# Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. --- images: tags: # These are minimum versions, older images will very likely not # work calico_etcd: quay.io/coreos/etcd:v3.5.9 calico_node: quay.io/calico/node:v3.25.1 calico_cni: quay.io/calico/cni:v3.25.1 calico_ctl: calico/ctl:v3.25.1 calico_settings: calico/ctl:v3.25.1 # NOTE: plural key, singular value calico_kube_controllers: quay.io/calico/kube-controllers:v3.25.1 dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0 image_repo_sync: docker.io/library/docker:24.0.1 pull_policy: IfNotPresent local_registry: active: false exclude: - dep_check - image_repo_sync - calico_etcd - calico_node - calico_cni - calico_kube_controllers pod: security_context: etcd: pod: runAsUser: 0 container: calico_etcd: readOnlyRootFilesystem: false calico_node: pod: runAsUser: 0 container: calico_ctl: readOnlyRootFilesystem: false install_cni: readOnlyRootFilesystem: false calico_node: readOnlyRootFilesystem: false capabilities: add: - 'NET_ADMIN' - 'SYS_ADMIN' kube_controllers: pod: runAsUser: 0 container: kube_controller: readOnlyRootFilesystem: false calico_settings: pod: runAsUser: 0 container: calico_settings: readOnlyRootFilesystem: false resources: enabled: false jobs: image_repo_sync: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" calico_settings: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" calico_kube_controllers: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" calico_node: requests: memory: "128Mi" cpu: "250m" limits: memory: "1024Mi" cpu: "2000m" calico_cni: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" calico_ctl: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" calico_etcd: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" lifecycle: upgrades: deployments: revision_history: 3 pod_replacement_strategy: RollingUpdate rolling_update: max_unavailable: 1 max_surge: 3 disruption_budget: controllers: min_available: 0 mandatory_access_control: type: apparmor calico-node: calico-node: runtime/default dependencies: dynamic: common: local_image_registry: jobs: - calico-image-repo-sync services: - endpoint: node service: local_image_registry static: calico_kube_controllers: services: - endpoint: internal service: calico-etcd calico_node: services: - endpoint: internal service: calico-etcd calico_settings: services: - endpoint: internal service: calico-etcd calico_etcd: services: null image_repo_sync: services: - endpoint: internal service: local_image_registry secrets: oci_image_registry: calico: calico-oci-image-registry endpoints: cluster_domain_suffix: cluster.local local_image_registry: name: docker-registry namespace: docker-registry hosts: default: localhost internal: docker-registry node: localhost host_fqdn_override: default: null port: registry: node: 5000 oci_image_registry: name: oci-image-registry namespace: oci-image-registry auth: enabled: false calico: username: calico password: password hosts: default: localhost host_fqdn_override: default: null port: registry: default: null etcd: auth: client: tls: crt: null ca: null key: null path: # these must be within /etc/calico crt: /etc/calico/pki/crt ca: /etc/calico/pki/ca key: /etc/calico/pki/key scheme: default: http path: default: ' ' # space required to provide a truly empty path hosts: default: 10.96.232.136 host_fqdn_override: default: null service: name: null port: client: default: 6666 peer: default: 6667 monitoring: prometheus: enabled: true calico_node: scrape: true port: 9091 networking: podSubnet: 192.168.0.0/16 # Physical MTU, if ipip is enabled, the chart will adjust things downward mtu: 1500 settings: mesh: "on" # technically this could be a list, today we only support a single # podSubnet, the one above. The settings below will be applied to # that ipPool ippool: ipip: enabled: true nat_outgoing: true disabled: false bgp: # our asnumber for bgp peering asnumber: 64512 ipv4: # https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/bgppeer # # this is a list of peer objects that will be passed directly to # calicoctl - for global peers, the scope should be global and # the node attribute removed # # apiVersion: projectcalico.org/v3 # kind: BGPPeer # metadata: # name: some.name # spec: # node: rack1-host1 # peerIP: 10.1.10.39 # asNumber: 64512 peers: [] # this is a list of additional IPv4 cidrs that if we discover # IPs within them on a host, we will announce the address in # addition to traditional pod workloads additional_cidrs: [] # community_cidr_ref contains embedded objects that describe a # BGP community that is to be associated with the supplied CIDR. # The top-level key names are not important. # # The resulting BGP community will take the form of # : # If no prefix is specified then the asnumber is used community_cidr_ref: # cidr_community_description: # cidr: 192.168.0.0/16 # community: 54321 # prefix: 55555 # alpha: # cidr: 10.0.0.0/16 # community: 54322 port: neighbor: 179 listen: 179 ipv6: # https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/bgppeer # # this is a list of peer objects that will be passed directly to # calicoctl - for global peers, the scope should be global and # the node attribute removed # # apiVersion: projectcalico.org/v3 # kind: BGPPeer # metadata: # name: some.name # spec: # node: rack1-host1 # peerIP: 2600:1:2:3::abcd # asNumber: 64512 peers: [] # this is a list of additional IPv6 cidrs that if we discover # IPs within them on a host, we will announce them in addition # to traditional pod workloads additional_cidrs: [] # community_cidr_ref contains embedded objects that describe a # BGP community that is to be associated with the supplied CIDR. # The top-level key names are not important. # # The resulting BGP community will take the form of # : # If no prefix is specified then the asnumber is used community_cidr_ref: # cidr_community_description: # cidr: 2600:1:2:3::abcd/28 # community: 54321 # prefix: 55555 # alpha: # cidr: 1400:a:2:3::abcd/26 # community: 54322 port: neighbor: 179 listen: 179 # Policy contains embedded Calico policy and/or endpoint objects. # Because lists are cumbersome to deal with this is stuctured as a # dictionary (therefore not ordered). The top-level key names are # not important, priority contains a value between 0 and 9 inclusive # and rules contains any objects (typically used as rules). # Priority 0 objects are emitted before priority 9. It is # recommended any rules such as HostEndpoint be given a higher # priority so that they are applied after more generic objects. # Priority values outside of integers 0 through 9 are not valid and # should not be used. policy: # alpha: # priority: 0 # rules: # - apiVersion: projectcalico.org/v3 # kind: GlobalNetworkPolicy # metadata: # name: allow-tcp-6379 # spec: # order: 0 # selector: role == 'database' # types: # - Ingress # - Egress # ingress: # - action: Allow # protocol: TCP # source: # selector: role == 'frontend' # destination: # ports: # - 6379 # egress: # - action: Allow # - apiVersion: projectcalico.org/v3 # kind: GlobalNetworkPolicy # metadata: # name: allow-tcp-3306 # spec: # order: 1 # selector: role == 'database' # types: # - Ingress # - Egress # ingress: # - action: Allow # protocol: TCP # source: # selector: role == 'frontend' # destination: # ports: # - 3306 # egress: # - action: Allow # beta: # priority: 1 # rules: # - apiVersion: projectcalico.org/v3 # kind: NetworkPolicy # metadata: # name: allow-tcp-6379 # namespace: production # spec: # selector: role == 'database' # types: # - Ingress # - Egress # ingress: # - action: Allow # protocol: TCP # source: # selector: role == 'frontend' # destination: # ports: # - 6379 # egress: # - action: Allow # - apiVersion: projectcalico.org/v3 # kind: NetworkPolicy # metadata: # name: allow-tcp-8081 # namespace: production # spec: # selector: role == 'webthing' # types: # - Ingress # - Egress # ingress: # - action: Allow # protocol: TCP # source: # selector: role == 'frontend' # destination: # ports: # - 8081 # egress: # - action: Allow # zulu: # priority: 9 # rules: # - apiVersion: projectcalico.org/v3 # kind: HostEndpoint # metadata: # name: first.thing # labels: # type: production # spec: # interfaceName: eth0 # node: mysecrethost # expectedIPs: # - 192.168.0.1 # - 192.168.0.2 # profiles: # - profile1 # - profile2 # ports: # - name: some-port # port: 1234 # protocol: TCP # - name: another-port # port: 5432 # protocol: UDP # - apiVersion: projectcalico.org/v3 # kind: HostEndpoint # metadata: # name: second.thing # labels: # type: production # spec: # interfaceName: eth1 # node: myothersecrethost # expectedIPs: # - 192.168.1.1 # - 192.168.1.2 # profiles: # - profile1 # - profile2 # ports: # - name: some-port # port: 1234 # protocol: TCP # - name: another-port # port: 5432 # protocol: UDP conf: etcd: credentials: ca: null key: null certificate: null # NOTE; syntax has subtly changed since Calico v2. For Armada *all* # of this needes to be specified. We're using yaml here which we # can't robustly convert to json (which the node pod requires) so it # might be we revisit that and embedded a json string that gets # edits cni_network_config: # https://docs.projectcalico.org/v3.4/reference/cni-plugin/configuration # # other than the etcd_* keys you likely want to leave this as-is name: k8s-pod-network cniVersion: 0.3.0 plugins: - type: calico log_level: info etcd_endpoints: __ETCD_ENDPOINTS__ etcd_key_file: __ETCD_KEY_FILE__ etcd_cert_file: __ETCD_CERT_FILE__ etcd_ca_cert_file: __ETCD_CA_CERT_FILE__ ipam: type: calico-ipam policy: type: k8s kubernetes: kubeconfig: __KUBECONFIG_FILEPATH__ - type: portmap snat: true capabilities: portMappings: true controllers: # The location of the Kubernetes API. Use the default Kubernetes # service for API access. K8S_API: "https://kubernetes.default:443" # Choose which controllers to run, see # https://docs.projectcalico.org//v3.4/reference/kube-controllers/configuration # for an explanation of each ENABLED_CONTROLLERS: "policy,namespace,serviceaccount,workloadendpoint,node" # Since we're running in the host namespace and might not have KubeDNS # access, configure the container's /etc/hosts to resolve # kubernetes.default to the correct service clusterIP. CONFIGURE_ETC_HOSTS: true node: # for specific details see # https://docs.projectcalico.org/v3.4/reference/node/configuration name: k8s-pod-network # Cluster type to identify the deployment type # NOTE: v2 had a list ... v3 a comma separated string CLUSTER_TYPE: "k8s,bgp" # Describes which BGP networking backend to use gobgp, bird, none. # Default is bird. NOTE(alanmeadows) today this chart only # supports applying the bgp customizations to bird templates - in # the future we may support gobgp as well CALICO_NETWORKING_BACKEND: bird # Location of the CA certificate for etcd. ETCD_CA_CERT_FILE: "" # Location of the client key for etcd. ETCD_KEY_FILE: "" # Location of the client certificate for etcd. ETCD_CERT_FILE: "" # Disable file logging so `kubectl logs` works. CALICO_DISABLE_FILE_LOGGING: true # Set Felix endpoint to host default action to ACCEPT. # early/startup log level for calico-node on startup. CALICO_STARTUP_LOGLEVEL: "Info" FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT" # Configure the IP Pool from which Pod IPs will be chosen; it's # recommended you leave this as null and the value from # networking.podSubnet will be used CALICO_IPV4POOL_CIDR: null # See https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/ippool CALICO_IPV4POOL_BLOCKSIZE: 26 # Change this to 'Never' in environments with direct L2 # communication (such that tunnels are not needed for pods on # different hosts to communicate with each otehr). CALICO_IPV4POOL_IPIP: "Always" # Disable IPv6 on Kubernetes. FELIX_IPV6SUPPORT: false # Set MTU for tunnel device used if ipip is enabled, it's # recommended you leave this as null and an appropriate value will # be set based on tunneling mode and the networking.mtu value FELIX_IPINIPMTU: null # Set Felix logging; also (ab)used for bgp configuration FELIX_LOGSEVERITYSCREEN: "Info" FELIX_HEALTHENABLED: true # Set Felix experimental Prometheus metrics server FELIX_PROMETHEUSMETRICSENABLED: true FELIX_PROMETHEUSMETRICSPORT: "9091" # Auto-detect the BGP IP address. IP: "" # Detection of source interface for routing # options include # can-reach=DESTINATION # interface=INTERFACE-REGEX IP_AUTODETECTION_METHOD: first-found IPV6_AUTODETECTION_METHOD: first-found manifests: configmap_bin: true configmap_etc: true configmap_bird: true daemonset_calico_etcd: true daemonset_calico_node: true daemonset_calico_node_calicoctl: true deployment_calico_kube_controllers: true job_image_repo_sync: true job_calico_settings: true service_calico_etcd: true secret_certificates: true secret_registry: true ...