airship/promenade
Code Issues Proposed changes

Preparation for osh-infra merger

Browse Source 
Change-Id: I14b3c545a6494c11d7f60b37e31af5ec97ef6782
This commit is contained in:
Sergiy Markin 2025-04-01 17:30:47 +00:00
parent 754859ce1d
commit 4b44b4354e
39 changed files with 2240 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
charts/calico/Chart.yaml Normal file
View File

@ -0,0 +1,26 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: v1
appVersion: v3.25.1
description: OpenStack-Helm Calico
name: calico
version: 0.1.8
home: https://github.com/projectcalico/calico
icon: https://camo.githubusercontent.com/64c8b5ed6ac97553ae367348e8a59a24e2ed5bdc/687474703a2f2f646f63732e70726f6a65637463616c69636f2e6f72672f696d616765732f66656c69782e706e67
sources:
- https://github.com/projectcalico/calico
- https://opendev.org/openstack/openstack-helm
maintainers:
- name: OpenStack-Helm Authors
...

18
charts/calico/requirements.yaml Normal file
View File

@ -0,0 +1,18 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
dependencies:
- name: helm-toolkit
repository: file://../deps/helm-toolkit
version: ">= 0.1.0"
...

102
charts/calico/templates/bin/_calico-settings.sh.tpl Normal file
View File

@ -0,0 +1,102 @@
#!/bin/sh
set -eux
{{/* Robustness, Calico 3.x wants things as Titlecase; this causes pain */}}
{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_IPIP" (title .Values.conf.node.CALICO_IPV4POOL_IPIP ) -}}
{{- $_ := set .Values.conf.node "CALICO_STARTUP_LOGLEVEL" (title .Values.conf.node.CALICO_STARTUP_LOGLEVEL ) -}}
{{- $_ := set .Values.conf.node "FELIX_LOGSEVERITYSCREEN" (title .Values.conf.node.FELIX_LOGSEVERITYSCREEN ) -}}
{{- $envAll := . }}
{{ if empty .Values.conf.node.CALICO_IPV4POOL_CIDR }}
{{ $_ := set .Values.conf.node "CALICO_IPV4POOL_CIDR" .Values.networking.podSubnet }}
{{ end }}
# An idempotent script for interacting with calicoctl to instantiate
# peers, and manipulate calico settings that we must perform
# post-deployment.
CTL=/calicoctl
# Generate configuration the way we want it to be, it doesn't matter
# if it's already set, in that case Calico will no nothing.
# BGPConfiguration: nodeToNodeMeshEnabled & asNumber
$CTL apply -f - <<EOF
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
name: default
spec:
asNumber: {{ .Values.networking.bgp.asnumber }}
logSeverityScreen: {{ .Values.conf.node.FELIX_LOGSEVERITYSCREEN }}
nodeToNodeMeshEnabled: {{ .Values.networking.settings.mesh }}
EOF
# FelixConfiguration: ipipEnabled
$CTL apply -f - <<EOF
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
name: default
spec:
ipipEnabled: {{ .Values.networking.settings.ippool.ipip.enabled }}
logSeverityScreen: {{ .Values.conf.node.FELIX_LOGSEVERITYSCREEN }}
EOF
# ipPool - https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/ippool
$CTL apply -f - <<EOF
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
name: default-ipv4-ippool
spec:
cidr: {{ .Values.conf.node.CALICO_IPV4POOL_CIDR }}
{{- if .Values.conf.node.CALICO_IPV4POOL_BLOCKSIZE }}
blockSize: {{ .Values.conf.node.CALICO_IPV4POOL_BLOCKSIZE }}
{{- end }}
ipipMode: {{ .Values.conf.node.CALICO_IPV4POOL_IPIP }}
natOutgoing: {{ .Values.networking.settings.ippool.nat_outgoing }}
disabled: {{ .Values.networking.settings.ippool.disabled }}
EOF
# IPv4 peers
{{ if .Values.networking.bgp.ipv4.peers }}
$CTL apply -f - <<EOF
{{ .Values.networking.bgp.ipv4.peers | toYaml }}
EOF
{{ end }}
# IPv6 peers
{{ if .Values.networking.bgp.ipv6.peers }}
$CTL apply -f - <<EOF
{{ .Values.networking.bgp.ipv6.peers | toYaml }}
EOF
{{ end }}
{{/* gotpl quirks mean it is easier to loop from 0 to 9 looking for a match in an inner loop than trying to extract and sort */}}
{{ if .Values.networking.policy }}
# Policy and Endpoint rules
{{ range $n, $data := tuple 0 1 2 3 4 5 6 7 8 9 }}
# Priority: {{ $n }} objects
{{- range $section, $data := $envAll.Values.networking.policy }}
{{- if eq (toString $data.priority) (toString $n) }}
{{/* add a safety check so we don't attempt to run calicoctl with an empty resource set */}}
{{- if gt (len $data.rules) 0 }}
# Section: {{ $section }} Priority: {{ $data.priority }} {{ $n }}
$CTL apply -f - <<EOF
{{ $data.rules | toYaml }}
EOF
{{- else }}
echo "Skipping empty rules list."
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{ end }}
exit 0

57
charts/calico/templates/bin/_install-calicoctl.sh.tpl Normal file
View File

@ -0,0 +1,57 @@
#!/bin/sh
set -e
# instantiate calicoctl in /opt/bin/cni, including a wrapper around
# the bin that points to the correct etcd endpoint and etcd
# certificate data
cp -v /calicoctl /host/opt/cni/bin/calicoctl.bin
[ -x /host/opt/cni/bin/calicoctl.bin ] || chmod +x /host/opt/cni/bin/calicoctl.bin
if [ ! -z "$ETCD_KEY" ]; then
DIR=$(dirname /host/$ETCD_KEY_FILE)
mkdir -p $DIR
cat <<EOF>/host/$ETCD_KEY_FILE
$ETCD_KEY
EOF
chmod 600 /host/$ETCD_KEY_FILE
fi;
if [ ! -z "$ETCD_CA_CERT" ]; then
DIR=$(dirname /host/$ETCD_CA_CERT_FILE)
mkdir -p $DIR
cat <<EOF>/host/$ETCD_CA_CERT_FILE
$ETCD_CA_CERT
EOF
chmod 600 /host/$ETCD_CA_CERT_FILE
fi;
if [ ! -z "$ETCD_CERT" ]; then
DIR=$(dirname /host/$ETCD_CERT_FILE)
mkdir -p $DIR
cat <<EOF>/host/$ETCD_CERT_FILE
$ETCD_CERT
EOF
chmod 600 /host/$ETCD_CERT_FILE
fi;
# This looks a bit funny. Notice that if $ETCD_ENDPOINTS and friends
# are defined in this (calico node initContainer/startup) context;
# generate a shell script to set the values on the host where thse
# variables will *not* be set
cat <<EOF>/host/opt/cni/bin/calicoctl
#!/bin/bash
#
# do *NOT* modify this file; this is autogenerated by the calico-node
# deployment startup process
export ETCD_ENDPOINTS="${ETCD_ENDPOINTS}"
[ -e "${ETCD_KEY_FILE}" ] && export ETCD_KEY_FILE="${ETCD_KEY_FILE}"
[ -e "${ETCD_CERT_FILE}" ] && export ETCD_CERT_FILE="${ETCD_CERT_FILE}"
[ -e "${ETCD_CA_CERT_FILE}" ] && export ETCD_CA_CERT_FILE="${ETCD_CA_CERT_FILE}"
exec /opt/cni/bin/calicoctl.bin \$*
EOF
chmod +x /host/opt/cni/bin/calicoctl

128
charts/calico/templates/bird/_bird.cfg.template.tpl Normal file
View File

@ -0,0 +1,128 @@
# Generated by confd
include "bird_aggr.cfg";
include "bird_ipam.cfg";
{{`{{$node_ip_key := printf "/host/%s/ip_addr_v4" (getenv "NODENAME")}}{{$node_ip := getv $node_ip_key}}`}}
# ensure we only listen to a specific ip and address
listen bgp address {{`{{$node_ip}}`}} port {{.Values.networking.bgp.ipv4.port.listen}};
{{`{{$router_id := getenv "CALICO_ROUTER_ID" ""}}`}}
{{`router id {{if ne "" ($router_id)}}{{$router_id}}{{else}}{{$node_ip}}{{end}};`}}
{{`{{define "LOGGING"}}`}}
{{`{{$node_logging_key := printf "/host/%s/loglevel" (getenv "NODENAME")}}{{if exists $node_logging_key}}{{$logging := getv $node_logging_key}}`}}
{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}}
{{`{{else if exists "/global/loglevel"}}{{$logging := getv "/global/loglevel"}}`}}
{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}}
{{`{{else}} debug { states };{{end}}`}}
{{`{{end}}`}}
# Configure synchronization between routing tables and kernel.
protocol kernel {
learn; # Learn all alien routes from the kernel
persist; # Don't remove routes on bird shutdown
scan time 2; # Scan kernel routing table every 2 seconds
import all;
export filter calico_ipip; # Default is export none
graceful restart; # Turn on graceful restart to reduce potential flaps in
# routes when reloading BIRD configuration. With a full
# automatic mesh, there is no way to prevent BGP from
# flapping since multiple nodes update their BGP
# configuration at the same time, GR is not guaranteed to
# work correctly in this scenario.
}
# Watch interface up/down events.
protocol device {
{{` {{template "LOGGING"}}`}}
scan time 2; # Scan interfaces every 2 seconds
}
protocol direct {
{{` {{template "LOGGING"}}`}}
interface -"cali*", "*"; # Exclude cali* but include everything else.
}
{{`{{if eq "" ($node_ip)}}# IPv4 disabled on this node.`}}
{{`{{else}}{{$node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}`}}
# Template for all BGP clients
template bgp bgp_template {
{{` {{template "LOGGING"}}`}}
description "Connection to BGP peer";
{{` local as {{if exists $node_as_key}}{{getv $node_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}}
multihop;
gateway recursive; # This should be the default, but just in case.
import all; # Import all routes, since we don't know what the upstream
# topology is and therefore have to trust the ToR/RR.
export filter calico_pools; # Only want to export routes for workloads.
{{` source address {{$node_ip}}; # The local address we use for the TCP connection`}}
add paths on;
graceful restart; # See comment in kernel section about graceful restart.
}
# ------------- Node-to-node mesh -------------
{{`{{- $node_cid_key := printf "/host/%s/rr_cluster_id" (getenv "NODENAME")}}`}}
{{`{{- $node_cluster_id := getv $node_cid_key}}`}}
{{`{{- if ne "" ($node_cluster_id)}}`}}
{{`# This node is configured as a route reflector with cluster ID {{$node_cluster_id}};`}}
# ignore node-to-node mesh setting.
{{`{{- else}}`}}
{{`{{if (json (getv "/global/node_mesh")).enabled}}`}}
{{`{{range $host := lsdir "/host"}}`}}
{{`{{$onode_as_key := printf "/host/%s/as_num" .}}`}}
{{`{{$onode_ip_key := printf "/host/%s/ip_addr_v4" .}}{{if exists $onode_ip_key}}{{$onode_ip := getv $onode_ip_key}}`}}
{{`{{$nums := split $onode_ip "."}}{{$id := join $nums "_"}}`}}
{{`# For peer {{$onode_ip_key}}`}}
{{`{{if eq $onode_ip ($node_ip) }}# Skipping ourselves ({{$node_ip}})`}}
{{`{{else if ne "" $onode_ip}}protocol bgp Mesh_{{$id}} from bgp_template {`}}
{{` neighbor {{$onode_ip}} as {{if exists $onode_as_key}}{{getv $onode_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}}
neighbor port {{.Values.networking.bgp.ipv4.port.neighbor}};
{{`}{{end}}{{end}}{{end}}`}}
{{`{{else}}`}}
# Node-to-node mesh disabled
{{`{{end}}`}}
{{`{{- end}}`}}
# ------------- Global peers -------------
{{`{{if ls "/global/peer_v4"}}`}}
{{`{{range gets "/global/peer_v4/*"}}{{$data := json .Value}}`}}
{{`{{$nums := split $data.ip "."}}{{$id := join $nums "_"}}`}}
{{`# For peer {{.Key}}`}}
{{`{{- if eq $data.ip ($node_ip) }}`}}
{{`# Skipping ourselves ({{$node_ip}})`}}
{{`{{- else}}`}}
{{`protocol bgp Global_{{$id}} from bgp_template {`}}
{{` neighbor {{$data.ip}} as {{$data.as_num}};`}}
neighbor port {{.Values.networking.bgp.ipv4.port.neighbor}};
{{`{{- if and (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}`}}
rr client;
{{` rr cluster id {{$node_cluster_id}};`}}
{{`{{- end}}`}}
}
{{`{{- end}}`}}
{{`{{end}}`}}
{{`{{else}}# No global peers configured.{{end}}`}}
# ------------- Node-specific peers -------------
{{`{{$node_peers_key := printf "/host/%s/peer_v4" (getenv "NODENAME")}}`}}
{{`{{if ls $node_peers_key}}`}}
{{`{{range gets (printf "%s/*" $node_peers_key)}}{{$data := json .Value}}`}}
{{`{{$nums := split $data.ip "."}}{{$id := join $nums "_"}}`}}
{{`# For peer {{.Key}}`}}
{{`{{- if eq $data.ip ($node_ip) }}`}}
{{`# Skipping ourselves ({{$node_ip}})`}}
{{`{{- else}}`}}
{{`protocol bgp Node_{{$id}} from bgp_template {`}}
{{` neighbor {{$data.ip}} as {{$data.as_num}};`}}
neighbor port {{.Values.networking.bgp.ipv4.port.neighbor}};
{{`{{- if and (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}`}}
rr client;
{{` rr cluster id {{$node_cluster_id}};`}}
{{`{{- end}}`}}
}
{{`{{- end}}`}}
{{`{{end}}`}}
{{`{{else}}# No node-specific peers configured.{{end}}`}}
{{`{{end}}{{/* End of IPv4 enable check */}}`}}

131
charts/calico/templates/bird/_bird6.cfg.template.tpl Normal file
View File

@ -0,0 +1,131 @@
# Generated by confd
include "bird6_aggr.cfg";
include "bird6_ipam.cfg";
{{`{{$node_ip_key := printf "/host/%s/ip_addr_v4" (getenv "NODENAME")}}{{$node_ip := getv $node_ip_key}}`}}
{{`{{$node_ip6_key := printf "/host/%s/ip_addr_v6" (getenv "NODENAME")}}{{$node_ip6 := getv $node_ip6_key}}`}}
{{`{{$router_id := getenv "CALICO_ROUTER_ID" ""}}`}}
{{`router id {{if ne "" ($router_id)}}{{$router_id}}{{else}}{{$node_ip}}{{end}}; # Use IPv4 address since router id is 4 octets, even in MP-BGP`}}
{{`{{define "LOGGING"}}`}}
{{`{{$node_logging_key := printf "/host/%s/loglevel" (getenv "NODENAME")}}{{if exists $node_logging_key}}{{$logging := getv $node_logging_key}}`}}
{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}}
{{`{{else if exists "/global/loglevel"}}{{$logging := getv "/global/loglevel"}}`}}
{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}}
{{`{{else}} debug { states };{{end}}`}}
{{`{{end}}`}}
# Configure synchronization between routing tables and kernel.
protocol kernel {
learn; # Learn all alien routes from the kernel
persist; # Don't remove routes on bird shutdown
scan time 2; # Scan kernel routing table every 2 seconds
import all;
export all; # Default is export none
graceful restart; # Turn on graceful restart to reduce potential flaps in
# routes when reloading BIRD configuration. With a full
# automatic mesh, there is no way to prevent BGP from
# flapping since multiple nodes update their BGP
# configuration at the same time, GR is not guaranteed to
# work correctly in this scenario.
}
# Watch interface up/down events.
protocol device {
{{` {{template "LOGGING"}}`}}
scan time 2; # Scan interfaces every 2 seconds
}
protocol direct {
{{` {{template "LOGGING"}}`}}
interface -"cali*", "*"; # Exclude cali* but include everything else.
}
{{`{{if eq "" ($node_ip6)}}# IPv6 disabled on this node.`}}
{{`{{else}}{{$node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}`}}
# ensure we only listen to a specific ip and address
listen bgp address {{`{{$node_ip6}}`}} port {{.Values.networking.bgp.ipv6.port.listen}};
# Template for all BGP clients
template bgp bgp_template {
{{` {{template "LOGGING"}}`}}
description "Connection to BGP peer";
{{` local as {{if exists $node_as_key}}{{getv $node_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}}
multihop;
gateway recursive; # This should be the default, but just in case.
import all; # Import all routes, since we don't know what the upstream
# topology is and therefore have to trust the ToR/RR.
export filter calico_pools; # Only want to export routes for workloads.
{{` source address {{$node_ip6}}; # The local address we use for the TCP connection`}}
add paths on;
graceful restart; # See comment in kernel section about graceful restart.
}
# ------------- Node-to-node mesh -------------
{{`{{- $node_cid_key := printf "/host/%s/rr_cluster_id" (getenv "NODENAME")}}`}}
{{`{{- $node_cluster_id := getv $node_cid_key}}`}}
{{`{{- if ne "" ($node_cluster_id)}}`}}
{{`# This node is configured as a route reflector with cluster ID {{$node_cluster_id}};`}}
# ignore node-to-node mesh setting.
{{`{{- else}}`}}
{{`{{if (json (getv "/global/node_mesh")).enabled}}`}}
{{`{{range $host := lsdir "/host"}}`}}
{{`{{$onode_as_key := printf "/host/%s/as_num" .}}`}}
{{`{{$onode_ip_key := printf "/host/%s/ip_addr_v6" .}}{{if exists $onode_ip_key}}{{$onode_ip := getv $onode_ip_key}}`}}
{{`{{$nums := split $onode_ip ":"}}{{$id := join $nums "_"}}`}}
{{`# For peer {{$onode_ip_key}}`}}
{{`{{if eq $onode_ip ($node_ip6) }}# Skipping ourselves ({{$node_ip6}})`}}
{{`{{else if eq "" $onode_ip}}# No IPv6 address configured for this node`}}
{{`{{else}}protocol bgp Mesh_{{$id}} from bgp_template {`}}
{{` neighbor {{$onode_ip}} as {{if exists $onode_as_key}}{{getv $onode_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}}
neighbor port {{.Values.networking.bgp.ipv6.port.neighbor}};
{{`}{{end}}{{end}}{{end}}`}}
{{`{{else}}`}}
# Node-to-node mesh disabled
{{`{{end}}`}}
{{`{{- end}}`}}
# ------------- Global peers -------------
{{`{{if ls "/global/peer_v6"}}`}}
{{`{{range gets "/global/peer_v6/*"}}{{$data := json .Value}}`}}
{{`{{$nums := split $data.ip ":"}}{{$id := join $nums "_"}}`}}
{{`# For peer {{.Key}}`}}
{{`{{- if eq $data.ip ($node_ip6) }}`}}
{{`# Skipping ourselves ({{$node_ip6}})`}}
{{`{{- else}}`}}
{{`protocol bgp Global_{{$id}} from bgp_template {`}}
{{` neighbor {{$data.ip}} as {{$data.as_num}};`}}
neighbor port {{.Values.networking.bgp.ipv6.port.neighbor}};
{{`{{- if and (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}`}}
rr client;
{{` rr cluster id {{$node_cluster_id}};`}}
{{`{{- end}}`}}
}
{{`{{- end}}`}}
{{`{{end}}`}}
{{`{{else}}# No global peers configured.{{end}}`}}
# ------------- Node-specific peers -------------
{{`{{$node_peers_key := printf "/host/%s/peer_v6" (getenv "NODENAME")}}`}}
{{`{{if ls $node_peers_key}}`}}
{{`{{range gets (printf "%s/*" $node_peers_key)}}{{$data := json .Value}}`}}
{{`{{$nums := split $data.ip ":"}}{{$id := join $nums "_"}}`}}
{{`# For peer {{.Key}}`}}
{{`{{- if eq $data.ip ($node_ip6) }}`}}
{{`# Skipping ourselves ({{$node_ip6}})`}}
{{`{{- else}}`}}
{{`protocol bgp Node_{{$id}} from bgp_template {`}}
{{` neighbor {{$data.ip}} as {{$data.as_num}};`}}
neighbor port {{.Values.networking.bgp.ipv6.port.neighbor}};
{{`{{- if and (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}`}}
rr client;
{{` rr cluster id {{$node_cluster_id}};`}}
{{`{{- end}}`}}
}
{{`{{- end}}`}}
{{`{{end}}`}}
{{`{{else}}# No node-specific peers configured.{{end}}`}}
{{`{{end}}`}}

36
charts/calico/templates/bird/_bird6_ipam.cfg.template.tpl Normal file
View File

@ -0,0 +1,36 @@
# Generated by confd
function osh_filters ()
{
# support any addresses matching our secondary announcements
{{- range .Values.networking.bgp.ipv6.additional_cidrs }}
if ( net ~ {{ . }} ) then { accept; }
{{- end }}
}
function apply_communities ()
{
# Set community value based on dictionary of cidrs
{{- $asnum := .Values.networking.bgp.asnumber }}
{{- range .Values.networking.bgp.ipv6.community_cidr_ref }}
{{- $community := .community }}
{{- $cidr := .cidr }}
{{- with .prefix }}
if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ . }}, {{ $community }})); }
{{- else }}
if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ $asnum }}, {{ $community }})); }
{{- end }}
{{- end }}
}
filter calico_pools {
apply_communities();
calico_aggr();
osh_filters();
{{`{{range ls "/pool"}}{{$data := json (getv (printf "/pool/%s" .))}}`}}
{{` if ( net ~ {{$data.cidr}} ) then {`}}
accept;
}
{{`{{end}}`}}
reject;
}

60
charts/calico/templates/bird/_bird_ipam.cfg.template.tpl Normal file
View File

@ -0,0 +1,60 @@
# Generated by confd
function osh_filters ()
{
# support any addresses matching our secondary announcements
{{- range .Values.networking.bgp.ipv4.additional_cidrs }}
if ( net ~ {{ . }} ) then { accept; }
{{- end }}
}
function apply_communities ()
{
# Set community value based on dictionary of cidrs
{{- $asnum := .Values.networking.bgp.asnumber }}
{{- range .Values.networking.bgp.ipv4.community_cidr_ref }}
{{- $community := .community }}
{{- $cidr := .cidr }}
{{- with .prefix }}
if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ . }}, {{ $community }})); }
{{- else }}
if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ $asnum }}, {{ $community }})); }
{{- end }}
{{- end }}
}
filter calico_pools {
apply_communities();
calico_aggr();
osh_filters();
{{`{{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}`}}
{{` if ( net ~ {{$data.cidr}} ) then {`}}
accept;
}
{{`{{end}}`}}
reject;
}
{{`{{$network_key := printf "/bgp/v1/host/%s/network_v4" (getenv "NODENAME")}}{{if exists $network_key}}{{$network := getv $network_key}}`}}
filter calico_ipip {
{{`{{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}`}}
{{` if ( net ~ {{$data.cidr}} ) then {`}}
{{`{{if $data.ipip_mode}}{{if eq $data.ipip_mode "cross-subnet"}}`}}
{{` if defined(bgp_next_hop) && ( bgp_next_hop ~ {{$network}} ) then`}}
{{` krt_tunnel = ""; {{/* Destination in ipPool, mode is cross sub-net, route from-host on subnet, do not use IPIP */}}`}}
else
{{` krt_tunnel = "{{$data.ipip}}"; {{/* Destination in ipPool, mode is cross sub-net, route from-host off subnet, set the tunnel (if IPIP not enabled, value will be "") */}}`}}
accept;
{{` } {{else}}`}}
{{` krt_tunnel = "{{$data.ipip}}"; {{/* Destination in ipPool, mode not cross sub-net, set the tunnel (if IPIP not enabled, value will be "") */}}`}}
accept;
{{` } {{end}} {{else}}`}}
{{` krt_tunnel = "{{$data.ipip}}"; {{/* Destination in ipPool, mode field is not present, set the tunnel (if IPIP not enabled, value will be "") */}}`}}
accept;
{{` } {{end}}`}}
{{`{{end}}`}}
{{` accept; {{/* Destination is not in any ipPool, accept */}}`}}
}
{{`{{else}}`}}
filter calico_ipip { accept; }
{{`{{end}}{{/* End of 'exists $network_key' */}}`}}

29
charts/calico/templates/configmap-bin.yaml Normal file
View File

@ -0,0 +1,29 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_bin }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: calico-bin
data:
image-repo-sync.sh: |
{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
install-calicoctl.sh: |
{{ tuple "bin/_install-calicoctl.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
calico-settings.sh: |
{{ tuple "bin/_calico-settings.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}

34
charts/calico/templates/configmap-bird.yaml Normal file
View File

@ -0,0 +1,34 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_bird }}
{{- $envAll := . }}
---
kind: ConfigMap
apiVersion: v1
metadata:
name: calico-bird
data:
# we overlay templates found natively in the calico-node container
# so that we may override bgp configuration
bird.cfg.template: |
{{ tuple "bird/_bird.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird_ipam.cfg.template: |
{{ tuple "bird/_bird_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird6.cfg.template: |
{{ tuple "bird/_bird6.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bird6_ipam.cfg.template: |
{{ tuple "bird/_bird6_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}

32
charts/calico/templates/configmap-etc.yaml Normal file
View File

@ -0,0 +1,32 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_etc }}
{{- $envAll := . }}
---
kind: ConfigMap
apiVersion: v1
metadata:
name: calico-etc
data:
# The location of your etcd cluster. This uses the Service clusterIP
# defined below.
etcd_endpoints: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
# The CNI network configuration to install on each node, generated
# from (Values.)conf.cni_network_config
cni_network_config: |-
{{ toJson $envAll.Values.conf.cni_network_config | indent 4 }}
{{- end }}

133
charts/calico/templates/daemonset-calico-etcd.yaml Normal file
View File

@ -0,0 +1,133 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.daemonset_calico_etcd }}
{{- $envAll := . }}
{{- $serviceAccountName := "calico-etcd" }}
{{ tuple $envAll "calico-etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
# to force it to run on the master even when the master isn't schedulable, and uses
# nodeSelector to ensure it only runs on the master.
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: calico-etcd
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
labels:
k8s-app: calico-etcd
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
selector:
matchLabels:
k8s-app: calico-etcd
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
template:
metadata:
labels:
k8s-app: calico-etcd
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
{{ dict "envAll" $envAll "application" "etcd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
priorityClassName: system-cluster-critical
tolerations:
# This taint is set by all kubelets running `--cloud-provider=external`
# so we should tolerate it to schedule the Calico pods
- key: node.cloudprovider.kubernetes.io/uninitialized
value: "true"
effect: NoSchedule
# Allow this pod to run on the master/control-plane.
- key: node-role.kubernetes.io/master
effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
# This, along with the annotation above marks this pod as a critical add-on.
- key: CriticalAddonsOnly
operator: Exists
# Only run this pod on the master.
nodeSelector:
node-role.kubernetes.io/master: ""
hostNetwork: true
initContainers:
{{ tuple $envAll "etcd" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: calico-etcd
{{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_etcd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "etcd" "container" "calico_etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: CALICO_ETCD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
command:
- /usr/local/bin/etcd
args:
- --name=calico
- --data-dir=/var/etcd/calico-data
{{ if eq .Values.endpoints.etcd.scheme.default "https" }}
- --client-cert-auth=True
- --peer-client-cert-auth=True
- --trusted-ca-file=/etc/calico-certs/ca.crt
- --cert-file=/etc/calico-certs/server.crt
- --key-file=/etc/calico-certs/server.key
- --peer-trusted-ca-file=/etc/calico-certs/ca.crt
- --peer-cert-file=/etc/calico-certs/server.crt
- --peer-key-file=/etc/calico-certs/server.key
{{ end }}
- --advertise-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
- --listen-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- --listen-peer-urls={{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- --auto-compaction-retention=1
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: var-etcd
mountPath: /var/etcd
{{ if .Values.conf.etcd.credentials.ca }}
- name: calico-etcd-secrets
mountPath: /etc/calico-certs/ca.crt
subPath: etcd.ca
readOnly: true
{{ end }}
{{ if .Values.conf.etcd.credentials.certificate }}
- name: calico-etcd-secrets
mountPath: /etc/calico-certs/server.crt
subPath: etcd.crt
readOnly: true
{{ end }}
{{ if .Values.conf.etcd.credentials.key }}
- name: calico-etcd-secrets
mountPath: /etc/calico-certs/server.key
subPath: etcd.key
readOnly: true
{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: var-etcd
hostPath:
path: /var/etcd
- name: calico-etcd-secrets
secret:
secretName: calico-etcd-secrets
{{- end }}

414
charts/calico/templates/daemonset-calico-node.yaml Normal file
View File

@ -0,0 +1,414 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.daemonset_calico_node }}
{{- $envAll := . }}
{{/* Robustness, Calico 3.x wants things as Titlecase; this causes pain */}}
{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_IPIP" (title .Values.conf.node.CALICO_IPV4POOL_IPIP ) -}}
{{- $_ := set .Values.conf.node "CALICO_STARTUP_LOGLEVEL" (title .Values.conf.node.CALICO_STARTUP_LOGLEVEL ) -}}
{{- $_ := set .Values.conf.node "FELIX_LOGSEVERITYSCREEN" (title .Values.conf.node.FELIX_LOGSEVERITYSCREEN ) -}}
{{/* If using tunnels, and FELIX_IPINIPMTU is not set, make it 20 less than the physical to account for IPIP overhead */}}
{{- if empty .Values.conf.node.FELIX_IPINIPMTU -}}
{{- if ne .Values.conf.node.CALICO_IPV4POOL_IPIP "Never" -}}
{{- $_ := set .Values.conf.node "FELIX_IPINIPMTU" (sub .Values.networking.mtu 20) -}}
# Setting tunnel MTU to {{ .Values.conf.node.FELIX_IPINIPMTU }}
{{- end -}}
{{- end -}}
{{/* CNI_MTU is >= than the IPIP mtu, usually the physical MTU of the system */}}
{{- if empty .Values.conf.node.CNI_MTU -}}
{{- $_ := set .Values.conf.node "CNI_MTU" .Values.networking.mtu -}}
{{- end -}}
{{- if empty .Values.conf.node.CALICO_IPV4POOL_CIDR -}}
{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_CIDR" .Values.networking.podSubnet -}}
{{- end -}}
{{- $serviceAccountName := "calico-node" }}
{{ tuple $envAll "calico_node" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: calico-node
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-node
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ .Release.Namespace }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ $serviceAccountName }}
rules:
- apiGroups: [""]
resources:
- pods
- nodes
- namespaces
verbs:
- get
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["get"]
---
# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: calico-node
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
labels:
k8s-app: calico-node
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
selector:
matchLabels:
k8s-app: calico-node
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
template:
metadata:
labels:
k8s-app: calico-node
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-bird-hash: {{ tuple "configmap-bird.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "calico-node" "containerNames" (list "calico-node") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
{{- if .Values.monitoring.prometheus.enabled }}
{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }}
{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
{{- end }}
spec:
{{ dict "envAll" $envAll "application" "calico_node" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
nodeSelector:
beta.kubernetes.io/os: linux
hostNetwork: true
priorityClassName: system-cluster-critical
tolerations:
# Make sure calico-node gets scheduled on all nodes.
- effect: NoSchedule
operator: Exists
- key: node.kubernetes.io/not-ready
effect: NoSchedule
operator: Exists
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
serviceAccountName: {{ $serviceAccountName }}
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
terminationGracePeriodSeconds: 0
initContainers:
{{ tuple $envAll "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
{{ if .Values.manifests.daemonset_calico_node_calicoctl }}
- name: install-calicoctl
{{ tuple $envAll "calico_ctl" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_ctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_ctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/install-calicoctl.sh
env:
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-etc
key: etcd_endpoints
{{ if .Values.endpoints.etcd.auth.client.tls.ca }}
- name: ETCD_CA_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
- name: ETCD_CA_CERT
valueFrom:
secretKeyRef:
name: calico-etcd-secrets
key: tls.ca
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.key }}
- name: ETCD_KEY_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.key }}
- name: ETCD_KEY
valueFrom:
secretKeyRef:
name: calico-etcd-secrets
key: tls.key
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.crt }}
- name: ETCD_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
- name: ETCD_CERT
valueFrom:
secretKeyRef:
name: calico-etcd-secrets
key: tls.crt
{{ end }}
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- mountPath: /host/etc/calico
name: calico-cert-dir
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /tmp/install-calicoctl.sh
name: calico-bin
subPath: install-calicoctl.sh
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
subPath: tls.ca
readOnly: true
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
subPath: tls.crt
readOnly: true
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
subPath: tls.key
readOnly: true
{{ end }}
# This container installs the Calico CNI binaries
# and CNI network config file on each node.
- name: install-cni
{{ tuple $envAll "calico_cni" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "calico_node" "container" "install_cni" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command: ["/install-cni.sh"]
env:
# Prevents the container from sleeping forever.
- name: SLEEP
value: "false"
# Name of the CNI config file to create.
#
# NOTE: Calico v3 needs to end in .conflist; Calico v2 is
# different!
- name: CNI_CONF_NAME
value: "10-calico.conflist"
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-etc
key: etcd_endpoints
# The CNI network config to install on each node.
- name: CNI_NETWORK_CONFIG
valueFrom:
configMapKeyRef:
name: calico-etc
key: cni_network_config
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: cni-bin-dir
mountPath: /host/opt/cni/bin
- name: cni-net-dir
mountPath: /host/etc/cni/net.d
{{ if .Values.conf.etcd.credentials.ca }}
- name: calico-etcd-secrets
mountPath: /calico-secrets/etcd-ca
subPath: etcd.ca
readOnly: true
{{ end }}
{{ if .Values.conf.etcd.credentials.certificate }}
- name: calico-etcd-secrets
mountPath: /calico-secrets/etcd-cert
subPath: etcd.crt
readOnly: true
{{ end }}
{{ if .Values.conf.etcd.credentials.key }}
- name: calico-etcd-secrets
mountPath: /calico-secrets/etcd-key
subPath: etcd.key
readOnly: true
{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
# Used by calico/node.
- name: lib-modules
hostPath:
path: /lib/modules
- name: var-run-calico
hostPath:
path: /var/run/calico
- name: var-lib-calico
hostPath:
path: /var/lib/calico
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
# Used to install CNI.
- name: cni-bin-dir
hostPath:
path: /opt/cni/bin
- name: cni-net-dir
hostPath:
path: /etc/cni/net.d
- name: calico-cert-dir
hostPath:
path: /etc/calico
- name: calico-etc
configMap:
name: calico-etc
defaultMode: 0444
- name: calico-bird
configMap:
name: calico-bird
defaultMode: 0444
- name: calico-bin
configMap:
name: calico-bin
defaultMode: 0555
- name: calico-etcd-secrets
secret:
secretName: calico-etcd-secrets
containers:
# Runs calico/node container on each Kubernetes node. This
# container programs network policy and routes on each
# host.
- name: calico-node
{{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_node" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
# Values expanded explicitly from conf.node (some of which
# might be derived from elsewhere, see values.yaml for an
# explanation of this)
#
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.node | indent 12 }}
# Values explicit in the chart not expected to be found in
# conf.node
#
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-etc
key: etcd_endpoints
# etcd certs
{{ if .Values.endpoints.etcd.auth.client.tls.ca }}
- name: ETCD_CA_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.key }}
- name: ETCD_KEY_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.key }}
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.crt }}
- name: ETCD_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
{{ end }}
# Set noderef for node controller.
- name: CALICO_K8S_NODE_REF
valueFrom:
fieldRef:
fieldPath: spec.nodeName
livenessProbe:
httpGet:
path: /liveness
port: 9099
host: localhost
periodSeconds: 10
initialDelaySeconds: 10
failureThreshold: 6
# Only for Calico v3
readinessProbe:
exec:
command:
- /bin/calico-node
- -bird-ready
- -felix-ready
periodSeconds: 10
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- mountPath: /lib/modules
name: lib-modules
readOnly: true
- mountPath: /run/xtables.lock
name: xtables-lock
readOnly: false
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
# bird template replacements
# bird cfg
- mountPath: /etc/calico/confd/templates/bird.cfg.template
name: calico-bird
subPath: bird.cfg.template
# bird ipam
- mountPath: /etc/calico/confd/templates/bird_ipam.cfg.template
name: calico-bird
subPath: bird_ipam.cfg.template
# bird6 cfg
- mountPath: /etc/calico/confd/templates/bird6.cfg.template
name: calico-bird
subPath: bird6.cfg.template
# bird6 ipam
- mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template
name: calico-bird
subPath: bird6_ipam.cfg.template
# etcd secrets
- mountPath: /var/lib/calico
name: var-lib-calico
readOnly: false
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
subPath: tls.ca
readOnly: true
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
subPath: tls.crt
readOnly: true
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
subPath: tls.key
readOnly: true
{{- end }}

181
charts/calico/templates/deployment-calico-kube-controllers.yaml Normal file
View File

@ -0,0 +1,181 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.deployment_calico_kube_controllers }}
{{- $envAll := . }}
{{- $serviceAccountName := "calico-kube-controllers" }}
{{ tuple $envAll "calico_kube_controllers" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ $serviceAccountName }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $serviceAccountName }}
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ .Release.Namespace }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ $serviceAccountName }}
rules:
- apiGroups:
- ""
- extensions
resources:
- pods
- namespaces
- networkpolicies
- nodes
- serviceaccounts
verbs:
- watch
- list
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- watch
- list
---
# This manifest deploys the Calico Kubernetes controllers.
# See https://github.com/projectcalico/kube-controllers
apiVersion: apps/v1
kind: Deployment
metadata:
name: calico-kube-controllers
namespace: {{ .Release.Namespace }}
labels:
k8s-app: calico-kube-controllers
{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
spec:
priorityClassName: system-cluster-critical
# The controllers can only have a single active instance.
replicas: 1
selector:
matchLabels:
k8s-app: calico-kube-controllers
{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
template:
metadata:
name: calico-kube-controllers
labels:
k8s-app: calico-kube-controllers
{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
{{ dict "envAll" $envAll "application" "kube_controllers" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
nodeSelector:
beta.kubernetes.io/os: linux
# The controllers must run in the host network namespace so that
# it isn't governed by policy that would prevent it from working.
hostNetwork: true
tolerations:
# Mark the pod as a critical add-on for rescheduling.
- key: node.cloudprovider.kubernetes.io/uninitialized
value: "true"
effect: NoSchedule
- key: CriticalAddonsOnly
operator: Exists
- key: node-role.kubernetes.io/master
effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
- key: node.kubernetes.io/not-ready
operator: Exists
effect: NoSchedule
serviceAccountName: {{ $serviceAccountName }}
initContainers:
{{ tuple $envAll "calico_kube_controllers" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: calico-kube-controllers
{{ tuple $envAll "calico_kube_controllers" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_kube_controllers | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "kube_controllers" "container" "kube_controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-etc
key: etcd_endpoints
# conf.controllers expanded values
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.controllers | indent 12 }}
{{ if .Values.endpoints.etcd.auth.client.tls.ca }}
# etcd tls files
- name: ETCD_CA_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.key }}
- name: ETCD_KEY_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.key }}
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.crt }}
- name: ETCD_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
{{ end }}
# etcd tls mounts
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
subPath: tls.ca
readOnly: true
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
subPath: tls.crt
readOnly: true
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
subPath: tls.key
readOnly: true
# Calico v3 only
readinessProbe:
exec:
command:
- /usr/bin/check-status
- -r
livenessProbe:
exec:
command:
- /usr/bin/check-status
- -r
volumes:
- name: pod-tmp
emptyDir: {}
- name: calico-etcd-secrets
secret:
secretName: calico-etcd-secrets
defaultMode: 0400
{{- end }}

2
charts/calico/templates/etc/_bird-tar-deposit.base64.txt Normal file
View File

@ -0,0 +1,2 @@
H4sIAJLrq1sCA+3IOwqFMABE0SwlS4jGxPVYvFIQP4W7N1ja+0A4p7nD/OZlP8O7UlOH4W7z7L27
nEs/1lL62v4x5S7EFP7g2PZpjTEAAAAAAAAAAADAh1zOUd8NACgAAA==

109
charts/calico/templates/job-calico-settings.yaml Normal file
View File

@ -0,0 +1,109 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.job_calico_settings }}
{{- $envAll := . }}
{{- $serviceAccountName := "calico-settings" }}
{{ tuple $envAll "calico_settings" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: calico-settings
labels:
{{ tuple $envAll "calico" "calico_settings" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
spec:
template:
metadata:
annotations:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
labels:
{{ tuple $envAll "calico" "calico_settings" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "calico_settings" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
hostNetwork: true
priorityClassName: system-cluster-critical
tolerations:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
- key: node.kubernetes.io/not-ready
operator: Exists
effect: NoSchedule
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
# This, along with the annotation above marks this pod as a critical add-on.
- key: CriticalAddonsOnly
operator: Exists
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
initContainers:
{{ tuple $envAll "calico_settings" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: calico-settings
{{ tuple $envAll "calico_settings" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_settings | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "calico_settings" "container" "calico_settings" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-etc
key: etcd_endpoints
{{ if .Values.endpoints.etcd.auth.client.tls.ca }}
- name: ETCD_CA_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.key }}
- name: ETCD_KEY_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.key }}
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.crt }}
- name: ETCD_CERT_FILE
value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
{{ end }}
command:
- /tmp/calico-settings.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: calico-bin
mountPath: /tmp/calico-settings.sh
subPath: calico-settings.sh
readOnly: true
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
subPath: tls.ca
readOnly: true
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
subPath: tls.crt
readOnly: true
- name: calico-etcd-secrets
mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
subPath: tls.key
readOnly: true
volumes:
- name: pod-tmp
emptyDir: {}
- name: calico-bin
configMap:
name: calico-bin
defaultMode: 0555
- name: calico-etcd-secrets
secret:
secretName: calico-etcd-secrets
{{- end }}

19
charts/calico/templates/job-image-repo-sync.yaml Normal file
View File

@ -0,0 +1,19 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "calico" -}}
{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
{{- end }}

31
charts/calico/templates/secret-etcd-certificates.yaml Normal file
View File

@ -0,0 +1,31 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_certificates }}
{{- $envAll := . }}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
name: calico-etcd-secrets
data:
tls.ca: {{ .Values.endpoints.etcd.auth.client.tls.ca | default "" | b64enc }}
tls.key: {{ .Values.endpoints.etcd.auth.client.tls.key | default "" | b64enc }}
tls.crt: {{ .Values.endpoints.etcd.auth.client.tls.crt | default "" | b64enc }}
etcd.ca: {{ .Values.conf.etcd.credentials.ca | default "" | b64enc }}
etcd.crt: {{ .Values.conf.etcd.credentials.certificate | default "" | b64enc }}
etcd.key: {{ .Values.conf.etcd.credentials.key | default "" | b64enc }}
{{- end }}

17
charts/calico/templates/secret-registry.yaml Normal file
View File

@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
{{- end }}

37
charts/calico/templates/service-calico-etcd.yaml Normal file
View File

@ -0,0 +1,37 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.service_calico_etcd }}
{{- $envAll := . }}
---
# This manifest installs the Service which gets traffic to the Calico
# etcd.
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: calico-etcd
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
name: {{ tuple "etcd" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
spec:
# Select the calico-etcd pod running on the master.
selector:
k8s-app: calico-etcd
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
# This ClusterIP needs to be known in advance, since we cannot rely
# on DNS to get access to etcd.
clusterIP: {{ tuple "etcd" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
ports:
- port: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- end }}

595
charts/calico/values.yaml Normal file
View File

@ -0,0 +1,595 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
images:
tags:
# These are minimum versions, older images will very likely not
# work
calico_etcd: quay.io/coreos/etcd:v3.5.9
calico_node: quay.io/calico/node:v3.25.1
calico_cni: quay.io/calico/cni:v3.25.1
calico_ctl: calico/ctl:v3.25.1
calico_settings: calico/ctl:v3.25.1
# NOTE: plural key, singular value
calico_kube_controllers: quay.io/calico/kube-controllers:v3.25.1
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/library/docker:24.0.1
pull_policy: IfNotPresent
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
- calico_etcd
- calico_node
- calico_cni
- calico_kube_controllers
pod:
security_context:
etcd:
pod:
runAsUser: 0
container:
calico_etcd:
readOnlyRootFilesystem: false
calico_node:
pod:
runAsUser: 0
container:
calico_ctl:
readOnlyRootFilesystem: false
install_cni:
readOnlyRootFilesystem: false
calico_node:
readOnlyRootFilesystem: false
capabilities:
add:
- 'NET_ADMIN'
- 'SYS_ADMIN'
kube_controllers:
pod:
runAsUser: 0
container:
kube_controller:
readOnlyRootFilesystem: false
calico_settings:
pod:
runAsUser: 0
container:
calico_settings:
readOnlyRootFilesystem: false
resources:
enabled: false
jobs:
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_settings:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_kube_controllers:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_node:
requests:
memory: "128Mi"
cpu: "250m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_cni:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_ctl:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_etcd:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
controllers:
min_available: 0
mandatory_access_control:
type: apparmor
calico-node:
calico-node: runtime/default
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- calico-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
calico_kube_controllers:
services:
- endpoint: internal
service: calico-etcd
calico_node:
services:
- endpoint: internal
service: calico-etcd
calico_settings:
services:
- endpoint: internal
service: calico-etcd
calico_etcd:
services: null
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
secrets:
oci_image_registry:
calico: calico-oci-image-registry
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
oci_image_registry:
name: oci-image-registry
namespace: oci-image-registry
auth:
enabled: false
calico:
username: calico
password: password
hosts:
default: localhost
host_fqdn_override:
default: null
port:
registry:
default: null
etcd:
auth:
client:
tls:
crt: null
ca: null
key: null
path:
# these must be within /etc/calico
crt: /etc/calico/pki/crt
ca: /etc/calico/pki/ca
key: /etc/calico/pki/key
scheme:
default: http
path:
default: ' ' # space required to provide a truly empty path
hosts:
default: 10.96.232.136
host_fqdn_override:
default: null
service:
name: null
port:
client:
default: 6666
peer:
default: 6667
monitoring:
prometheus:
enabled: true
calico_node:
scrape: true
port: 9091
networking:
podSubnet: 192.168.0.0/16
# Physical MTU, if ipip is enabled, the chart will adjust things downward
mtu: 1500
settings:
mesh: "on"
# technically this could be a list, today we only support a single
# podSubnet, the one above. The settings below will be applied to
# that ipPool
ippool:
ipip:
enabled: true
nat_outgoing: true
disabled: false
bgp:
# our asnumber for bgp peering
asnumber: 64512
ipv4:
# https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/bgppeer
#
# this is a list of peer objects that will be passed directly to
# calicoctl - for global peers, the scope should be global and
# the node attribute removed
#
# apiVersion: projectcalico.org/v3
# kind: BGPPeer
# metadata:
# name: some.name
# spec:
# node: rack1-host1
# peerIP: 10.1.10.39
# asNumber: 64512
peers: []
# this is a list of additional IPv4 cidrs that if we discover
# IPs within them on a host, we will announce the address in
# addition to traditional pod workloads
additional_cidrs: []
# community_cidr_ref contains embedded objects that describe a
# BGP community that is to be associated with the supplied CIDR.
# The top-level key names are not important.
#
# The resulting BGP community will take the form of
# <prefix>:<community>
# If no prefix is specified then the asnumber is used
community_cidr_ref:
# cidr_community_description:
# cidr: 192.168.0.0/16
# community: 54321
# prefix: 55555
# alpha:
# cidr: 10.0.0.0/16
# community: 54322
port:
neighbor: 179
listen: 179
ipv6:
# https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/bgppeer
#
# this is a list of peer objects that will be passed directly to
# calicoctl - for global peers, the scope should be global and
# the node attribute removed
#
# apiVersion: projectcalico.org/v3
# kind: BGPPeer
# metadata:
# name: some.name
# spec:
# node: rack1-host1
# peerIP: 2600:1:2:3::abcd
# asNumber: 64512
peers: []
# this is a list of additional IPv6 cidrs that if we discover
# IPs within them on a host, we will announce them in addition
# to traditional pod workloads
additional_cidrs: []
# community_cidr_ref contains embedded objects that describe a
# BGP community that is to be associated with the supplied CIDR.
# The top-level key names are not important.
#
# The resulting BGP community will take the form of
# <prefix>:<community>
# If no prefix is specified then the asnumber is used
community_cidr_ref:
# cidr_community_description:
# cidr: 2600:1:2:3::abcd/28
# community: 54321
# prefix: 55555
# alpha:
# cidr: 1400:a:2:3::abcd/26
# community: 54322
port:
neighbor: 179
listen: 179
# Policy contains embedded Calico policy and/or endpoint objects.
# Because lists are cumbersome to deal with this is stuctured as a
# dictionary (therefore not ordered). The top-level key names are
# not important, priority contains a value between 0 and 9 inclusive
# and rules contains any objects (typically used as rules).
# Priority 0 objects are emitted before priority 9. It is
# recommended any rules such as HostEndpoint be given a higher
# priority so that they are applied after more generic objects.
# Priority values outside of integers 0 through 9 are not valid and
# should not be used.
policy:
# alpha:
# priority: 0
# rules:
# - apiVersion: projectcalico.org/v3
# kind: GlobalNetworkPolicy
# metadata:
# name: allow-tcp-6379
# spec:
# order: 0
# selector: role == 'database'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 6379
# egress:
# - action: Allow
# - apiVersion: projectcalico.org/v3
# kind: GlobalNetworkPolicy
# metadata:
# name: allow-tcp-3306
# spec:
# order: 1
# selector: role == 'database'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 3306
# egress:
# - action: Allow
# beta:
# priority: 1
# rules:
# - apiVersion: projectcalico.org/v3
# kind: NetworkPolicy
# metadata:
# name: allow-tcp-6379
# namespace: production
# spec:
# selector: role == 'database'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 6379
# egress:
# - action: Allow
# - apiVersion: projectcalico.org/v3
# kind: NetworkPolicy
# metadata:
# name: allow-tcp-8081
# namespace: production
# spec:
# selector: role == 'webthing'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 8081
# egress:
# - action: Allow
# zulu:
# priority: 9
# rules:
# - apiVersion: projectcalico.org/v3
# kind: HostEndpoint
# metadata:
# name: first.thing
# labels:
# type: production
# spec:
# interfaceName: eth0
# node: mysecrethost
# expectedIPs:
# - 192.168.0.1
# - 192.168.0.2
# profiles:
# - profile1
# - profile2
# ports:
# - name: some-port
# port: 1234
# protocol: TCP
# - name: another-port
# port: 5432
# protocol: UDP
# - apiVersion: projectcalico.org/v3
# kind: HostEndpoint
# metadata:
# name: second.thing
# labels:
# type: production
# spec:
# interfaceName: eth1
# node: myothersecrethost
# expectedIPs:
# - 192.168.1.1
# - 192.168.1.2
# profiles:
# - profile1
# - profile2
# ports:
# - name: some-port
# port: 1234
# protocol: TCP
# - name: another-port
# port: 5432
# protocol: UDP
conf:
etcd:
credentials:
ca: null
key: null
certificate: null
# NOTE; syntax has subtly changed since Calico v2. For Armada *all*
# of this needes to be specified. We're using yaml here which we
# can't robustly convert to json (which the node pod requires) so it
# might be we revisit that and embedded a json string that gets
# edits
cni_network_config:
# https://docs.projectcalico.org/v3.4/reference/cni-plugin/configuration
#
# other than the etcd_* keys you likely want to leave this as-is
name: k8s-pod-network
cniVersion: 0.3.0
plugins:
- type: calico
log_level: info
etcd_endpoints: __ETCD_ENDPOINTS__
etcd_key_file: __ETCD_KEY_FILE__
etcd_cert_file: __ETCD_CERT_FILE__
etcd_ca_cert_file: __ETCD_CA_CERT_FILE__
ipam:
type: calico-ipam
policy:
type: k8s
kubernetes:
kubeconfig: __KUBECONFIG_FILEPATH__
- type: portmap
snat: true
capabilities:
portMappings: true
controllers:
# The location of the Kubernetes API. Use the default Kubernetes
# service for API access.
K8S_API: "https://kubernetes.default:443"
# Choose which controllers to run, see
# https://docs.projectcalico.org//v3.4/reference/kube-controllers/configuration
# for an explanation of each
ENABLED_CONTROLLERS: "policy,namespace,serviceaccount,workloadendpoint,node"
# Since we're running in the host namespace and might not have KubeDNS
# access, configure the container's /etc/hosts to resolve
# kubernetes.default to the correct service clusterIP.
CONFIGURE_ETC_HOSTS: true
node:
# for specific details see
# https://docs.projectcalico.org/v3.4/reference/node/configuration
name: k8s-pod-network
# Cluster type to identify the deployment type
# NOTE: v2 had a list ... v3 a comma separated string
CLUSTER_TYPE: "k8s,bgp"
# Describes which BGP networking backend to use gobgp, bird, none.
# Default is bird. NOTE(alanmeadows) today this chart only
# supports applying the bgp customizations to bird templates - in
# the future we may support gobgp as well
CALICO_NETWORKING_BACKEND: bird
# Location of the CA certificate for etcd.
ETCD_CA_CERT_FILE: ""
# Location of the client key for etcd.
ETCD_KEY_FILE: ""
# Location of the client certificate for etcd.
ETCD_CERT_FILE: ""
# Disable file logging so `kubectl logs` works.
CALICO_DISABLE_FILE_LOGGING: true
# Set Felix endpoint to host default action to ACCEPT.
# early/startup log level for calico-node on startup.
CALICO_STARTUP_LOGLEVEL: "Info"
FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT"
# Configure the IP Pool from which Pod IPs will be chosen; it's
# recommended you leave this as null and the value from
# networking.podSubnet will be used
CALICO_IPV4POOL_CIDR: null
# See https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/ippool
CALICO_IPV4POOL_BLOCKSIZE: 26
# Change this to 'Never' in environments with direct L2
# communication (such that tunnels are not needed for pods on
# different hosts to communicate with each otehr).
CALICO_IPV4POOL_IPIP: "Always"
# Disable IPv6 on Kubernetes.
FELIX_IPV6SUPPORT: false
# Set MTU for tunnel device used if ipip is enabled, it's
# recommended you leave this as null and an appropriate value will
# be set based on tunneling mode and the networking.mtu value
FELIX_IPINIPMTU: null
# Set Felix logging; also (ab)used for bgp configuration
FELIX_LOGSEVERITYSCREEN: "Info"
FELIX_HEALTHENABLED: true
# Set Felix experimental Prometheus metrics server
FELIX_PROMETHEUSMETRICSENABLED: true
FELIX_PROMETHEUSMETRICSPORT: "9091"
# Auto-detect the BGP IP address.
IP: ""
# Detection of source interface for routing
# options include
# can-reach=DESTINATION
# interface=INTERFACE-REGEX
IP_AUTODETECTION_METHOD: first-found
IPV6_AUTODETECTION_METHOD: first-found
manifests:
configmap_bin: true
configmap_etc: true
configmap_bird: true
daemonset_calico_etcd: true
daemonset_calico_node: true
daemonset_calico_node_calicoctl: true
deployment_calico_kube_controllers: true
job_image_repo_sync: true
job_calico_settings: true
service_calico_etcd: true
secret_certificates: true
secret_registry: true
...

4
doc/source/configuration/host-system.rst
View File

@ -22,7 +22,7 @@ Sample Document to run containers in Docker runtime
images:
haproxy: haproxy:2.4
helm:
helm: lachlanevenson/k8s-helm:v3.15.4
helm: lachlanevenson/k8s-helm:v3.16.4
monitoring_image: busybox:1.28.3
packages:
repositories:
@ -121,7 +121,7 @@ Sample Document to run containers in Containerd runtime
images:
haproxy: haproxy:2.4
helm:
helm: lachlanevenson/k8s-helm:v3.15.4
helm: lachlanevenson/k8s-helm:v3.16.4
monitoring_image: busybox:1.28.3
packages:
additional:

2
examples/basic/HostSystem.yaml
View File

@ -85,7 +85,7 @@ data:
monitoring_image: &busybox busybox:1.28.3
haproxy: haproxy:2.4
helm:
helm: lachlanevenson/k8s-helm:v3.15.4
helm: lachlanevenson/k8s-helm:v3.16.4
packages:
common:
repositories:

12
examples/basic/armada-resources.yaml
View File

@ -109,9 +109,9 @@ data:
values: {}
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
location: https://opendev.org/openstack/openstack-helm.git
subpath: helm-toolkit
reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b
reference: 6b985e51be5e52011b88b408fe3265175ce8f47f
dependencies: []
---
schema: armada/Chart/v1
@ -133,9 +133,9 @@ data:
values: {}
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
location: https://opendev.org/openstack/openstack-helm.git
subpath: helm-toolkit
reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b
reference: 6b985e51be5e52011b88b408fe3265175ce8f47f
dependencies: []
---
schema: armada/Chart/v1
@ -533,8 +533,8 @@ data:
service_calico_etcd: false
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b
location: https://opendev.org/openstack/openstack-helm.git
reference: master
subpath: calico
dependencies:
- infra-helm-toolkit

2
examples/complete/HostSystem.yaml
View File

@ -85,7 +85,7 @@ data:
monitoring_image: busybox:1.28.3
haproxy: haproxy:2.4
helm:
helm: lachlanevenson/k8s-helm:v3.15.4
helm: lachlanevenson/k8s-helm:v3.16.4
packages:
common:
repositories:

13
examples/complete/armada-resources.yaml
View File

@ -150,9 +150,9 @@ data:
values: {}
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
location: https://opendev.org/openstack/openstack-helm.git
subpath: helm-toolkit
reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b
reference: 6b985e51be5e52011b88b408fe3265175ce8f47f
dependencies: []
---
schema: armada/Chart/v1
@ -175,9 +175,9 @@ data:
values: {}
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
location: https://opendev.org/openstack/openstack-helm.git
subpath: helm-toolkit
reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b
reference: 6b985e51be5e52011b88b408fe3265175ce8f47f
dependencies: []
---
schema: armada/Chart/v1
@ -552,9 +552,8 @@ data:
job_image_repo_sync: false
service_calico_etcd: false
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
reference: master
type: local
location: /etc/genesis/armada/assets/charts
subpath: calico
dependencies:
- infra-helm-toolkit

2
examples/containerd/HostSystem.yaml
View File

@ -85,7 +85,7 @@ data:
monitoring_image: &busybox busybox:1.28.3
haproxy: haproxy:2.4
helm:
helm: lachlanevenson/k8s-helm:v3.15.4
helm: lachlanevenson/k8s-helm:v3.16.4
packages:
common:
additional:

13
examples/containerd/armada-resources.yaml
View File

@ -109,9 +109,9 @@ data:
values: {}
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
location: https://opendev.org/openstack/openstack-helm.git
subpath: helm-toolkit
reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b
reference: 6b985e51be5e52011b88b408fe3265175ce8f47f
dependencies: []
---
schema: armada/Chart/v1
@ -133,9 +133,9 @@ data:
values: {}
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
location: https://opendev.org/openstack/openstack-helm.git
subpath: helm-toolkit
reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b
reference: 6b985e51be5e52011b88b408fe3265175ce8f47f
dependencies: []
---
schema: armada/Chart/v1
@ -426,9 +426,8 @@ data:
job_image_repo_sync: false
service_calico_etcd: false
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b
type: local
location: /etc/genesis/armada/assets/charts
subpath: calico
dependencies:
- infra-helm-toolkit

2
examples/gate/HostSystem.yaml
View File

@ -85,7 +85,7 @@ data:
monitoring_image: &busybox busybox:1.28.3
haproxy: haproxy:2.4
helm:
helm: lachlanevenson/k8s-helm:v3.15.4
helm: lachlanevenson/k8s-helm:v3.16.4
packages:
common:
repositories:

13
examples/gate/armada-resources.yaml
View File

@ -109,9 +109,9 @@ data:
values: {}
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
location: https://opendev.org/openstack/openstack-helm.git
subpath: helm-toolkit
reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b
reference: 6b985e51be5e52011b88b408fe3265175ce8f47f
dependencies: []
---
schema: armada/Chart/v1
@ -133,9 +133,9 @@ data:
values: {}
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
location: https://opendev.org/openstack/openstack-helm.git
subpath: helm-toolkit
reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b
reference: 6b985e51be5e52011b88b408fe3265175ce8f47f
dependencies: []
---
schema: armada/Chart/v1
@ -432,9 +432,8 @@ data:
job_image_repo_sync: false
service_calico_etcd: false
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b
type: local
location: /etc/genesis/armada/assets/charts
subpath: calico
dependencies:
- infra-helm-toolkit

2
tests/unit/api/test_validatedesign.py
View File

@ -153,7 +153,7 @@ VALID_DOCS = [
'images': {
'haproxy': 'haproxy:2.4',
'helm': {
'helm': 'lachlanevenson/k8s-helm:v3.15.4'
'helm': 'lachlanevenson/k8s-helm:v3.16.4'
}
},
'packages': {

2
tests/unit/builder_data/simple/HostSystem.yaml
View File

@ -38,7 +38,7 @@ data:
monitoring_image: &busybox busybox:1.28.3
haproxy: haproxy:2.4
helm:
helm: lachlanevenson/k8s-helm:v3.15.4
helm: lachlanevenson/k8s-helm:v3.16.4
packages:
common:
repositories:

13
tests/unit/builder_data/simple/armada-resources.yaml
View File

@ -110,9 +110,9 @@ data:
values: {}
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
location: https://opendev.org/openstack/openstack-helm.git
subpath: helm-toolkit
reference: master
reference: 6b985e51be5e52011b88b408fe3265175ce8f47f
dependencies: []
---
schema: armada/Chart/v1
@ -135,9 +135,9 @@ data:
values: {}
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
location: https://opendev.org/openstack/openstack-helm.git
subpath: helm-toolkit
reference: master
reference: 6b985e51be5e52011b88b408fe3265175ce8f47f
dependencies: []
---
schema: armada/Chart/v1
@ -438,9 +438,8 @@ data:
job_image_repo_sync: false
service_calico_etcd: false
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
reference: master
type: local
location: /etc/genesis/armada/assets/charts
subpath: calico
dependencies:
- infra-helm-toolkit

9
tools/gate/config-templates/bootstrap-armada-config.yaml
View File

@ -105,9 +105,9 @@ data:
values: {}
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
location: https://opendev.org/openstack/openstack-helm.git
subpath: helm-toolkit
reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b
reference: 6b985e51be5e52011b88b408fe3265175ce8f47f
dependencies: []
---
schema: armada/Chart/v1
@ -478,9 +478,8 @@ data:
job_image_repo_sync: false
service_calico_etcd: false
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
reference: master
type: local
location: /etc/genesis/armada/assets/charts
subpath: calico
dependencies:
- helm-toolkit

2
tools/gate/default-config-env
View File

@ -9,7 +9,7 @@ IMAGE_DEP_CHECK=quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
IMAGE_ETCD=quay.io/coreos/etcd:v3.5.12
IMAGE_ETCDCTL=quay.io/airshipit/porthole-etcdctl-utility:latest-ubuntu_focal
IMAGE_HAPROXY=haproxy:2.4
IMAGE_HELM=lachlanevenson/k8s-helm:v3.15.4
IMAGE_HELM=lachlanevenson/k8s-helm:v3.16.4
IMAGE_APISERVER=registry.k8s.io/kube-apiserver-amd64:v1.32.1
IMAGE_CONTROLLER_MANAGER=registry.k8s.io/kube-controller-manager-amd64:v1.32.1
IMAGE_SCHEDULER=registry.k8s.io/kube-scheduler-amd64:v1.32.1

2
tools/helm_install.sh
View File

@ -17,7 +17,7 @@
set -x
HELM=$1
HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz"}
HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.16.4-linux-amd64.tar.gz"}
function install_helm_binary {

4
tools/helm_tk.sh
View File

@ -16,8 +16,8 @@
set -eux
HTK_REPO=${HTK_REPO:-"https://opendev.org/openstack/openstack-helm-infra.git"}
HTK_STABLE_COMMIT=${HTK_COMMIT:-"d0c93b5648704b9d9999412d932f8329c80362c0"}
HTK_REPO=${HTK_REPO:-"https://opendev.org/openstack/openstack-helm.git"}
HTK_STABLE_COMMIT=${HTK_COMMIT:-"master"}

2
tools/registry/IMAGES
View File

@ -6,7 +6,7 @@ registry.k8s.io/kube-apiserver-amd64,v1.32.1,apiserver
registry.k8s.io/kube-controller-manager-amd64,v1.32.1,controller-manager
registry.k8s.io/kube-scheduler-amd64,v1.32.1,scheduler
registry.k8s.io/kube-proxy-amd64,v1.32.1,proxy
lachlanevenson/k8s-helm,v3.15.4,helm
lachlanevenson/k8s-helm,v3.16.4,helm
quay.io/airshipit/armada,master,armada
quay.io/airshipit/armada-operator,latest,armada-operator
quay.io/calico/cni,v3.4.0,calico-cni

4
zuul.d/jobs.yaml
View File

@ -47,7 +47,7 @@
run:
- tools/zuul/playbooks/deploy-promenade-containerd.yaml
required-projects:
- openstack/openstack-helm-infra
- openstack/openstack-helm
timeout: 9600
nodeset: airship-promenade-single-node-jammy
vars:
@ -61,7 +61,7 @@
timeout: 900
nodeset: airship-promenade-single-node-jammy
vars:
HTK_COMMIT: 962333df313e04a01923ca8394d2a44f2afbb714
HTK_COMMIT: 6b985e51be5e52011b88b408fe3265175ce8f47f
- job:
name: airship-promenade-chart-build-gate-latest-htk