[Calico] Realign Calico v2 chart for upcoming v3.2 upgrade
This PS realigns Calico v2 with the pending Calico v3.2 chart in order to minimize differences. It's mostly refactoring with a few small fixes. Change-Id: Ie5157b4ae324b6eb4c8ccb5cc07d8b9bc5a83ebd
parent
681dee71b7
commit
45275ffefd
@ -80,6 +80,6 @@ EOF
|
|||||||
# process IPv6 peers
|
# process IPv6 peers
|
||||||
{{ if .Values.networking.bgp.ipv6.peers }}
|
{{ if .Values.networking.bgp.ipv6.peers }}
|
||||||
cat << EOF | ${CALICOCTL} apply -f -
|
cat << EOF | ${CALICOCTL} apply -f -
|
||||||
{{ .Values.networking.bgp.ipv4.peers | toYaml }}
|
{{ .Values.networking.bgp.ipv6.peers | toYaml }}
|
||||||
EOF
|
EOF
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
@ -40,9 +40,11 @@ fi;
|
|||||||
|
|
||||||
cat <<EOF>/host/opt/cni/bin/calicoctl
|
cat <<EOF>/host/opt/cni/bin/calicoctl
|
||||||
export ETCD_ENDPOINTS=$ETCD_ENDPOINTS
|
export ETCD_ENDPOINTS=$ETCD_ENDPOINTS
|
||||||
if [ -e $ETCD_KEY_FILE ]; then export ETCD_KEY_FILE=$ETCD_KEY_FILE; fi;
|
|
||||||
if [ -e $ETCD_CERT_FILE ]; then export ETCD_CERT_FILE=$ETCD_CERT_FILE; fi;
|
[ -e $ETCD_KEY_FILE ] && export ETCD_KEY_FILE=$ETCD_KEY_FILE
|
||||||
if [ -e $ETCD_CA_CERT_FILE ]; then export ETCD_CA_CERT_FILE=$ETCD_CA_CERT_FILE; fi;
|
[ -e $ETCD_CERT_FILE ] && export ETCD_CERT_FILE=$ETCD_CERT_FILE
|
||||||
|
[ -e $ETCD_CA_CERT_FILE ] && export ETCD_CA_CERT_FILE=$ETCD_CA_CERT_FILE
|
||||||
|
|
||||||
exec /opt/cni/bin/calicoctl.bin \$*
|
exec /opt/cni/bin/calicoctl.bin \$*
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
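Review bot: The three rewritten `[ -e $ETCD_..._FILE ] && export ...` lines inside the calicoctl wrapper heredoc still expand their variables unquoted. Because the heredoc delimiter is unquoted, an empty variable at install time produces `[ -e ] && export ETCD_KEY_FILE=` in the generated wrapper, and a one-argument `[` test is true, so the wrapper exports an empty path instead of skipping it; a path containing whitespace breaks the test as well. Quoting inside the heredoc covers both cases: `[ -e "$ETCD_KEY_FILE" ] && export ETCD_KEY_FILE="$ETCD_KEY_FILE"`, and likewise for the CERT and CA lines. The script continues outside the hunk on both sides.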
47
calico/templates/configmap-bird.yaml
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.configmap_bird }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
|
||||||
|
---
|
||||||
|
kind: ConfigMap
|
||||||
|
apiVersion: v1
|
||||||
|
metadata:
|
||||||
|
name: calico-bird
|
||||||
|
data:
|
||||||
|
# we overlay templates found natively in the calico-node container
|
||||||
|
# so that we may override bgp configuration
|
||||||
|
bird6.cfg.mesh.template: |
|
||||||
|
{{ tuple "bird/_bird6.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
bird6.cfg.no-mesh.template: |
|
||||||
|
{{ tuple "bird/_bird6.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
bird6_ipam.cfg.template: |
|
||||||
|
{{ tuple "bird/_bird6_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
bird_aggr.cfg.template: |
|
||||||
|
{{ tuple "bird/_bird_aggr.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
bird.cfg.mesh.template: |
|
||||||
|
{{ tuple "bird/_bird.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
bird.cfg.no-mesh.template: |
|
||||||
|
{{ tuple "bird/_bird.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
bird_ipam.cfg.template: |
|
||||||
|
{{ tuple "bird/_bird_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
custom_filters6.cfg.template: |
|
||||||
|
{{ tuple "bird/_custom_filters6.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
custom_filters.cfg.template: |
|
||||||
|
{{ tuple "bird/_custom_filters.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
|
||||||
|
{{- end }}
|
@ -30,41 +30,17 @@ limitations under the License.
|
|||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
|
apiVersion: v1
|
||||||
metadata:
|
metadata:
|
||||||
name: calico-etc
|
name: calico-etc
|
||||||
data:
|
data:
|
||||||
|
|
||||||
# we overlay templates found natively in the calico-node container so that we may override
|
|
||||||
# bgp configuration
|
|
||||||
|
|
||||||
bird6.cfg.mesh.template: |
|
|
||||||
{{ tuple "etc/bird/_bird6.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
|
||||||
bird6.cfg.no-mesh.template: |
|
|
||||||
{{ tuple "etc/bird/_bird6.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
|
||||||
bird6_ipam.cfg.template: |
|
|
||||||
{{ tuple "etc/bird/_bird6_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
|
||||||
bird_aggr.cfg.template: |
|
|
||||||
{{ tuple "etc/bird/_bird_aggr.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
|
||||||
bird.cfg.mesh.template: |
|
|
||||||
{{ tuple "etc/bird/_bird.cfg.mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
|
||||||
bird.cfg.no-mesh.template: |
|
|
||||||
{{ tuple "etc/bird/_bird.cfg.no-mesh.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
|
||||||
bird_ipam.cfg.template: |
|
|
||||||
{{ tuple "etc/bird/_bird_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
|
||||||
custom_filters6.cfg.template: |
|
|
||||||
{{ tuple "etc/bird/_custom_filters6.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
|
||||||
custom_filters.cfg.template: |
|
|
||||||
{{ tuple "etc/bird/_custom_filters.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
|
||||||
tunl-ip.template: |
|
|
||||||
{{ tuple "etc/bird/_tunl-ip.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
|
||||||
|
|
||||||
# The location of your etcd cluster. This uses the Service clusterIP
|
# The location of your etcd cluster. This uses the Service clusterIP
|
||||||
# defined below.
|
# defined below.
|
||||||
etcd_endpoints: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
|
etcd_endpoints: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
|
||||||
|
|
||||||
# The CNI network configuration to install on each node.
|
# The CNI network configuration to install on each node, generated
|
||||||
|
# from (Values.)conf.cni_network_config
|
||||||
cni_network_config: |-
|
cni_network_config: |-
|
||||||
{{ toJson $envAll.Values.conf.cni_network_config | indent 4 }}
|
{{ toJson $envAll.Values.conf.cni_network_config | indent 4 }}
|
||||||
|
|
||||||
|
@ -18,12 +18,12 @@ limitations under the License.
|
|||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
|
|
||||||
{{- $serviceAccountName := "calico-etcd"}}
|
{{- $serviceAccountName := "calico-etcd"}}
|
||||||
{{ tuple $envAll "etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
{{ tuple $envAll "calico-etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
|
# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
|
||||||
# to force it to run on the master even when the master isn't schedulable, and uses
|
# to force it to run on the master even when the master isn't schedulable, and uses
|
||||||
# nodeSelector to ensure it only runs on the master.
|
# nodeSelector to ensure it only runs on the master.
|
||||||
apiVersion: apps/v1
|
apiVersion: extensions/v1beta1
|
||||||
kind: DaemonSet
|
kind: DaemonSet
|
||||||
metadata:
|
metadata:
|
||||||
name: calico-etcd
|
name: calico-etcd
|
||||||
@ -43,19 +43,26 @@ spec:
|
|||||||
k8s-app: calico-etcd
|
k8s-app: calico-etcd
|
||||||
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
annotations:
|
annotations:
|
||||||
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
|
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
|
||||||
# reserves resources for critical add-on pods so that they can be rescheduled after
|
# reserves resources for critical add-on pods so that they can be rescheduled after
|
||||||
# a failure. This annotation works in tandem with the toleration below.
|
# a failure. This annotation works in tandem with the toleration below.
|
||||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||||
spec:
|
spec:
|
||||||
# Only run this pod on the master.
|
|
||||||
tolerations:
|
tolerations:
|
||||||
|
# This taint is set by all kubelets running `--cloud-provider=external`
|
||||||
|
# so we should tolerate it to schedule the Calico pods
|
||||||
|
- key: node.cloudprovider.kubernetes.io/uninitialized
|
||||||
|
value: "true"
|
||||||
|
effect: NoSchedule
|
||||||
|
# Allow this pod to run on the master.
|
||||||
- key: node-role.kubernetes.io/master
|
- key: node-role.kubernetes.io/master
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
|
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
|
||||||
# This, along with the annotation above marks this pod as a critical add-on.
|
# This, along with the annotation above marks this pod as a critical add-on.
|
||||||
- key: CriticalAddonsOnly
|
- key: CriticalAddonsOnly
|
||||||
operator: Exists
|
operator: Exists
|
||||||
|
# Only run this pod on the master.
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/master: ""
|
node-role.kubernetes.io/master: ""
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
@ -72,11 +79,13 @@ spec:
|
|||||||
fieldPath: status.podIP
|
fieldPath: status.podIP
|
||||||
command:
|
command:
|
||||||
- /usr/local/bin/etcd
|
- /usr/local/bin/etcd
|
||||||
|
args:
|
||||||
- --name=calico
|
- --name=calico
|
||||||
- --data-dir=/var/etcd/calico-data
|
- --data-dir=/var/etcd/calico-data
|
||||||
- --advertise-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
|
- --advertise-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
|
||||||
- --listen-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
- --listen-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
- --listen-peer-urls={{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
- --listen-peer-urls={{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
- --auto-compaction-retention=1
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: var-etcd
|
- name: var-etcd
|
||||||
mountPath: /var/etcd
|
mountPath: /var/etcd
|
||||||
|
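Review bot: The etcd container's new `args:` list in the last hunk binds `--listen-client-urls` and `--listen-peer-urls` to `0.0.0.0` on a `hostNetwork: true` pod, and none of the visible arguments enable TLS or client-certificate authentication on the server side. The client side of this chart already reads `.Values.endpoints.etcd.auth.client.tls.*`, so unless the scheme lookup yields https and the server certificates are supplied somewhere not shown here, any host that can reach the master's etcd port can presumably read and rewrite the Calico datastore. Consider gating server flags on the same values, for example `- --client-cert-auth=true` together with `- --trusted-ca-file=<ca path>` and the matching `--cert-file=` / `--key-file=` arguments. The container spec starts above the hunk and continues below it.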
@ -33,7 +33,6 @@ limitations under the License.
|
|||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }}
|
|
||||||
|
|
||||||
{{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-cni-plugin"}}
|
{{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-cni-plugin"}}
|
||||||
{{ tuple $envAll "calico_node" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
{{ tuple $envAll "calico_node" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
@ -67,10 +66,9 @@ rules:
|
|||||||
# as the Calico CNI plugins and network config on
|
# as the Calico CNI plugins and network config on
|
||||||
# each master and worker node in a Kubernetes cluster.
|
# each master and worker node in a Kubernetes cluster.
|
||||||
kind: DaemonSet
|
kind: DaemonSet
|
||||||
apiVersion: apps/v1
|
apiVersion: extensions/v1beta1
|
||||||
metadata:
|
metadata:
|
||||||
name: calico-node
|
name: calico-node
|
||||||
namespace: kube-system
|
|
||||||
annotations:
|
annotations:
|
||||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
||||||
labels:
|
labels:
|
||||||
@ -81,30 +79,45 @@ spec:
|
|||||||
matchLabels:
|
matchLabels:
|
||||||
k8s-app: calico-node
|
k8s-app: calico-node
|
||||||
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
|
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
|
||||||
|
updateStrategy:
|
||||||
|
type: RollingUpdate
|
||||||
|
rollingUpdate:
|
||||||
|
maxUnavailable: 1
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: calico-node
|
k8s-app: calico-node
|
||||||
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
annotations:
|
annotations:
|
||||||
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
# reserves resources for critical add-on pods so that they can be rescheduled after
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
# a failure. This annotation works in tandem with the toleration below.
|
configmap-bird-hash: {{ tuple "configmap-bird.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
|
# This, along with the CriticalAddonsOnly toleration below,
|
||||||
|
# marks the pod as a critical add-on, ensuring it gets
|
||||||
|
# priority scheduling and that its resources are reserved
|
||||||
|
# if it ever gets evicted.
|
||||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||||
{{- if .Values.monitoring.prometheus.enabled }}
|
{{- if .Values.monitoring.prometheus.enabled }}
|
||||||
|
{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }}
|
||||||
{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
|
{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
spec:
|
spec:
|
||||||
|
nodeSelector:
|
||||||
|
beta.kubernetes.io/os: linux
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
# Make sure calico-node gets scheduled on all nodes.
|
||||||
effect: NoSchedule
|
- effect: NoSchedule
|
||||||
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
|
operator: Exists
|
||||||
# This, along with the annotation above marks this pod as a critical add-on.
|
# Mark the pod as a critical add-on for rescheduling.
|
||||||
- key: CriticalAddonsOnly
|
- key: CriticalAddonsOnly
|
||||||
operator: Exists
|
operator: Exists
|
||||||
|
- effect: NoExecute
|
||||||
|
operator: Exists
|
||||||
serviceAccountName: {{ $serviceAccountName }}
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.node.timeout | default "30" }}
|
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
|
||||||
|
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
|
||||||
|
terminationGracePeriodSeconds: 0
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
{{ if .Values.manifests.daemonset_calico_node_calicoctl }}
|
{{ if .Values.manifests.daemonset_calico_node_calicoctl }}
|
||||||
@ -119,13 +132,14 @@ spec:
|
|||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
name: calico-etc
|
name: calico-etc
|
||||||
key: etcd_endpoints
|
key: etcd_endpoints
|
||||||
|
|
||||||
{{ if .Values.endpoints.etcd.auth.client.tls.ca}}
|
{{ if .Values.endpoints.etcd.auth.client.tls.ca}}
|
||||||
- name: ETCD_CA_CERT_FILE
|
- name: ETCD_CA_CERT_FILE
|
||||||
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
||||||
- name: ETCD_CA_CERT
|
- name: ETCD_CA_CERT
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: calico-certificates
|
name: calico-etcd-secrets
|
||||||
key: tls.ca
|
key: tls.ca
|
||||||
{{ end }}
|
{{ end }}
|
||||||
{{ if .Values.endpoints.etcd.auth.client.tls.key}}
|
{{ if .Values.endpoints.etcd.auth.client.tls.key}}
|
||||||
@ -134,7 +148,7 @@ spec:
|
|||||||
- name: ETCD_KEY
|
- name: ETCD_KEY
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: calico-certificates
|
name: calico-etcd-secrets
|
||||||
key: tls.key
|
key: tls.key
|
||||||
{{ end }}
|
{{ end }}
|
||||||
{{ if .Values.endpoints.etcd.auth.client.tls.crt}}
|
{{ if .Values.endpoints.etcd.auth.client.tls.crt}}
|
||||||
@ -143,7 +157,7 @@ spec:
|
|||||||
- name: ETCD_CERT
|
- name: ETCD_CERT
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: calico-certificates
|
name: calico-etcd-secrets
|
||||||
key: tls.crt
|
key: tls.crt
|
||||||
{{ end }}
|
{{ end }}
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
@ -154,15 +168,15 @@ spec:
|
|||||||
- mountPath: /tmp/install-calicoctl.sh
|
- mountPath: /tmp/install-calicoctl.sh
|
||||||
name: calico-bin
|
name: calico-bin
|
||||||
subPath: install-calicoctl.sh
|
subPath: install-calicoctl.sh
|
||||||
- name: calico-certificates
|
- name: calico-etcd-secrets
|
||||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
||||||
subPath: tls.ca
|
subPath: tls.ca
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: calico-certificates
|
- name: calico-etcd-secrets
|
||||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
||||||
subPath: tls.crt
|
subPath: tls.crt
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: calico-certificates
|
- name: calico-etcd-secrets
|
||||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
|
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
|
||||||
subPath: tls.key
|
subPath: tls.key
|
||||||
readOnly: true
|
readOnly: true
|
||||||
@ -175,18 +189,24 @@ spec:
|
|||||||
{{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
env:
|
env:
|
||||||
|
# Values expanded explicitly from conf.node (some of which
|
||||||
|
# might be derived from elsewhere, see values.yaml for an
|
||||||
|
# explanation of this)
|
||||||
|
#
|
||||||
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.node | indent 12 }}
|
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.node | indent 12 }}
|
||||||
|
|
||||||
|
# Values explicit in the chart not expected to be found in
|
||||||
|
# conf.node
|
||||||
|
#
|
||||||
|
|
||||||
# The location of the Calico etcd cluster.
|
# The location of the Calico etcd cluster.
|
||||||
- name: ETCD_ENDPOINTS
|
- name: ETCD_ENDPOINTS
|
||||||
valueFrom:
|
valueFrom:
|
||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
name: calico-etc
|
name: calico-etc
|
||||||
key: etcd_endpoints
|
key: etcd_endpoints
|
||||||
# Set noderef for node controller.
|
|
||||||
- name: CALICO_K8S_NODE_REF
|
# etcd certs
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: spec.nodeName
|
|
||||||
{{ if .Values.endpoints.etcd.auth.client.tls.ca}}
|
{{ if .Values.endpoints.etcd.auth.client.tls.ca}}
|
||||||
- name: ETCD_CA_CERT_FILE
|
- name: ETCD_CA_CERT_FILE
|
||||||
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
||||||
@ -199,8 +219,26 @@ spec:
|
|||||||
- name: ETCD_CERT_FILE
|
- name: ETCD_CERT_FILE
|
||||||
value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
|
# Set noderef for node controller.
|
||||||
|
- name: CALICO_K8S_NODE_REF
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: spec.nodeName
|
||||||
|
|
||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 250m
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /liveness
|
||||||
|
port: 9099
|
||||||
|
host: localhost
|
||||||
|
periodSeconds: 10
|
||||||
|
initialDelaySeconds: 10
|
||||||
|
failureThreshold: 6
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- mountPath: /lib/modules
|
- mountPath: /lib/modules
|
||||||
name: lib-modules
|
name: lib-modules
|
||||||
@ -208,45 +246,53 @@ spec:
|
|||||||
- mountPath: /var/run/calico
|
- mountPath: /var/run/calico
|
||||||
name: var-run-calico
|
name: var-run-calico
|
||||||
readOnly: false
|
readOnly: false
|
||||||
- mountPath: /etc/calico/confd/templates/bird6.cfg.mesh.template
|
|
||||||
name: calico-etc
|
# bird template replacements
|
||||||
subPath: bird6.cfg.mesh.template
|
# bird cfg
|
||||||
- mountPath: /etc/calico/confd/templates/bird6.cfg.no-mesh.template
|
|
||||||
name: calico-etc
|
|
||||||
subPath: bird6.cfg.no-mesh.template
|
|
||||||
- mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template
|
|
||||||
name: calico-etc
|
|
||||||
subPath: bird6_ipam.cfg.template
|
|
||||||
- mountPath: /etc/calico/confd/templates/bird_aggr.cfg.template
|
|
||||||
name: calico-etc
|
|
||||||
subPath: bird_aggr.cfg.template
|
|
||||||
- mountPath: /etc/calico/confd/templates/bird.cfg.mesh.template
|
- mountPath: /etc/calico/confd/templates/bird.cfg.mesh.template
|
||||||
name: calico-etc
|
name: calico-bird
|
||||||
subPath: bird.cfg.mesh.template
|
subPath: bird.cfg.mesh.template
|
||||||
- mountPath: /etc/calico/confd/templates/bird.cfg.no-mesh.template
|
- mountPath: /etc/calico/confd/templates/bird.cfg.no-mesh.template
|
||||||
name: calico-etc
|
name: calico-bird
|
||||||
subPath: bird.cfg.no-mesh.template
|
subPath: bird.cfg.no-mesh.template
|
||||||
|
# bird ipam
|
||||||
- mountPath: /etc/calico/confd/templates/bird_ipam.cfg.template
|
- mountPath: /etc/calico/confd/templates/bird_ipam.cfg.template
|
||||||
name: calico-etc
|
name: calico-bird
|
||||||
subPath: bird_ipam.cfg.template
|
subPath: bird_ipam.cfg.template
|
||||||
|
# bird6 cfg
|
||||||
|
- mountPath: /etc/calico/confd/templates/bird6.cfg.mesh.template
|
||||||
|
name: calico-bird
|
||||||
|
subPath: bird6.cfg.mesh.template
|
||||||
|
- mountPath: /etc/calico/confd/templates/bird6.cfg.no-mesh.template
|
||||||
|
name: calico-bird
|
||||||
|
subPath: bird6.cfg.no-mesh.template
|
||||||
|
# bird6 ipam
|
||||||
|
- mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template
|
||||||
|
name: calico-bird
|
||||||
|
subPath: bird6_ipam.cfg.template
|
||||||
|
# filters...
|
||||||
|
- mountPath: /etc/calico/confd/templates/bird_aggr.cfg.template
|
||||||
|
name: calico-bird
|
||||||
|
subPath: bird_aggr.cfg.template
|
||||||
- mountPath: /etc/calico/confd/templates/custom_filters6.cfg.template
|
- mountPath: /etc/calico/confd/templates/custom_filters6.cfg.template
|
||||||
name: calico-etc
|
name: calico-bird
|
||||||
subPath: custom_filters6.cfg.template
|
subPath: custom_filters6.cfg.template
|
||||||
- mountPath: /etc/calico/confd/templates/custom_filters.cfg.template
|
- mountPath: /etc/calico/confd/templates/custom_filters.cfg.template
|
||||||
name: calico-etc
|
name: calico-bird
|
||||||
subPath: custom_filters.cfg.template
|
subPath: custom_filters.cfg.template
|
||||||
- mountPath: /etc/calico/confd/templates/tunl-ip.template
|
# etcd secrets
|
||||||
name: calico-etc
|
- mountPath: /var/lib/calico
|
||||||
subPath: tunl-ip.template
|
name: var-lib-calico
|
||||||
- name: calico-certificates
|
readOnly: false
|
||||||
|
- name: calico-etcd-secrets
|
||||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
||||||
subPath: tls.ca
|
subPath: tls.ca
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: calico-certificates
|
- name: calico-etcd-secrets
|
||||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
||||||
subPath: tls.crt
|
subPath: tls.crt
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: calico-certificates
|
- name: calico-etcd-secrets
|
||||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
|
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
|
||||||
subPath: tls.key
|
subPath: tls.key
|
||||||
readOnly: true
|
readOnly: true
|
||||||
@ -257,6 +303,12 @@ spec:
|
|||||||
{{ tuple $envAll $envAll.Values.pod.resources.calico_cni | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.calico_cni | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
command: ["/install-cni.sh"]
|
command: ["/install-cni.sh"]
|
||||||
env:
|
env:
|
||||||
|
# Name of the CNI config file to create.
|
||||||
|
#
|
||||||
|
# NOTE: Calico v2 needs to end in .conf; Calico v3 is
|
||||||
|
# different!
|
||||||
|
- name: CNI_CONF_NAME
|
||||||
|
value: "10-calico.conf"
|
||||||
# The location of the Calico etcd cluster.
|
# The location of the Calico etcd cluster.
|
||||||
- name: ETCD_ENDPOINTS
|
- name: ETCD_ENDPOINTS
|
||||||
valueFrom:
|
valueFrom:
|
||||||
@ -282,6 +334,9 @@ spec:
|
|||||||
- name: var-run-calico
|
- name: var-run-calico
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /var/run/calico
|
path: /var/run/calico
|
||||||
|
- name: var-lib-calico
|
||||||
|
hostPath:
|
||||||
|
path: /var/lib/calico
|
||||||
# Used to install CNI.
|
# Used to install CNI.
|
||||||
- name: cni-bin-dir
|
- name: cni-bin-dir
|
||||||
hostPath:
|
hostPath:
|
||||||
@ -296,11 +351,15 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: calico-etc
|
name: calico-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
- name: calico-bird
|
||||||
|
configMap:
|
||||||
|
name: calico-bird
|
||||||
|
defaultMode: 0444
|
||||||
- name: calico-bin
|
- name: calico-bin
|
||||||
configMap:
|
configMap:
|
||||||
name: calico-bin
|
name: calico-bin
|
||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
- name: calico-certificates
|
- name: calico-etcd-secrets
|
||||||
secret:
|
secret:
|
||||||
secretName: calico-certificates
|
secretName: calico-etcd-secrets
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
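Review bot: The hard-coded `resources:` / `requests:` / `cpu: 250m` block added after `securityContext` in the `@ -199,8 +219,26 @` hunk lands in the same calico-node container that already includes `helm-toolkit.snippets.kubernetes_resources` a few hunks earlier. If that helper renders its own `resources:` key (it appears to be driven by the chart's `pod.resources` values, which are not visible here), the container mapping ends up with a duplicate key, and the operator's configured requests and limits are either silently replaced by the 250m request or the manifest fails to parse, depending on the parser. I would drop the literal block and carry the 250m default under `pod.resources.calico_node` in values.yaml instead. Separately, the `# etcd secrets` comment in the `@ -208,45 +246,53 @` hunk sits above the `/var/lib/calico` mount rather than the `calico-etcd-secrets` mounts; moving it down one entry would keep it accurate.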
@ -14,14 +14,14 @@ See the License for the specific language governing permissions and
|
|||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if .Values.manifests.deployment_calico_kube_policy_controllers }}
|
{{- if .Values.manifests.deployment_calico_kube_controllers }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
|
|
||||||
{{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-kube-controllers"}}
|
{{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-kube-controllers"}}
|
||||||
{{ tuple $envAll "calico_kube_policy_controllers" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
{{ tuple $envAll "calico_kube_controllers" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ $serviceAccountName }}
|
name: {{ $serviceAccountName }}
|
||||||
roleRef:
|
roleRef:
|
||||||
@ -46,68 +46,72 @@ rules:
|
|||||||
- namespaces
|
- namespaces
|
||||||
- networkpolicies
|
- networkpolicies
|
||||||
- nodes
|
- nodes
|
||||||
|
- serviceaccounts
|
||||||
|
verbs:
|
||||||
|
- watch
|
||||||
|
- list
|
||||||
|
- apiGroups:
|
||||||
|
- networking.k8s.io
|
||||||
|
resources:
|
||||||
|
- networkpolicies
|
||||||
verbs:
|
verbs:
|
||||||
- watch
|
- watch
|
||||||
- list
|
- list
|
||||||
---
|
---
|
||||||
# This manifest deploys the Calico Kubernetes controllers.
|
# This manifest deploys the Calico Kubernetes controllers.
|
||||||
# See https://github.com/projectcalico/kube-controllers
|
# See https://github.com/projectcalico/kube-controllers
|
||||||
apiVersion: apps/v1
|
apiVersion: extensions/v1beta1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
name: calico-kube-policy-controllers
|
name: calico-kube-controllers
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
annotations:
|
|
||||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
|
||||||
labels:
|
labels:
|
||||||
k8s-app: calico-kube-policy-controllers
|
k8s-app: calico-kube-controllers
|
||||||
{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
|
annotations:
|
||||||
|
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||||
|
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
||||||
spec:
|
spec:
|
||||||
# The controllers can only have a single active instance.
|
# The controllers can only have a single active instance.
|
||||||
replicas: 1
|
replicas: 1
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
k8s-app: calico-kube-policy-controllers
|
k8s-app: calico-kube-controllers
|
||||||
{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
|
{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
|
||||||
strategy:
|
strategy:
|
||||||
type: Recreate
|
type: Recreate
|
||||||
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
|
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
name: calico-kube-policy-controllers
|
name: calico-kube-controllers
|
||||||
namespace: kube-system
|
|
||||||
labels:
|
labels:
|
||||||
k8s-app: calico-kube-policy-controllers
|
k8s-app: calico-kube-controllers
|
||||||
{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
annotations:
|
annotations:
|
||||||
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
# reserves resources for critical add-on pods so that they can be rescheduled after
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
# a failure. This annotation works in tandem with the toleration below.
|
|
||||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
|
||||||
spec:
|
spec:
|
||||||
|
nodeSelector:
|
||||||
|
beta.kubernetes.io/os: linux
|
||||||
# The controllers must run in the host network namespace so that
|
# The controllers must run in the host network namespace so that
|
||||||
# it isn't governed by policy that would prevent it from working.
|
# it isn't governed by policy that would prevent it from working.
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
tolerations:
|
tolerations:
|
||||||
# this taint is set by all kubelets running `--cloud-provider=external`
|
# Mark the pod as a critical add-on for rescheduling.
|
||||||
# so we should tolerate it to schedule the calico pods
|
|
||||||
- key: node.cloudprovider.kubernetes.io/uninitialized
|
- key: node.cloudprovider.kubernetes.io/uninitialized
|
||||||
value: "true"
|
value: "true"
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
|
|
||||||
# This, along with the annotation above marks this pod as a critical add-on.
|
|
||||||
- key: CriticalAddonsOnly
|
- key: CriticalAddonsOnly
|
||||||
operator: Exists
|
operator: Exists
|
||||||
|
- key: node-role.kubernetes.io/master
|
||||||
|
effect: NoSchedule
|
||||||
serviceAccountName: {{ $serviceAccountName }}
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll "calico_kube_policy_controllers" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll "calico_kube_controllers" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.policy_controller.timeout | default "30" }}
|
|
||||||
containers:
|
containers:
|
||||||
- name: calico-policy-controller
|
- name: calico-kube-controllers
|
||||||
{{ tuple $envAll "calico_kube_policy_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "calico_kube_controllers" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.calico_kube_policy_controller | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.calico_kube_controllers | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
env:
|
env:
|
||||||
# The location of the Calico etcd cluster.
|
# The location of the Calico etcd cluster.
|
||||||
- name: ETCD_ENDPOINTS
|
- name: ETCD_ENDPOINTS
|
||||||
@ -115,7 +119,11 @@ spec:
|
|||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
name: calico-etc
|
name: calico-etc
|
||||||
key: etcd_endpoints
|
key: etcd_endpoints
|
||||||
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.policy_controller | indent 12 }}
|
|
||||||
|
# conf.controllers expanded values
|
||||||
|
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.controllers | indent 12 }}
|
||||||
|
|
||||||
|
# etcd tls files
|
||||||
{{ if .Values.endpoints.etcd.auth.client.tls.ca}}
|
{{ if .Values.endpoints.etcd.auth.client.tls.ca}}
|
||||||
- name: ETCD_CA_CERT_FILE
|
- name: ETCD_CA_CERT_FILE
|
||||||
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
||||||
@ -128,21 +136,25 @@ spec:
|
|||||||
- name: ETCD_CERT_FILE
|
- name: ETCD_CERT_FILE
|
||||||
value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
|
# etcd tls mounts
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: calico-certificates
|
- name: calico-etcd-secrets
|
||||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
||||||
subPath: tls.ca
|
subPath: tls.ca
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: calico-certificates
|
- name: calico-etcd-secrets
|
||||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
||||||
subPath: tls.crt
|
subPath: tls.crt
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: calico-certificates
|
- name: calico-etcd-secrets
|
||||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
|
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
|
||||||
subPath: tls.key
|
subPath: tls.key
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
- name: calico-certificates
|
- name: calico-etcd-secrets
|
||||||
secret:
|
secret:
|
||||||
secretName: calico-certificates
|
secretName: calico-etcd-secrets
|
||||||
|
defaultMode: 0400
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -1,7 +0,0 @@
|
|||||||
We must dump all pool data to this file to trigger a resync.
|
|
||||||
Otherwise, confd notices the file hasn't changed and won't
|
|
||||||
run our python update script.
|
|
||||||
|
|
||||||
{{`{{range ls "/pool"}}`}}{{`{{$data := json (getv (printf "/pool/%s" .))}}`}}
|
|
||||||
{{`{{if $data.ipip}}`}}{{`{{if not $data.disabled}}`}}{{`{{$data.cidr}}`}}{{`{{end}}`}}{{`{{end}}`}}
|
|
||||||
{{`{{end}}`}}
|
|
@ -30,6 +30,8 @@ spec:
|
|||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
|
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
|
||||||
# reserves resources for critical add-on pods so that they can be rescheduled after
|
# reserves resources for critical add-on pods so that they can be rescheduled after
|
||||||
# a failure. This annotation works in tandem with the toleration below.
|
# a failure. This annotation works in tandem with the toleration below.
|
||||||
@ -78,15 +80,15 @@ spec:
|
|||||||
mountPath: /tmp/calico-settings.sh
|
mountPath: /tmp/calico-settings.sh
|
||||||
subPath: calico-settings.sh
|
subPath: calico-settings.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: calico-certificates
|
- name: calico-etcd-secrets
|
||||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
||||||
subPath: tls.ca
|
subPath: tls.ca
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: calico-certificates
|
- name: calico-etcd-secrets
|
||||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
||||||
subPath: tls.crt
|
subPath: tls.crt
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: calico-certificates
|
- name: calico-etcd-secrets
|
||||||
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
|
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
|
||||||
subPath: tls.key
|
subPath: tls.key
|
||||||
readOnly: true
|
readOnly: true
|
||||||
@ -95,7 +97,7 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: calico-bin
|
name: calico-bin
|
||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
- name: calico-certificates
|
- name: calico-etcd-secrets
|
||||||
secret:
|
secret:
|
||||||
secretName: calico-certificates
|
secretName: calico-etcd-secrets
|
||||||
{{- end }}
|
{{- end }}
|
||||||
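Review bot: The `calico-etcd-secrets` secret volume in the last hunk of this file is declared without a `defaultMode`, so the mounted `tls.key` gets the Kubernetes default file mode (0644). The same commit gives this secret an owner-only mode in the kube-controllers deployment. Adding `defaultMode: 0400` under `secret:`, next to `secretName: calico-etcd-secrets`, would keep the two consumers consistent. This assumes the container reads the files as the owning user, which the hunk does not show. The volume list begins outside the hunk, so any other volume that mounts this secret should be checked as well.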
|
@ -20,12 +20,11 @@ limitations under the License.
|
|||||||
|
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Secret
|
kind: Secret
|
||||||
metadata:
|
|
||||||
name: calico-certificates
|
|
||||||
type: kubernetes.io/tls
|
type: kubernetes.io/tls
|
||||||
|
metadata:
|
||||||
|
name: calico-etcd-secrets
|
||||||
data:
|
data:
|
||||||
tls.ca: {{ .Values.endpoints.etcd.auth.client.tls.ca | default "" | b64enc }}
|
tls.ca: {{ .Values.endpoints.etcd.auth.client.tls.ca | default "" | b64enc }}
|
||||||
tls.key: {{ .Values.endpoints.etcd.auth.client.tls.key | default "" | b64enc }}
|
tls.key: {{ .Values.endpoints.etcd.auth.client.tls.key | default "" | b64enc }}
|
||||||
tls.crt: {{ .Values.endpoints.etcd.auth.client.tls.crt | default "" | b64enc }}
|
tls.crt: {{ .Values.endpoints.etcd.auth.client.tls.crt | default "" | b64enc }}
|
||||||
{{ end }}
|
{{- end }}
|
||||||
|
|
@ -33,7 +33,7 @@ spec:
|
|||||||
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
# This ClusterIP needs to be known in advance, since we cannot rely
|
# This ClusterIP needs to be known in advance, since we cannot rely
|
||||||
# on DNS to get access to etcd.
|
# on DNS to get access to etcd.
|
||||||
clusterIP: 10.96.232.136
|
clusterIP: {{ tuple "etcd" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
|
||||||
ports:
|
ports:
|
||||||
- port: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
- port: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
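Review bot: `clusterIP` on the new side is rendered from `helm-toolkit.endpoints.endpoint_host_lookup` for the `etcd` endpoint, and nothing in the template checks that the result is a literal IP address. If the values hold a DNS name the API server will presumably reject the Service. An empty result would let Kubernetes allocate an address the other components were not told about, which is the case the comment above warns against. The requirement should be stated where the value is consumed, for example `# the etcd endpoint host must be a literal IP inside the service CIDR, never a DNS name`. The `endpoints:` values that feed this lookup are outside the visible hunks, so the shipped default should be confirmed to be an IP.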
|
@ -12,11 +12,6 @@
|
|||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
labels:
|
|
||||||
job:
|
|
||||||
node_selector_key: openstack-control-plane
|
|
||||||
node_selector_value: enabled
|
|
||||||
|
|
||||||
images:
|
images:
|
||||||
tags:
|
tags:
|
||||||
calico_etcd: quay.io/coreos/etcd:v3.1.14
|
calico_etcd: quay.io/coreos/etcd:v3.1.14
|
||||||
@ -24,7 +19,8 @@ images:
|
|||||||
calico_cni: quay.io/calico/cni:v1.11.5
|
calico_cni: quay.io/calico/cni:v1.11.5
|
||||||
calico_ctl: quay.io/calico/ctl:v1.6.4
|
calico_ctl: quay.io/calico/ctl:v1.6.4
|
||||||
calico_settings: quay.io/calico/ctl:v1.6.4
|
calico_settings: quay.io/calico/ctl:v1.6.4
|
||||||
calico_kube_policy_controller: quay.io/calico/kube-policy-controller:v0.7.0
|
# NOTE: plural key, singular value
|
||||||
|
calico_kube_controllers: quay.io/calico/kube-policy-controller:v0.7.0
|
||||||
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
|
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
|
||||||
image_repo_sync: docker.io/docker:17.07.0
|
image_repo_sync: docker.io/docker:17.07.0
|
||||||
pull_policy: IfNotPresent
|
pull_policy: IfNotPresent
|
||||||
@ -36,7 +32,7 @@ images:
|
|||||||
- calico_etcd
|
- calico_etcd
|
||||||
- calico_node
|
- calico_node
|
||||||
- calico_cni
|
- calico_cni
|
||||||
- calico_kube_policy_controller
|
- calico_kube_controllers
|
||||||
|
|
||||||
pod:
|
pod:
|
||||||
resources:
|
resources:
|
||||||
@ -56,7 +52,7 @@ pod:
|
|||||||
limits:
|
limits:
|
||||||
memory: "1024Mi"
|
memory: "1024Mi"
|
||||||
cpu: "2000m"
|
cpu: "2000m"
|
||||||
calico_kube_policy_controller:
|
calico_kube_controllers:
|
||||||
requests:
|
requests:
|
||||||
memory: "128Mi"
|
memory: "128Mi"
|
||||||
cpu: "100m"
|
cpu: "100m"
|
||||||
@ -100,13 +96,8 @@ pod:
|
|||||||
max_unavailable: 1
|
max_unavailable: 1
|
||||||
max_surge: 3
|
max_surge: 3
|
||||||
disruption_budget:
|
disruption_budget:
|
||||||
policy_controller:
|
controllers:
|
||||||
min_available: 0
|
min_available: 0
|
||||||
termination_grace_period:
|
|
||||||
policy_controller:
|
|
||||||
timeout: 5
|
|
||||||
node:
|
|
||||||
timeout: 5
|
|
||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
dynamic:
|
dynamic:
|
||||||
@ -118,19 +109,19 @@ dependencies:
|
|||||||
- endpoint: node
|
- endpoint: node
|
||||||
service: local_image_registry
|
service: local_image_registry
|
||||||
static:
|
static:
|
||||||
calico_kube_policy_controllers:
|
calico_kube_controllers:
|
||||||
services:
|
services:
|
||||||
- endpoint: internal
|
- endpoint: internal
|
||||||
service: etcd
|
service: calico-etcd
|
||||||
calico_node:
|
calico_node:
|
||||||
services:
|
services:
|
||||||
- endpoint: internal
|
- endpoint: internal
|
||||||
service: etcd
|
service: calico-etcd
|
||||||
calico_settings:
|
calico_settings:
|
||||||
services:
|
services:
|
||||||
- endpoint: internal
|
- endpoint: internal
|
||||||
service: etcd
|
service: calico-etcd
|
||||||
etcd:
|
calico_etcd:
|
||||||
services: null
|
services: null
|
||||||
image_repo_sync:
|
image_repo_sync:
|
||||||
services:
|
services:
|
||||||
@ -199,6 +190,7 @@ networking:
|
|||||||
ippool:
|
ippool:
|
||||||
ipip:
|
ipip:
|
||||||
enabled: "true"
|
enabled: "true"
|
||||||
|
# lowercase value
|
||||||
mode: "always"
|
mode: "always"
|
||||||
nat_outgoing: "true"
|
nat_outgoing: "true"
|
||||||
disabled: "false"
|
disabled: "false"
|
||||||
@ -206,22 +198,24 @@ networking:
|
|||||||
# our asnumber for bgp peering
|
# our asnumber for bgp peering
|
||||||
asnumber: 64512
|
asnumber: 64512
|
||||||
ipv4:
|
ipv4:
|
||||||
# this is a list of peer objects that will be passed
|
# https://docs.projectcalico.org/v2.0/reference/calicoctl/resources/bgppeer
|
||||||
# directly to calicoctl - for global peers, the scope
|
#
|
||||||
# should be global and the node attribute removed
|
# this is a list of peer objects that will be passed directly to
|
||||||
|
# calicoctl - for global peers, the scope should be global and
|
||||||
|
# the node attribute removed
|
||||||
#
|
#
|
||||||
# apiVersion: v1
|
# apiVersion: v1
|
||||||
# kind: bgpPeer
|
# kind: bgpPeer
|
||||||
# metadata:
|
# metadata:
|
||||||
# peerIP: 10.1.10.39
|
# peerIP: 10.1.10.39
|
||||||
# scope: node
|
# scope: node
|
||||||
# node: hpnode1
|
# node: some.name
|
||||||
# spec:
|
# spec:
|
||||||
# asNumber: 64512
|
# asNumber: 64512
|
||||||
peers: []
|
peers: []
|
||||||
# this is a list of additional IPv4 cidrs that if we
|
# this is a list of additional IPv4 cidrs that if we discover
|
||||||
# discover IPs within them on a host, we will announce
|
# IPs within them on a host, we will announce the address in
|
||||||
# the address in addition to traditional pod workloads
|
# addition to traditional pod workloads
|
||||||
additional_cidrs: []
|
additional_cidrs: []
|
||||||
mesh:
|
mesh:
|
||||||
port:
|
port:
|
||||||
@ -232,22 +226,24 @@ networking:
|
|||||||
neighbor: 179
|
neighbor: 179
|
||||||
listen: 179
|
listen: 179
|
||||||
ipv6:
|
ipv6:
|
||||||
# this is a list of peer objects that will be passed
|
# https://docs.projectcalico.org/v2.0/reference/calicoctl/resources/bgppeer
|
||||||
# directly to calicoctl - for global peers, the scope
|
#
|
||||||
# should be global and the node attribute removed
|
# this is a list of peer objects that will be passed directly to
|
||||||
|
# calicoctl - for global peers, the scope should be global and
|
||||||
|
# the node attribute removed
|
||||||
#
|
#
|
||||||
# apiVersion: v1
|
# apiVersion: v1
|
||||||
# kind: bgpPeer
|
# kind: bgpPeer
|
||||||
# metadata:
|
# metadata:
|
||||||
# peerIP: 2603:3024:1200:7500:7011:1dd6:1462:fa5b
|
# peerIP: 2600:1:2:3::abcd
|
||||||
# scope: node
|
# scope: node
|
||||||
# node: hpnode1
|
# node: rack1-host1
|
||||||
# spec:
|
# spec:
|
||||||
# asNumber: 64512
|
# asNumber: 64512
|
||||||
peers: []
|
peers: []
|
||||||
# this is a list of additional IPv6 cidrs that if we
|
# this is a list of additional IPv6 cidrs that if we discover
|
||||||
# discover IPs within them on a host, we will announce
|
# IPs within them on a host, we will announce them in addition
|
||||||
# them in addition to traditional pod workloads
|
# to traditional pod workloads
|
||||||
additional_cidrs: []
|
additional_cidrs: []
|
||||||
mesh:
|
mesh:
|
||||||
port:
|
port:
|
||||||
@ -265,6 +261,7 @@ conf:
|
|||||||
key: null
|
key: null
|
||||||
certificate: null
|
certificate: null
|
||||||
cni_network_config:
|
cni_network_config:
|
||||||
|
# https://docs.projectcalico.org/v2.0/reference/cni-plugin/configuration
|
||||||
name: k8s-pod-network
|
name: k8s-pod-network
|
||||||
cniVersion: 0.1.0
|
cniVersion: 0.1.0
|
||||||
type: calico
|
type: calico
|
||||||
@ -279,7 +276,7 @@ conf:
|
|||||||
k8s_auth_token: __SERVICEACCOUNT_TOKEN__
|
k8s_auth_token: __SERVICEACCOUNT_TOKEN__
|
||||||
kubernetes:
|
kubernetes:
|
||||||
kubeconfig: "/etc/cni/net.d/__KUBECONFIG_FILENAME__"
|
kubeconfig: "/etc/cni/net.d/__KUBECONFIG_FILENAME__"
|
||||||
policy_controller:
|
controllers:
|
||||||
# The location of the Kubernetes API. Use the default Kubernetes
|
# The location of the Kubernetes API. Use the default Kubernetes
|
||||||
# service for API access.
|
# service for API access.
|
||||||
K8S_API: "https://kubernetes.default:443"
|
K8S_API: "https://kubernetes.default:443"
|
||||||
@ -311,6 +308,7 @@ conf:
|
|||||||
# Configure the IP Pool from which Pod IPs will be chosen.
|
# Configure the IP Pool from which Pod IPs will be chosen.
|
||||||
CALICO_IPV4POOL_CIDR: null
|
CALICO_IPV4POOL_CIDR: null
|
||||||
# Change this to 'off' in environments with direct L2 communication
|
# Change this to 'off' in environments with direct L2 communication
|
||||||
|
# lowercase
|
||||||
CALICO_IPV4POOL_IPIP: "always"
|
CALICO_IPV4POOL_IPIP: "always"
|
||||||
# Disable IPv6 on Kubernetes.
|
# Disable IPv6 on Kubernetes.
|
||||||
FELIX_IPV6SUPPORT: "false"
|
FELIX_IPV6SUPPORT: "false"
|
||||||
@ -334,10 +332,11 @@ conf:
|
|||||||
manifests:
|
manifests:
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
configmap_etc: true
|
configmap_etc: true
|
||||||
|
configmap_bird: true
|
||||||
daemonset_calico_etcd: true
|
daemonset_calico_etcd: true
|
||||||
daemonset_calico_node: true
|
daemonset_calico_node: true
|
||||||
daemonset_calico_node_calicoctl: true
|
daemonset_calico_node_calicoctl: true
|
||||||
deployment_calico_kube_policy_controllers: true
|
deployment_calico_kube_controllers: true
|
||||||
job_image_repo_sync: true
|
job_image_repo_sync: true
|
||||||
job_calico_settings: true
|
job_calico_settings: true
|
||||||
service_calico_etcd: true
|
service_calico_etcd: true
|
||||||
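Review bot: The replacement IPv6 example in the `networking.bgp.ipv6` comment, `peerIP: 2600:1:2:3::abcd`, is still in globally routable address space. A copied example could therefore configure a BGP peer the operator does not control. The reserved documentation prefix avoids that: `#     peerIP: 2001:db8:1:2::abcd`. The IPv4 example already uses a private address, so only the IPv6 line needs changing.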
|