From 4eed2c3486c20a3f05d576e0e39df17b047665b9 Mon Sep 17 00:00:00 2001 
From: Vladimir Kozhukalov
Date: Mon, 5 Feb 2024 15:17:13 -0800
Subject: [PATCH] Remove calico chart
Tigera provides tools for managing Calico deployments (helm chart, operator and even plain kubectl manifest). Also there are plenty of other networking solutions on the market and it looks like users can choose on their own the CNI implementation. There have not been many contributions to this chart for quite some time and we don't use this chart in any test jobs. In the deploy-env role we use the upstream Calico manifest.
Change-Id: I6005e85946888c52e0d273c61d38f4787e43c20a
---
calico/Chart.yaml | 26 -
calico/requirements.yaml | 18 -
calico/templates/bin/_calico-settings.sh.tpl | 102 ---
.../templates/bin/_install-calicoctl.sh.tpl | 57 --
calico/templates/bird/_bird.cfg.template.tpl | 128 ----
calico/templates/bird/_bird6.cfg.template.tpl | 131 ----
.../bird/_bird6_ipam.cfg.template.tpl | 36 --
.../bird/_bird_ipam.cfg.template.tpl | 60 --
calico/templates/configmap-bin.yaml | 29 -
calico/templates/configmap-bird.yaml | 34 -
calico/templates/configmap-etc.yaml | 32 -
calico/templates/daemonset-calico-etcd.yaml | 133 ----
calico/templates/daemonset-calico-node.yaml | 414 ------------
.../deployment-calico-kube-controllers.yaml | 181 ------
.../etc/_bird-tar-deposit.base64.txt | 2 -
calico/templates/job-calico-settings.yaml | 109 ----
calico/templates/job-image-repo-sync.yaml | 19 -
.../templates/secret-etcd-certificates.yaml | 31 -
calico/templates/secret-registry.yaml | 17 -
calico/templates/service-calico-etcd.yaml | 37 --
calico/values.yaml | 595 ------------------
releasenotes/notes/calico.yaml | 12 -
22 files changed, 2203 deletions(-)
delete mode 100644 calico/Chart.yaml
delete mode 100644 calico/requirements.yaml
delete mode 100644 calico/templates/bin/_calico-settings.sh.tpl
delete mode 100644 calico/templates/bin/_install-calicoctl.sh.tpl
delete mode 100644 calico/templates/bird/_bird.cfg.template.tpl
delete mode 100644 
calico/templates/bird/_bird6.cfg.template.tpl
delete mode 100644 calico/templates/bird/_bird6_ipam.cfg.template.tpl
delete mode 100644 calico/templates/bird/_bird_ipam.cfg.template.tpl
delete mode 100644 calico/templates/configmap-bin.yaml
delete mode 100644 calico/templates/configmap-bird.yaml
delete mode 100644 calico/templates/configmap-etc.yaml
delete mode 100644 calico/templates/daemonset-calico-etcd.yaml
delete mode 100644 calico/templates/daemonset-calico-node.yaml
delete mode 100644 calico/templates/deployment-calico-kube-controllers.yaml
delete mode 100644 calico/templates/etc/_bird-tar-deposit.base64.txt
delete mode 100644 calico/templates/job-calico-settings.yaml
delete mode 100644 calico/templates/job-image-repo-sync.yaml
delete mode 100644 calico/templates/secret-etcd-certificates.yaml
delete mode 100644 calico/templates/secret-registry.yaml
delete mode 100644 calico/templates/service-calico-etcd.yaml
delete mode 100644 calico/values.yaml
delete mode 100644 releasenotes/notes/calico.yaml
diff --git a/calico/Chart.yaml b/calico/Chart.yaml
deleted file mode 100644
index 04f949ea8..000000000
--- a/calico/Chart.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-apiVersion: v1
-appVersion: v3.25.1
-description: OpenStack-Helm Calico
-name: calico
-version: 0.1.8
-home: https://github.com/projectcalico/calico
-icon: https://camo.githubusercontent.com/64c8b5ed6ac97553ae367348e8a59a24e2ed5bdc/687474703a2f2f646f63732e70726f6a65637463616c69636f2e6f72672f696d616765732f66656c69782e706e67
-sources:
- - https://github.com/projectcalico/calico
- - https://opendev.org/openstack/openstack-helm
-maintainers:
- - name: OpenStack-Helm Authors
-...
diff --git a/calico/requirements.yaml b/calico/requirements.yaml
deleted file mode 100644
index 84f0affae..000000000
--- a/calico/requirements.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-dependencies:
- - name: helm-toolkit
- repository: file://../helm-toolkit
- version: ">= 0.1.0"
-...
diff --git a/calico/templates/bin/_calico-settings.sh.tpl b/calico/templates/bin/_calico-settings.sh.tpl
deleted file mode 100644
index b30727ea2..000000000
--- a/calico/templates/bin/_calico-settings.sh.tpl
+++ /dev/null
@@ -1,102 +0,0 @@ -#!/bin/sh - -set -eux - - -{{/* Robustness, Calico 3.x wants things as Titlecase; this causes pain */}} -{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_IPIP" (title .Values.conf.node.CALICO_IPV4POOL_IPIP ) -}} -{{- $_ := set .Values.conf.node "CALICO_STARTUP_LOGLEVEL" (title .Values.conf.node.CALICO_STARTUP_LOGLEVEL ) -}} -{{- $_ := set .Values.conf.node "FELIX_LOGSEVERITYSCREEN" (title .Values.conf.node.FELIX_LOGSEVERITYSCREEN ) -}} - - -{{- $envAll := . }} - -{{ if empty .Values.conf.node.CALICO_IPV4POOL_CIDR }} -{{ $_ := set .Values.conf.node "CALICO_IPV4POOL_CIDR" .Values.networking.podSubnet }} -{{ end }} - -# An idempotent script for interacting with calicoctl to instantiate -# peers, and manipulate calico settings that we must perform -# post-deployment. - -CTL=/calicoctl - -# Generate configuration the way we want it to be, it doesn't matter -# if it's already set, in that case Calico will no nothing. - -# BGPConfiguration: nodeToNodeMeshEnabled & asNumber -$CTL apply -f - </host/$ETCD_KEY_FILE -$ETCD_KEY -EOF - chmod 600 /host/$ETCD_KEY_FILE -fi; - -if [ ! -z "$ETCD_CA_CERT" ]; then - DIR=$(dirname /host/$ETCD_CA_CERT_FILE) - mkdir -p $DIR - cat </host/$ETCD_CA_CERT_FILE -$ETCD_CA_CERT -EOF - chmod 600 /host/$ETCD_CA_CERT_FILE -fi; - -if [ ! -z "$ETCD_CERT" ]; then - DIR=$(dirname /host/$ETCD_CERT_FILE) - mkdir -p $DIR - cat </host/$ETCD_CERT_FILE -$ETCD_CERT -EOF - chmod 600 /host/$ETCD_CERT_FILE -fi; - -# This looks a bit funny. 
Notice that if $ETCD_ENDPOINTS and friends -# are defined in this (calico node initContainer/startup) context; -# generate a shell script to set the values on the host where thse -# variables will *not* be set -cat </host/opt/cni/bin/calicoctl -#!/bin/bash -# -# do *NOT* modify this file; this is autogenerated by the calico-node -# deployment startup process - -export ETCD_ENDPOINTS="${ETCD_ENDPOINTS}" - -[ -e "${ETCD_KEY_FILE}" ] && export ETCD_KEY_FILE="${ETCD_KEY_FILE}" -[ -e "${ETCD_CERT_FILE}" ] && export ETCD_CERT_FILE="${ETCD_CERT_FILE}" -[ -e "${ETCD_CA_CERT_FILE}" ] && export ETCD_CA_CERT_FILE="${ETCD_CA_CERT_FILE}" - -exec /opt/cni/bin/calicoctl.bin \$* -EOF - -chmod +x /host/opt/cni/bin/calicoctl diff --git a/calico/templates/bird/_bird.cfg.template.tpl b/calico/templates/bird/_bird.cfg.template.tpl deleted file mode 100644 index b248d1431..000000000 --- a/calico/templates/bird/_bird.cfg.template.tpl +++ /dev/null 
@@ -1,128 +0,0 @@ -# Generated by confd -include "bird_aggr.cfg"; -include "bird_ipam.cfg"; -{{`{{$node_ip_key := printf "/host/%s/ip_addr_v4" (getenv "NODENAME")}}{{$node_ip := getv $node_ip_key}}`}} - -# ensure we only listen to a specific ip and address -listen bgp address {{`{{$node_ip}}`}} port {{.Values.networking.bgp.ipv4.port.listen}}; - -{{`{{$router_id := getenv "CALICO_ROUTER_ID" ""}}`}} -{{`router id {{if ne "" ($router_id)}}{{$router_id}}{{else}}{{$node_ip}}{{end}};`}} - -{{`{{define "LOGGING"}}`}} -{{`{{$node_logging_key := printf "/host/%s/loglevel" (getenv "NODENAME")}}{{if exists $node_logging_key}}{{$logging := getv $node_logging_key}}`}} -{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}} -{{`{{else if exists "/global/loglevel"}}{{$logging := getv "/global/loglevel"}}`}} -{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}} -{{`{{else}} debug { states };{{end}}`}} -{{`{{end}}`}} - -# Configure synchronization between routing tables and kernel. -protocol kernel { - learn; # Learn all alien routes from the kernel - persist; # Don't remove routes on bird shutdown - scan time 2; # Scan kernel routing table every 2 seconds - import all; - export filter calico_ipip; # Default is export none - graceful restart; # Turn on graceful restart to reduce potential flaps in - # routes when reloading BIRD configuration. With a full - # automatic mesh, there is no way to prevent BGP from - # flapping since multiple nodes update their BGP - # configuration at the same time, GR is not guaranteed to - # work correctly in this scenario. -} - -# Watch interface up/down events. -protocol device { -{{` {{template "LOGGING"}}`}} - scan time 2; # Scan interfaces every 2 seconds -} - -protocol direct { -{{` {{template "LOGGING"}}`}} - interface -"cali*", "*"; # Exclude cali* but include everything else. 
-} - -{{`{{if eq "" ($node_ip)}}# IPv4 disabled on this node.`}} -{{`{{else}}{{$node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}`}} -# Template for all BGP clients -template bgp bgp_template { -{{` {{template "LOGGING"}}`}} - description "Connection to BGP peer"; -{{` local as {{if exists $node_as_key}}{{getv $node_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}} - multihop; - gateway recursive; # This should be the default, but just in case. - import all; # Import all routes, since we don't know what the upstream - # topology is and therefore have to trust the ToR/RR. - export filter calico_pools; # Only want to export routes for workloads. -{{` source address {{$node_ip}}; # The local address we use for the TCP connection`}} - add paths on; - graceful restart; # See comment in kernel section about graceful restart. -} - -# ------------- Node-to-node mesh ------------- -{{`{{- $node_cid_key := printf "/host/%s/rr_cluster_id" (getenv "NODENAME")}}`}} -{{`{{- $node_cluster_id := getv $node_cid_key}}`}} -{{`{{- if ne "" ($node_cluster_id)}}`}} -{{`# This node is configured as a route reflector with cluster ID {{$node_cluster_id}};`}} -# ignore node-to-node mesh setting. 
-{{`{{- else}}`}} -{{`{{if (json (getv "/global/node_mesh")).enabled}}`}} -{{`{{range $host := lsdir "/host"}}`}} -{{`{{$onode_as_key := printf "/host/%s/as_num" .}}`}} -{{`{{$onode_ip_key := printf "/host/%s/ip_addr_v4" .}}{{if exists $onode_ip_key}}{{$onode_ip := getv $onode_ip_key}}`}} -{{`{{$nums := split $onode_ip "."}}{{$id := join $nums "_"}}`}} -{{`# For peer {{$onode_ip_key}}`}} -{{`{{if eq $onode_ip ($node_ip) }}# Skipping ourselves ({{$node_ip}})`}} -{{`{{else if ne "" $onode_ip}}protocol bgp Mesh_{{$id}} from bgp_template {`}} -{{` neighbor {{$onode_ip}} as {{if exists $onode_as_key}}{{getv $onode_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}} - neighbor port {{.Values.networking.bgp.ipv4.port.neighbor}}; -{{`}{{end}}{{end}}{{end}}`}} -{{`{{else}}`}} -# Node-to-node mesh disabled -{{`{{end}}`}} -{{`{{- end}}`}} - - -# ------------- Global peers ------------- -{{`{{if ls "/global/peer_v4"}}`}} -{{`{{range gets "/global/peer_v4/*"}}{{$data := json .Value}}`}} -{{`{{$nums := split $data.ip "."}}{{$id := join $nums "_"}}`}} -{{`# For peer {{.Key}}`}} -{{`{{- if eq $data.ip ($node_ip) }}`}} -{{`# Skipping ourselves ({{$node_ip}})`}} -{{`{{- else}}`}} -{{`protocol bgp Global_{{$id}} from bgp_template {`}} -{{` neighbor {{$data.ip}} as {{$data.as_num}};`}} - neighbor port {{.Values.networking.bgp.ipv4.port.neighbor}}; -{{`{{- if and (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}`}} - rr client; -{{` rr cluster id {{$node_cluster_id}};`}} -{{`{{- end}}`}} -} -{{`{{- end}}`}} -{{`{{end}}`}} -{{`{{else}}# No global peers configured.{{end}}`}} - - -# ------------- Node-specific peers ------------- -{{`{{$node_peers_key := printf "/host/%s/peer_v4" (getenv "NODENAME")}}`}} -{{`{{if ls $node_peers_key}}`}} -{{`{{range gets (printf "%s/*" $node_peers_key)}}{{$data := json .Value}}`}} -{{`{{$nums := split $data.ip "."}}{{$id := join $nums "_"}}`}} -{{`# For peer {{.Key}}`}} -{{`{{- if eq $data.ip ($node_ip) }}`}} -{{`# Skipping 
ourselves ({{$node_ip}})`}} -{{`{{- else}}`}} -{{`protocol bgp Node_{{$id}} from bgp_template {`}} -{{` neighbor {{$data.ip}} as {{$data.as_num}};`}} - neighbor port {{.Values.networking.bgp.ipv4.port.neighbor}}; -{{`{{- if and (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}`}} - rr client; -{{` rr cluster id {{$node_cluster_id}};`}} -{{`{{- end}}`}} -} -{{`{{- end}}`}} -{{`{{end}}`}} -{{`{{else}}# No node-specific peers configured.{{end}}`}} -{{`{{end}}{{/* End of IPv4 enable check */}}`}} diff --git a/calico/templates/bird/_bird6.cfg.template.tpl b/calico/templates/bird/_bird6.cfg.template.tpl deleted file mode 100644 index 89d0a03bb..000000000 --- a/calico/templates/bird/_bird6.cfg.template.tpl +++ /dev/null 
@@ -1,131 +0,0 @@ -# Generated by confd -include "bird6_aggr.cfg"; -include "bird6_ipam.cfg"; -{{`{{$node_ip_key := printf "/host/%s/ip_addr_v4" (getenv "NODENAME")}}{{$node_ip := getv $node_ip_key}}`}} -{{`{{$node_ip6_key := printf "/host/%s/ip_addr_v6" (getenv "NODENAME")}}{{$node_ip6 := getv $node_ip6_key}}`}} - -{{`{{$router_id := getenv "CALICO_ROUTER_ID" ""}}`}} -{{`router id {{if ne "" ($router_id)}}{{$router_id}}{{else}}{{$node_ip}}{{end}}; # Use IPv4 address since router id is 4 octets, even in MP-BGP`}} - -{{`{{define "LOGGING"}}`}} -{{`{{$node_logging_key := printf "/host/%s/loglevel" (getenv "NODENAME")}}{{if exists $node_logging_key}}{{$logging := getv $node_logging_key}}`}} -{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}} -{{`{{else if exists "/global/loglevel"}}{{$logging := getv "/global/loglevel"}}`}} -{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}} -{{`{{else}} debug { states };{{end}}`}} -{{`{{end}}`}} - -# Configure synchronization between routing tables and kernel. -protocol kernel { - learn; # Learn all alien routes from the kernel - persist; # Don't remove routes on bird shutdown - scan time 2; # Scan kernel routing table every 2 seconds - import all; - export all; # Default is export none - graceful restart; # Turn on graceful restart to reduce potential flaps in - # routes when reloading BIRD configuration. With a full - # automatic mesh, there is no way to prevent BGP from - # flapping since multiple nodes update their BGP - # configuration at the same time, GR is not guaranteed to - # work correctly in this scenario. -} - -# Watch interface up/down events. -protocol device { -{{` {{template "LOGGING"}}`}} - scan time 2; # Scan interfaces every 2 seconds -} - -protocol direct { -{{` {{template "LOGGING"}}`}} - interface -"cali*", "*"; # Exclude cali* but include everything else. 
-} - -{{`{{if eq "" ($node_ip6)}}# IPv6 disabled on this node.`}} -{{`{{else}}{{$node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}`}} - -# ensure we only listen to a specific ip and address -listen bgp address {{`{{$node_ip6}}`}} port {{.Values.networking.bgp.ipv6.port.listen}}; - -# Template for all BGP clients -template bgp bgp_template { -{{` {{template "LOGGING"}}`}} - description "Connection to BGP peer"; -{{` local as {{if exists $node_as_key}}{{getv $node_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}} - multihop; - gateway recursive; # This should be the default, but just in case. - import all; # Import all routes, since we don't know what the upstream - # topology is and therefore have to trust the ToR/RR. - export filter calico_pools; # Only want to export routes for workloads. -{{` source address {{$node_ip6}}; # The local address we use for the TCP connection`}} - add paths on; - graceful restart; # See comment in kernel section about graceful restart. -} - -# ------------- Node-to-node mesh ------------- -{{`{{- $node_cid_key := printf "/host/%s/rr_cluster_id" (getenv "NODENAME")}}`}} -{{`{{- $node_cluster_id := getv $node_cid_key}}`}} -{{`{{- if ne "" ($node_cluster_id)}}`}} -{{`# This node is configured as a route reflector with cluster ID {{$node_cluster_id}};`}} -# ignore node-to-node mesh setting. 
-{{`{{- else}}`}} -{{`{{if (json (getv "/global/node_mesh")).enabled}}`}} -{{`{{range $host := lsdir "/host"}}`}} -{{`{{$onode_as_key := printf "/host/%s/as_num" .}}`}} -{{`{{$onode_ip_key := printf "/host/%s/ip_addr_v6" .}}{{if exists $onode_ip_key}}{{$onode_ip := getv $onode_ip_key}}`}} -{{`{{$nums := split $onode_ip ":"}}{{$id := join $nums "_"}}`}} -{{`# For peer {{$onode_ip_key}}`}} -{{`{{if eq $onode_ip ($node_ip6) }}# Skipping ourselves ({{$node_ip6}})`}} -{{`{{else if eq "" $onode_ip}}# No IPv6 address configured for this node`}} -{{`{{else}}protocol bgp Mesh_{{$id}} from bgp_template {`}} -{{` neighbor {{$onode_ip}} as {{if exists $onode_as_key}}{{getv $onode_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}} - neighbor port {{.Values.networking.bgp.ipv6.port.neighbor}}; -{{`}{{end}}{{end}}{{end}}`}} -{{`{{else}}`}} -# Node-to-node mesh disabled -{{`{{end}}`}} -{{`{{- end}}`}} - - -# ------------- Global peers ------------- -{{`{{if ls "/global/peer_v6"}}`}} -{{`{{range gets "/global/peer_v6/*"}}{{$data := json .Value}}`}} -{{`{{$nums := split $data.ip ":"}}{{$id := join $nums "_"}}`}} -{{`# For peer {{.Key}}`}} -{{`{{- if eq $data.ip ($node_ip6) }}`}} -{{`# Skipping ourselves ({{$node_ip6}})`}} -{{`{{- else}}`}} -{{`protocol bgp Global_{{$id}} from bgp_template {`}} -{{` neighbor {{$data.ip}} as {{$data.as_num}};`}} - neighbor port {{.Values.networking.bgp.ipv6.port.neighbor}}; -{{`{{- if and (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}`}} - rr client; -{{` rr cluster id {{$node_cluster_id}};`}} -{{`{{- end}}`}} -} -{{`{{- end}}`}} -{{`{{end}}`}} -{{`{{else}}# No global peers configured.{{end}}`}} - - -# ------------- Node-specific peers ------------- -{{`{{$node_peers_key := printf "/host/%s/peer_v6" (getenv "NODENAME")}}`}} -{{`{{if ls $node_peers_key}}`}} -{{`{{range gets (printf "%s/*" $node_peers_key)}}{{$data := json .Value}}`}} -{{`{{$nums := split $data.ip ":"}}{{$id := join $nums "_"}}`}} -{{`# For peer {{.Key}}`}} 
-{{`{{- if eq $data.ip ($node_ip6) }}`}}
-{{`# Skipping ourselves ({{$node_ip6}})`}}
-{{`{{- else}}`}}
-{{`protocol bgp Node_{{$id}} from bgp_template {`}}
-{{` neighbor {{$data.ip}} as {{$data.as_num}};`}}
- neighbor port {{.Values.networking.bgp.ipv6.port.neighbor}};
-{{`{{- if and (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}`}}
- rr client;
-{{` rr cluster id {{$node_cluster_id}};`}}
-{{`{{- end}}`}}
-}
-{{`{{- end}}`}}
-{{`{{end}}`}}
-{{`{{else}}# No node-specific peers configured.{{end}}`}}
-{{`{{end}}`}}
diff --git a/calico/templates/bird/_bird6_ipam.cfg.template.tpl b/calico/templates/bird/_bird6_ipam.cfg.template.tpl
deleted file mode 100644
index a73a16acc..000000000
--- a/calico/templates/bird/_bird6_ipam.cfg.template.tpl
+++ /dev/null
@@ -1,36 +0,0 @@
-# Generated by confd
-
-function osh_filters ()
-{
- # support any addresses matching our secondary announcements
-{{- range .Values.networking.bgp.ipv6.additional_cidrs }}
- if ( net ~ {{ . }} ) then { accept; }
-{{- end }}
-}
-
-function apply_communities ()
-{
- # Set community value based on dictionary of cidrs
-{{- $asnum := .Values.networking.bgp.asnumber }}
-{{- range .Values.networking.bgp.ipv6.community_cidr_ref }}
- {{- $community := .community }}
- {{- $cidr := .cidr }}
- {{- with .prefix }}
- if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ . }}, {{ $community }})); }
- {{- else }}
- if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ $asnum }}, {{ $community }})); }
- {{- end }}
-{{- end }}
-}
-
-filter calico_pools {
- apply_communities();
- calico_aggr();
- osh_filters();
-{{`{{range ls "/pool"}}{{$data := json (getv (printf "/pool/%s" .))}}`}}
-{{` if ( net ~ {{$data.cidr}} ) then {`}}
- accept;
- }
-{{`{{end}}`}}
- reject;
-}
diff --git a/calico/templates/bird/_bird_ipam.cfg.template.tpl b/calico/templates/bird/_bird_ipam.cfg.template.tpl
deleted file mode 100644
index 290085695..000000000
--- a/calico/templates/bird/_bird_ipam.cfg.template.tpl
+++ /dev/null
@@ -1,60 +0,0 @@ -# Generated by confd - -function osh_filters () -{ - # support any addresses matching our secondary announcements -{{- range .Values.networking.bgp.ipv4.additional_cidrs }} - if ( net ~ {{ . }} ) then { accept; } -{{- end }} -} - -function apply_communities () -{ - # Set community value based on dictionary of cidrs -{{- $asnum := .Values.networking.bgp.asnumber }} -{{- range .Values.networking.bgp.ipv4.community_cidr_ref }} - {{- $community := .community }} - {{- $cidr := .cidr }} - {{- with .prefix }} - if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ . }}, {{ $community }})); } - {{- else }} - if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ $asnum }}, {{ $community }})); } - {{- end }} -{{- end }} -} - -filter calico_pools { - apply_communities(); - calico_aggr(); - osh_filters(); -{{`{{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}`}} -{{` if ( net ~ {{$data.cidr}} ) then {`}} - accept; - } -{{`{{end}}`}} - reject; -} - -{{`{{$network_key := printf "/bgp/v1/host/%s/network_v4" (getenv "NODENAME")}}{{if exists $network_key}}{{$network := getv $network_key}}`}} -filter calico_ipip { -{{`{{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}`}} -{{` if ( net ~ {{$data.cidr}} ) then {`}} -{{`{{if $data.ipip_mode}}{{if eq $data.ipip_mode "cross-subnet"}}`}} -{{` if defined(bgp_next_hop) && ( bgp_next_hop ~ {{$network}} ) then`}} -{{` krt_tunnel = ""; {{/* Destination in ipPool, mode is cross sub-net, route from-host on subnet, do not use IPIP */}}`}} - else -{{` krt_tunnel = "{{$data.ipip}}"; {{/* Destination in ipPool, mode is cross sub-net, route from-host off subnet, set the tunnel (if IPIP not enabled, value will be "") */}}`}} - accept; -{{` } {{else}}`}} -{{` krt_tunnel = "{{$data.ipip}}"; {{/* Destination in ipPool, mode not cross sub-net, set the tunnel (if IPIP not enabled, value will be "") */}}`}} - accept; -{{` } {{end}} {{else}}`}} -{{` krt_tunnel = 
"{{$data.ipip}}"; {{/* Destination in ipPool, mode field is not present, set the tunnel (if IPIP not enabled, value will be "") */}}`}}
- accept;
-{{` } {{end}}`}}
-{{`{{end}}`}}
-{{` accept; {{/* Destination is not in any ipPool, accept */}}`}}
-}
-{{`{{else}}`}}
-filter calico_ipip { accept; }
-{{`{{end}}{{/* End of 'exists $network_key' */}}`}}
diff --git a/calico/templates/configmap-bin.yaml b/calico/templates/configmap-bin.yaml
deleted file mode 100644
index 39e9237c5..000000000
--- a/calico/templates/configmap-bin.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.configmap_bin }}
-{{- $envAll := . }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: calico-bin
-data:
- image-repo-sync.sh: |
-{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
- install-calicoctl.sh: |
-{{ tuple "bin/_install-calicoctl.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
- calico-settings.sh: |
-{{ tuple "bin/_calico-settings.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-{{- end }}
diff --git a/calico/templates/configmap-bird.yaml b/calico/templates/configmap-bird.yaml
deleted file mode 100644
index f5284a717..000000000
--- a/calico/templates/configmap-bird.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.configmap_bird }}
-{{- $envAll := . }}
-
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: calico-bird
-data:
- # we overlay templates found natively in the calico-node container
- # so that we may override bgp configuration
- bird.cfg.template: |
-{{ tuple "bird/_bird.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
- bird_ipam.cfg.template: |
-{{ tuple "bird/_bird_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
- bird6.cfg.template: |
-{{ tuple "bird/_bird6.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
- bird6_ipam.cfg.template: |
-{{ tuple "bird/_bird6_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-{{- end }}
diff --git a/calico/templates/configmap-etc.yaml b/calico/templates/configmap-etc.yaml
deleted file mode 100644
index 6e32b1a82..000000000
--- a/calico/templates/configmap-etc.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.configmap_etc }}
-{{- $envAll := . }}
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: calico-etc
-data:
- # The location of your etcd cluster. This uses the Service clusterIP
- # defined below.
- etcd_endpoints: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
-
- # The CNI network configuration to install on each node, generated
- # from (Values.)conf.cni_network_config
- cni_network_config: |-
-{{ toJson $envAll.Values.conf.cni_network_config | indent 4 }}
-
-{{- end }}
diff --git a/calico/templates/daemonset-calico-etcd.yaml b/calico/templates/daemonset-calico-etcd.yaml
deleted file mode 100644
index bbd879887..000000000
--- a/calico/templates/daemonset-calico-etcd.yaml
+++ /dev/null
@@ -1,133 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.daemonset_calico_etcd }} -{{- $envAll := . }} - -{{- $serviceAccountName := "calico-etcd" }} -{{ tuple $envAll "calico-etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} - ---- -# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet -# to force it to run on the master even when the master isn't schedulable, and uses -# nodeSelector to ensure it only runs on the master. -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: calico-etcd - annotations: - {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} - labels: - k8s-app: calico-etcd -{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} -spec: - selector: - matchLabels: - k8s-app: calico-etcd -{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} - template: - metadata: - labels: - k8s-app: calico-etcd -{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} - annotations: -{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} - configmap-etc-hash: {{ tuple "configmap-etc.yaml" . 
| include "helm-toolkit.utils.hash" }} - spec: -{{ dict "envAll" $envAll "application" "etcd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} - serviceAccountName: {{ $serviceAccountName }} - priorityClassName: system-cluster-critical - tolerations: - # This taint is set by all kubelets running `--cloud-provider=external` - # so we should tolerate it to schedule the Calico pods - - key: node.cloudprovider.kubernetes.io/uninitialized - value: "true" - effect: NoSchedule - # Allow this pod to run on the master/control-plane. - - key: node-role.kubernetes.io/master - effect: NoSchedule - - key: node-role.kubernetes.io/control-plane - effect: NoSchedule - # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. - # This, along with the annotation above marks this pod as a critical add-on. - - key: CriticalAddonsOnly - operator: Exists - # Only run this pod on the master. - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: true - initContainers: -{{ tuple $envAll "etcd" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - containers: - - name: calico-etcd -{{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ tuple $envAll $envAll.Values.pod.resources.calico_etcd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "etcd" "container" "calico_etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - env: - - name: CALICO_ETCD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - command: - - /usr/local/bin/etcd - args: - - --name=calico - - --data-dir=/var/etcd/calico-data -{{ if eq .Values.endpoints.etcd.scheme.default "https" }} - - --client-cert-auth=True - - --peer-client-cert-auth=True - - --trusted-ca-file=/etc/calico-certs/ca.crt - - --cert-file=/etc/calico-certs/server.crt - - --key-file=/etc/calico-certs/server.key - - 
--peer-trusted-ca-file=/etc/calico-certs/ca.crt - - --peer-cert-file=/etc/calico-certs/server.crt - - --peer-key-file=/etc/calico-certs/server.key -{{ end }} - - --advertise-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} - - --listen-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - - --listen-peer-urls={{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - - --auto-compaction-retention=1 - volumeMounts: - - name: pod-tmp - mountPath: /tmp - - name: var-etcd - mountPath: /var/etcd -{{ if .Values.conf.etcd.credentials.ca }} - - name: calico-etcd-secrets - mountPath: /etc/calico-certs/ca.crt - subPath: etcd.ca - readOnly: true -{{ end }} -{{ if .Values.conf.etcd.credentials.certificate }} - - name: calico-etcd-secrets - mountPath: /etc/calico-certs/server.crt - subPath: etcd.crt - readOnly: true -{{ end }} -{{ if .Values.conf.etcd.credentials.key }} - - name: calico-etcd-secrets - mountPath: /etc/calico-certs/server.key - subPath: etcd.key - readOnly: true -{{ end }} - volumes: - - name: pod-tmp - emptyDir: {} - - name: var-etcd - hostPath: - path: /var/etcd - - name: calico-etcd-secrets - secret: - secretName: calico-etcd-secrets -{{- end }} diff --git a/calico/templates/daemonset-calico-node.yaml b/calico/templates/daemonset-calico-node.yaml deleted file mode 100644 index 0fee65e8f..000000000 --- a/calico/templates/daemonset-calico-node.yaml +++ /dev/null 
@@ -1,414 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.daemonset_calico_node }} -{{- $envAll := . }} - - -{{/* Robustness, Calico 3.x wants things as Titlecase; this causes pain */}} -{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_IPIP" (title .Values.conf.node.CALICO_IPV4POOL_IPIP ) -}} -{{- $_ := set .Values.conf.node "CALICO_STARTUP_LOGLEVEL" (title .Values.conf.node.CALICO_STARTUP_LOGLEVEL ) -}} -{{- $_ := set .Values.conf.node "FELIX_LOGSEVERITYSCREEN" (title .Values.conf.node.FELIX_LOGSEVERITYSCREEN ) -}} - - -{{/* If using tunnels, and FELIX_IPINIPMTU is not set, make it 20 less than the physical to account for IPIP overhead */}} -{{- if empty .Values.conf.node.FELIX_IPINIPMTU -}} -{{- if ne .Values.conf.node.CALICO_IPV4POOL_IPIP "Never" -}} -{{- $_ := set .Values.conf.node "FELIX_IPINIPMTU" (sub .Values.networking.mtu 20) -}} -# Setting tunnel MTU to {{ .Values.conf.node.FELIX_IPINIPMTU }} -{{- end -}} -{{- end -}} - - -{{/* CNI_MTU is >= than the IPIP mtu, usually the physical MTU of the system */}} -{{- if empty .Values.conf.node.CNI_MTU -}} -{{- $_ := set .Values.conf.node "CNI_MTU" .Values.networking.mtu -}} -{{- end -}} - - -{{- if empty .Values.conf.node.CALICO_IPV4POOL_CIDR -}} -{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_CIDR" .Values.networking.podSubnet -}} -{{- end -}} - - - -{{- $serviceAccountName := "calico-node" }} -{{ tuple $envAll "calico_node" $serviceAccountName | include 
"helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: calico-node -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: calico-node -subjects: -- kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ .Release.Namespace }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ $serviceAccountName }} -rules: - - apiGroups: [""] - resources: - - pods - - nodes - - namespaces - verbs: - - get - - apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["get"] ---- -# This manifest installs the calico/node container, as well -# as the Calico CNI plugins and network config on -# each master and worker node in a Kubernetes cluster. -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: calico-node - annotations: - {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} - labels: - k8s-app: calico-node -{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} -spec: - selector: - matchLabels: - k8s-app: calico-node -{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - labels: - k8s-app: calico-node -{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} - annotations: -{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} - configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} - configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} - configmap-bird-hash: {{ tuple "configmap-bird.yaml" . 
| include "helm-toolkit.utils.hash" }} -{{ dict "envAll" $envAll "podName" "calico-node" "containerNames" (list "calico-node") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} -{{- if .Values.monitoring.prometheus.enabled }} -{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }} -{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }} -{{- end }} - spec: -{{ dict "envAll" $envAll "application" "calico_node" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} - nodeSelector: - beta.kubernetes.io/os: linux - hostNetwork: true - priorityClassName: system-cluster-critical - tolerations: - # Make sure calico-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - - key: node.kubernetes.io/not-ready - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - serviceAccountName: {{ $serviceAccountName }} - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. 
- terminationGracePeriodSeconds: 0 - - initContainers: -{{ tuple $envAll "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} -{{ if .Values.manifests.daemonset_calico_node_calicoctl }} - - name: install-calicoctl -{{ tuple $envAll "calico_ctl" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ tuple $envAll $envAll.Values.pod.resources.calico_ctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_ctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - command: - - /tmp/install-calicoctl.sh - env: - - name: ETCD_ENDPOINTS - valueFrom: - configMapKeyRef: - name: calico-etc - key: etcd_endpoints -{{ if .Values.endpoints.etcd.auth.client.tls.ca }} - - name: ETCD_CA_CERT_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.ca }} - - name: ETCD_CA_CERT - valueFrom: - secretKeyRef: - name: calico-etcd-secrets - key: tls.ca -{{ end }} -{{ if .Values.endpoints.etcd.auth.client.tls.key }} - - name: ETCD_KEY_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.key }} - - name: ETCD_KEY - valueFrom: - secretKeyRef: - name: calico-etcd-secrets - key: tls.key -{{ end }} -{{ if .Values.endpoints.etcd.auth.client.tls.crt }} - - name: ETCD_CERT_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.crt }} - - name: ETCD_CERT - valueFrom: - secretKeyRef: - name: calico-etcd-secrets - key: tls.crt -{{ end }} - volumeMounts: - - name: pod-tmp - mountPath: /tmp - - mountPath: /host/etc/calico - name: calico-cert-dir - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - - mountPath: /tmp/install-calicoctl.sh - name: calico-bin - subPath: install-calicoctl.sh - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} - subPath: tls.ca - readOnly: true - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} - subPath: 
tls.crt - readOnly: true - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} - subPath: tls.key - readOnly: true -{{ end }} - # This container installs the Calico CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{ tuple $envAll "calico_cni" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ dict "envAll" $envAll "application" "calico_node" "container" "install_cni" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - command: ["/install-cni.sh"] - env: - # Prevents the container from sleeping forever. - - name: SLEEP - value: "false" - # Name of the CNI config file to create. - # - # NOTE: Calico v3 needs to end in .conflist; Calico v2 is - # different! - - name: CNI_CONF_NAME - value: "10-calico.conflist" - # The location of the Calico etcd cluster. - - name: ETCD_ENDPOINTS - valueFrom: - configMapKeyRef: - name: calico-etc - key: etcd_endpoints - # The CNI network config to install on each node. - - name: CNI_NETWORK_CONFIG - valueFrom: - configMapKeyRef: - name: calico-etc - key: cni_network_config - - - volumeMounts: - - name: pod-tmp - mountPath: /tmp - - name: cni-bin-dir - mountPath: /host/opt/cni/bin - - name: cni-net-dir - mountPath: /host/etc/cni/net.d -{{ if .Values.conf.etcd.credentials.ca }} - - name: calico-etcd-secrets - mountPath: /calico-secrets/etcd-ca - subPath: etcd.ca - readOnly: true -{{ end }} -{{ if .Values.conf.etcd.credentials.certificate }} - - name: calico-etcd-secrets - mountPath: /calico-secrets/etcd-cert - subPath: etcd.crt - readOnly: true -{{ end }} -{{ if .Values.conf.etcd.credentials.key }} - - name: calico-etcd-secrets - mountPath: /calico-secrets/etcd-key - subPath: etcd.key - readOnly: true -{{ end }} - volumes: - - name: pod-tmp - emptyDir: {} - # Used by calico/node. 
- - name: lib-modules - hostPath: - path: /lib/modules - - name: var-run-calico - hostPath: - path: /var/run/calico - - name: var-lib-calico - hostPath: - path: /var/lib/calico - - name: xtables-lock - hostPath: - path: /run/xtables.lock - type: FileOrCreate - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: /opt/cni/bin - - name: cni-net-dir - hostPath: - path: /etc/cni/net.d - - name: calico-cert-dir - hostPath: - path: /etc/calico - - name: calico-etc - configMap: - name: calico-etc - defaultMode: 0444 - - name: calico-bird - configMap: - name: calico-bird - defaultMode: 0444 - - name: calico-bin - configMap: - name: calico-bin - defaultMode: 0555 - - name: calico-etcd-secrets - secret: - secretName: calico-etcd-secrets - - - - - - containers: - # Runs calico/node container on each Kubernetes node. This - # container programs network policy and routes on each - # host. - - name: calico-node -{{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_node" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - env: - # Values expanded explicitly from conf.node (some of which - # might be derived from elsewhere, see values.yaml for an - # explanation of this) - # -{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.node | indent 12 }} - - # Values explicit in the chart not expected to be found in - # conf.node - # - - # The location of the Calico etcd cluster. 
- - name: ETCD_ENDPOINTS - valueFrom: - configMapKeyRef: - name: calico-etc - key: etcd_endpoints - - # etcd certs -{{ if .Values.endpoints.etcd.auth.client.tls.ca }} - - name: ETCD_CA_CERT_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.ca }} -{{ end }} -{{ if .Values.endpoints.etcd.auth.client.tls.key }} - - name: ETCD_KEY_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.key }} -{{ end }} -{{ if .Values.endpoints.etcd.auth.client.tls.crt }} - - name: ETCD_CERT_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.crt }} -{{ end }} - - # Set noderef for node controller. - - name: CALICO_K8S_NODE_REF - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - livenessProbe: - httpGet: - path: /liveness - port: 9099 - host: localhost - periodSeconds: 10 - initialDelaySeconds: 10 - failureThreshold: 6 - - # Only for Calico v3 - readinessProbe: - exec: - command: - - /bin/calico-node - - -bird-ready - - -felix-ready - periodSeconds: 10 - volumeMounts: - - name: pod-tmp - mountPath: /tmp - - mountPath: /lib/modules - name: lib-modules - readOnly: true - - mountPath: /run/xtables.lock - name: xtables-lock - readOnly: false - - mountPath: /var/run/calico - name: var-run-calico - readOnly: false - - # bird template replacements - # bird cfg - - mountPath: /etc/calico/confd/templates/bird.cfg.template - name: calico-bird - subPath: bird.cfg.template - # bird ipam - - mountPath: /etc/calico/confd/templates/bird_ipam.cfg.template - name: calico-bird - subPath: bird_ipam.cfg.template - # bird6 cfg - - mountPath: /etc/calico/confd/templates/bird6.cfg.template - name: calico-bird - subPath: bird6.cfg.template - # bird6 ipam - - mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template - name: calico-bird - subPath: bird6_ipam.cfg.template - # etcd secrets - - mountPath: /var/lib/calico - name: var-lib-calico - readOnly: false - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} - subPath: tls.ca - readOnly: true - - 
name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} - subPath: tls.crt - readOnly: true - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} - subPath: tls.key - readOnly: true - -{{- end }} diff --git a/calico/templates/deployment-calico-kube-controllers.yaml b/calico/templates/deployment-calico-kube-controllers.yaml deleted file mode 100644 index 133135220..000000000 --- a/calico/templates/deployment-calico-kube-controllers.yaml +++ /dev/null 
@@ -1,181 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.deployment_calico_kube_controllers }} -{{- $envAll := . }} - -{{- $serviceAccountName := "calico-kube-controllers" }} -{{ tuple $envAll "calico_kube_controllers" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ $serviceAccountName }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ $serviceAccountName }} -subjects: -- kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ .Release.Namespace }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ $serviceAccountName }} -rules: - - apiGroups: - - "" - - extensions - resources: - - pods - - namespaces - - networkpolicies - - nodes - - serviceaccounts - verbs: - - watch - - list - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - watch - - list ---- - -# This manifest deploys the Calico Kubernetes controllers. 
-# See https://github.com/projectcalico/kube-controllers -apiVersion: apps/v1 -kind: Deployment -metadata: - name: calico-kube-controllers - namespace: {{ .Release.Namespace }} - labels: - k8s-app: calico-kube-controllers -{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} - annotations: - {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} -spec: - priorityClassName: system-cluster-critical - # The controllers can only have a single active instance. - replicas: 1 - selector: - matchLabels: - k8s-app: calico-kube-controllers -{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} -{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }} - template: - metadata: - name: calico-kube-controllers - labels: - k8s-app: calico-kube-controllers -{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} - annotations: -{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} - configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} - configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} - spec: -{{ dict "envAll" $envAll "application" "kube_controllers" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} - nodeSelector: - beta.kubernetes.io/os: linux - # The controllers must run in the host network namespace so that - # it isn't governed by policy that would prevent it from working. - hostNetwork: true - tolerations: - # Mark the pod as a critical add-on for rescheduling. 
- - key: node.cloudprovider.kubernetes.io/uninitialized - value: "true" - effect: NoSchedule - - - key: CriticalAddonsOnly - operator: Exists - - key: node-role.kubernetes.io/master - effect: NoSchedule - - key: node-role.kubernetes.io/control-plane - effect: NoSchedule - - key: node.kubernetes.io/not-ready - operator: Exists - effect: NoSchedule - serviceAccountName: {{ $serviceAccountName }} - initContainers: -{{ tuple $envAll "calico_kube_controllers" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - containers: - - name: calico-kube-controllers -{{ tuple $envAll "calico_kube_controllers" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ tuple $envAll $envAll.Values.pod.resources.calico_kube_controllers | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "kube_controllers" "container" "kube_controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - env: - # The location of the Calico etcd cluster. 
- - name: ETCD_ENDPOINTS - valueFrom: - configMapKeyRef: - name: calico-etc - key: etcd_endpoints - - # conf.controllers expanded values -{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.controllers | indent 12 }} - -{{ if .Values.endpoints.etcd.auth.client.tls.ca }} - # etcd tls files - - name: ETCD_CA_CERT_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.ca }} -{{ end }} -{{ if .Values.endpoints.etcd.auth.client.tls.key }} - - name: ETCD_KEY_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.key }} -{{ end }} -{{ if .Values.endpoints.etcd.auth.client.tls.crt }} - - name: ETCD_CERT_FILE - value: {{ .Values.endpoints.etcd.auth.client.path.crt }} -{{ end }} - - # etcd tls mounts - volumeMounts: - - name: pod-tmp - mountPath: /tmp - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} - subPath: tls.ca - readOnly: true - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} - subPath: tls.crt - readOnly: true - - name: calico-etcd-secrets - mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} - subPath: tls.key - readOnly: true - - # Calico v3 only - readinessProbe: - exec: - command: - - /usr/bin/check-status - - -r - livenessProbe: - exec: - command: - - /usr/bin/check-status - - -r - volumes: - - name: pod-tmp - emptyDir: {} - - name: calico-etcd-secrets - secret: - secretName: calico-etcd-secrets - defaultMode: 0400 -{{- end }} diff --git a/calico/templates/etc/_bird-tar-deposit.base64.txt b/calico/templates/etc/_bird-tar-deposit.base64.txt deleted file mode 100644 index ae52c23f7..000000000 --- a/calico/templates/etc/_bird-tar-deposit.base64.txt +++ /dev/null @@ -1,2 +0,0 @@ -H4sIAJLrq1sCA+3IOwqFMABE0SwlS4jGxPVYvFIQP4W7N1ja+0A4p7nD/OZlP8O7UlOH4W7z7L27 -nEs/1lL62v4x5S7EFP7g2PZpjTEAAAAAAAAAAADAh1zOUd8NACgAAA== diff --git a/calico/templates/job-calico-settings.yaml b/calico/templates/job-calico-settings.yaml deleted file mode 100644 index 907504144..000000000 
--- a/calico/templates/job-calico-settings.yaml
+++ /dev/null
@@ -1,109 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.job_calico_settings }}
-{{- $envAll := . }}
-
-{{- $serviceAccountName := "calico-settings" }}
-{{ tuple $envAll "calico_settings" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: calico-settings
- labels:
-{{ tuple $envAll "calico" "calico_settings" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
- annotations:
- {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
-spec:
- template:
- metadata:
- annotations:
- configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
- configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
- labels:
-{{ tuple $envAll "calico" "calico_settings" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
- spec:
-{{ dict "envAll" $envAll "application" "calico_settings" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
- hostNetwork: true
- priorityClassName: system-cluster-critical
- tolerations:
- - key: node-role.kubernetes.io/control-plane
- effect: NoSchedule
- - key: node.kubernetes.io/not-ready
- operator: Exists
- effect: NoSchedule
- # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
- # This, along with the annotation above marks this pod as a critical add-on.
- - key: CriticalAddonsOnly
- operator: Exists
- serviceAccountName: {{ $serviceAccountName }}
- restartPolicy: OnFailure
- initContainers:
-{{ tuple $envAll "calico_settings" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- containers:
- - name: calico-settings
-{{ tuple $envAll "calico_settings" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ tuple $envAll $envAll.Values.pod.resources.calico_settings | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "calico_settings" "container" "calico_settings" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
- env:
- - name: ETCD_ENDPOINTS
- valueFrom:
- configMapKeyRef:
- name: calico-etc
- key: etcd_endpoints
-{{ if .Values.endpoints.etcd.auth.client.tls.ca }}
- - name: ETCD_CA_CERT_FILE
- value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
-{{ end }}
-{{ if .Values.endpoints.etcd.auth.client.tls.key }}
- - name: ETCD_KEY_FILE
- value: {{ .Values.endpoints.etcd.auth.client.path.key }}
-{{ end }}
-{{ if .Values.endpoints.etcd.auth.client.tls.crt }}
- - name: ETCD_CERT_FILE
- value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
-{{ end }}
- command:
- - /tmp/calico-settings.sh
- volumeMounts:
- - name: pod-tmp
- mountPath: /tmp
- - name: calico-bin
- mountPath: /tmp/calico-settings.sh
- subPath: calico-settings.sh
- readOnly: true
- - name: calico-etcd-secrets
- mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
- subPath: tls.ca
- readOnly: true
- - name: calico-etcd-secrets
- mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
- subPath: tls.crt
- readOnly: true
- - name: calico-etcd-secrets
- mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
- subPath: tls.key
- readOnly: true
- volumes:
- - name: pod-tmp
- emptyDir: {}
- - name: calico-bin
- configMap:
- name: calico-bin
- defaultMode: 0555
- - name: calico-etcd-secrets
- secret:
- secretName: calico-etcd-secrets
-{{- end }}
diff --git a/calico/templates/job-image-repo-sync.yaml b/calico/templates/job-image-repo-sync.yaml
deleted file mode 100644
index 89b755f79..000000000
--- a/calico/templates/job-image-repo-sync.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
-
-{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "calico" -}}
-{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
-{{- end }}
diff --git a/calico/templates/secret-etcd-certificates.yaml b/calico/templates/secret-etcd-certificates.yaml
deleted file mode 100644
index db7b26976..000000000
--- a/calico/templates/secret-etcd-certificates.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.secret_certificates }}
-{{- $envAll := . }}
----
-
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/tls
-metadata:
- name: calico-etcd-secrets
-data:
- tls.ca: {{ .Values.endpoints.etcd.auth.client.tls.ca | default "" | b64enc }}
- tls.key: {{ .Values.endpoints.etcd.auth.client.tls.key | default "" | b64enc }}
- tls.crt: {{ .Values.endpoints.etcd.auth.client.tls.crt | default "" | b64enc }}
- etcd.ca: {{ .Values.conf.etcd.credentials.ca | default "" | b64enc }}
- etcd.crt: {{ .Values.conf.etcd.credentials.certificate | default "" | b64enc }}
- etcd.key: {{ .Values.conf.etcd.credentials.key | default "" | b64enc }}
-{{- end }}
diff --git a/calico/templates/secret-registry.yaml b/calico/templates/secret-registry.yaml
deleted file mode 100644
index da979b322..000000000
--- a/calico/templates/secret-registry.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
-{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
-{{- end }}
diff --git a/calico/templates/service-calico-etcd.yaml b/calico/templates/service-calico-etcd.yaml
deleted file mode 100644
index b51b05cc1..000000000
--- a/calico/templates/service-calico-etcd.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.service_calico_etcd }}
-{{- $envAll := . }}
----
-# This manifest installs the Service which gets traffic to the Calico
-# etcd.
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- k8s-app: calico-etcd
-{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
- name: {{ tuple "etcd" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-spec:
- # Select the calico-etcd pod running on the master.
- selector:
- k8s-app: calico-etcd
-{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
- # This ClusterIP needs to be known in advance, since we cannot rely
- # on DNS to get access to etcd.
- clusterIP: {{ tuple "etcd" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
- ports:
- - port: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{- end }}
diff --git a/calico/values.yaml b/calico/values.yaml
deleted file mode 100644
index a0a10ad36..000000000
--- a/calico/values.yaml
+++ /dev/null
@@ -1,595 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -images: - tags: - # These are minimum versions, older images will very likely not - # work - calico_etcd: quay.io/coreos/etcd:v3.5.9 - calico_node: quay.io/calico/node:v3.25.1 - calico_cni: quay.io/calico/cni:v3.25.1 - calico_ctl: calico/ctl:v3.25.1 - calico_settings: calico/ctl:v3.25.1 - # NOTE: plural key, singular value - calico_kube_controllers: quay.io/calico/kube-controllers:v3.25.1 - dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0 - image_repo_sync: docker.io/library/docker:24.0.1 - pull_policy: IfNotPresent - local_registry: - active: false - exclude: - - dep_check - - image_repo_sync - - calico_etcd - - calico_node - - calico_cni - - calico_kube_controllers - -pod: - security_context: - etcd: - pod: - runAsUser: 0 - container: - calico_etcd: - readOnlyRootFilesystem: false - calico_node: - pod: - runAsUser: 0 - container: - calico_ctl: - readOnlyRootFilesystem: false - install_cni: - readOnlyRootFilesystem: false - calico_node: - readOnlyRootFilesystem: false - capabilities: - add: - - 'NET_ADMIN' - - 'SYS_ADMIN' - kube_controllers: - pod: - runAsUser: 0 - container: - kube_controller: - readOnlyRootFilesystem: false - calico_settings: - pod: - runAsUser: 0 - container: - calico_settings: - readOnlyRootFilesystem: false - resources: - enabled: false - jobs: - image_repo_sync: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "1024Mi" - cpu: "2000m" - calico_settings: 
- requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "1024Mi" - cpu: "2000m" - calico_kube_controllers: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "1024Mi" - cpu: "2000m" - calico_node: - requests: - memory: "128Mi" - cpu: "250m" - limits: - memory: "1024Mi" - cpu: "2000m" - calico_cni: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "1024Mi" - cpu: "2000m" - calico_ctl: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "1024Mi" - cpu: "2000m" - calico_etcd: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "1024Mi" - cpu: "2000m" - lifecycle: - upgrades: - deployments: - revision_history: 3 - pod_replacement_strategy: RollingUpdate - rolling_update: - max_unavailable: 1 - max_surge: 3 - disruption_budget: - controllers: - min_available: 0 - mandatory_access_control: - type: apparmor - calico-node: - calico-node: runtime/default - -dependencies: - dynamic: - common: - local_image_registry: - jobs: - - calico-image-repo-sync - services: - - endpoint: node - service: local_image_registry - static: - calico_kube_controllers: - services: - - endpoint: internal - service: calico-etcd - calico_node: - services: - - endpoint: internal - service: calico-etcd - calico_settings: - services: - - endpoint: internal - service: calico-etcd - calico_etcd: - services: null - image_repo_sync: - services: - - endpoint: internal - service: local_image_registry - -secrets: - oci_image_registry: - calico: calico-oci-image-registry - -endpoints: - cluster_domain_suffix: cluster.local - local_image_registry: - name: docker-registry - namespace: docker-registry - hosts: - default: localhost - internal: docker-registry - node: localhost - host_fqdn_override: - default: null - port: - registry: - node: 5000 - oci_image_registry: - name: oci-image-registry - namespace: oci-image-registry - auth: - enabled: false - calico: - username: calico - password: password - hosts: - default: localhost - host_fqdn_override: - 
default: null - port: - registry: - default: null - etcd: - auth: - client: - tls: - crt: null - ca: null - key: null - path: - # these must be within /etc/calico - crt: /etc/calico/pki/crt - ca: /etc/calico/pki/ca - key: /etc/calico/pki/key - scheme: - default: http - path: - default: ' ' # space required to provide a truly empty path - hosts: - default: 10.96.232.136 - host_fqdn_override: - default: null - service: - name: null - port: - client: - default: 6666 - peer: - default: 6667 - -monitoring: - prometheus: - enabled: true - calico_node: - scrape: true - port: 9091 - -networking: - podSubnet: 192.168.0.0/16 - # Physical MTU, if ipip is enabled, the chart will adjust things downward - mtu: 1500 - - settings: - mesh: "on" - # technically this could be a list, today we only support a single - # podSubnet, the one above. The settings below will be applied to - # that ipPool - ippool: - ipip: - enabled: true - nat_outgoing: true - disabled: false - - bgp: - # our asnumber for bgp peering - asnumber: 64512 - ipv4: - # https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/bgppeer - # - # this is a list of peer objects that will be passed directly to - # calicoctl - for global peers, the scope should be global and - # the node attribute removed - # - # apiVersion: projectcalico.org/v3 - # kind: BGPPeer - # metadata: - # name: some.name - # spec: - # node: rack1-host1 - # peerIP: 10.1.10.39 - # asNumber: 64512 - peers: [] - # this is a list of additional IPv4 cidrs that if we discover - # IPs within them on a host, we will announce the address in - # addition to traditional pod workloads - additional_cidrs: [] - # community_cidr_ref contains embedded objects that describe a - # BGP community that is to be associated with the supplied CIDR. - # The top-level key names are not important. 
- # - # The resulting BGP community will take the form of - # : - # If no prefix is specified then the asnumber is used - community_cidr_ref: -# cidr_community_description: -# cidr: 192.168.0.0/16 -# community: 54321 -# prefix: 55555 -# alpha: -# cidr: 10.0.0.0/16 -# community: 54322 - port: - neighbor: 179 - listen: 179 - ipv6: - # https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/bgppeer - # - # this is a list of peer objects that will be passed directly to - # calicoctl - for global peers, the scope should be global and - # the node attribute removed - # - # apiVersion: projectcalico.org/v3 - # kind: BGPPeer - # metadata: - # name: some.name - # spec: - # node: rack1-host1 - # peerIP: 2600:1:2:3::abcd - # asNumber: 64512 - peers: [] - # this is a list of additional IPv6 cidrs that if we discover - # IPs within them on a host, we will announce them in addition - # to traditional pod workloads - additional_cidrs: [] - # community_cidr_ref contains embedded objects that describe a - # BGP community that is to be associated with the supplied CIDR. - # The top-level key names are not important. - # - # The resulting BGP community will take the form of - # : - # If no prefix is specified then the asnumber is used - community_cidr_ref: -# cidr_community_description: -# cidr: 2600:1:2:3::abcd/28 -# community: 54321 -# prefix: 55555 -# alpha: -# cidr: 1400:a:2:3::abcd/26 -# community: 54322 - port: - neighbor: 179 - listen: 179 - - # Policy contains embedded Calico policy and/or endpoint objects. - # Because lists are cumbersome to deal with this is stuctured as a - # dictionary (therefore not ordered). The top-level key names are - # not important, priority contains a value between 0 and 9 inclusive - # and rules contains any objects (typically used as rules). - # Priority 0 objects are emitted before priority 9. It is - # recommended any rules such as HostEndpoint be given a higher - # priority so that they are applied after more generic objects. 
- # Priority values outside of integers 0 through 9 are not valid and - # should not be used. - policy: - # alpha: - # priority: 0 - # rules: - # - apiVersion: projectcalico.org/v3 - # kind: GlobalNetworkPolicy - # metadata: - # name: allow-tcp-6379 - # spec: - # order: 0 - # selector: role == 'database' - # types: - # - Ingress - # - Egress - # ingress: - # - action: Allow - # protocol: TCP - # source: - # selector: role == 'frontend' - # destination: - # ports: - # - 6379 - # egress: - # - action: Allow - # - apiVersion: projectcalico.org/v3 - # kind: GlobalNetworkPolicy - # metadata: - # name: allow-tcp-3306 - # spec: - # order: 1 - # selector: role == 'database' - # types: - # - Ingress - # - Egress - # ingress: - # - action: Allow - # protocol: TCP - # source: - # selector: role == 'frontend' - # destination: - # ports: - # - 3306 - # egress: - # - action: Allow - - # beta: - # priority: 1 - # rules: - # - apiVersion: projectcalico.org/v3 - # kind: NetworkPolicy - # metadata: - # name: allow-tcp-6379 - # namespace: production - # spec: - # selector: role == 'database' - # types: - # - Ingress - # - Egress - # ingress: - # - action: Allow - # protocol: TCP - # source: - # selector: role == 'frontend' - # destination: - # ports: - # - 6379 - # egress: - # - action: Allow - # - apiVersion: projectcalico.org/v3 - # kind: NetworkPolicy - # metadata: - # name: allow-tcp-8081 - # namespace: production - # spec: - # selector: role == 'webthing' - # types: - # - Ingress - # - Egress - # ingress: - # - action: Allow - # protocol: TCP - # source: - # selector: role == 'frontend' - # destination: - # ports: - # - 8081 - # egress: - # - action: Allow - - # zulu: - # priority: 9 - # rules: - # - apiVersion: projectcalico.org/v3 - # kind: HostEndpoint - # metadata: - # name: first.thing - # labels: - # type: production - # spec: - # interfaceName: eth0 - # node: mysecrethost - # expectedIPs: - # - 192.168.0.1 - # - 192.168.0.2 - # profiles: - # - profile1 - # - profile2 - # 
ports: - # - name: some-port - # port: 1234 - # protocol: TCP - # - name: another-port - # port: 5432 - # protocol: UDP - # - apiVersion: projectcalico.org/v3 - # kind: HostEndpoint - # metadata: - # name: second.thing - # labels: - # type: production - # spec: - # interfaceName: eth1 - # node: myothersecrethost - # expectedIPs: - # - 192.168.1.1 - # - 192.168.1.2 - # profiles: - # - profile1 - # - profile2 - # ports: - # - name: some-port - # port: 1234 - # protocol: TCP - # - name: another-port - # port: 5432 - # protocol: UDP - -conf: - etcd: - credentials: - ca: null - key: null - certificate: null - # NOTE; syntax has subtly changed since Calico v2. For Armada *all* - # of this needes to be specified. We're using yaml here which we - # can't robustly convert to json (which the node pod requires) so it - # might be we revisit that and embedded a json string that gets - # edits - cni_network_config: - # https://docs.projectcalico.org/v3.4/reference/cni-plugin/configuration - # - # other than the etcd_* keys you likely want to leave this as-is - name: k8s-pod-network - cniVersion: 0.3.0 - plugins: - - type: calico - log_level: info - etcd_endpoints: __ETCD_ENDPOINTS__ - etcd_key_file: __ETCD_KEY_FILE__ - etcd_cert_file: __ETCD_CERT_FILE__ - etcd_ca_cert_file: __ETCD_CA_CERT_FILE__ - ipam: - type: calico-ipam - policy: - type: k8s - kubernetes: - kubeconfig: __KUBECONFIG_FILEPATH__ - - type: portmap - snat: true - capabilities: - portMappings: true - controllers: - # The location of the Kubernetes API. Use the default Kubernetes - # service for API access. 
- K8S_API: "https://kubernetes.default:443" - # Choose which controllers to run, see - # https://docs.projectcalico.org//v3.4/reference/kube-controllers/configuration - # for an explanation of each - ENABLED_CONTROLLERS: "policy,namespace,serviceaccount,workloadendpoint,node" - # Since we're running in the host namespace and might not have KubeDNS - # access, configure the container's /etc/hosts to resolve - # kubernetes.default to the correct service clusterIP. - CONFIGURE_ETC_HOSTS: true - - node: - # for specific details see - # https://docs.projectcalico.org/v3.4/reference/node/configuration - name: k8s-pod-network - # Cluster type to identify the deployment type - # NOTE: v2 had a list ... v3 a comma separated string - CLUSTER_TYPE: "k8s,bgp" - # Describes which BGP networking backend to use gobgp, bird, none. - # Default is bird. NOTE(alanmeadows) today this chart only - # supports applying the bgp customizations to bird templates - in - # the future we may support gobgp as well - CALICO_NETWORKING_BACKEND: bird - # Location of the CA certificate for etcd. - ETCD_CA_CERT_FILE: "" - # Location of the client key for etcd. - ETCD_KEY_FILE: "" - # Location of the client certificate for etcd. - ETCD_CERT_FILE: "" - # Disable file logging so `kubectl logs` works. - CALICO_DISABLE_FILE_LOGGING: true - # Set Felix endpoint to host default action to ACCEPT. - # early/startup log level for calico-node on startup. - CALICO_STARTUP_LOGLEVEL: "Info" - FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT" - # Configure the IP Pool from which Pod IPs will be chosen; it's - # recommended you leave this as null and the value from - # networking.podSubnet will be used - CALICO_IPV4POOL_CIDR: null - # See https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/ippool - CALICO_IPV4POOL_BLOCKSIZE: 26 - # Change this to 'Never' in environments with direct L2 - # communication (such that tunnels are not needed for pods on - # different hosts to communicate with each otehr). 
- CALICO_IPV4POOL_IPIP: "Always"
- # Disable IPv6 on Kubernetes.
- FELIX_IPV6SUPPORT: false
- # Set MTU for tunnel device used if ipip is enabled, it's
- # recommended you leave this as null and an appropriate value will
- # be set based on tunneling mode and the networking.mtu value
- FELIX_IPINIPMTU: null
- # Set Felix logging; also (ab)used for bgp configuration
- FELIX_LOGSEVERITYSCREEN: "Info"
- FELIX_HEALTHENABLED: true
- # Set Felix experimental Prometheus metrics server
- FELIX_PROMETHEUSMETRICSENABLED: true
- FELIX_PROMETHEUSMETRICSPORT: "9091"
- # Auto-detect the BGP IP address.
- IP: ""
- # Detection of source interface for routing
- # options include
- # can-reach=DESTINATION
- # interface=INTERFACE-REGEX
- IP_AUTODETECTION_METHOD: first-found
- IPV6_AUTODETECTION_METHOD: first-found
-
-manifests:
- configmap_bin: true
- configmap_etc: true
- configmap_bird: true
- daemonset_calico_etcd: true
- daemonset_calico_node: true
- daemonset_calico_node_calicoctl: true
- deployment_calico_kube_controllers: true
- job_image_repo_sync: true
- job_calico_settings: true
- service_calico_etcd: true
- secret_certificates: true
- secret_registry: true
-...
diff --git a/releasenotes/notes/calico.yaml b/releasenotes/notes/calico.yaml
deleted file mode 100644
index f83036e40..000000000
--- a/releasenotes/notes/calico.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-calico:
- - 0.1.0 Initial Chart
- - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
- - 0.1.2 Use full image ref for docker official images
- - 0.1.3 Helm 3 - Fix Job labels
- - 0.1.4 Update htk requirements
- - 0.1.5 Added OCI registry authentication
- - 0.1.6 Replace node-role.kubernetes.io/master with control-plane
- - 0.1.7 Update calico to v3.25.1
- - 0.1.8 replace scheduler.alpha.kubernetes.io/critical-pod with priorityClassName
-...