diff --git a/calico/Chart.yaml b/calico/Chart.yaml deleted file mode 100644 index 04f949ea89..0000000000 --- a/calico/Chart.yaml +++ /dev/null @@ -1,26 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: v1 -appVersion: v3.25.1 -description: OpenStack-Helm Calico -name: calico -version: 0.1.8 -home: https://github.com/projectcalico/calico -icon: https://camo.githubusercontent.com/64c8b5ed6ac97553ae367348e8a59a24e2ed5bdc/687474703a2f2f646f63732e70726f6a65637463616c69636f2e6f72672f696d616765732f66656c69782e706e67 -sources: - - https://github.com/projectcalico/calico - - https://opendev.org/openstack/openstack-helm -maintainers: - - name: OpenStack-Helm Authors -... diff --git a/calico/requirements.yaml b/calico/requirements.yaml deleted file mode 100644 index 84f0affae0..0000000000 --- a/calico/requirements.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -dependencies: - - name: helm-toolkit - repository: file://../helm-toolkit - version: ">= 0.1.0" -... diff --git a/calico/templates/bin/_calico-settings.sh.tpl b/calico/templates/bin/_calico-settings.sh.tpl deleted file mode 100644 index b30727ea24..0000000000 --- a/calico/templates/bin/_calico-settings.sh.tpl +++ /dev/null 
@@ -1,102 +0,0 @@ -#!/bin/sh - -set -eux - - -{{/* Robustness, Calico 3.x wants things as Titlecase; this causes pain */}} -{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_IPIP" (title .Values.conf.node.CALICO_IPV4POOL_IPIP ) -}} -{{- $_ := set .Values.conf.node "CALICO_STARTUP_LOGLEVEL" (title .Values.conf.node.CALICO_STARTUP_LOGLEVEL ) -}} -{{- $_ := set .Values.conf.node "FELIX_LOGSEVERITYSCREEN" (title .Values.conf.node.FELIX_LOGSEVERITYSCREEN ) -}} - - -{{- $envAll := . }} - -{{ if empty .Values.conf.node.CALICO_IPV4POOL_CIDR }} -{{ $_ := set .Values.conf.node "CALICO_IPV4POOL_CIDR" .Values.networking.podSubnet }} -{{ end }} - -# An idempotent script for interacting with calicoctl to instantiate -# peers, and manipulate calico settings that we must perform -# post-deployment. - -CTL=/calicoctl - -# Generate configuration the way we want it to be, it doesn't matter -# if it's already set, in that case Calico will no nothing. - -# BGPConfiguration: nodeToNodeMeshEnabled & asNumber -$CTL apply -f - </host/$ETCD_KEY_FILE -$ETCD_KEY -EOF - chmod 600 /host/$ETCD_KEY_FILE -fi; - -if [ ! -z "$ETCD_CA_CERT" ]; then - DIR=$(dirname /host/$ETCD_CA_CERT_FILE) - mkdir -p $DIR - cat </host/$ETCD_CA_CERT_FILE -$ETCD_CA_CERT -EOF - chmod 600 /host/$ETCD_CA_CERT_FILE -fi; - -if [ ! -z "$ETCD_CERT" ]; then - DIR=$(dirname /host/$ETCD_CERT_FILE) - mkdir -p $DIR - cat </host/$ETCD_CERT_FILE -$ETCD_CERT -EOF - chmod 600 /host/$ETCD_CERT_FILE -fi; - -# This looks a bit funny. 
Notice that if $ETCD_ENDPOINTS and friends -# are defined in this (calico node initContainer/startup) context; -# generate a shell script to set the values on the host where thse -# variables will *not* be set -cat </host/opt/cni/bin/calicoctl -#!/bin/bash -# -# do *NOT* modify this file; this is autogenerated by the calico-node -# deployment startup process - -export ETCD_ENDPOINTS="${ETCD_ENDPOINTS}" - -[ -e "${ETCD_KEY_FILE}" ] && export ETCD_KEY_FILE="${ETCD_KEY_FILE}" -[ -e "${ETCD_CERT_FILE}" ] && export ETCD_CERT_FILE="${ETCD_CERT_FILE}" -[ -e "${ETCD_CA_CERT_FILE}" ] && export ETCD_CA_CERT_FILE="${ETCD_CA_CERT_FILE}" - -exec /opt/cni/bin/calicoctl.bin \$* -EOF - -chmod +x /host/opt/cni/bin/calicoctl diff --git a/calico/templates/bird/_bird.cfg.template.tpl b/calico/templates/bird/_bird.cfg.template.tpl deleted file mode 100644 index b248d1431d..0000000000 --- a/calico/templates/bird/_bird.cfg.template.tpl +++ /dev/null 
@@ -1,128 +0,0 @@ -# Generated by confd -include "bird_aggr.cfg"; -include "bird_ipam.cfg"; -{{`{{$node_ip_key := printf "/host/%s/ip_addr_v4" (getenv "NODENAME")}}{{$node_ip := getv $node_ip_key}}`}} - -# ensure we only listen to a specific ip and address -listen bgp address {{`{{$node_ip}}`}} port {{.Values.networking.bgp.ipv4.port.listen}}; - -{{`{{$router_id := getenv "CALICO_ROUTER_ID" ""}}`}} -{{`router id {{if ne "" ($router_id)}}{{$router_id}}{{else}}{{$node_ip}}{{end}};`}} - -{{`{{define "LOGGING"}}`}} -{{`{{$node_logging_key := printf "/host/%s/loglevel" (getenv "NODENAME")}}{{if exists $node_logging_key}}{{$logging := getv $node_logging_key}}`}} -{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}} -{{`{{else if exists "/global/loglevel"}}{{$logging := getv "/global/loglevel"}}`}} -{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}} -{{`{{else}} debug { states };{{end}}`}} -{{`{{end}}`}} - -# Configure synchronization between routing tables and kernel. -protocol kernel { - learn; # Learn all alien routes from the kernel - persist; # Don't remove routes on bird shutdown - scan time 2; # Scan kernel routing table every 2 seconds - import all; - export filter calico_ipip; # Default is export none - graceful restart; # Turn on graceful restart to reduce potential flaps in - # routes when reloading BIRD configuration. With a full - # automatic mesh, there is no way to prevent BGP from - # flapping since multiple nodes update their BGP - # configuration at the same time, GR is not guaranteed to - # work correctly in this scenario. -} - -# Watch interface up/down events. -protocol device { -{{` {{template "LOGGING"}}`}} - scan time 2; # Scan interfaces every 2 seconds -} - -protocol direct { -{{` {{template "LOGGING"}}`}} - interface -"cali*", "*"; # Exclude cali* but include everything else. 
-} - -{{`{{if eq "" ($node_ip)}}# IPv4 disabled on this node.`}} -{{`{{else}}{{$node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}`}} -# Template for all BGP clients -template bgp bgp_template { -{{` {{template "LOGGING"}}`}} - description "Connection to BGP peer"; -{{` local as {{if exists $node_as_key}}{{getv $node_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}} - multihop; - gateway recursive; # This should be the default, but just in case. - import all; # Import all routes, since we don't know what the upstream - # topology is and therefore have to trust the ToR/RR. - export filter calico_pools; # Only want to export routes for workloads. -{{` source address {{$node_ip}}; # The local address we use for the TCP connection`}} - add paths on; - graceful restart; # See comment in kernel section about graceful restart. -} - -# ------------- Node-to-node mesh ------------- -{{`{{- $node_cid_key := printf "/host/%s/rr_cluster_id" (getenv "NODENAME")}}`}} -{{`{{- $node_cluster_id := getv $node_cid_key}}`}} -{{`{{- if ne "" ($node_cluster_id)}}`}} -{{`# This node is configured as a route reflector with cluster ID {{$node_cluster_id}};`}} -# ignore node-to-node mesh setting. 
-{{`{{- else}}`}} -{{`{{if (json (getv "/global/node_mesh")).enabled}}`}} -{{`{{range $host := lsdir "/host"}}`}} -{{`{{$onode_as_key := printf "/host/%s/as_num" .}}`}} -{{`{{$onode_ip_key := printf "/host/%s/ip_addr_v4" .}}{{if exists $onode_ip_key}}{{$onode_ip := getv $onode_ip_key}}`}} -{{`{{$nums := split $onode_ip "."}}{{$id := join $nums "_"}}`}} -{{`# For peer {{$onode_ip_key}}`}} -{{`{{if eq $onode_ip ($node_ip) }}# Skipping ourselves ({{$node_ip}})`}} -{{`{{else if ne "" $onode_ip}}protocol bgp Mesh_{{$id}} from bgp_template {`}} -{{` neighbor {{$onode_ip}} as {{if exists $onode_as_key}}{{getv $onode_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}} - neighbor port {{.Values.networking.bgp.ipv4.port.neighbor}}; -{{`}{{end}}{{end}}{{end}}`}} -{{`{{else}}`}} -# Node-to-node mesh disabled -{{`{{end}}`}} -{{`{{- end}}`}} - - -# ------------- Global peers ------------- -{{`{{if ls "/global/peer_v4"}}`}} -{{`{{range gets "/global/peer_v4/*"}}{{$data := json .Value}}`}} -{{`{{$nums := split $data.ip "."}}{{$id := join $nums "_"}}`}} -{{`# For peer {{.Key}}`}} -{{`{{- if eq $data.ip ($node_ip) }}`}} -{{`# Skipping ourselves ({{$node_ip}})`}} -{{`{{- else}}`}} -{{`protocol bgp Global_{{$id}} from bgp_template {`}} -{{` neighbor {{$data.ip}} as {{$data.as_num}};`}} - neighbor port {{.Values.networking.bgp.ipv4.port.neighbor}}; -{{`{{- if and (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}`}} - rr client; -{{` rr cluster id {{$node_cluster_id}};`}} -{{`{{- end}}`}} -} -{{`{{- end}}`}} -{{`{{end}}`}} -{{`{{else}}# No global peers configured.{{end}}`}} - - -# ------------- Node-specific peers ------------- -{{`{{$node_peers_key := printf "/host/%s/peer_v4" (getenv "NODENAME")}}`}} -{{`{{if ls $node_peers_key}}`}} -{{`{{range gets (printf "%s/*" $node_peers_key)}}{{$data := json .Value}}`}} -{{`{{$nums := split $data.ip "."}}{{$id := join $nums "_"}}`}} -{{`# For peer {{.Key}}`}} -{{`{{- if eq $data.ip ($node_ip) }}`}} -{{`# Skipping 
ourselves ({{$node_ip}})`}} -{{`{{- else}}`}} -{{`protocol bgp Node_{{$id}} from bgp_template {`}} -{{` neighbor {{$data.ip}} as {{$data.as_num}};`}} - neighbor port {{.Values.networking.bgp.ipv4.port.neighbor}}; -{{`{{- if and (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}`}} - rr client; -{{` rr cluster id {{$node_cluster_id}};`}} -{{`{{- end}}`}} -} -{{`{{- end}}`}} -{{`{{end}}`}} -{{`{{else}}# No node-specific peers configured.{{end}}`}} -{{`{{end}}{{/* End of IPv4 enable check */}}`}} diff --git a/calico/templates/bird/_bird6.cfg.template.tpl b/calico/templates/bird/_bird6.cfg.template.tpl deleted file mode 100644 index 89d0a03bba..0000000000 --- a/calico/templates/bird/_bird6.cfg.template.tpl +++ /dev/null 
@@ -1,131 +0,0 @@ -# Generated by confd -include "bird6_aggr.cfg"; -include "bird6_ipam.cfg"; -{{`{{$node_ip_key := printf "/host/%s/ip_addr_v4" (getenv "NODENAME")}}{{$node_ip := getv $node_ip_key}}`}} -{{`{{$node_ip6_key := printf "/host/%s/ip_addr_v6" (getenv "NODENAME")}}{{$node_ip6 := getv $node_ip6_key}}`}} - -{{`{{$router_id := getenv "CALICO_ROUTER_ID" ""}}`}} -{{`router id {{if ne "" ($router_id)}}{{$router_id}}{{else}}{{$node_ip}}{{end}}; # Use IPv4 address since router id is 4 octets, even in MP-BGP`}} - -{{`{{define "LOGGING"}}`}} -{{`{{$node_logging_key := printf "/host/%s/loglevel" (getenv "NODENAME")}}{{if exists $node_logging_key}}{{$logging := getv $node_logging_key}}`}} -{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}} -{{`{{else if exists "/global/loglevel"}}{{$logging := getv "/global/loglevel"}}`}} -{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}} -{{`{{else}} debug { states };{{end}}`}} -{{`{{end}}`}} - -# Configure synchronization between routing tables and kernel. -protocol kernel { - learn; # Learn all alien routes from the kernel - persist; # Don't remove routes on bird shutdown - scan time 2; # Scan kernel routing table every 2 seconds - import all; - export all; # Default is export none - graceful restart; # Turn on graceful restart to reduce potential flaps in - # routes when reloading BIRD configuration. With a full - # automatic mesh, there is no way to prevent BGP from - # flapping since multiple nodes update their BGP - # configuration at the same time, GR is not guaranteed to - # work correctly in this scenario. -} - -# Watch interface up/down events. -protocol device { -{{` {{template "LOGGING"}}`}} - scan time 2; # Scan interfaces every 2 seconds -} - -protocol direct { -{{` {{template "LOGGING"}}`}} - interface -"cali*", "*"; # Exclude cali* but include everything else. 
-} - -{{`{{if eq "" ($node_ip6)}}# IPv6 disabled on this node.`}} -{{`{{else}}{{$node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}`}} - -# ensure we only listen to a specific ip and address -listen bgp address {{`{{$node_ip6}}`}} port {{.Values.networking.bgp.ipv6.port.listen}}; - -# Template for all BGP clients -template bgp bgp_template { -{{` {{template "LOGGING"}}`}} - description "Connection to BGP peer"; -{{` local as {{if exists $node_as_key}}{{getv $node_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}} - multihop; - gateway recursive; # This should be the default, but just in case. - import all; # Import all routes, since we don't know what the upstream - # topology is and therefore have to trust the ToR/RR. - export filter calico_pools; # Only want to export routes for workloads. -{{` source address {{$node_ip6}}; # The local address we use for the TCP connection`}} - add paths on; - graceful restart; # See comment in kernel section about graceful restart. -} - -# ------------- Node-to-node mesh ------------- -{{`{{- $node_cid_key := printf "/host/%s/rr_cluster_id" (getenv "NODENAME")}}`}} -{{`{{- $node_cluster_id := getv $node_cid_key}}`}} -{{`{{- if ne "" ($node_cluster_id)}}`}} -{{`# This node is configured as a route reflector with cluster ID {{$node_cluster_id}};`}} -# ignore node-to-node mesh setting. 
-{{`{{- else}}`}} -{{`{{if (json (getv "/global/node_mesh")).enabled}}`}} -{{`{{range $host := lsdir "/host"}}`}} -{{`{{$onode_as_key := printf "/host/%s/as_num" .}}`}} -{{`{{$onode_ip_key := printf "/host/%s/ip_addr_v6" .}}{{if exists $onode_ip_key}}{{$onode_ip := getv $onode_ip_key}}`}} -{{`{{$nums := split $onode_ip ":"}}{{$id := join $nums "_"}}`}} -{{`# For peer {{$onode_ip_key}}`}} -{{`{{if eq $onode_ip ($node_ip6) }}# Skipping ourselves ({{$node_ip6}})`}} -{{`{{else if eq "" $onode_ip}}# No IPv6 address configured for this node`}} -{{`{{else}}protocol bgp Mesh_{{$id}} from bgp_template {`}} -{{` neighbor {{$onode_ip}} as {{if exists $onode_as_key}}{{getv $onode_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}} - neighbor port {{.Values.networking.bgp.ipv6.port.neighbor}}; -{{`}{{end}}{{end}}{{end}}`}} -{{`{{else}}`}} -# Node-to-node mesh disabled -{{`{{end}}`}} -{{`{{- end}}`}} - - -# ------------- Global peers ------------- -{{`{{if ls "/global/peer_v6"}}`}} -{{`{{range gets "/global/peer_v6/*"}}{{$data := json .Value}}`}} -{{`{{$nums := split $data.ip ":"}}{{$id := join $nums "_"}}`}} -{{`# For peer {{.Key}}`}} -{{`{{- if eq $data.ip ($node_ip6) }}`}} -{{`# Skipping ourselves ({{$node_ip6}})`}} -{{`{{- else}}`}} -{{`protocol bgp Global_{{$id}} from bgp_template {`}} -{{` neighbor {{$data.ip}} as {{$data.as_num}};`}} - neighbor port {{.Values.networking.bgp.ipv6.port.neighbor}}; -{{`{{- if and (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}`}} - rr client; -{{` rr cluster id {{$node_cluster_id}};`}} -{{`{{- end}}`}} -} -{{`{{- end}}`}} -{{`{{end}}`}} -{{`{{else}}# No global peers configured.{{end}}`}} - - -# ------------- Node-specific peers ------------- -{{`{{$node_peers_key := printf "/host/%s/peer_v6" (getenv "NODENAME")}}`}} -{{`{{if ls $node_peers_key}}`}} -{{`{{range gets (printf "%s/*" $node_peers_key)}}{{$data := json .Value}}`}} -{{`{{$nums := split $data.ip ":"}}{{$id := join $nums "_"}}`}} -{{`# For peer {{.Key}}`}} 
-{{`{{- if eq $data.ip ($node_ip6) }}`}} -{{`# Skipping ourselves ({{$node_ip6}})`}} -{{`{{- else}}`}} -{{`protocol bgp Node_{{$id}} from bgp_template {`}} -{{` neighbor {{$data.ip}} as {{$data.as_num}};`}} - neighbor port {{.Values.networking.bgp.ipv6.port.neighbor}}; -{{`{{- if and (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}`}} - rr client; -{{` rr cluster id {{$node_cluster_id}};`}} -{{`{{- end}}`}} -} -{{`{{- end}}`}} -{{`{{end}}`}} -{{`{{else}}# No node-specific peers configured.{{end}}`}} -{{`{{end}}`}} diff --git a/calico/templates/bird/_bird6_ipam.cfg.template.tpl b/calico/templates/bird/_bird6_ipam.cfg.template.tpl deleted file mode 100644 index a73a16acc6..0000000000 --- a/calico/templates/bird/_bird6_ipam.cfg.template.tpl +++ /dev/null @@ -1,36 +0,0 @@ -# Generated by confd - -function osh_filters () -{ - # support any addresses matching our secondary announcements -{{- range .Values.networking.bgp.ipv6.additional_cidrs }} - if ( net ~ {{ . }} ) then { accept; } -{{- end }} -} - -function apply_communities () -{ - # Set community value based on dictionary of cidrs -{{- $asnum := .Values.networking.bgp.asnumber }} -{{- range .Values.networking.bgp.ipv6.community_cidr_ref }} - {{- $community := .community }} - {{- $cidr := .cidr }} - {{- with .prefix }} - if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ . }}, {{ $community }})); } - {{- else }} - if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ $asnum }}, {{ $community }})); } - {{- end }} -{{- end }} -} - -filter calico_pools { - apply_communities(); - calico_aggr(); - osh_filters(); -{{`{{range ls "/pool"}}{{$data := json (getv (printf "/pool/%s" .))}}`}} -{{` if ( net ~ {{$data.cidr}} ) then {`}} - accept; - } -{{`{{end}}`}} - reject; -} diff --git a/calico/templates/bird/_bird_ipam.cfg.template.tpl b/calico/templates/bird/_bird_ipam.cfg.template.tpl deleted file mode 100644 index 2900856950..0000000000 
--- a/calico/templates/bird/_bird_ipam.cfg.template.tpl
+++ /dev/null
@@ -1,60 +0,0 @@ -# Generated by confd - -function osh_filters () -{ - # support any addresses matching our secondary announcements -{{- range .Values.networking.bgp.ipv4.additional_cidrs }} - if ( net ~ {{ . }} ) then { accept; } -{{- end }} -} - -function apply_communities () -{ - # Set community value based on dictionary of cidrs -{{- $asnum := .Values.networking.bgp.asnumber }} -{{- range .Values.networking.bgp.ipv4.community_cidr_ref }} - {{- $community := .community }} - {{- $cidr := .cidr }} - {{- with .prefix }} - if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ . }}, {{ $community }})); } - {{- else }} - if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ $asnum }}, {{ $community }})); } - {{- end }} -{{- end }} -} - -filter calico_pools { - apply_communities(); - calico_aggr(); - osh_filters(); -{{`{{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}`}} -{{` if ( net ~ {{$data.cidr}} ) then {`}} - accept; - } -{{`{{end}}`}} - reject; -} - -{{`{{$network_key := printf "/bgp/v1/host/%s/network_v4" (getenv "NODENAME")}}{{if exists $network_key}}{{$network := getv $network_key}}`}} -filter calico_ipip { -{{`{{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}`}} -{{` if ( net ~ {{$data.cidr}} ) then {`}} -{{`{{if $data.ipip_mode}}{{if eq $data.ipip_mode "cross-subnet"}}`}} -{{` if defined(bgp_next_hop) && ( bgp_next_hop ~ {{$network}} ) then`}} -{{` krt_tunnel = ""; {{/* Destination in ipPool, mode is cross sub-net, route from-host on subnet, do not use IPIP */}}`}} - else -{{` krt_tunnel = "{{$data.ipip}}"; {{/* Destination in ipPool, mode is cross sub-net, route from-host off subnet, set the tunnel (if IPIP not enabled, value will be "") */}}`}} - accept; -{{` } {{else}}`}} -{{` krt_tunnel = "{{$data.ipip}}"; {{/* Destination in ipPool, mode not cross sub-net, set the tunnel (if IPIP not enabled, value will be "") */}}`}} - accept; -{{` } {{end}} {{else}}`}} -{{` krt_tunnel = 
"{{$data.ipip}}"; {{/* Destination in ipPool, mode field is not present, set the tunnel (if IPIP not enabled, value will be "") */}}`}} - accept; -{{` } {{end}}`}} -{{`{{end}}`}} -{{` accept; {{/* Destination is not in any ipPool, accept */}}`}} -} -{{`{{else}}`}} -filter calico_ipip { accept; } -{{`{{end}}{{/* End of 'exists $network_key' */}}`}} diff --git a/calico/templates/configmap-bin.yaml b/calico/templates/configmap-bin.yaml deleted file mode 100644 index 39e9237c58..0000000000 --- a/calico/templates/configmap-bin.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.configmap_bin }} -{{- $envAll := . }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: calico-bin -data: - image-repo-sync.sh: | -{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }} - install-calicoctl.sh: | -{{ tuple "bin/_install-calicoctl.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - calico-settings.sh: | -{{ tuple "bin/_calico-settings.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} -{{- end }} diff --git a/calico/templates/configmap-bird.yaml b/calico/templates/configmap-bird.yaml deleted file mode 100644 index f5284a7173..0000000000 --- a/calico/templates/configmap-bird.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.configmap_bird }} -{{- $envAll := . }} - ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: calico-bird -data: - # we overlay templates found natively in the calico-node container - # so that we may override bgp configuration - bird.cfg.template: | -{{ tuple "bird/_bird.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - bird_ipam.cfg.template: | -{{ tuple "bird/_bird_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - bird6.cfg.template: | -{{ tuple "bird/_bird6.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - bird6_ipam.cfg.template: | -{{ tuple "bird/_bird6_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} -{{- end }} diff --git a/calico/templates/configmap-etc.yaml b/calico/templates/configmap-etc.yaml deleted file mode 100644 index 6e32b1a82a..0000000000 --- a/calico/templates/configmap-etc.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.configmap_etc }} -{{- $envAll := . }} ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: calico-etc -data: - # The location of your etcd cluster. This uses the Service clusterIP - # defined below. - etcd_endpoints: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} - - # The CNI network configuration to install on each node, generated - # from (Values.)conf.cni_network_config - cni_network_config: |- -{{ toJson $envAll.Values.conf.cni_network_config | indent 4 }} - -{{- end }} diff --git a/calico/templates/daemonset-calico-etcd.yaml b/calico/templates/daemonset-calico-etcd.yaml deleted file mode 100644 index bbd8798870..0000000000 --- a/calico/templates/daemonset-calico-etcd.yaml +++ /dev/null 
@@ -1,133 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.daemonset_calico_etcd }} -{{- $envAll := . }} - -{{- $serviceAccountName := "calico-etcd" }} -{{ tuple $envAll "calico-etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} - ---- -# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet -# to force it to run on the master even when the master isn't schedulable, and uses -# nodeSelector to ensure it only runs on the master. -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: calico-etcd - annotations: - {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} - labels: - k8s-app: calico-etcd -{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} -spec: - selector: - matchLabels: - k8s-app: calico-etcd -{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} - template: - metadata: - labels: - k8s-app: calico-etcd -{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} - annotations: -{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} - configmap-etc-hash: {{ tuple "configmap-etc.yaml" . 
| include "helm-toolkit.utils.hash" }} - spec: -{{ dict "envAll" $envAll "application" "etcd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} - serviceAccountName: {{ $serviceAccountName }} - priorityClassName: system-cluster-critical - tolerations: - # This taint is set by all kubelets running `--cloud-provider=external` - # so we should tolerate it to schedule the Calico pods - - key: node.cloudprovider.kubernetes.io/uninitialized - value: "true" - effect: NoSchedule - # Allow this pod to run on the master/control-plane. - - key: node-role.kubernetes.io/master - effect: NoSchedule - - key: node-role.kubernetes.io/control-plane - effect: NoSchedule - # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. - # This, along with the annotation above marks this pod as a critical add-on. - - key: CriticalAddonsOnly - operator: Exists - # Only run this pod on the master. - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: true - initContainers: -{{ tuple $envAll "etcd" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - containers: - - name: calico-etcd -{{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ tuple $envAll $envAll.Values.pod.resources.calico_etcd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "etcd" "container" "calico_etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - env: - - name: CALICO_ETCD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - command: - - /usr/local/bin/etcd - args: - - --name=calico - - --data-dir=/var/etcd/calico-data -{{ if eq .Values.endpoints.etcd.scheme.default "https" }} - - --client-cert-auth=True - - --peer-client-cert-auth=True - - --trusted-ca-file=/etc/calico-certs/ca.crt - - --cert-file=/etc/calico-certs/server.crt - - --key-file=/etc/calico-certs/server.key - - 
--peer-trusted-ca-file=/etc/calico-certs/ca.crt - - --peer-cert-file=/etc/calico-certs/server.crt - - --peer-key-file=/etc/calico-certs/server.key -{{ end }} - - --advertise-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} - - --listen-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - - --listen-peer-urls={{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - - --auto-compaction-retention=1 - volumeMounts: - - name: pod-tmp - mountPath: /tmp - - name: var-etcd - mountPath: /var/etcd -{{ if .Values.conf.etcd.credentials.ca }} - - name: calico-etcd-secrets - mountPath: /etc/calico-certs/ca.crt - subPath: etcd.ca - readOnly: true -{{ end }} -{{ if .Values.conf.etcd.credentials.certificate }} - - name: calico-etcd-secrets - mountPath: /etc/calico-certs/server.crt - subPath: etcd.crt - readOnly: true -{{ end }} -{{ if .Values.conf.etcd.credentials.key }} - - name: calico-etcd-secrets - mountPath: /etc/calico-certs/server.key - subPath: etcd.key - readOnly: true -{{ end }} - volumes: - - name: pod-tmp - emptyDir: {} - - name: var-etcd - hostPath: - path: /var/etcd - - name: calico-etcd-secrets - secret: - secretName: calico-etcd-secrets -{{- end }} diff --git a/calico/templates/daemonset-calico-node.yaml b/calico/templates/daemonset-calico-node.yaml deleted file mode 100644 index 0fee65e8f9..0000000000 --- a/calico/templates/daemonset-calico-node.yaml +++ /dev/null 
@@ -1,414 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.daemonset_calico_node }} -{{- $envAll := . }} - - -{{/* Robustness, Calico 3.x wants things as Titlecase; this causes pain */}} -{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_IPIP" (title .Values.conf.node.CALICO_IPV4POOL_IPIP ) -}} -{{- $_ := set .Values.conf.node "CALICO_STARTUP_LOGLEVEL" (title .Values.conf.node.CALICO_STARTUP_LOGLEVEL ) -}} -{{- $_ := set .Values.conf.node "FELIX_LOGSEVERITYSCREEN" (title .Values.conf.node.FELIX_LOGSEVERITYSCREEN ) -}} - - -{{/* If using tunnels, and FELIX_IPINIPMTU is not set, make it 20 less than the physical to account for IPIP overhead */}} -{{- if empty .Values.conf.node.FELIX_IPINIPMTU -}} -{{- if ne .Values.conf.node.CALICO_IPV4POOL_IPIP "Never" -}} -{{- $_ := set .Values.conf.node "FELIX_IPINIPMTU" (sub .Values.networking.mtu 20) -}} -# Setting tunnel MTU to {{ .Values.conf.node.FELIX_IPINIPMTU }} -{{- end -}} -{{- end -}} - - -{{/* CNI_MTU is >= than the IPIP mtu, usually the physical MTU of the system */}} -{{- if empty .Values.conf.node.CNI_MTU -}} -{{- $_ := set .Values.conf.node "CNI_MTU" .Values.networking.mtu -}} -{{- end -}} - - -{{- if empty .Values.conf.node.CALICO_IPV4POOL_CIDR -}} -{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_CIDR" .Values.networking.podSubnet -}} -{{- end -}} - - - -{{- $serviceAccountName := "calico-node" }} -{{ tuple $envAll "calico_node" $serviceAccountName | include 
"helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: calico-node -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: calico-node -subjects: -- kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ .Release.Namespace }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ $serviceAccountName }} -rules: - - apiGroups: [""] - resources: - - pods - - nodes - - namespaces - verbs: - - get - - apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["get"] ---- -# This manifest installs the calico/node container, as well -# as the Calico CNI plugins and network config on -# each master and worker node in a Kubernetes cluster. -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: calico-node - annotations: - {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} - labels: - k8s-app: calico-node -{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} -spec: - selector: - matchLabels: - k8s-app: calico-node -{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - labels: - k8s-app: calico-node -{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} - annotations: -{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} - configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} - configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} - configmap-bird-hash: {{ tuple "configmap-bird.yaml" . 
| include "helm-toolkit.utils.hash" }} -{{ dict "envAll" $envAll "podName" "calico-node" "containerNames" (list "calico-node") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} -{{- if .Values.monitoring.prometheus.enabled }} -{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }} -{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }} -{{- end }} - spec: -{{ dict "envAll" $envAll "application" "calico_node" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} - nodeSelector: - beta.kubernetes.io/os: linux - hostNetwork: true - priorityClassName: system-cluster-critical - tolerations: - # Make sure calico-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - - key: node.kubernetes.io/not-ready - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - serviceAccountName: {{ $serviceAccountName }} - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. 
- terminationGracePeriodSeconds: 0 - - initContainers: -{{ tuple $envAll "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} -{{ if .Values.manifests.daemonset_calico_node_calicoctl }} - - name: install-calicoctl -{{ tuple $envAll "calico_ctl" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ tuple $envAll $envAll.Values.pod.resources.calico_ctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_ctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - command: - - /tmp/install-calicoctl.sh - env: - - name: ETCD_ENDPOINTS - valueFrom: - configMapKeyRef: - name: calico-etc - key: etcd_endpoints -{{ if .Values.endpoints.etcd.auth.client.tls.ca }} - - name: ETCD_CA_CERT_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.ca }} - - name: ETCD_CA_CERT - valueFrom: - secretKeyRef: - name: calico-etcd-secrets - key: tls.ca -{{ end }} -{{ if .Values.endpoints.etcd.auth.client.tls.key }} - - name: ETCD_KEY_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.key }} - - name: ETCD_KEY - valueFrom: - secretKeyRef: - name: calico-etcd-secrets - key: tls.key -{{ end }} -{{ if .Values.endpoints.etcd.auth.client.tls.crt }} - - name: ETCD_CERT_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.crt }} - - name: ETCD_CERT - valueFrom: - secretKeyRef: - name: calico-etcd-secrets - key: tls.crt -{{ end }} - volumeMounts: - - name: pod-tmp - mountPath: /tmp - - mountPath: /host/etc/calico - name: calico-cert-dir - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - - mountPath: /tmp/install-calicoctl.sh - name: calico-bin - subPath: install-calicoctl.sh - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} - subPath: tls.ca - readOnly: true - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} - subPath: 
tls.crt - readOnly: true - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} - subPath: tls.key - readOnly: true -{{ end }} - # This container installs the Calico CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{ tuple $envAll "calico_cni" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ dict "envAll" $envAll "application" "calico_node" "container" "install_cni" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - command: ["/install-cni.sh"] - env: - # Prevents the container from sleeping forever. - - name: SLEEP - value: "false" - # Name of the CNI config file to create. - # - # NOTE: Calico v3 needs to end in .conflist; Calico v2 is - # different! - - name: CNI_CONF_NAME - value: "10-calico.conflist" - # The location of the Calico etcd cluster. - - name: ETCD_ENDPOINTS - valueFrom: - configMapKeyRef: - name: calico-etc - key: etcd_endpoints - # The CNI network config to install on each node. - - name: CNI_NETWORK_CONFIG - valueFrom: - configMapKeyRef: - name: calico-etc - key: cni_network_config - - - volumeMounts: - - name: pod-tmp - mountPath: /tmp - - name: cni-bin-dir - mountPath: /host/opt/cni/bin - - name: cni-net-dir - mountPath: /host/etc/cni/net.d -{{ if .Values.conf.etcd.credentials.ca }} - - name: calico-etcd-secrets - mountPath: /calico-secrets/etcd-ca - subPath: etcd.ca - readOnly: true -{{ end }} -{{ if .Values.conf.etcd.credentials.certificate }} - - name: calico-etcd-secrets - mountPath: /calico-secrets/etcd-cert - subPath: etcd.crt - readOnly: true -{{ end }} -{{ if .Values.conf.etcd.credentials.key }} - - name: calico-etcd-secrets - mountPath: /calico-secrets/etcd-key - subPath: etcd.key - readOnly: true -{{ end }} - volumes: - - name: pod-tmp - emptyDir: {} - # Used by calico/node. 
- - name: lib-modules - hostPath: - path: /lib/modules - - name: var-run-calico - hostPath: - path: /var/run/calico - - name: var-lib-calico - hostPath: - path: /var/lib/calico - - name: xtables-lock - hostPath: - path: /run/xtables.lock - type: FileOrCreate - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: /opt/cni/bin - - name: cni-net-dir - hostPath: - path: /etc/cni/net.d - - name: calico-cert-dir - hostPath: - path: /etc/calico - - name: calico-etc - configMap: - name: calico-etc - defaultMode: 0444 - - name: calico-bird - configMap: - name: calico-bird - defaultMode: 0444 - - name: calico-bin - configMap: - name: calico-bin - defaultMode: 0555 - - name: calico-etcd-secrets - secret: - secretName: calico-etcd-secrets - - - - - - containers: - # Runs calico/node container on each Kubernetes node. This - # container programs network policy and routes on each - # host. - - name: calico-node -{{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_node" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - env: - # Values expanded explicitly from conf.node (some of which - # might be derived from elsewhere, see values.yaml for an - # explanation of this) - # -{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.node | indent 12 }} - - # Values explicit in the chart not expected to be found in - # conf.node - # - - # The location of the Calico etcd cluster. 
- - name: ETCD_ENDPOINTS - valueFrom: - configMapKeyRef: - name: calico-etc - key: etcd_endpoints - - # etcd certs -{{ if .Values.endpoints.etcd.auth.client.tls.ca }} - - name: ETCD_CA_CERT_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.ca }} -{{ end }} -{{ if .Values.endpoints.etcd.auth.client.tls.key }} - - name: ETCD_KEY_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.key }} -{{ end }} -{{ if .Values.endpoints.etcd.auth.client.tls.crt }} - - name: ETCD_CERT_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.crt }} -{{ end }} - - # Set noderef for node controller. - - name: CALICO_K8S_NODE_REF - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - livenessProbe: - httpGet: - path: /liveness - port: 9099 - host: localhost - periodSeconds: 10 - initialDelaySeconds: 10 - failureThreshold: 6 - - # Only for Calico v3 - readinessProbe: - exec: - command: - - /bin/calico-node - - -bird-ready - - -felix-ready - periodSeconds: 10 - volumeMounts: - - name: pod-tmp - mountPath: /tmp - - mountPath: /lib/modules - name: lib-modules - readOnly: true - - mountPath: /run/xtables.lock - name: xtables-lock - readOnly: false - - mountPath: /var/run/calico - name: var-run-calico - readOnly: false - - # bird template replacements - # bird cfg - - mountPath: /etc/calico/confd/templates/bird.cfg.template - name: calico-bird - subPath: bird.cfg.template - # bird ipam - - mountPath: /etc/calico/confd/templates/bird_ipam.cfg.template - name: calico-bird - subPath: bird_ipam.cfg.template - # bird6 cfg - - mountPath: /etc/calico/confd/templates/bird6.cfg.template - name: calico-bird - subPath: bird6.cfg.template - # bird6 ipam - - mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template - name: calico-bird - subPath: bird6_ipam.cfg.template - # etcd secrets - - mountPath: /var/lib/calico - name: var-lib-calico - readOnly: false - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} - subPath: tls.ca - readOnly: true - - 
name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} - subPath: tls.crt - readOnly: true - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} - subPath: tls.key - readOnly: true - -{{- end }} diff --git a/calico/templates/deployment-calico-kube-controllers.yaml b/calico/templates/deployment-calico-kube-controllers.yaml deleted file mode 100644 index 133135220e..0000000000 --- a/calico/templates/deployment-calico-kube-controllers.yaml +++ /dev/null 
@@ -1,181 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.deployment_calico_kube_controllers }} -{{- $envAll := . }} - -{{- $serviceAccountName := "calico-kube-controllers" }} -{{ tuple $envAll "calico_kube_controllers" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ $serviceAccountName }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ $serviceAccountName }} -subjects: -- kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ .Release.Namespace }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ $serviceAccountName }} -rules: - - apiGroups: - - "" - - extensions - resources: - - pods - - namespaces - - networkpolicies - - nodes - - serviceaccounts - verbs: - - watch - - list - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - watch - - list ---- - -# This manifest deploys the Calico Kubernetes controllers. 
-# See https://github.com/projectcalico/kube-controllers -apiVersion: apps/v1 -kind: Deployment -metadata: - name: calico-kube-controllers - namespace: {{ .Release.Namespace }} - labels: - k8s-app: calico-kube-controllers -{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} - annotations: - {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} -spec: - priorityClassName: system-cluster-critical - # The controllers can only have a single active instance. - replicas: 1 - selector: - matchLabels: - k8s-app: calico-kube-controllers -{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} -{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }} - template: - metadata: - name: calico-kube-controllers - labels: - k8s-app: calico-kube-controllers -{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} - annotations: -{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} - configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} - configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} - spec: -{{ dict "envAll" $envAll "application" "kube_controllers" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} - nodeSelector: - beta.kubernetes.io/os: linux - # The controllers must run in the host network namespace so that - # it isn't governed by policy that would prevent it from working. - hostNetwork: true - tolerations: - # Mark the pod as a critical add-on for rescheduling. 
- - key: node.cloudprovider.kubernetes.io/uninitialized - value: "true" - effect: NoSchedule - - - key: CriticalAddonsOnly - operator: Exists - - key: node-role.kubernetes.io/master - effect: NoSchedule - - key: node-role.kubernetes.io/control-plane - effect: NoSchedule - - key: node.kubernetes.io/not-ready - operator: Exists - effect: NoSchedule - serviceAccountName: {{ $serviceAccountName }} - initContainers: -{{ tuple $envAll "calico_kube_controllers" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - containers: - - name: calico-kube-controllers -{{ tuple $envAll "calico_kube_controllers" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ tuple $envAll $envAll.Values.pod.resources.calico_kube_controllers | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "kube_controllers" "container" "kube_controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - env: - # The location of the Calico etcd cluster. 
- - name: ETCD_ENDPOINTS - valueFrom: - configMapKeyRef: - name: calico-etc - key: etcd_endpoints - - # conf.controllers expanded values -{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.controllers | indent 12 }} - -{{ if .Values.endpoints.etcd.auth.client.tls.ca }} - # etcd tls files - - name: ETCD_CA_CERT_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.ca }} -{{ end }} -{{ if .Values.endpoints.etcd.auth.client.tls.key }} - - name: ETCD_KEY_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.key }} -{{ end }} -{{ if .Values.endpoints.etcd.auth.client.tls.crt }} - - name: ETCD_CERT_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.crt }} -{{ end }} - - # etcd tls mounts - volumeMounts: - - name: pod-tmp - mountPath: /tmp - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} - subPath: tls.ca - readOnly: true - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} - subPath: tls.crt - readOnly: true - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} - subPath: tls.key - readOnly: true - - # Calico v3 only - readinessProbe: - exec: - command: - - /usr/bin/check-status - - -r - livenessProbe: - exec: - command: - - /usr/bin/check-status - - -r - volumes: - - name: pod-tmp - emptyDir: {} - - name: calico-etcd-secrets - secret: - secretName: calico-etcd-secrets - defaultMode: 0400 -{{- end }} diff --git a/calico/templates/etc/_bird-tar-deposit.base64.txt b/calico/templates/etc/_bird-tar-deposit.base64.txt deleted file mode 100644 index ae52c23f74..0000000000 --- a/calico/templates/etc/_bird-tar-deposit.base64.txt +++ /dev/null @@ -1,2 +0,0 @@ -H4sIAJLrq1sCA+3IOwqFMABE0SwlS4jGxPVYvFIQP4W7N1ja+0A4p7nD/OZlP8O7UlOH4W7z7L27 -nEs/1lL62v4x5S7EFP7g2PZpjTEAAAAAAAAAAADAh1zOUd8NACgAAA== 
diff --git a/calico/templates/job-calico-settings.yaml b/calico/templates/job-calico-settings.yaml
deleted file mode 100644
index 9075041446..0000000000
--- a/calico/templates/job-calico-settings.yaml
+++ /dev/null
@@ -1,109 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.job_calico_settings }} -{{- $envAll := . }} - -{{- $serviceAccountName := "calico-settings" }} -{{ tuple $envAll "calico_settings" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: calico-settings - labels: -{{ tuple $envAll "calico" "calico_settings" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} - annotations: - {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} -spec: - template: - metadata: - annotations: - configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} - configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} - labels: -{{ tuple $envAll "calico" "calico_settings" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} - spec: -{{ dict "envAll" $envAll "application" "calico_settings" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} - hostNetwork: true - priorityClassName: system-cluster-critical - tolerations: - - key: node-role.kubernetes.io/control-plane - effect: NoSchedule - - key: node.kubernetes.io/not-ready - operator: Exists - effect: NoSchedule - # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. 
- # This, along with the annotation above marks this pod as a critical add-on. - - key: CriticalAddonsOnly - operator: Exists - serviceAccountName: {{ $serviceAccountName }} - restartPolicy: OnFailure - initContainers: -{{ tuple $envAll "calico_settings" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - containers: - - name: calico-settings -{{ tuple $envAll "calico_settings" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ tuple $envAll $envAll.Values.pod.resources.calico_settings | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "calico_settings" "container" "calico_settings" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - env: - - name: ETCD_ENDPOINTS - valueFrom: - configMapKeyRef: - name: calico-etc - key: etcd_endpoints -{{ if .Values.endpoints.etcd.auth.client.tls.ca }} - - name: ETCD_CA_CERT_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.ca }} -{{ end }} -{{ if .Values.endpoints.etcd.auth.client.tls.key }} - - name: ETCD_KEY_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.key }} -{{ end }} -{{ if .Values.endpoints.etcd.auth.client.tls.crt }} - - name: ETCD_CERT_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.crt }} -{{ end }} - command: - - /tmp/calico-settings.sh - volumeMounts: - - name: pod-tmp - mountPath: /tmp - - name: calico-bin - mountPath: /tmp/calico-settings.sh - subPath: calico-settings.sh - readOnly: true - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} - subPath: tls.ca - readOnly: true - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} - subPath: tls.crt - readOnly: true - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} - subPath: tls.key - readOnly: true - volumes: - - name: pod-tmp - emptyDir: {} - - name: calico-bin - configMap: - name: 
calico-bin - defaultMode: 0555 - - name: calico-etcd-secrets - secret: - secretName: calico-etcd-secrets -{{- end }} diff --git a/calico/templates/job-image-repo-sync.yaml b/calico/templates/job-image-repo-sync.yaml deleted file mode 100644 index 89b755f79f..0000000000 --- a/calico/templates/job-image-repo-sync.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }} - -{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "calico" -}} -{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }} -{{- end }} diff --git a/calico/templates/secret-etcd-certificates.yaml b/calico/templates/secret-etcd-certificates.yaml deleted file mode 100644 index db7b26976a..0000000000 --- a/calico/templates/secret-etcd-certificates.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.secret_certificates }} -{{- $envAll := . }} ---- - -apiVersion: v1 -kind: Secret -type: kubernetes.io/tls -metadata: - name: calico-etcd-secrets -data: - tls.ca: {{ .Values.endpoints.etcd.auth.client.tls.ca | default "" | b64enc }} - tls.key: {{ .Values.endpoints.etcd.auth.client.tls.key | default "" | b64enc }} - tls.crt: {{ .Values.endpoints.etcd.auth.client.tls.crt | default "" | b64enc }} - etcd.ca: {{ .Values.conf.etcd.credentials.ca | default "" | b64enc }} - etcd.crt: {{ .Values.conf.etcd.credentials.certificate | default "" | b64enc }} - etcd.key: {{ .Values.conf.etcd.credentials.key | default "" | b64enc }} -{{- end }} diff --git a/calico/templates/secret-registry.yaml b/calico/templates/secret-registry.yaml deleted file mode 100644 index da979b3223..0000000000 --- a/calico/templates/secret-registry.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }} -{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }} -{{- end }} diff --git a/calico/templates/service-calico-etcd.yaml b/calico/templates/service-calico-etcd.yaml deleted file mode 100644 index b51b05cc14..0000000000 --- a/calico/templates/service-calico-etcd.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.service_calico_etcd }} -{{- $envAll := . }} ---- -# This manifest installs the Service which gets traffic to the Calico -# etcd. -apiVersion: v1 -kind: Service -metadata: - labels: - k8s-app: calico-etcd -{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} - name: {{ tuple "etcd" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} -spec: - # Select the calico-etcd pod running on the master. - selector: - k8s-app: calico-etcd -{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} - # This ClusterIP needs to be known in advance, since we cannot rely - # on DNS to get access to etcd. - clusterIP: {{ tuple "etcd" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }} - ports: - - port: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} -{{- end }} diff --git a/calico/values.yaml b/calico/values.yaml deleted file mode 100644 index a0a10ad360..0000000000 --- a/calico/values.yaml +++ /dev/null 
@@ -1,595 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -images: - tags: - # These are minimum versions, older images will very likely not - # work - calico_etcd: quay.io/coreos/etcd:v3.5.9 - calico_node: quay.io/calico/node:v3.25.1 - calico_cni: quay.io/calico/cni:v3.25.1 - calico_ctl: calico/ctl:v3.25.1 - calico_settings: calico/ctl:v3.25.1 - # NOTE: plural key, singular value - calico_kube_controllers: quay.io/calico/kube-controllers:v3.25.1 - dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0 - image_repo_sync: docker.io/library/docker:24.0.1 - pull_policy: IfNotPresent - local_registry: - active: false - exclude: - - dep_check - - image_repo_sync - - calico_etcd - - calico_node - - calico_cni - - calico_kube_controllers - -pod: - security_context: - etcd: - pod: - runAsUser: 0 - container: - calico_etcd: - readOnlyRootFilesystem: false - calico_node: - pod: - runAsUser: 0 - container: - calico_ctl: - readOnlyRootFilesystem: false - install_cni: - readOnlyRootFilesystem: false - calico_node: - readOnlyRootFilesystem: false - capabilities: - add: - - 'NET_ADMIN' - - 'SYS_ADMIN' - kube_controllers: - pod: - runAsUser: 0 - container: - kube_controller: - readOnlyRootFilesystem: false - calico_settings: - pod: - runAsUser: 0 - container: - calico_settings: - readOnlyRootFilesystem: false - resources: - enabled: false - jobs: - image_repo_sync: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "1024Mi" - cpu: "2000m" - calico_settings: 
- requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "1024Mi" - cpu: "2000m" - calico_kube_controllers: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "1024Mi" - cpu: "2000m" - calico_node: - requests: - memory: "128Mi" - cpu: "250m" - limits: - memory: "1024Mi" - cpu: "2000m" - calico_cni: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "1024Mi" - cpu: "2000m" - calico_ctl: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "1024Mi" - cpu: "2000m" - calico_etcd: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "1024Mi" - cpu: "2000m" - lifecycle: - upgrades: - deployments: - revision_history: 3 - pod_replacement_strategy: RollingUpdate - rolling_update: - max_unavailable: 1 - max_surge: 3 - disruption_budget: - controllers: - min_available: 0 - mandatory_access_control: - type: apparmor - calico-node: - calico-node: runtime/default - -dependencies: - dynamic: - common: - local_image_registry: - jobs: - - calico-image-repo-sync - services: - - endpoint: node - service: local_image_registry - static: - calico_kube_controllers: - services: - - endpoint: internal - service: calico-etcd - calico_node: - services: - - endpoint: internal - service: calico-etcd - calico_settings: - services: - - endpoint: internal - service: calico-etcd - calico_etcd: - services: null - image_repo_sync: - services: - - endpoint: internal - service: local_image_registry - -secrets: - oci_image_registry: - calico: calico-oci-image-registry - -endpoints: - cluster_domain_suffix: cluster.local - local_image_registry: - name: docker-registry - namespace: docker-registry - hosts: - default: localhost - internal: docker-registry - node: localhost - host_fqdn_override: - default: null - port: - registry: - node: 5000 - oci_image_registry: - name: oci-image-registry - namespace: oci-image-registry - auth: - enabled: false - calico: - username: calico - password: password - hosts: - default: localhost - host_fqdn_override: - 
default: null - port: - registry: - default: null - etcd: - auth: - client: - tls: - crt: null - ca: null - key: null - path: - # these must be within /etc/calico - crt: /etc/calico/pki/crt - ca: /etc/calico/pki/ca - key: /etc/calico/pki/key - scheme: - default: http - path: - default: ' ' # space required to provide a truly empty path - hosts: - default: 10.96.232.136 - host_fqdn_override: - default: null - service: - name: null - port: - client: - default: 6666 - peer: - default: 6667 - -monitoring: - prometheus: - enabled: true - calico_node: - scrape: true - port: 9091 - -networking: - podSubnet: 192.168.0.0/16 - # Physical MTU, if ipip is enabled, the chart will adjust things downward - mtu: 1500 - - settings: - mesh: "on" - # technically this could be a list, today we only support a single - # podSubnet, the one above. The settings below will be applied to - # that ipPool - ippool: - ipip: - enabled: true - nat_outgoing: true - disabled: false - - bgp: - # our asnumber for bgp peering - asnumber: 64512 - ipv4: - # https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/bgppeer - # - # this is a list of peer objects that will be passed directly to - # calicoctl - for global peers, the scope should be global and - # the node attribute removed - # - # apiVersion: projectcalico.org/v3 - # kind: BGPPeer - # metadata: - # name: some.name - # spec: - # node: rack1-host1 - # peerIP: 10.1.10.39 - # asNumber: 64512 - peers: [] - # this is a list of additional IPv4 cidrs that if we discover - # IPs within them on a host, we will announce the address in - # addition to traditional pod workloads - additional_cidrs: [] - # community_cidr_ref contains embedded objects that describe a - # BGP community that is to be associated with the supplied CIDR. - # The top-level key names are not important. 
- # - # The resulting BGP community will take the form of - # : - # If no prefix is specified then the asnumber is used - community_cidr_ref: -# cidr_community_description: -# cidr: 192.168.0.0/16 -# community: 54321 -# prefix: 55555 -# alpha: -# cidr: 10.0.0.0/16 -# community: 54322 - port: - neighbor: 179 - listen: 179 - ipv6: - # https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/bgppeer - # - # this is a list of peer objects that will be passed directly to - # calicoctl - for global peers, the scope should be global and - # the node attribute removed - # - # apiVersion: projectcalico.org/v3 - # kind: BGPPeer - # metadata: - # name: some.name - # spec: - # node: rack1-host1 - # peerIP: 2600:1:2:3::abcd - # asNumber: 64512 - peers: [] - # this is a list of additional IPv6 cidrs that if we discover - # IPs within them on a host, we will announce them in addition - # to traditional pod workloads - additional_cidrs: [] - # community_cidr_ref contains embedded objects that describe a - # BGP community that is to be associated with the supplied CIDR. - # The top-level key names are not important. - # - # The resulting BGP community will take the form of - # : - # If no prefix is specified then the asnumber is used - community_cidr_ref: -# cidr_community_description: -# cidr: 2600:1:2:3::abcd/28 -# community: 54321 -# prefix: 55555 -# alpha: -# cidr: 1400:a:2:3::abcd/26 -# community: 54322 - port: - neighbor: 179 - listen: 179 - - # Policy contains embedded Calico policy and/or endpoint objects. - # Because lists are cumbersome to deal with this is stuctured as a - # dictionary (therefore not ordered). The top-level key names are - # not important, priority contains a value between 0 and 9 inclusive - # and rules contains any objects (typically used as rules). - # Priority 0 objects are emitted before priority 9. It is - # recommended any rules such as HostEndpoint be given a higher - # priority so that they are applied after more generic objects. 
- # Priority values outside of integers 0 through 9 are not valid and - # should not be used. - policy: - # alpha: - # priority: 0 - # rules: - # - apiVersion: projectcalico.org/v3 - # kind: GlobalNetworkPolicy - # metadata: - # name: allow-tcp-6379 - # spec: - # order: 0 - # selector: role == 'database' - # types: - # - Ingress - # - Egress - # ingress: - # - action: Allow - # protocol: TCP - # source: - # selector: role == 'frontend' - # destination: - # ports: - # - 6379 - # egress: - # - action: Allow - # - apiVersion: projectcalico.org/v3 - # kind: GlobalNetworkPolicy - # metadata: - # name: allow-tcp-3306 - # spec: - # order: 1 - # selector: role == 'database' - # types: - # - Ingress - # - Egress - # ingress: - # - action: Allow - # protocol: TCP - # source: - # selector: role == 'frontend' - # destination: - # ports: - # - 3306 - # egress: - # - action: Allow - - # beta: - # priority: 1 - # rules: - # - apiVersion: projectcalico.org/v3 - # kind: NetworkPolicy - # metadata: - # name: allow-tcp-6379 - # namespace: production - # spec: - # selector: role == 'database' - # types: - # - Ingress - # - Egress - # ingress: - # - action: Allow - # protocol: TCP - # source: - # selector: role == 'frontend' - # destination: - # ports: - # - 6379 - # egress: - # - action: Allow - # - apiVersion: projectcalico.org/v3 - # kind: NetworkPolicy - # metadata: - # name: allow-tcp-8081 - # namespace: production - # spec: - # selector: role == 'webthing' - # types: - # - Ingress - # - Egress - # ingress: - # - action: Allow - # protocol: TCP - # source: - # selector: role == 'frontend' - # destination: - # ports: - # - 8081 - # egress: - # - action: Allow - - # zulu: - # priority: 9 - # rules: - # - apiVersion: projectcalico.org/v3 - # kind: HostEndpoint - # metadata: - # name: first.thing - # labels: - # type: production - # spec: - # interfaceName: eth0 - # node: mysecrethost - # expectedIPs: - # - 192.168.0.1 - # - 192.168.0.2 - # profiles: - # - profile1 - # - profile2 - # 
ports: - # - name: some-port - # port: 1234 - # protocol: TCP - # - name: another-port - # port: 5432 - # protocol: UDP - # - apiVersion: projectcalico.org/v3 - # kind: HostEndpoint - # metadata: - # name: second.thing - # labels: - # type: production - # spec: - # interfaceName: eth1 - # node: myothersecrethost - # expectedIPs: - # - 192.168.1.1 - # - 192.168.1.2 - # profiles: - # - profile1 - # - profile2 - # ports: - # - name: some-port - # port: 1234 - # protocol: TCP - # - name: another-port - # port: 5432 - # protocol: UDP - -conf: - etcd: - credentials: - ca: null - key: null - certificate: null - # NOTE; syntax has subtly changed since Calico v2. For Armada *all* - # of this needes to be specified. We're using yaml here which we - # can't robustly convert to json (which the node pod requires) so it - # might be we revisit that and embedded a json string that gets - # edits - cni_network_config: - # https://docs.projectcalico.org/v3.4/reference/cni-plugin/configuration - # - # other than the etcd_* keys you likely want to leave this as-is - name: k8s-pod-network - cniVersion: 0.3.0 - plugins: - - type: calico - log_level: info - etcd_endpoints: __ETCD_ENDPOINTS__ - etcd_key_file: __ETCD_KEY_FILE__ - etcd_cert_file: __ETCD_CERT_FILE__ - etcd_ca_cert_file: __ETCD_CA_CERT_FILE__ - ipam: - type: calico-ipam - policy: - type: k8s - kubernetes: - kubeconfig: __KUBECONFIG_FILEPATH__ - - type: portmap - snat: true - capabilities: - portMappings: true - controllers: - # The location of the Kubernetes API. Use the default Kubernetes - # service for API access. 
- K8S_API: "https://kubernetes.default:443" - # Choose which controllers to run, see - # https://docs.projectcalico.org//v3.4/reference/kube-controllers/configuration - # for an explanation of each - ENABLED_CONTROLLERS: "policy,namespace,serviceaccount,workloadendpoint,node" - # Since we're running in the host namespace and might not have KubeDNS - # access, configure the container's /etc/hosts to resolve - # kubernetes.default to the correct service clusterIP. - CONFIGURE_ETC_HOSTS: true - - node: - # for specific details see - # https://docs.projectcalico.org/v3.4/reference/node/configuration - name: k8s-pod-network - # Cluster type to identify the deployment type - # NOTE: v2 had a list ... v3 a comma separated string - CLUSTER_TYPE: "k8s,bgp" - # Describes which BGP networking backend to use gobgp, bird, none. - # Default is bird. NOTE(alanmeadows) today this chart only - # supports applying the bgp customizations to bird templates - in - # the future we may support gobgp as well - CALICO_NETWORKING_BACKEND: bird - # Location of the CA certificate for etcd. - ETCD_CA_CERT_FILE: "" - # Location of the client key for etcd. - ETCD_KEY_FILE: "" - # Location of the client certificate for etcd. - ETCD_CERT_FILE: "" - # Disable file logging so `kubectl logs` works. - CALICO_DISABLE_FILE_LOGGING: true - # Set Felix endpoint to host default action to ACCEPT. - # early/startup log level for calico-node on startup. - CALICO_STARTUP_LOGLEVEL: "Info" - FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT" - # Configure the IP Pool from which Pod IPs will be chosen; it's - # recommended you leave this as null and the value from - # networking.podSubnet will be used - CALICO_IPV4POOL_CIDR: null - # See https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/ippool - CALICO_IPV4POOL_BLOCKSIZE: 26 - # Change this to 'Never' in environments with direct L2 - # communication (such that tunnels are not needed for pods on - # different hosts to communicate with each otehr). 
- CALICO_IPV4POOL_IPIP: "Always"
- # Disable IPv6 on Kubernetes.
- FELIX_IPV6SUPPORT: false
- # Set MTU for tunnel device used if ipip is enabled, it's
- # recommended you leave this as null and an appropriate value will
- # be set based on tunneling mode and the networking.mtu value
- FELIX_IPINIPMTU: null
- # Set Felix logging; also (ab)used for bgp configuration
- FELIX_LOGSEVERITYSCREEN: "Info"
- FELIX_HEALTHENABLED: true
- # Set Felix experimental Prometheus metrics server
- FELIX_PROMETHEUSMETRICSENABLED: true
- FELIX_PROMETHEUSMETRICSPORT: "9091"
- # Auto-detect the BGP IP address.
- IP: ""
- # Detection of source interface for routing
- # options include
- # can-reach=DESTINATION
- # interface=INTERFACE-REGEX
- IP_AUTODETECTION_METHOD: first-found
- IPV6_AUTODETECTION_METHOD: first-found
-
-manifests:
- configmap_bin: true
- configmap_etc: true
- configmap_bird: true
- daemonset_calico_etcd: true
- daemonset_calico_node: true
- daemonset_calico_node_calicoctl: true
- deployment_calico_kube_controllers: true
- job_image_repo_sync: true
- job_calico_settings: true
- service_calico_etcd: true
- secret_certificates: true
- secret_registry: true
-...
diff --git a/releasenotes/notes/calico.yaml b/releasenotes/notes/calico.yaml
deleted file mode 100644
index f83036e406..0000000000
--- a/releasenotes/notes/calico.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-calico:
- - 0.1.0 Initial Chart
- - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
- - 0.1.2 Use full image ref for docker official images
- - 0.1.3 Helm 3 - Fix Job labels
- - 0.1.4 Update htk requirements
- - 0.1.5 Added OCI registry authentication
- - 0.1.6 Replace node-role.kubernetes.io/master with control-plane
- - 0.1.7 Update calico to v3.25.1
- - 0.1.8 replace scheduler.alpha.kubernetes.io/critical-pod with priorityClassName
-...