # on DNS to get access to etcd. - clusterIP: 10.96.232.136 + clusterIP: {{ tuple "etcd" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }} ports: - port: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} {{- end }} diff --git a/calico/values.yaml b/calico/values.yaml index 4d8b9b1cb..59ec238b2 100644 --- a/calico/values.yaml +++ b/calico/values.yaml @@ -12,11 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -labels: - job: - node_selector_key: openstack-control-plane - node_selector_value: enabled - images: tags: calico_etcd: quay.io/coreos/etcd:v3.1.14 
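Review bot: Every entry in this Secret is rendered through `| default "" | b64enc`, so when `endpoints.etcd.auth.client.tls.*` is unset the chart still produces a `kubernetes.io/tls` Secret whose `tls.crt`, `tls.key` and `tls.ca` are empty strings; the API server only checks that the `tls.crt` and `tls.key` keys exist, not that they hold anything, so a missing certificate surfaces only later as a TLS failure in the pods that mount it. If the Helm version in use supports the `required` function, failing at render time is safer, e.g. `tls.key: {{ .Values.endpoints.etcd.auth.client.tls.key | required "endpoints.etcd.auth.client.tls.key must be set" | b64enc }}` (same for `tls.crt`); if empty values are meant to be accepted, a comment saying so would at least make that explicit. Note also that `tls.ca` is not a key the `kubernetes.io/tls` type defines, which is permitted but worth a one-line comment so nobody "fixes" it by dropping it.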
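Review bot: `clusterIP` now comes from `helm-toolkit.endpoints.endpoint_host_lookup`, which returns whatever host string is configured for the internal etcd endpoint; the Service field only accepts an IP literal inside the cluster's service CIDR (or `None`), so a hostname or an out-of-range address will be rejected at apply time rather than at render time. The surrounding comment still explains why the address must be known in advance but no longer says what shape the configured value must have; I would extend it with `# The configured internal etcd host must therefore be an IPv4 address inside the cluster service CIDR` (the values key is presumably `endpoints.etcd.hosts.internal`; confirm against values.yaml).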
@@ -24,7 +19,8 @@ images: calico_cni: quay.io/calico/cni:v1.11.5 calico_ctl: quay.io/calico/ctl:v1.6.4 calico_settings: quay.io/calico/ctl:v1.6.4 - calico_kube_policy_controller: quay.io/calico/kube-policy-controller:v0.7.0 + # NOTE: plural key, singular value + calico_kube_controllers: quay.io/calico/kube-policy-controller:v0.7.0 dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 image_repo_sync: docker.io/docker:17.07.0 pull_policy: IfNotPresent @@ -36,7 +32,7 @@ images: - calico_etcd - calico_node - calico_cni - - calico_kube_policy_controller + - calico_kube_controllers pod: resources: @@ -56,7 +52,7 @@ pod: limits: memory: "1024Mi" cpu: "2000m" - calico_kube_policy_controller: + calico_kube_controllers: requests: memory: "128Mi" cpu: "100m" @@ -100,13 +96,8 @@ pod: max_unavailable: 1 max_surge: 3 disruption_budget: - policy_controller: + controllers: min_available: 0 - termination_grace_period: - policy_controller: - timeout: 5 - node: - timeout: 5 dependencies: dynamic: @@ -118,19 +109,19 @@ dependencies: - endpoint: node service: local_image_registry static: - calico_kube_policy_controllers: + calico_kube_controllers: services: - endpoint: internal - service: etcd + service: calico-etcd calico_node: services: - endpoint: internal - service: etcd + service: calico-etcd calico_settings: services: - endpoint: internal - service: etcd - etcd: + service: calico-etcd + calico_etcd: services: null image_repo_sync: services: @@ -199,6 +190,7 @@ networking: ippool: ipip: enabled: "true" + # lowercase value mode: "always" nat_outgoing: "true" disabled: "false" 
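Review bot: The `# NOTE: plural key, singular value` comment above `calico_kube_controllers` records that the key and the image name disagree but not why, so a later editor aligning the tag to the v3 naming cannot tell whether the image reference was left behind deliberately. Given the commit's stated intent, I would spell it out: `# NOTE: key matches the v3.2 chart (kube-controllers); the v2 release still ships the image as kube-policy-controller, so the tag below is correct` (inferred from the commit message; confirm). Independently of this rename, all image references here are pinned by tag rather than by digest, which is a mutable pointer for a supply-chain sensitive component; pinning with a `@sha256:` digest is worth considering once the v3.2 values are settled.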
@@ -206,22 +198,24 @@ networking: # our asnumber for bgp peering asnumber: 64512 ipv4: - # this is a list of peer objects that will be passed - # directly to calicoctl - for global peers, the scope - # should be global and the node attribute removed + # https://docs.projectcalico.org/v2.0/reference/calicoctl/resources/bgppeer + # + # this is a list of peer objects that will be passed directly to + # calicoctl - for global peers, the scope should be global and + # the node attribute removed # # apiVersion: v1 # kind: bgpPeer # metadata: # peerIP: 10.1.10.39 # scope: node - # node: hpnode1 + # node: some.name # spec: # asNumber: 64512 peers: [] - # this is a list of additional IPv4 cidrs that if we - # discover IPs within them on a host, we will announce - # the address in addition to traditional pod workloads + # this is a list of additional IPv4 cidrs that if we discover + # IPs within them on a host, we will announce the address in + # addition to traditional pod workloads additional_cidrs: [] mesh: port: 
@@ -232,22 +226,24 @@ networking: neighbor: 179 listen: 179 ipv6: - # this is a list of peer objects that will be passed - # directly to calicoctl - for global peers, the scope - # should be global and the node attribute removed + # https://docs.projectcalico.org/v2.0/reference/calicoctl/resources/bgppeer + # + # this is a list of peer objects that will be passed directly to + # calicoctl - for global peers, the scope should be global and + # the node attribute removed # # apiVersion: v1 # kind: bgpPeer # metadata: - # peerIP: 2603:3024:1200:7500:7011:1dd6:1462:fa5b + # peerIP: 2600:1:2:3::abcd # scope: node - # node: hpnode1 + # node: rack1-host1 # spec: # asNumber: 64512 peers: [] - # this is a list of additional IPv6 cidrs that if we - # discover IPs within them on a host, we will announce - # them in addition to traditional pod workloads + # this is a list of additional IPv6 cidrs that if we discover + # IPs within them on a host, we will announce them in addition + # to traditional pod workloads additional_cidrs: [] mesh: port: @@ -265,6 +261,7 @@ conf: key: null certificate: null cni_network_config: + # https://docs.projectcalico.org/v2.0/reference/cni-plugin/configuration name: k8s-pod-network cniVersion: 0.1.0 type: calico @@ -279,7 +276,7 @@ conf: k8s_auth_token: __SERVICEACCOUNT_TOKEN__ kubernetes: kubeconfig: "/etc/cni/net.d/__KUBECONFIG_FILENAME__" - policy_controller: + controllers: # The location of the Kubernetes API. Use the default Kubernetes # service for API access. K8S_API: "https://kubernetes.default:443" @@ -311,6 +308,7 @@ conf: # Configure the IP Pool from which Pod IPs will be chosen. CALICO_IPV4POOL_CIDR: null # Change this to 'off' in environments with direct L2 communication + # lowercase CALICO_IPV4POOL_IPIP: "always" # Disable IPv6 on Kubernetes. FELIX_IPV6SUPPORT: "false" 
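Review bot: The `# lowercase` comment added above `CALICO_IPV4POOL_IPIP` says how the value is spelled but not why or what the alternatives are, so the next editor has no way to know whether `Always` or `CrossSubnet` would be rejected. The comment two lines above already says "Change this to 'off'"; I would merge them into one note such as `# Must be lowercase and should match networking.ippool.ipip.mode; use "off" where hosts have direct L2 reachability`. The `mode: "always"` value under `networking.ippool.ipip` received the same `# lowercase value` note elsewhere in this patch, which suggests the two settings are meant to agree (inferred; confirm against the calico-settings script before documenting it as a requirement).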
@@ -334,10 +332,11 @@ conf: manifests: configmap_bin: true configmap_etc: true + configmap_bird: true daemonset_calico_etcd: true daemonset_calico_node: true daemonset_calico_node_calicoctl: true - deployment_calico_kube_policy_controllers: true + deployment_calico_kube_controllers: true job_image_repo_sync: true job_calico_settings: true service_calico_etcd: true