openstack
/
openstack-helm-infra
Code Issues Proposed changes
openstack-helm-infra/calico/templates/daemonset-calico-node.yaml

312 lines
12 KiB
YAML
Raw Blame History

{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.daemonset_calico_node }}
{{- $envAll := . }}
{{- if empty .Values.conf.node.CALICO_IPV4POOL_CIDR -}}
{{- set .Values.conf.node "CALICO_IPV4POOL_CIDR" .Values.networking.podSubnet | quote | trunc 0 -}}
{{- end -}}
{{- if empty .Values.conf.node.FELIX_IPINIPMTU -}}
{{/*
#NOTE(portdirect): to err on the side of caution we subtract 20 from the physical
# MTU to account for IPIP overhead unless explicty turned off.
*/}}
{{- if eq .Values.conf.node.CALICO_IPV4POOL_IPIP "off" -}}
{{- set .Values.conf.node "FELIX_IPINIPMTU" .Values.networking.mtu | quote | trunc 0 -}}
{{- else -}}
{{- set .Values.conf.node "FELIX_IPINIPMTU" (sub .Values.networking.mtu 20) | quote | trunc 0 -}}
{{- end -}}
{{- end -}}
{{- if .Values.images.local_registry.active -}}
{{- $_ := set .Values "pod_dependency" dict -}}
{{- $_ := include "helm-toolkit.utils.merge" (tuple .Values.pod_dependency .Values.dependencies.static.calico_node .Values.dependencies.dynamic.common.local_image_registry) -}}
{{- else -}}
{{- $_ := set .Values "pod_dependency" .Values.dependencies.static.calico_node -}}
{{- end -}}
{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }}
{{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-cni-plugin"}}
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: calico-cni-plugin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $serviceAccountName }}
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ .Release.Namespace }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: {{ $serviceAccountName }}
rules:
- apiGroups: [""]
resources:
- pods
- nodes
verbs:
- get
---
# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
name: calico-node
namespace: kube-system
labels:
k8s-app: calico-node
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
selector:
matchLabels:
k8s-app: calico-node
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
template:
metadata:
labels:
k8s-app: calico-node
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
# reserves resources for critical add-on pods so that they can be rescheduled after
# a failure. This annotation works in tandem with the toleration below.
scheduler.alpha.kubernetes.io/critical-pod: ''
{{- if .Values.monitoring.prometheus.enabled }}
{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
{{- end }}
spec:
hostNetwork: true
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
# This, along with the annotation above marks this pod as a critical add-on.
- key: CriticalAddonsOnly
operator: Exists
serviceAccountName: {{ $serviceAccountName }}
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.node.timeout | default "30" }}
initContainers:
{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
# Runs calico/node container on each Kubernetes node. This
# container programs network policy and routes on each
# host.
- name: calico-node
{{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.node | indent 12 }}
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-etc
key: etcd_endpoints
# Set noderef for node controller.
- name: CALICO_K8S_NODE_REF
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{ if .Values.endpoints.etcd.auth.client.tls.ca}}
- name: ETCD_CA_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.key}}
- name: ETCD_KEY_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.key }}
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.crt}}
- name: ETCD_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
{{ end }}
securityContext:
privileged: true
volumeMounts:
- mountPath: /lib/modules
name: lib-modules
readOnly: true
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
- mountPath: /etc/calico/confd/templates/bird6.cfg.mesh.template
name: calico-etc
subPath: bird6.cfg.mesh.template
- mountPath: /etc/calico/confd/templates/bird6.cfg.no-mesh.template
name: calico-etc
subPath: bird6.cfg.no-mesh.template
- mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template
name: calico-etc
subPath: bird6_ipam.cfg.template
- mountPath: /etc/calico/confd/templates/bird_aggr.cfg.template
name: calico-etc
subPath: bird_aggr.cfg.template
- mountPath: /etc/calico/confd/templates/bird.cfg.mesh.template
name: calico-etc
subPath: bird.cfg.mesh.template
- mountPath: /etc/calico/confd/templates/bird.cfg.no-mesh.template
name: calico-etc
subPath: bird.cfg.no-mesh.template
- mountPath: /etc/calico/confd/templates/bird_ipam.cfg.template
name: calico-etc
subPath: bird_ipam.cfg.template
- mountPath: /etc/calico/confd/templates/custom_filters6.cfg.template
name: calico-etc
subPath: custom_filters6.cfg.template
- mountPath: /etc/calico/confd/templates/custom_filters.cfg.template
name: calico-etc
subPath: custom_filters.cfg.template
- mountPath: /etc/calico/confd/templates/tunl-ip.template
name: calico-etc
subPath: tunl-ip.template
- name: calico-certificates
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
subPath: tls.ca
readOnly: true
- name: calico-certificates
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
subPath: tls.crt
readOnly: true
- name: calico-certificates
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
subPath: tls.key
readOnly: true
# This container installs the Calico CNI binaries
# and CNI network config file on each node.
- name: install-cni
{{ tuple $envAll "calico_cni" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_cni | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command: ["/install-cni.sh"]
env:
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-etc
key: etcd_endpoints
# The CNI network config to install on each node.
- name: CNI_NETWORK_CONFIG
valueFrom:
configMapKeyRef:
name: calico-etc
key: cni_network_config
volumeMounts:
- name: cni-bin-dir
mountPath: /host/opt/cni/bin
- name: cni-net-dir
mountPath: /host/etc/cni/net.d
{{ if .Values.manifests.daemonset_calico_node_calicoctl }}
- name: install-calicoctl
{{ tuple $envAll "calico_ctl" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_ctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- /tmp/install-calicoctl.sh
env:
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-etc
key: etcd_endpoints
{{ if .Values.endpoints.etcd.auth.client.tls.ca}}
- name: ETCD_CA_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
- name: ETCD_CA_CERT
valueFrom:
secretKeyRef:
name: calico-certificates
key: tls.ca
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.key}}
- name: ETCD_KEY_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.key }}
- name: ETCD_KEY
valueFrom:
secretKeyRef:
name: calico-certificates
key: tls.key
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.crt}}
- name: ETCD_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
- name: ETCD_CERT
valueFrom:
secretKeyRef:
name: calico-certificates
key: tls.crt
{{ end }}
volumeMounts:
- mountPath: /host/etc/calico
name: calico-cert-dir
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /tmp/install-calicoctl.sh
name: calico-bin
subPath: install-calicoctl.sh
- name: calico-certificates
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
subPath: tls.ca
readOnly: true
- name: calico-certificates
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
subPath: tls.crt
readOnly: true
- name: calico-certificates
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
subPath: tls.key
readOnly: true
{{ end }}
volumes:
# Used by calico/node.
- name: lib-modules
hostPath:
path: /lib/modules
- name: var-run-calico
hostPath:
path: /var/run/calico
# Used to install CNI.
- name: cni-bin-dir
hostPath:
path: /opt/cni/bin
- name: cni-net-dir
hostPath:
path: /etc/cni/net.d
- name: calico-cert-dir
hostPath:
path: /etc/calico
- name: calico-etc
configMap:
name: calico-etc
defaultMode: 0444
- name: calico-bin
configMap:
name: calico-bin
defaultMode: 0555
- name: calico-certificates
secret:
secretName: calico-certificates
{{- end }}
View Git Blame Copy Permalink