149 lines
5.8 KiB
YAML
149 lines
5.8 KiB
YAML
{{/*
|
|
Copyright 2017 The Openstack-Helm Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/}}
|
|
|
|
{{- if .Values.manifests.deployment_calico_kube_policy_controllers }}
|
|
{{- $envAll := . }}
|
|
|
|
{{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-kube-controllers"}}
|
|
{{ tuple $envAll "calico_kube_policy_controllers" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: {{ $serviceAccountName }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: {{ $serviceAccountName }}
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ $serviceAccountName }}
|
|
namespace: {{ .Release.Namespace }}
|
|
---
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
metadata:
|
|
name: {{ $serviceAccountName }}
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
- extensions
|
|
resources:
|
|
- pods
|
|
- namespaces
|
|
- networkpolicies
|
|
- nodes
|
|
verbs:
|
|
- watch
|
|
- list
|
|
---
|
|
# This manifest deploys the Calico Kubernetes controllers.
|
|
# See https://github.com/projectcalico/kube-controllers
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: calico-kube-policy-controllers
|
|
namespace: {{ .Release.Namespace }}
|
|
annotations:
|
|
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
|
labels:
|
|
k8s-app: calico-kube-policy-controllers
|
|
{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
|
spec:
|
|
# The controllers can only have a single active instance.
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
k8s-app: calico-kube-policy-controllers
|
|
{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
|
|
strategy:
|
|
type: Recreate
|
|
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
|
|
template:
|
|
metadata:
|
|
name: calico-kube-policy-controllers
|
|
namespace: kube-system
|
|
labels:
|
|
k8s-app: calico-kube-policy-controllers
|
|
{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
|
annotations:
|
|
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
|
|
# reserves resources for critical add-on pods so that they can be rescheduled after
|
|
# a failure. This annotation works in tandem with the toleration below.
|
|
scheduler.alpha.kubernetes.io/critical-pod: ''
|
|
spec:
|
|
# The controllers must run in the host network namespace so that
|
|
# it isn't governed by policy that would prevent it from working.
|
|
hostNetwork: true
|
|
tolerations:
|
|
# this taint is set by all kubelets running `--cloud-provider=external`
|
|
# so we should tolerate it to schedule the calico pods
|
|
- key: node.cloudprovider.kubernetes.io/uninitialized
|
|
value: "true"
|
|
effect: NoSchedule
|
|
- key: node-role.kubernetes.io/master
|
|
effect: NoSchedule
|
|
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
|
|
# This, along with the annotation above marks this pod as a critical add-on.
|
|
- key: CriticalAddonsOnly
|
|
operator: Exists
|
|
serviceAccountName: {{ $serviceAccountName }}
|
|
initContainers:
|
|
{{ tuple $envAll "calico_kube_policy_controllers" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
|
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.policy_controller.timeout | default "30" }}
|
|
containers:
|
|
- name: calico-policy-controller
|
|
{{ tuple $envAll "calico_kube_policy_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
|
|
{{ tuple $envAll $envAll.Values.pod.resources.calico_kube_policy_controller | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
|
env:
|
|
# The location of the Calico etcd cluster.
|
|
- name: ETCD_ENDPOINTS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: calico-etc
|
|
key: etcd_endpoints
|
|
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.policy_controller | indent 12 }}
|
|
{{ if .Values.endpoints.etcd.auth.client.tls.ca}}
|
|
- name: ETCD_CA_CERT_FILE
|
|
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
|
{{ end }}
|
|
{{ if .Values.endpoints.etcd.auth.client.tls.key}}
|
|
- name: ETCD_KEY_FILE
|
|
value: {{ .Values.endpoints.etcd.auth.client.path.key }}
|
|
{{ end }}
|
|
{{ if .Values.endpoints.etcd.auth.client.tls.crt}}
|
|
- name: ETCD_CERT_FILE
|
|
value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
|
{{ end }}
|
|
volumeMounts:
|
|
- name: calico-certificates
|
|
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
|
|
subPath: tls.ca
|
|
readOnly: true
|
|
- name: calico-certificates
|
|
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
|
|
subPath: tls.crt
|
|
readOnly: true
|
|
- name: calico-certificates
|
|
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
|
|
subPath: tls.key
|
|
readOnly: true
|
|
volumes:
|
|
- name: calico-certificates
|
|
secret:
|
|
secretName: calico-certificates
|
|
{{- end }}
|