From 4b44b4354ec17bdcc74b41b483394240d8c118c7 Mon Sep 17 00:00:00 2001 
From: Sergiy Markin Date: Tue, 1 Apr 2025 17:30:47 +0000 Subject: [PATCH] Preparation for osh-infra merger Change-Id: I14b3c545a6494c11d7f60b37e31af5ec97ef6782 --- charts/calico/Chart.yaml | 26 + charts/calico/requirements.yaml | 18 + .../templates/bin/_calico-settings.sh.tpl | 102 +++ .../templates/bin/_install-calicoctl.sh.tpl | 57 ++ .../templates/bird/_bird.cfg.template.tpl | 128 ++++ .../templates/bird/_bird6.cfg.template.tpl | 131 ++++ .../bird/_bird6_ipam.cfg.template.tpl | 36 ++ .../bird/_bird_ipam.cfg.template.tpl | 60 ++ charts/calico/templates/configmap-bin.yaml | 29 + charts/calico/templates/configmap-bird.yaml | 34 + charts/calico/templates/configmap-etc.yaml | 32 + .../templates/daemonset-calico-etcd.yaml | 133 ++++ .../templates/daemonset-calico-node.yaml | 414 ++++++++++++ .../deployment-calico-kube-controllers.yaml | 181 ++++++ .../etc/_bird-tar-deposit.base64.txt | 2 + .../calico/templates/job-calico-settings.yaml | 109 ++++ .../calico/templates/job-image-repo-sync.yaml | 19 + .../templates/secret-etcd-certificates.yaml | 31 + charts/calico/templates/secret-registry.yaml | 17 + .../calico/templates/service-calico-etcd.yaml | 37 ++ charts/calico/values.yaml | 595 ++++++++++++++++++ doc/source/configuration/host-system.rst | 4 +- examples/basic/HostSystem.yaml | 2 +- examples/basic/armada-resources.yaml | 12 +- examples/complete/HostSystem.yaml | 2 +- examples/complete/armada-resources.yaml | 13 +- examples/containerd/HostSystem.yaml | 2 +- examples/containerd/armada-resources.yaml | 13 +- examples/gate/HostSystem.yaml | 2 +- examples/gate/armada-resources.yaml | 13 +- tests/unit/api/test_validatedesign.py | 2 +- .../unit/builder_data/simple/HostSystem.yaml | 2 +- .../builder_data/simple/armada-resources.yaml | 13 +- .../bootstrap-armada-config.yaml | 9 +- tools/gate/default-config-env | 2 +- tools/helm_install.sh | 2 +- tools/helm_tk.sh | 4 +- tools/registry/IMAGES | 2 +- zuul.d/jobs.yaml | 4 +- 39 files changed, 2240 insertions(+), 54 deletions(-) 
create mode 100644 charts/calico/Chart.yaml
create mode 100644 charts/calico/requirements.yaml
create mode 100644 charts/calico/templates/bin/_calico-settings.sh.tpl
create mode 100644 charts/calico/templates/bin/_install-calicoctl.sh.tpl
create mode 100644 charts/calico/templates/bird/_bird.cfg.template.tpl
create mode 100644 charts/calico/templates/bird/_bird6.cfg.template.tpl
create mode 100644 charts/calico/templates/bird/_bird6_ipam.cfg.template.tpl
create mode 100644 charts/calico/templates/bird/_bird_ipam.cfg.template.tpl
create mode 100644 charts/calico/templates/configmap-bin.yaml
create mode 100644 charts/calico/templates/configmap-bird.yaml
create mode 100644 charts/calico/templates/configmap-etc.yaml
create mode 100644 charts/calico/templates/daemonset-calico-etcd.yaml
create mode 100644 charts/calico/templates/daemonset-calico-node.yaml
create mode 100644 charts/calico/templates/deployment-calico-kube-controllers.yaml
create mode 100644 charts/calico/templates/etc/_bird-tar-deposit.base64.txt
create mode 100644 charts/calico/templates/job-calico-settings.yaml
create mode 100644 charts/calico/templates/job-image-repo-sync.yaml
create mode 100644 charts/calico/templates/secret-etcd-certificates.yaml
create mode 100644 charts/calico/templates/secret-registry.yaml
create mode 100644 charts/calico/templates/service-calico-etcd.yaml
create mode 100644 charts/calico/values.yaml
diff --git a/charts/calico/Chart.yaml b/charts/calico/Chart.yaml
new file mode 100644
index 00000000..04f949ea
--- /dev/null
+++ b/charts/calico/Chart.yaml
@@ -0,0 +1,26 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+appVersion: v3.25.1
+description: OpenStack-Helm Calico
+name: calico
+version: 0.1.8
+home: https://github.com/projectcalico/calico
+icon: https://camo.githubusercontent.com/64c8b5ed6ac97553ae367348e8a59a24e2ed5bdc/687474703a2f2f646f63732e70726f6a65637463616c69636f2e6f72672f696d616765732f66656c69782e706e67
+sources:
+ - https://github.com/projectcalico/calico
+ - https://opendev.org/openstack/openstack-helm
+maintainers:
+ - name: OpenStack-Helm Authors
+...
diff --git a/charts/calico/requirements.yaml b/charts/calico/requirements.yaml
new file mode 100644
index 00000000..db0df89f
--- /dev/null
+++ b/charts/calico/requirements.yaml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+ - name: helm-toolkit
+ repository: file://../deps/helm-toolkit
+ version: ">= 0.1.0"
+...
diff --git a/charts/calico/templates/bin/_calico-settings.sh.tpl b/charts/calico/templates/bin/_calico-settings.sh.tpl
new file mode 100644
index 00000000..b30727ea
--- /dev/null
+++ b/charts/calico/templates/bin/_calico-settings.sh.tpl
@@ -0,0 +1,102 @@ +#!/bin/sh + +set -eux + + +{{/* Robustness, Calico 3.x wants things as Titlecase; this causes pain */}} +{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_IPIP" (title .Values.conf.node.CALICO_IPV4POOL_IPIP ) -}} +{{- $_ := set .Values.conf.node "CALICO_STARTUP_LOGLEVEL" (title .Values.conf.node.CALICO_STARTUP_LOGLEVEL ) -}} +{{- $_ := set .Values.conf.node "FELIX_LOGSEVERITYSCREEN" (title .Values.conf.node.FELIX_LOGSEVERITYSCREEN ) -}} + + +{{- $envAll := . }} + +{{ if empty .Values.conf.node.CALICO_IPV4POOL_CIDR }} +{{ $_ := set .Values.conf.node "CALICO_IPV4POOL_CIDR" .Values.networking.podSubnet }} +{{ end }} + +# An idempotent script for interacting with calicoctl to instantiate +# peers, and manipulate calico settings that we must perform +# post-deployment. + +CTL=/calicoctl + +# Generate configuration the way we want it to be, it doesn't matter +# if it's already set, in that case Calico will no nothing. + +# BGPConfiguration: nodeToNodeMeshEnabled & asNumber +$CTL apply -f - </host/$ETCD_KEY_FILE +$ETCD_KEY +EOF + chmod 600 /host/$ETCD_KEY_FILE +fi; + +if [ ! -z "$ETCD_CA_CERT" ]; then + DIR=$(dirname /host/$ETCD_CA_CERT_FILE) + mkdir -p $DIR + cat </host/$ETCD_CA_CERT_FILE +$ETCD_CA_CERT +EOF + chmod 600 /host/$ETCD_CA_CERT_FILE +fi; + +if [ ! -z "$ETCD_CERT" ]; then + DIR=$(dirname /host/$ETCD_CERT_FILE) + mkdir -p $DIR + cat </host/$ETCD_CERT_FILE +$ETCD_CERT +EOF + chmod 600 /host/$ETCD_CERT_FILE +fi; + +# This looks a bit funny. 
Notice that if $ETCD_ENDPOINTS and friends +# are defined in this (calico node initContainer/startup) context; +# generate a shell script to set the values on the host where thse +# variables will *not* be set +cat </host/opt/cni/bin/calicoctl +#!/bin/bash +# +# do *NOT* modify this file; this is autogenerated by the calico-node +# deployment startup process + +export ETCD_ENDPOINTS="${ETCD_ENDPOINTS}" + +[ -e "${ETCD_KEY_FILE}" ] && export ETCD_KEY_FILE="${ETCD_KEY_FILE}" +[ -e "${ETCD_CERT_FILE}" ] && export ETCD_CERT_FILE="${ETCD_CERT_FILE}" +[ -e "${ETCD_CA_CERT_FILE}" ] && export ETCD_CA_CERT_FILE="${ETCD_CA_CERT_FILE}" + +exec /opt/cni/bin/calicoctl.bin \$* +EOF + +chmod +x /host/opt/cni/bin/calicoctl diff --git a/charts/calico/templates/bird/_bird.cfg.template.tpl b/charts/calico/templates/bird/_bird.cfg.template.tpl new file mode 100644 index 00000000..b248d143 --- /dev/null +++ b/charts/calico/templates/bird/_bird.cfg.template.tpl 
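Review bot: The generated wrapper at the end of the hunk forwards arguments with `exec /opt/cni/bin/calicoctl.bin \$*`, which re-splits any argument containing whitespace once the wrapper runs on the host; it should be `exec /opt/cni/bin/calicoctl.bin "\$@"`. The three blocks that write `$ETCD_KEY`, `$ETCD_CA_CERT` and `$ETCD_CERT` create each file under the process umask and only then `chmod 600` it, so the private key is readable by other host users for that window; a `umask 077` before the writes (or `install -m 600`) removes it. If this script also runs under `set -x` as calico-settings.sh above does, the `[ ! -z "$ETCD_KEY" ]` tests expand the key material into the trace output, which lands in the container log. As rendered here the hunk runs the tail of _calico-settings.sh.tpl straight into _install-calicoctl.sh.tpl with the heredoc bodies lost, so the start of the second script and its `set` options are not visible.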
@@ -0,0 +1,128 @@ +# Generated by confd +include "bird_aggr.cfg"; +include "bird_ipam.cfg"; +{{`{{$node_ip_key := printf "/host/%s/ip_addr_v4" (getenv "NODENAME")}}{{$node_ip := getv $node_ip_key}}`}} + +# ensure we only listen to a specific ip and address +listen bgp address {{`{{$node_ip}}`}} port {{.Values.networking.bgp.ipv4.port.listen}}; + +{{`{{$router_id := getenv "CALICO_ROUTER_ID" ""}}`}} +{{`router id {{if ne "" ($router_id)}}{{$router_id}}{{else}}{{$node_ip}}{{end}};`}} + +{{`{{define "LOGGING"}}`}} +{{`{{$node_logging_key := printf "/host/%s/loglevel" (getenv "NODENAME")}}{{if exists $node_logging_key}}{{$logging := getv $node_logging_key}}`}} +{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}} +{{`{{else if exists "/global/loglevel"}}{{$logging := getv "/global/loglevel"}}`}} +{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}} +{{`{{else}} debug { states };{{end}}`}} +{{`{{end}}`}} + +# Configure synchronization between routing tables and kernel. +protocol kernel { + learn; # Learn all alien routes from the kernel + persist; # Don't remove routes on bird shutdown + scan time 2; # Scan kernel routing table every 2 seconds + import all; + export filter calico_ipip; # Default is export none + graceful restart; # Turn on graceful restart to reduce potential flaps in + # routes when reloading BIRD configuration. With a full + # automatic mesh, there is no way to prevent BGP from + # flapping since multiple nodes update their BGP + # configuration at the same time, GR is not guaranteed to + # work correctly in this scenario. +} + +# Watch interface up/down events. +protocol device { +{{` {{template "LOGGING"}}`}} + scan time 2; # Scan interfaces every 2 seconds +} + +protocol direct { +{{` {{template "LOGGING"}}`}} + interface -"cali*", "*"; # Exclude cali* but include everything else. 
+} + +{{`{{if eq "" ($node_ip)}}# IPv4 disabled on this node.`}} +{{`{{else}}{{$node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}`}} +# Template for all BGP clients +template bgp bgp_template { +{{` {{template "LOGGING"}}`}} + description "Connection to BGP peer"; +{{` local as {{if exists $node_as_key}}{{getv $node_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}} + multihop; + gateway recursive; # This should be the default, but just in case. + import all; # Import all routes, since we don't know what the upstream + # topology is and therefore have to trust the ToR/RR. + export filter calico_pools; # Only want to export routes for workloads. +{{` source address {{$node_ip}}; # The local address we use for the TCP connection`}} + add paths on; + graceful restart; # See comment in kernel section about graceful restart. +} + +# ------------- Node-to-node mesh ------------- +{{`{{- $node_cid_key := printf "/host/%s/rr_cluster_id" (getenv "NODENAME")}}`}} +{{`{{- $node_cluster_id := getv $node_cid_key}}`}} +{{`{{- if ne "" ($node_cluster_id)}}`}} +{{`# This node is configured as a route reflector with cluster ID {{$node_cluster_id}};`}} +# ignore node-to-node mesh setting. 
+{{`{{- else}}`}} +{{`{{if (json (getv "/global/node_mesh")).enabled}}`}} +{{`{{range $host := lsdir "/host"}}`}} +{{`{{$onode_as_key := printf "/host/%s/as_num" .}}`}} +{{`{{$onode_ip_key := printf "/host/%s/ip_addr_v4" .}}{{if exists $onode_ip_key}}{{$onode_ip := getv $onode_ip_key}}`}} +{{`{{$nums := split $onode_ip "."}}{{$id := join $nums "_"}}`}} +{{`# For peer {{$onode_ip_key}}`}} +{{`{{if eq $onode_ip ($node_ip) }}# Skipping ourselves ({{$node_ip}})`}} +{{`{{else if ne "" $onode_ip}}protocol bgp Mesh_{{$id}} from bgp_template {`}} +{{` neighbor {{$onode_ip}} as {{if exists $onode_as_key}}{{getv $onode_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}} + neighbor port {{.Values.networking.bgp.ipv4.port.neighbor}}; +{{`}{{end}}{{end}}{{end}}`}} +{{`{{else}}`}} +# Node-to-node mesh disabled +{{`{{end}}`}} +{{`{{- end}}`}} + + +# ------------- Global peers ------------- +{{`{{if ls "/global/peer_v4"}}`}} +{{`{{range gets "/global/peer_v4/*"}}{{$data := json .Value}}`}} +{{`{{$nums := split $data.ip "."}}{{$id := join $nums "_"}}`}} +{{`# For peer {{.Key}}`}} +{{`{{- if eq $data.ip ($node_ip) }}`}} +{{`# Skipping ourselves ({{$node_ip}})`}} +{{`{{- else}}`}} +{{`protocol bgp Global_{{$id}} from bgp_template {`}} +{{` neighbor {{$data.ip}} as {{$data.as_num}};`}} + neighbor port {{.Values.networking.bgp.ipv4.port.neighbor}}; +{{`{{- if and (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}`}} + rr client; +{{` rr cluster id {{$node_cluster_id}};`}} +{{`{{- end}}`}} +} +{{`{{- end}}`}} +{{`{{end}}`}} +{{`{{else}}# No global peers configured.{{end}}`}} + + +# ------------- Node-specific peers ------------- +{{`{{$node_peers_key := printf "/host/%s/peer_v4" (getenv "NODENAME")}}`}} +{{`{{if ls $node_peers_key}}`}} +{{`{{range gets (printf "%s/*" $node_peers_key)}}{{$data := json .Value}}`}} +{{`{{$nums := split $data.ip "."}}{{$id := join $nums "_"}}`}} +{{`# For peer {{.Key}}`}} +{{`{{- if eq $data.ip ($node_ip) }}`}} +{{`# Skipping 
ourselves ({{$node_ip}})`}} +{{`{{- else}}`}} +{{`protocol bgp Node_{{$id}} from bgp_template {`}} +{{` neighbor {{$data.ip}} as {{$data.as_num}};`}} + neighbor port {{.Values.networking.bgp.ipv4.port.neighbor}}; +{{`{{- if and (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}`}} + rr client; +{{` rr cluster id {{$node_cluster_id}};`}} +{{`{{- end}}`}} +} +{{`{{- end}}`}} +{{`{{end}}`}} +{{`{{else}}# No node-specific peers configured.{{end}}`}} +{{`{{end}}{{/* End of IPv4 enable check */}}`}} diff --git a/charts/calico/templates/bird/_bird6.cfg.template.tpl b/charts/calico/templates/bird/_bird6.cfg.template.tpl new file mode 100644 index 00000000..89d0a03b --- /dev/null +++ b/charts/calico/templates/bird/_bird6.cfg.template.tpl 
@@ -0,0 +1,131 @@ +# Generated by confd +include "bird6_aggr.cfg"; +include "bird6_ipam.cfg"; +{{`{{$node_ip_key := printf "/host/%s/ip_addr_v4" (getenv "NODENAME")}}{{$node_ip := getv $node_ip_key}}`}} +{{`{{$node_ip6_key := printf "/host/%s/ip_addr_v6" (getenv "NODENAME")}}{{$node_ip6 := getv $node_ip6_key}}`}} + +{{`{{$router_id := getenv "CALICO_ROUTER_ID" ""}}`}} +{{`router id {{if ne "" ($router_id)}}{{$router_id}}{{else}}{{$node_ip}}{{end}}; # Use IPv4 address since router id is 4 octets, even in MP-BGP`}} + +{{`{{define "LOGGING"}}`}} +{{`{{$node_logging_key := printf "/host/%s/loglevel" (getenv "NODENAME")}}{{if exists $node_logging_key}}{{$logging := getv $node_logging_key}}`}} +{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}} +{{`{{else if exists "/global/loglevel"}}{{$logging := getv "/global/loglevel"}}`}} +{{`{{if eq $logging "debug"}} debug all;{{else if ne $logging "none"}} debug { states };{{end}}`}} +{{`{{else}} debug { states };{{end}}`}} +{{`{{end}}`}} + +# Configure synchronization between routing tables and kernel. +protocol kernel { + learn; # Learn all alien routes from the kernel + persist; # Don't remove routes on bird shutdown + scan time 2; # Scan kernel routing table every 2 seconds + import all; + export all; # Default is export none + graceful restart; # Turn on graceful restart to reduce potential flaps in + # routes when reloading BIRD configuration. With a full + # automatic mesh, there is no way to prevent BGP from + # flapping since multiple nodes update their BGP + # configuration at the same time, GR is not guaranteed to + # work correctly in this scenario. +} + +# Watch interface up/down events. +protocol device { +{{` {{template "LOGGING"}}`}} + scan time 2; # Scan interfaces every 2 seconds +} + +protocol direct { +{{` {{template "LOGGING"}}`}} + interface -"cali*", "*"; # Exclude cali* but include everything else. 
+} + +{{`{{if eq "" ($node_ip6)}}# IPv6 disabled on this node.`}} +{{`{{else}}{{$node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}`}} + +# ensure we only listen to a specific ip and address +listen bgp address {{`{{$node_ip6}}`}} port {{.Values.networking.bgp.ipv6.port.listen}}; + +# Template for all BGP clients +template bgp bgp_template { +{{` {{template "LOGGING"}}`}} + description "Connection to BGP peer"; +{{` local as {{if exists $node_as_key}}{{getv $node_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}} + multihop; + gateway recursive; # This should be the default, but just in case. + import all; # Import all routes, since we don't know what the upstream + # topology is and therefore have to trust the ToR/RR. + export filter calico_pools; # Only want to export routes for workloads. +{{` source address {{$node_ip6}}; # The local address we use for the TCP connection`}} + add paths on; + graceful restart; # See comment in kernel section about graceful restart. +} + +# ------------- Node-to-node mesh ------------- +{{`{{- $node_cid_key := printf "/host/%s/rr_cluster_id" (getenv "NODENAME")}}`}} +{{`{{- $node_cluster_id := getv $node_cid_key}}`}} +{{`{{- if ne "" ($node_cluster_id)}}`}} +{{`# This node is configured as a route reflector with cluster ID {{$node_cluster_id}};`}} +# ignore node-to-node mesh setting. 
+{{`{{- else}}`}} +{{`{{if (json (getv "/global/node_mesh")).enabled}}`}} +{{`{{range $host := lsdir "/host"}}`}} +{{`{{$onode_as_key := printf "/host/%s/as_num" .}}`}} +{{`{{$onode_ip_key := printf "/host/%s/ip_addr_v6" .}}{{if exists $onode_ip_key}}{{$onode_ip := getv $onode_ip_key}}`}} +{{`{{$nums := split $onode_ip ":"}}{{$id := join $nums "_"}}`}} +{{`# For peer {{$onode_ip_key}}`}} +{{`{{if eq $onode_ip ($node_ip6) }}# Skipping ourselves ({{$node_ip6}})`}} +{{`{{else if eq "" $onode_ip}}# No IPv6 address configured for this node`}} +{{`{{else}}protocol bgp Mesh_{{$id}} from bgp_template {`}} +{{` neighbor {{$onode_ip}} as {{if exists $onode_as_key}}{{getv $onode_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};`}} + neighbor port {{.Values.networking.bgp.ipv6.port.neighbor}}; +{{`}{{end}}{{end}}{{end}}`}} +{{`{{else}}`}} +# Node-to-node mesh disabled +{{`{{end}}`}} +{{`{{- end}}`}} + + +# ------------- Global peers ------------- +{{`{{if ls "/global/peer_v6"}}`}} +{{`{{range gets "/global/peer_v6/*"}}{{$data := json .Value}}`}} +{{`{{$nums := split $data.ip ":"}}{{$id := join $nums "_"}}`}} +{{`# For peer {{.Key}}`}} +{{`{{- if eq $data.ip ($node_ip6) }}`}} +{{`# Skipping ourselves ({{$node_ip6}})`}} +{{`{{- else}}`}} +{{`protocol bgp Global_{{$id}} from bgp_template {`}} +{{` neighbor {{$data.ip}} as {{$data.as_num}};`}} + neighbor port {{.Values.networking.bgp.ipv6.port.neighbor}}; +{{`{{- if and (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}`}} + rr client; +{{` rr cluster id {{$node_cluster_id}};`}} +{{`{{- end}}`}} +} +{{`{{- end}}`}} +{{`{{end}}`}} +{{`{{else}}# No global peers configured.{{end}}`}} + + +# ------------- Node-specific peers ------------- +{{`{{$node_peers_key := printf "/host/%s/peer_v6" (getenv "NODENAME")}}`}} +{{`{{if ls $node_peers_key}}`}} +{{`{{range gets (printf "%s/*" $node_peers_key)}}{{$data := json .Value}}`}} +{{`{{$nums := split $data.ip ":"}}{{$id := join $nums "_"}}`}} +{{`# For peer {{.Key}}`}} 
+{{`{{- if eq $data.ip ($node_ip6) }}`}} +{{`# Skipping ourselves ({{$node_ip6}})`}} +{{`{{- else}}`}} +{{`protocol bgp Node_{{$id}} from bgp_template {`}} +{{` neighbor {{$data.ip}} as {{$data.as_num}};`}} + neighbor port {{.Values.networking.bgp.ipv6.port.neighbor}}; +{{`{{- if and (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}`}} + rr client; +{{` rr cluster id {{$node_cluster_id}};`}} +{{`{{- end}}`}} +} +{{`{{- end}}`}} +{{`{{end}}`}} +{{`{{else}}# No node-specific peers configured.{{end}}`}} +{{`{{end}}`}} diff --git a/charts/calico/templates/bird/_bird6_ipam.cfg.template.tpl b/charts/calico/templates/bird/_bird6_ipam.cfg.template.tpl new file mode 100644 index 00000000..a73a16ac --- /dev/null +++ b/charts/calico/templates/bird/_bird6_ipam.cfg.template.tpl @@ -0,0 +1,36 @@ +# Generated by confd + +function osh_filters () +{ + # support any addresses matching our secondary announcements +{{- range .Values.networking.bgp.ipv6.additional_cidrs }} + if ( net ~ {{ . }} ) then { accept; } +{{- end }} +} + +function apply_communities () +{ + # Set community value based on dictionary of cidrs +{{- $asnum := .Values.networking.bgp.asnumber }} +{{- range .Values.networking.bgp.ipv6.community_cidr_ref }} + {{- $community := .community }} + {{- $cidr := .cidr }} + {{- with .prefix }} + if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ . }}, {{ $community }})); } + {{- else }} + if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ $asnum }}, {{ $community }})); } + {{- end }} +{{- end }} +} + +filter calico_pools { + apply_communities(); + calico_aggr(); + osh_filters(); +{{`{{range ls "/pool"}}{{$data := json (getv (printf "/pool/%s" .))}}`}} +{{` if ( net ~ {{$data.cidr}} ) then {`}} + accept; + } +{{`{{end}}`}} + reject; +} diff --git a/charts/calico/templates/bird/_bird_ipam.cfg.template.tpl b/charts/calico/templates/bird/_bird_ipam.cfg.template.tpl new file mode 100644 index 00000000..29008569 --- /dev/null 
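Review bot: `filter calico_pools` in _bird6_ipam.cfg.template.tpl enumerates pools with `ls "/pool"` and `getv (printf "/pool/%s" .)`, while the IPv4 sibling in _bird_ipam.cfg.template.tpl (the next hunk) walks `/v1/ipam/v4/pool` for the same purpose; confd paths this different for v4 and v6 suggest one of them is stale. If the v6 prefix is wrong the range renders nothing and every IPv6 pool route falls through to `reject;`, silently dropping v6 workload advertisement instead of failing loudly. Please confirm both prefixes against the confd templates shipped in the pinned calico-node image and add a comment above each range naming the datastore layout it expects.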
+++ b/charts/calico/templates/bird/_bird_ipam.cfg.template.tpl 
@@ -0,0 +1,60 @@ +# Generated by confd + +function osh_filters () +{ + # support any addresses matching our secondary announcements +{{- range .Values.networking.bgp.ipv4.additional_cidrs }} + if ( net ~ {{ . }} ) then { accept; } +{{- end }} +} + +function apply_communities () +{ + # Set community value based on dictionary of cidrs +{{- $asnum := .Values.networking.bgp.asnumber }} +{{- range .Values.networking.bgp.ipv4.community_cidr_ref }} + {{- $community := .community }} + {{- $cidr := .cidr }} + {{- with .prefix }} + if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ . }}, {{ $community }})); } + {{- else }} + if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ $asnum }}, {{ $community }})); } + {{- end }} +{{- end }} +} + +filter calico_pools { + apply_communities(); + calico_aggr(); + osh_filters(); +{{`{{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}`}} +{{` if ( net ~ {{$data.cidr}} ) then {`}} + accept; + } +{{`{{end}}`}} + reject; +} + +{{`{{$network_key := printf "/bgp/v1/host/%s/network_v4" (getenv "NODENAME")}}{{if exists $network_key}}{{$network := getv $network_key}}`}} +filter calico_ipip { +{{`{{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}`}} +{{` if ( net ~ {{$data.cidr}} ) then {`}} +{{`{{if $data.ipip_mode}}{{if eq $data.ipip_mode "cross-subnet"}}`}} +{{` if defined(bgp_next_hop) && ( bgp_next_hop ~ {{$network}} ) then`}} +{{` krt_tunnel = ""; {{/* Destination in ipPool, mode is cross sub-net, route from-host on subnet, do not use IPIP */}}`}} + else +{{` krt_tunnel = "{{$data.ipip}}"; {{/* Destination in ipPool, mode is cross sub-net, route from-host off subnet, set the tunnel (if IPIP not enabled, value will be "") */}}`}} + accept; +{{` } {{else}}`}} +{{` krt_tunnel = "{{$data.ipip}}"; {{/* Destination in ipPool, mode not cross sub-net, set the tunnel (if IPIP not enabled, value will be "") */}}`}} + accept; +{{` } {{end}} {{else}}`}} +{{` krt_tunnel = 
"{{$data.ipip}}"; {{/* Destination in ipPool, mode field is not present, set the tunnel (if IPIP not enabled, value will be "") */}}`}} + accept; +{{` } {{end}}`}} +{{`{{end}}`}} +{{` accept; {{/* Destination is not in any ipPool, accept */}}`}} +} +{{`{{else}}`}} +filter calico_ipip { accept; } +{{`{{end}}{{/* End of 'exists $network_key' */}}`}} diff --git a/charts/calico/templates/configmap-bin.yaml b/charts/calico/templates/configmap-bin.yaml new file mode 100644 index 00000000..39e9237c --- /dev/null +++ b/charts/calico/templates/configmap-bin.yaml @@ -0,0 +1,29 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_bin }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: calico-bin +data: + image-repo-sync.sh: | +{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }} + install-calicoctl.sh: | +{{ tuple "bin/_install-calicoctl.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + calico-settings.sh: | +{{ tuple "bin/_calico-settings.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- end }} diff --git a/charts/calico/templates/configmap-bird.yaml b/charts/calico/templates/configmap-bird.yaml new file mode 100644 index 00000000..f5284a71 --- /dev/null +++ b/charts/calico/templates/configmap-bird.yaml 
@@ -0,0 +1,34 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_bird }} +{{- $envAll := . }} + +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: calico-bird +data: + # we overlay templates found natively in the calico-node container + # so that we may override bgp configuration + bird.cfg.template: | +{{ tuple "bird/_bird.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + bird_ipam.cfg.template: | +{{ tuple "bird/_bird_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + bird6.cfg.template: | +{{ tuple "bird/_bird6.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + bird6_ipam.cfg.template: | +{{ tuple "bird/_bird6_ipam.cfg.template.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- end }} diff --git a/charts/calico/templates/configmap-etc.yaml b/charts/calico/templates/configmap-etc.yaml new file mode 100644 index 00000000..6e32b1a8 --- /dev/null +++ b/charts/calico/templates/configmap-etc.yaml 
@@ -0,0 +1,32 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_etc }} +{{- $envAll := . }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: calico-etc +data: + # The location of your etcd cluster. This uses the Service clusterIP + # defined below. + etcd_endpoints: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} + + # The CNI network configuration to install on each node, generated + # from (Values.)conf.cni_network_config + cni_network_config: |- +{{ toJson $envAll.Values.conf.cni_network_config | indent 4 }} + +{{- end }} diff --git a/charts/calico/templates/daemonset-calico-etcd.yaml b/charts/calico/templates/daemonset-calico-etcd.yaml new file mode 100644 index 00000000..bbd87988 --- /dev/null +++ b/charts/calico/templates/daemonset-calico-etcd.yaml 
@@ -0,0 +1,133 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.daemonset_calico_etcd }} +{{- $envAll := . }} + +{{- $serviceAccountName := "calico-etcd" }} +{{ tuple $envAll "calico-etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} + +--- +# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet +# to force it to run on the master even when the master isn't schedulable, and uses +# nodeSelector to ensure it only runs on the master. +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: calico-etcd + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} + labels: + k8s-app: calico-etcd +{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + selector: + matchLabels: + k8s-app: calico-etcd +{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} + template: + metadata: + labels: + k8s-app: calico-etcd +{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . 
| include "helm-toolkit.utils.hash" }} + spec: +{{ dict "envAll" $envAll "application" "etcd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} + priorityClassName: system-cluster-critical + tolerations: + # This taint is set by all kubelets running `--cloud-provider=external` + # so we should tolerate it to schedule the Calico pods + - key: node.cloudprovider.kubernetes.io/uninitialized + value: "true" + effect: NoSchedule + # Allow this pod to run on the master/control-plane. + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. + # This, along with the annotation above marks this pod as a critical add-on. + - key: CriticalAddonsOnly + operator: Exists + # Only run this pod on the master. + nodeSelector: + node-role.kubernetes.io/master: "" + hostNetwork: true + initContainers: +{{ tuple $envAll "etcd" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: calico-etcd +{{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.calico_etcd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "etcd" "container" "calico_etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + env: + - name: CALICO_ETCD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: + - /usr/local/bin/etcd + args: + - --name=calico + - --data-dir=/var/etcd/calico-data +{{ if eq .Values.endpoints.etcd.scheme.default "https" }} + - --client-cert-auth=True + - --peer-client-cert-auth=True + - --trusted-ca-file=/etc/calico-certs/ca.crt + - --cert-file=/etc/calico-certs/server.crt + - --key-file=/etc/calico-certs/server.key + - 
--peer-trusted-ca-file=/etc/calico-certs/ca.crt + - --peer-cert-file=/etc/calico-certs/server.crt + - --peer-key-file=/etc/calico-certs/server.key +{{ end }} + - --advertise-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} + - --listen-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + - --listen-peer-urls={{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + - --auto-compaction-retention=1 + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: var-etcd + mountPath: /var/etcd +{{ if .Values.conf.etcd.credentials.ca }} + - name: calico-etcd-secrets + mountPath: /etc/calico-certs/ca.crt + subPath: etcd.ca + readOnly: true +{{ end }} +{{ if .Values.conf.etcd.credentials.certificate }} + - name: calico-etcd-secrets + mountPath: /etc/calico-certs/server.crt + subPath: etcd.crt + readOnly: true +{{ end }} +{{ if .Values.conf.etcd.credentials.key }} + - name: calico-etcd-secrets + mountPath: /etc/calico-certs/server.key + subPath: etcd.key + readOnly: true +{{ end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: var-etcd + hostPath: + path: /var/etcd + - name: calico-etcd-secrets + secret: + secretName: calico-etcd-secrets +{{- end }} diff --git a/charts/calico/templates/daemonset-calico-node.yaml b/charts/calico/templates/daemonset-calico-node.yaml new file mode 100644 index 00000000..0fee65e8 --- /dev/null +++ b/charts/calico/templates/daemonset-calico-node.yaml 
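Review bot: In daemonset-calico-etcd.yaml the `--client-cert-auth=True` and certificate args are gated on `.Values.endpoints.etcd.scheme.default` being `https`, but the matching volumeMounts are gated separately on `.Values.conf.etcd.credentials.ca`, `.certificate` and `.key`, so the two can disagree: https with empty credentials starts etcd pointing at files that were never mounted, and http with credentials set leaves the datastore reachable with no authentication at all. Because the pod runs with `hostNetwork: true` and `--listen-client-urls` binds `0.0.0.0`, the plain-http case exposes the Calico datastore on every interface of the master; deriving one flag for both blocks and calling `fail` when https is selected without all three credentials makes the safe configuration the only one that renders. Separately, `nodeSelector: node-role.kubernetes.io/master: ""` is the only placement rule while the tolerations already cover `node-role.kubernetes.io/control-plane`; on clusters whose control-plane nodes carry only the `control-plane` label this DaemonSet schedules nowhere, so the selector likely needs a matching alternative.
```yaml
{{- $envAll := . }}
{{- $etcdTLS := eq .Values.endpoints.etcd.scheme.default "https" }}
{{- $etcdCreds := .Values.conf.etcd.credentials }}
{{- if and $etcdTLS (not (and $etcdCreds.ca $etcdCreds.certificate $etcdCreds.key)) }}
{{- fail "endpoints.etcd.scheme.default is https but conf.etcd.credentials ca/certificate/key are not all set" }}
{{- end }}
# … unchanged: serviceaccount, DaemonSet metadata, tolerations, container spec …
{{ if $etcdTLS }}
          - --client-cert-auth=True
# … unchanged: remaining TLS args, each mount block now guarded by the same `{{ if $etcdTLS }}` …
{{ end }}
```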
@@ -0,0 +1,414 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.daemonset_calico_node }} +{{- $envAll := . }} + + +{{/* Robustness, Calico 3.x wants things as Titlecase; this causes pain */}} +{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_IPIP" (title .Values.conf.node.CALICO_IPV4POOL_IPIP ) -}} +{{- $_ := set .Values.conf.node "CALICO_STARTUP_LOGLEVEL" (title .Values.conf.node.CALICO_STARTUP_LOGLEVEL ) -}} +{{- $_ := set .Values.conf.node "FELIX_LOGSEVERITYSCREEN" (title .Values.conf.node.FELIX_LOGSEVERITYSCREEN ) -}} + + +{{/* If using tunnels, and FELIX_IPINIPMTU is not set, make it 20 less than the physical to account for IPIP overhead */}} +{{- if empty .Values.conf.node.FELIX_IPINIPMTU -}} +{{- if ne .Values.conf.node.CALICO_IPV4POOL_IPIP "Never" -}} +{{- $_ := set .Values.conf.node "FELIX_IPINIPMTU" (sub .Values.networking.mtu 20) -}} +# Setting tunnel MTU to {{ .Values.conf.node.FELIX_IPINIPMTU }} +{{- end -}} +{{- end -}} + + +{{/* CNI_MTU is >= than the IPIP mtu, usually the physical MTU of the system */}} +{{- if empty .Values.conf.node.CNI_MTU -}} +{{- $_ := set .Values.conf.node "CNI_MTU" .Values.networking.mtu -}} +{{- end -}} + + +{{- if empty .Values.conf.node.CALICO_IPV4POOL_CIDR -}} +{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_CIDR" .Values.networking.podSubnet -}} +{{- end -}} + + + +{{- $serviceAccountName := "calico-node" }} +{{ tuple $envAll "calico_node" $serviceAccountName | include 
"helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-node +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-node +subjects: +- kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get"] +--- +# This manifest installs the calico/node container, as well +# as the Calico CNI plugins and network config on +# each master and worker node in a Kubernetes cluster. +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: calico-node + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} + labels: + k8s-app: calico-node +{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + selector: + matchLabels: + k8s-app: calico-node +{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + k8s-app: calico-node +{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-bird-hash: {{ tuple "configmap-bird.yaml" . 
| include "helm-toolkit.utils.hash" }} +{{ dict "envAll" $envAll "podName" "calico-node" "containerNames" (list "calico-node") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} +{{- if .Values.monitoring.prometheus.enabled }} +{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }} +{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }} +{{- end }} + spec: +{{ dict "envAll" $envAll "application" "calico_node" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + nodeSelector: + beta.kubernetes.io/os: linux + hostNetwork: true + priorityClassName: system-cluster-critical + tolerations: + # Make sure calico-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + - key: node.kubernetes.io/not-ready + effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + serviceAccountName: {{ $serviceAccountName }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. 
+ terminationGracePeriodSeconds: 0 + + initContainers: +{{ tuple $envAll "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ if .Values.manifests.daemonset_calico_node_calicoctl }} + - name: install-calicoctl +{{ tuple $envAll "calico_ctl" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.calico_ctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_ctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/install-calicoctl.sh + env: + - name: ETCD_ENDPOINTS + valueFrom: + configMapKeyRef: + name: calico-etc + key: etcd_endpoints +{{ if .Values.endpoints.etcd.auth.client.tls.ca }} + - name: ETCD_CA_CERT_FILE + value: {{ .Values.endpoints.etcd.auth.client.path.ca }} + - name: ETCD_CA_CERT + valueFrom: + secretKeyRef: + name: calico-etcd-secrets + key: tls.ca +{{ end }} +{{ if .Values.endpoints.etcd.auth.client.tls.key }} + - name: ETCD_KEY_FILE + value: {{ .Values.endpoints.etcd.auth.client.path.key }} + - name: ETCD_KEY + valueFrom: + secretKeyRef: + name: calico-etcd-secrets + key: tls.key +{{ end }} +{{ if .Values.endpoints.etcd.auth.client.tls.crt }} + - name: ETCD_CERT_FILE + value: {{ .Values.endpoints.etcd.auth.client.path.crt }} + - name: ETCD_CERT + valueFrom: + secretKeyRef: + name: calico-etcd-secrets + key: tls.crt +{{ end }} + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - mountPath: /host/etc/calico + name: calico-cert-dir + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /tmp/install-calicoctl.sh + name: calico-bin + subPath: install-calicoctl.sh + - name: calico-etcd-secrets + mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} + subPath: tls.ca + readOnly: true + - name: calico-etcd-secrets + mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} + subPath: 
tls.crt + readOnly: true + - name: calico-etcd-secrets + mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} + subPath: tls.key + readOnly: true +{{ end }} + # This container installs the Calico CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{ tuple $envAll "calico_cni" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ dict "envAll" $envAll "application" "calico_node" "container" "install_cni" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: ["/install-cni.sh"] + env: + # Prevents the container from sleeping forever. + - name: SLEEP + value: "false" + # Name of the CNI config file to create. + # + # NOTE: Calico v3 needs to end in .conflist; Calico v2 is + # different! + - name: CNI_CONF_NAME + value: "10-calico.conflist" + # The location of the Calico etcd cluster. + - name: ETCD_ENDPOINTS + valueFrom: + configMapKeyRef: + name: calico-etc + key: etcd_endpoints + # The CNI network config to install on each node. + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + name: calico-etc + key: cni_network_config + + + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: cni-bin-dir + mountPath: /host/opt/cni/bin + - name: cni-net-dir + mountPath: /host/etc/cni/net.d +{{ if .Values.conf.etcd.credentials.ca }} + - name: calico-etcd-secrets + mountPath: /calico-secrets/etcd-ca + subPath: etcd.ca + readOnly: true +{{ end }} +{{ if .Values.conf.etcd.credentials.certificate }} + - name: calico-etcd-secrets + mountPath: /calico-secrets/etcd-cert + subPath: etcd.crt + readOnly: true +{{ end }} +{{ if .Values.conf.etcd.credentials.key }} + - name: calico-etcd-secrets + mountPath: /calico-secrets/etcd-key + subPath: etcd.key + readOnly: true +{{ end }} + volumes: + - name: pod-tmp + emptyDir: {} + # Used by calico/node. 
+ - name: lib-modules + hostPath: + path: /lib/modules + - name: var-run-calico + hostPath: + path: /var/run/calico + - name: var-lib-calico + hostPath: + path: /var/lib/calico + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: /opt/cni/bin + - name: cni-net-dir + hostPath: + path: /etc/cni/net.d + - name: calico-cert-dir + hostPath: + path: /etc/calico + - name: calico-etc + configMap: + name: calico-etc + defaultMode: 0444 + - name: calico-bird + configMap: + name: calico-bird + defaultMode: 0444 + - name: calico-bin + configMap: + name: calico-bin + defaultMode: 0555 + - name: calico-etcd-secrets + secret: + secretName: calico-etcd-secrets + + + + + + containers: + # Runs calico/node container on each Kubernetes node. This + # container programs network policy and routes on each + # host. + - name: calico-node +{{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_node" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + env: + # Values expanded explicitly from conf.node (some of which + # might be derived from elsewhere, see values.yaml for an + # explanation of this) + # +{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.node | indent 12 }} + + # Values explicit in the chart not expected to be found in + # conf.node + # + + # The location of the Calico etcd cluster. 
+ - name: ETCD_ENDPOINTS + valueFrom: + configMapKeyRef: + name: calico-etc + key: etcd_endpoints + + # etcd certs +{{ if .Values.endpoints.etcd.auth.client.tls.ca }} + - name: ETCD_CA_CERT_FILE + value: {{ .Values.endpoints.etcd.auth.client.path.ca }} +{{ end }} +{{ if .Values.endpoints.etcd.auth.client.tls.key }} + - name: ETCD_KEY_FILE + value: {{ .Values.endpoints.etcd.auth.client.path.key }} +{{ end }} +{{ if .Values.endpoints.etcd.auth.client.tls.crt }} + - name: ETCD_CERT_FILE + value: {{ .Values.endpoints.etcd.auth.client.path.crt }} +{{ end }} + + # Set noderef for node controller. + - name: CALICO_K8S_NODE_REF + valueFrom: + fieldRef: + fieldPath: spec.nodeName + + livenessProbe: + httpGet: + path: /liveness + port: 9099 + host: localhost + periodSeconds: 10 + initialDelaySeconds: 10 + failureThreshold: 6 + + # Only for Calico v3 + readinessProbe: + exec: + command: + - /bin/calico-node + - -bird-ready + - -felix-ready + periodSeconds: 10 + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + readOnly: false + - mountPath: /var/run/calico + name: var-run-calico + readOnly: false + + # bird template replacements + # bird cfg + - mountPath: /etc/calico/confd/templates/bird.cfg.template + name: calico-bird + subPath: bird.cfg.template + # bird ipam + - mountPath: /etc/calico/confd/templates/bird_ipam.cfg.template + name: calico-bird + subPath: bird_ipam.cfg.template + # bird6 cfg + - mountPath: /etc/calico/confd/templates/bird6.cfg.template + name: calico-bird + subPath: bird6.cfg.template + # bird6 ipam + - mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template + name: calico-bird + subPath: bird6_ipam.cfg.template + # etcd secrets + - mountPath: /var/lib/calico + name: var-lib-calico + readOnly: false + - name: calico-etcd-secrets + mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} + subPath: tls.ca + readOnly: true + - 
name: calico-etcd-secrets + mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} + subPath: tls.crt + readOnly: true + - name: calico-etcd-secrets + mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} + subPath: tls.key + readOnly: true + +{{- end }} diff --git a/charts/calico/templates/deployment-calico-kube-controllers.yaml b/charts/calico/templates/deployment-calico-kube-controllers.yaml new file mode 100644 index 00000000..13313522 --- /dev/null +++ b/charts/calico/templates/deployment-calico-kube-controllers.yaml 
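Review bot: The `calico-etcd-secrets` volume at the bottom of the calico-node pod spec has no `defaultMode`, so the mounted etcd client key is materialised at the default 0644, whereas deployment-calico-kube-controllers.yaml in the same change mounts the identical secret with `defaultMode: 0400`; add `defaultMode: 0400` under that `secret:` stanza. The install-calicoctl init container additionally receives the private key a second time as the `ETCD_KEY` environment variable (secretKeyRef `tls.key`) even though the same material is already mounted at the path given by `ETCD_KEY_FILE`; if `install-calicoctl.sh` (not visible here) can work from the file paths, the `ETCD_CA_CERT`/`ETCD_CERT`/`ETCD_KEY` env entries should be dropped so the key does not also sit in the process environment. Note too that the install-cni init container mounts the etcd *server* credentials (`etcd.ca`/`etcd.crt`/`etcd.key`) under `/calico-secrets/`, while every other consumer in this hunk uses the client credentials (`tls.*`) — worth confirming against `cni_network_config` that the CNI plugin is really meant to present the etcd server certificate as its client identity, and otherwise switching those three mounts to the `tls.*` keys.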
@@ -0,0 +1,181 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.deployment_calico_kube_controllers }} +{{- $envAll := . }} + +{{- $serviceAccountName := "calico-kube-controllers" }} +{{ tuple $envAll "calico_kube_controllers" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $serviceAccountName }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ $serviceAccountName }} +subjects: +- kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - "" + - extensions + resources: + - pods + - namespaces + - networkpolicies + - nodes + - serviceaccounts + verbs: + - watch + - list + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - watch + - list +--- + +# This manifest deploys the Calico Kubernetes controllers. 
+# See https://github.com/projectcalico/kube-controllers +apiVersion: apps/v1 +kind: Deployment +metadata: + name: calico-kube-controllers + namespace: {{ .Release.Namespace }} + labels: + k8s-app: calico-kube-controllers +{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} +spec: + priorityClassName: system-cluster-critical + # The controllers can only have a single active instance. + replicas: 1 + selector: + matchLabels: + k8s-app: calico-kube-controllers +{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} +{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }} + template: + metadata: + name: calico-kube-controllers + labels: + k8s-app: calico-kube-controllers +{{ tuple $envAll "calico" "kube-controllers" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + spec: +{{ dict "envAll" $envAll "application" "kube_controllers" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + nodeSelector: + beta.kubernetes.io/os: linux + # The controllers must run in the host network namespace so that + # it isn't governed by policy that would prevent it from working. + hostNetwork: true + tolerations: + # Mark the pod as a critical add-on for rescheduling. 
+ - key: node.cloudprovider.kubernetes.io/uninitialized + value: "true" + effect: NoSchedule + + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + - key: node.kubernetes.io/not-ready + operator: Exists + effect: NoSchedule + serviceAccountName: {{ $serviceAccountName }} + initContainers: +{{ tuple $envAll "calico_kube_controllers" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: calico-kube-controllers +{{ tuple $envAll "calico_kube_controllers" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.calico_kube_controllers | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "kube_controllers" "container" "kube_controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + env: + # The location of the Calico etcd cluster. 
+ - name: ETCD_ENDPOINTS + valueFrom: + configMapKeyRef: + name: calico-etc + key: etcd_endpoints + + # conf.controllers expanded values +{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.controllers | indent 12 }} + +{{ if .Values.endpoints.etcd.auth.client.tls.ca }} + # etcd tls files + - name: ETCD_CA_CERT_FILE + value: {{ .Values.endpoints.etcd.auth.client.path.ca }} +{{ end }} +{{ if .Values.endpoints.etcd.auth.client.tls.key }} + - name: ETCD_KEY_FILE + value: {{ .Values.endpoints.etcd.auth.client.path.key }} +{{ end }} +{{ if .Values.endpoints.etcd.auth.client.tls.crt }} + - name: ETCD_CERT_FILE + value: {{ .Values.endpoints.etcd.auth.client.path.crt }} +{{ end }} + + # etcd tls mounts + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: calico-etcd-secrets + mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} + subPath: tls.ca + readOnly: true + - name: calico-etcd-secrets + mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} + subPath: tls.crt + readOnly: true + - name: calico-etcd-secrets + mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} + subPath: tls.key + readOnly: true + + # Calico v3 only + readinessProbe: + exec: + command: + - /usr/bin/check-status + - -r + livenessProbe: + exec: + command: + - /usr/bin/check-status + - -r + volumes: + - name: pod-tmp + emptyDir: {} + - name: calico-etcd-secrets + secret: + secretName: calico-etcd-secrets + defaultMode: 0400 +{{- end }} diff --git a/charts/calico/templates/etc/_bird-tar-deposit.base64.txt b/charts/calico/templates/etc/_bird-tar-deposit.base64.txt new file mode 100644 index 00000000..ae52c23f --- /dev/null +++ b/charts/calico/templates/etc/_bird-tar-deposit.base64.txt @@ -0,0 +1,2 @@ +H4sIAJLrq1sCA+3IOwqFMABE0SwlS4jGxPVYvFIQP4W7N1ja+0A4p7nD/OZlP8O7UlOH4W7z7L27 +nEs/1lL62v4x5S7EFP7g2PZpjTEAAAAAAAAAAADAh1zOUd8NACgAAA== 
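Review bot: `priorityClassName: system-cluster-critical` is placed directly under `Deployment.spec`, next to `replicas`, but it is a PodSpec field; Helm's manifest validation (or the API server's strict field validation) rejects the unknown field, and if validation is disabled it is silently pruned, so the controller never gets critical priority. Move it into `spec.template.spec`, e.g. directly after `hostNetwork: true`: `priorityClassName: system-cluster-critical`. Separately, the liveness probe runs `/usr/bin/check-status -r`, the same flag the readiness probe uses; upstream Calico uses `-l` for liveness, and with `-r` a controller that is merely not ready (e.g. etcd unreachable at startup) is restarted in a loop instead of being reported unready — suggest `- -l` in the livenessProbe command, assuming the pinned image supports it.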
diff --git a/charts/calico/templates/job-calico-settings.yaml b/charts/calico/templates/job-calico-settings.yaml new file mode 100644 index 00000000..90750414 --- /dev/null +++ b/charts/calico/templates/job-calico-settings.yaml 
@@ -0,0 +1,109 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.job_calico_settings }} +{{- $envAll := . }} + +{{- $serviceAccountName := "calico-settings" }} +{{ tuple $envAll "calico_settings" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: calico-settings + labels: +{{ tuple $envAll "calico" "calico_settings" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} +spec: + template: + metadata: + annotations: + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + labels: +{{ tuple $envAll "calico" "calico_settings" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + spec: +{{ dict "envAll" $envAll "application" "calico_settings" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + hostNetwork: true + priorityClassName: system-cluster-critical + tolerations: + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + - key: node.kubernetes.io/not-ready + operator: Exists + effect: NoSchedule + # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. 
+ # This, along with the annotation above marks this pod as a critical add-on. + - key: CriticalAddonsOnly + operator: Exists + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + initContainers: +{{ tuple $envAll "calico_settings" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: calico-settings +{{ tuple $envAll "calico_settings" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.calico_settings | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "calico_settings" "container" "calico_settings" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + env: + - name: ETCD_ENDPOINTS + valueFrom: + configMapKeyRef: + name: calico-etc + key: etcd_endpoints +{{ if .Values.endpoints.etcd.auth.client.tls.ca }} + - name: ETCD_CA_CERT_FILE + value: {{ .Values.endpoints.etcd.auth.client.path.ca }} +{{ end }} +{{ if .Values.endpoints.etcd.auth.client.tls.key }} + - name: ETCD_KEY_FILE + value: {{ .Values.endpoints.etcd.auth.client.path.key }} +{{ end }} +{{ if .Values.endpoints.etcd.auth.client.tls.crt }} + - name: ETCD_CERT_FILE + value: {{ .Values.endpoints.etcd.auth.client.path.crt }} +{{ end }} + command: + - /tmp/calico-settings.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: calico-bin + mountPath: /tmp/calico-settings.sh + subPath: calico-settings.sh + readOnly: true + - name: calico-etcd-secrets + mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} + subPath: tls.ca + readOnly: true + - name: calico-etcd-secrets + mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} + subPath: tls.crt + readOnly: true + - name: calico-etcd-secrets + mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} + subPath: tls.key + readOnly: true + volumes: + - name: pod-tmp + emptyDir: {} + - name: calico-bin + configMap: + name: 
calico-bin + defaultMode: 0555 + - name: calico-etcd-secrets + secret: + secretName: calico-etcd-secrets +{{- end }} diff --git a/charts/calico/templates/job-image-repo-sync.yaml b/charts/calico/templates/job-image-repo-sync.yaml new file mode 100644 index 00000000..89b755f7 --- /dev/null +++ b/charts/calico/templates/job-image-repo-sync.yaml @@ -0,0 +1,19 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }} + +{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "calico" -}} +{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }} +{{- end }} diff --git a/charts/calico/templates/secret-etcd-certificates.yaml b/charts/calico/templates/secret-etcd-certificates.yaml new file mode 100644 index 00000000..db7b2697 --- /dev/null +++ b/charts/calico/templates/secret-etcd-certificates.yaml 
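Review bot: The tolerations for this job cover `node-role.kubernetes.io/control-plane` but not `node-role.kubernetes.io/master`, while daemonset-calico-etcd.yaml and deployment-calico-kube-controllers.yaml in the same change tolerate both; on a cluster that still applies the older `master` taint to every eligible node the job stays Pending and the chart never converges. Add `- key: node-role.kubernetes.io/master` with `effect: NoSchedule` alongside the control-plane entry. The `calico-etcd-secrets` volume here also lacks the `defaultMode: 0400` that kube-controllers sets for the same secret; add it under the `secret:` stanza. Finally the pod runs with `hostNetwork: true` and the Job has no `backoffLimit`/`ttlSecondsAfterFinished`; a one-line comment such as `# hostNetwork: the job must reach the fixed etcd ClusterIP before pod networking exists` would record why host networking is required (that is my reading, not stated in the hunk).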
@@ -0,0 +1,31 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_certificates }} +{{- $envAll := . }} +--- + +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: calico-etcd-secrets +data: + tls.ca: {{ .Values.endpoints.etcd.auth.client.tls.ca | default "" | b64enc }} + tls.key: {{ .Values.endpoints.etcd.auth.client.tls.key | default "" | b64enc }} + tls.crt: {{ .Values.endpoints.etcd.auth.client.tls.crt | default "" | b64enc }} + etcd.ca: {{ .Values.conf.etcd.credentials.ca | default "" | b64enc }} + etcd.crt: {{ .Values.conf.etcd.credentials.certificate | default "" | b64enc }} + etcd.key: {{ .Values.conf.etcd.credentials.key | default "" | b64enc }} +{{- end }} diff --git a/charts/calico/templates/secret-registry.yaml b/charts/calico/templates/secret-registry.yaml new file mode 100644 index 00000000..da979b32 --- /dev/null +++ b/charts/calico/templates/secret-registry.yaml 
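Review bot: One Secret bundles the etcd client material (`tls.*`) with the etcd server certificate and private key (`etcd.*`), and that same `calico-etcd-secrets` object is referenced by calico-node on every node (its install-cni init container even materialises `etcd.key` under `/calico-secrets/`), by the settings job and by kube-controllers. Since the node authorizer lets a kubelet read any secret referenced by a pod scheduled on it, compromising a single worker exposes the etcd server key, which is enough to impersonate the datastore to the whole cluster; the server material should only ever be needed by daemonset-calico-etcd.yaml on the master. Split the object in two, keep `calico-etcd-secrets` with only the three `tls.*` keys, reference the new server secret from daemonset-calico-etcd.yaml, and drop the `etcd.*` mounts from install-cni unless `cni_network_config` genuinely needs them. A short comment noting that the `kubernetes.io/tls` keys are present but empty when `endpoints.etcd.auth.client.tls` is unset, and that consumers key off those values rather than the secret, would also make the `default ""` intentional rather than accidental.
```yaml
# … unchanged: client Secret `calico-etcd-secrets`, now holding only tls.ca / tls.key / tls.crt …
---
# etcd server-side material: mounted only by daemonset-calico-etcd.yaml,
# never by calico-node, the settings job or kube-controllers.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: calico-etcd-server-secrets
data:
  etcd.ca: {{ .Values.conf.etcd.credentials.ca | default "" | b64enc }}
  etcd.crt: {{ .Values.conf.etcd.credentials.certificate | default "" | b64enc }}
  etcd.key: {{ .Values.conf.etcd.credentials.key | default "" | b64enc }}
```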
@@ -0,0 +1,17 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }} +{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }} +{{- end }} diff --git a/charts/calico/templates/service-calico-etcd.yaml b/charts/calico/templates/service-calico-etcd.yaml new file mode 100644 index 00000000..b51b05cc --- /dev/null +++ b/charts/calico/templates/service-calico-etcd.yaml 
@@ -0,0 +1,37 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.service_calico_etcd }} +{{- $envAll := . }} +--- +# This manifest installs the Service which gets traffic to the Calico +# etcd. +apiVersion: v1 +kind: Service +metadata: + labels: + k8s-app: calico-etcd +{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + name: {{ tuple "etcd" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +spec: + # Select the calico-etcd pod running on the master. + selector: + k8s-app: calico-etcd +{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + # This ClusterIP needs to be known in advance, since we cannot rely + # on DNS to get access to etcd. + clusterIP: {{ tuple "etcd" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }} + ports: + - port: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- end }} diff --git a/charts/calico/values.yaml b/charts/calico/values.yaml new file mode 100644 index 00000000..a0a10ad3 --- /dev/null +++ b/charts/calico/values.yaml 
@@ -0,0 +1,595 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +images: + tags: + # These are minimum versions, older images will very likely not + # work + calico_etcd: quay.io/coreos/etcd:v3.5.9 + calico_node: quay.io/calico/node:v3.25.1 + calico_cni: quay.io/calico/cni:v3.25.1 + calico_ctl: calico/ctl:v3.25.1 + calico_settings: calico/ctl:v3.25.1 + # NOTE: plural key, singular value + calico_kube_controllers: quay.io/calico/kube-controllers:v3.25.1 + dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0 + image_repo_sync: docker.io/library/docker:24.0.1 + pull_policy: IfNotPresent + local_registry: + active: false + exclude: + - dep_check + - image_repo_sync + - calico_etcd + - calico_node + - calico_cni + - calico_kube_controllers + +pod: + security_context: + etcd: + pod: + runAsUser: 0 + container: + calico_etcd: + readOnlyRootFilesystem: false + calico_node: + pod: + runAsUser: 0 + container: + calico_ctl: + readOnlyRootFilesystem: false + install_cni: + readOnlyRootFilesystem: false + calico_node: + readOnlyRootFilesystem: false + capabilities: + add: + - 'NET_ADMIN' + - 'SYS_ADMIN' + kube_controllers: + pod: + runAsUser: 0 + container: + kube_controller: + readOnlyRootFilesystem: false + calico_settings: + pod: + runAsUser: 0 + container: + calico_settings: + readOnlyRootFilesystem: false + resources: + enabled: false + jobs: + image_repo_sync: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + calico_settings: 
+ requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + calico_kube_controllers: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + calico_node: + requests: + memory: "128Mi" + cpu: "250m" + limits: + memory: "1024Mi" + cpu: "2000m" + calico_cni: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + calico_ctl: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + calico_etcd: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + lifecycle: + upgrades: + deployments: + revision_history: 3 + pod_replacement_strategy: RollingUpdate + rolling_update: + max_unavailable: 1 + max_surge: 3 + disruption_budget: + controllers: + min_available: 0 + mandatory_access_control: + type: apparmor + calico-node: + calico-node: runtime/default + +dependencies: + dynamic: + common: + local_image_registry: + jobs: + - calico-image-repo-sync + services: + - endpoint: node + service: local_image_registry + static: + calico_kube_controllers: + services: + - endpoint: internal + service: calico-etcd + calico_node: + services: + - endpoint: internal + service: calico-etcd + calico_settings: + services: + - endpoint: internal + service: calico-etcd + calico_etcd: + services: null + image_repo_sync: + services: + - endpoint: internal + service: local_image_registry + +secrets: + oci_image_registry: + calico: calico-oci-image-registry + +endpoints: + cluster_domain_suffix: cluster.local + local_image_registry: + name: docker-registry + namespace: docker-registry + hosts: + default: localhost + internal: docker-registry + node: localhost + host_fqdn_override: + default: null + port: + registry: + node: 5000 + oci_image_registry: + name: oci-image-registry + namespace: oci-image-registry + auth: + enabled: false + calico: + username: calico + password: password + hosts: + default: localhost + host_fqdn_override: + 
default: null + port: + registry: + default: null + etcd: + auth: + client: + tls: + crt: null + ca: null + key: null + path: + # these must be within /etc/calico + crt: /etc/calico/pki/crt + ca: /etc/calico/pki/ca + key: /etc/calico/pki/key + scheme: + default: http + path: + default: ' ' # space required to provide a truly empty path + hosts: + default: 10.96.232.136 + host_fqdn_override: + default: null + service: + name: null + port: + client: + default: 6666 + peer: + default: 6667 + +monitoring: + prometheus: + enabled: true + calico_node: + scrape: true + port: 9091 + +networking: + podSubnet: 192.168.0.0/16 + # Physical MTU, if ipip is enabled, the chart will adjust things downward + mtu: 1500 + + settings: + mesh: "on" + # technically this could be a list, today we only support a single + # podSubnet, the one above. The settings below will be applied to + # that ipPool + ippool: + ipip: + enabled: true + nat_outgoing: true + disabled: false + + bgp: + # our asnumber for bgp peering + asnumber: 64512 + ipv4: + # https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/bgppeer + # + # this is a list of peer objects that will be passed directly to + # calicoctl - for global peers, the scope should be global and + # the node attribute removed + # + # apiVersion: projectcalico.org/v3 + # kind: BGPPeer + # metadata: + # name: some.name + # spec: + # node: rack1-host1 + # peerIP: 10.1.10.39 + # asNumber: 64512 + peers: [] + # this is a list of additional IPv4 cidrs that if we discover + # IPs within them on a host, we will announce the address in + # addition to traditional pod workloads + additional_cidrs: [] + # community_cidr_ref contains embedded objects that describe a + # BGP community that is to be associated with the supplied CIDR. + # The top-level key names are not important. 
+ # + # The resulting BGP community will take the form of + # : + # If no prefix is specified then the asnumber is used + community_cidr_ref: +# cidr_community_description: +# cidr: 192.168.0.0/16 +# community: 54321 +# prefix: 55555 +# alpha: +# cidr: 10.0.0.0/16 +# community: 54322 + port: + neighbor: 179 + listen: 179 + ipv6: + # https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/bgppeer + # + # this is a list of peer objects that will be passed directly to + # calicoctl - for global peers, the scope should be global and + # the node attribute removed + # + # apiVersion: projectcalico.org/v3 + # kind: BGPPeer + # metadata: + # name: some.name + # spec: + # node: rack1-host1 + # peerIP: 2600:1:2:3::abcd + # asNumber: 64512 + peers: [] + # this is a list of additional IPv6 cidrs that if we discover + # IPs within them on a host, we will announce them in addition + # to traditional pod workloads + additional_cidrs: [] + # community_cidr_ref contains embedded objects that describe a + # BGP community that is to be associated with the supplied CIDR. + # The top-level key names are not important. + # + # The resulting BGP community will take the form of + # : + # If no prefix is specified then the asnumber is used + community_cidr_ref: +# cidr_community_description: +# cidr: 2600:1:2:3::abcd/28 +# community: 54321 +# prefix: 55555 +# alpha: +# cidr: 1400:a:2:3::abcd/26 +# community: 54322 + port: + neighbor: 179 + listen: 179 + + # Policy contains embedded Calico policy and/or endpoint objects. + # Because lists are cumbersome to deal with this is stuctured as a + # dictionary (therefore not ordered). The top-level key names are + # not important, priority contains a value between 0 and 9 inclusive + # and rules contains any objects (typically used as rules). + # Priority 0 objects are emitted before priority 9. It is + # recommended any rules such as HostEndpoint be given a higher + # priority so that they are applied after more generic objects. 
+ # Priority values outside of integers 0 through 9 are not valid and + # should not be used. + policy: + # alpha: + # priority: 0 + # rules: + # - apiVersion: projectcalico.org/v3 + # kind: GlobalNetworkPolicy + # metadata: + # name: allow-tcp-6379 + # spec: + # order: 0 + # selector: role == 'database' + # types: + # - Ingress + # - Egress + # ingress: + # - action: Allow + # protocol: TCP + # source: + # selector: role == 'frontend' + # destination: + # ports: + # - 6379 + # egress: + # - action: Allow + # - apiVersion: projectcalico.org/v3 + # kind: GlobalNetworkPolicy + # metadata: + # name: allow-tcp-3306 + # spec: + # order: 1 + # selector: role == 'database' + # types: + # - Ingress + # - Egress + # ingress: + # - action: Allow + # protocol: TCP + # source: + # selector: role == 'frontend' + # destination: + # ports: + # - 3306 + # egress: + # - action: Allow + + # beta: + # priority: 1 + # rules: + # - apiVersion: projectcalico.org/v3 + # kind: NetworkPolicy + # metadata: + # name: allow-tcp-6379 + # namespace: production + # spec: + # selector: role == 'database' + # types: + # - Ingress + # - Egress + # ingress: + # - action: Allow + # protocol: TCP + # source: + # selector: role == 'frontend' + # destination: + # ports: + # - 6379 + # egress: + # - action: Allow + # - apiVersion: projectcalico.org/v3 + # kind: NetworkPolicy + # metadata: + # name: allow-tcp-8081 + # namespace: production + # spec: + # selector: role == 'webthing' + # types: + # - Ingress + # - Egress + # ingress: + # - action: Allow + # protocol: TCP + # source: + # selector: role == 'frontend' + # destination: + # ports: + # - 8081 + # egress: + # - action: Allow + + # zulu: + # priority: 9 + # rules: + # - apiVersion: projectcalico.org/v3 + # kind: HostEndpoint + # metadata: + # name: first.thing + # labels: + # type: production + # spec: + # interfaceName: eth0 + # node: mysecrethost + # expectedIPs: + # - 192.168.0.1 + # - 192.168.0.2 + # profiles: + # - profile1 + # - profile2 + # 
ports: + # - name: some-port + # port: 1234 + # protocol: TCP + # - name: another-port + # port: 5432 + # protocol: UDP + # - apiVersion: projectcalico.org/v3 + # kind: HostEndpoint + # metadata: + # name: second.thing + # labels: + # type: production + # spec: + # interfaceName: eth1 + # node: myothersecrethost + # expectedIPs: + # - 192.168.1.1 + # - 192.168.1.2 + # profiles: + # - profile1 + # - profile2 + # ports: + # - name: some-port + # port: 1234 + # protocol: TCP + # - name: another-port + # port: 5432 + # protocol: UDP + +conf: + etcd: + credentials: + ca: null + key: null + certificate: null + # NOTE; syntax has subtly changed since Calico v2. For Armada *all* + # of this needes to be specified. We're using yaml here which we + # can't robustly convert to json (which the node pod requires) so it + # might be we revisit that and embedded a json string that gets + # edits + cni_network_config: + # https://docs.projectcalico.org/v3.4/reference/cni-plugin/configuration + # + # other than the etcd_* keys you likely want to leave this as-is + name: k8s-pod-network + cniVersion: 0.3.0 + plugins: + - type: calico + log_level: info + etcd_endpoints: __ETCD_ENDPOINTS__ + etcd_key_file: __ETCD_KEY_FILE__ + etcd_cert_file: __ETCD_CERT_FILE__ + etcd_ca_cert_file: __ETCD_CA_CERT_FILE__ + ipam: + type: calico-ipam + policy: + type: k8s + kubernetes: + kubeconfig: __KUBECONFIG_FILEPATH__ + - type: portmap + snat: true + capabilities: + portMappings: true + controllers: + # The location of the Kubernetes API. Use the default Kubernetes + # service for API access. 
+ K8S_API: "https://kubernetes.default:443" + # Choose which controllers to run, see + # https://docs.projectcalico.org//v3.4/reference/kube-controllers/configuration + # for an explanation of each + ENABLED_CONTROLLERS: "policy,namespace,serviceaccount,workloadendpoint,node" + # Since we're running in the host namespace and might not have KubeDNS + # access, configure the container's /etc/hosts to resolve + # kubernetes.default to the correct service clusterIP. + CONFIGURE_ETC_HOSTS: true + + node: + # for specific details see + # https://docs.projectcalico.org/v3.4/reference/node/configuration + name: k8s-pod-network + # Cluster type to identify the deployment type + # NOTE: v2 had a list ... v3 a comma separated string + CLUSTER_TYPE: "k8s,bgp" + # Describes which BGP networking backend to use gobgp, bird, none. + # Default is bird. NOTE(alanmeadows) today this chart only + # supports applying the bgp customizations to bird templates - in + # the future we may support gobgp as well + CALICO_NETWORKING_BACKEND: bird + # Location of the CA certificate for etcd. + ETCD_CA_CERT_FILE: "" + # Location of the client key for etcd. + ETCD_KEY_FILE: "" + # Location of the client certificate for etcd. + ETCD_CERT_FILE: "" + # Disable file logging so `kubectl logs` works. + CALICO_DISABLE_FILE_LOGGING: true + # Set Felix endpoint to host default action to ACCEPT. + # early/startup log level for calico-node on startup. + CALICO_STARTUP_LOGLEVEL: "Info" + FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT" + # Configure the IP Pool from which Pod IPs will be chosen; it's + # recommended you leave this as null and the value from + # networking.podSubnet will be used + CALICO_IPV4POOL_CIDR: null + # See https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/ippool + CALICO_IPV4POOL_BLOCKSIZE: 26 + # Change this to 'Never' in environments with direct L2 + # communication (such that tunnels are not needed for pods on + # different hosts to communicate with each otehr). 
+ CALICO_IPV4POOL_IPIP: "Always" + # Disable IPv6 on Kubernetes. + FELIX_IPV6SUPPORT: false + # Set MTU for tunnel device used if ipip is enabled, it's + # recommended you leave this as null and an appropriate value will + # be set based on tunneling mode and the networking.mtu value + FELIX_IPINIPMTU: null + # Set Felix logging; also (ab)used for bgp configuration + FELIX_LOGSEVERITYSCREEN: "Info" + FELIX_HEALTHENABLED: true + # Set Felix experimental Prometheus metrics server + FELIX_PROMETHEUSMETRICSENABLED: true + FELIX_PROMETHEUSMETRICSPORT: "9091" + # Auto-detect the BGP IP address. + IP: "" + # Detection of source interface for routing + # options include + # can-reach=DESTINATION + # interface=INTERFACE-REGEX + IP_AUTODETECTION_METHOD: first-found + IPV6_AUTODETECTION_METHOD: first-found + +manifests: + configmap_bin: true + configmap_etc: true + configmap_bird: true + daemonset_calico_etcd: true + daemonset_calico_node: true + daemonset_calico_node_calicoctl: true + deployment_calico_kube_controllers: true + job_image_repo_sync: true + job_calico_settings: true + service_calico_etcd: true + secret_certificates: true + secret_registry: true +... diff --git a/doc/source/configuration/host-system.rst b/doc/source/configuration/host-system.rst index 0692b397..058b85a9 100644 --- a/doc/source/configuration/host-system.rst +++ b/doc/source/configuration/host-system.rst @@ -22,7 +22,7 @@ Sample Document to run containers in Docker runtime images: haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.15.4 + helm: lachlanevenson/k8s-helm:v3.16.4 monitoring_image: busybox:1.28.3 packages: repositories: @@ -121,7 +121,7 @@ Sample Document to run containers in Containerd runtime images: haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.15.4 + helm: lachlanevenson/k8s-helm:v3.16.4 monitoring_image: busybox:1.28.3 packages: additional: diff --git a/examples/basic/HostSystem.yaml b/examples/basic/HostSystem.yaml index 291e61f4..8439a805 100644 
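Review bot: The Calico datastore defaults in `endpoints.etcd` ship with `scheme: default: http`, `auth.client.tls` crt/ca/key all `null`, and the node's `ETCD_CA_CERT_FILE`/`ETCD_KEY_FILE`/`ETCD_CERT_FILE` set to `""`, so the calico-etcd client port (6666 on the fixed ClusterIP `10.96.232.136`) is served in cleartext with no client authentication, and absent a NetworkPolicy not shown here any workload that can route to it can presumably read and rewrite the policy, IP-pool and BGP-peer state that calico-node, the CNI config and kube-controllers all consume from this etcd. The chart already carries the TLS plumbing (`conf.etcd.credentials`, the `/etc/calico/pki` paths and `manifests.secret_certificates: true`), so the values file should state that these defaults are lab-only, e.g. above `scheme:` add `# NOTE: with scheme http and null tls material the datastore is unauthenticated and unencrypted; populate auth.client.tls.{crt,ca,key} (or conf.etcd.credentials) and set scheme https for any non-lab deployment.` Separately, the comment `# Set Felix endpoint to host default action to ACCEPT.` is placed above `CALICO_STARTUP_LOGLEVEL` instead of above `FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT"`; move it and add a phrase noting that ACCEPT is the permissive choice (workload-to-host traffic is allowed), so operators know it is a deliberate trade-off rather than an oversight. The placeholder `endpoints.oci_image_registry.auth.calico.password: password` is inert while `auth.enabled: false` but deserves a `# placeholder; override when auth.enabled is true` comment so it is never shipped as-is.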
--- a/examples/basic/HostSystem.yaml +++ b/examples/basic/HostSystem.yaml @@ -85,7 +85,7 @@ data: monitoring_image: &busybox busybox:1.28.3 haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.15.4 + helm: lachlanevenson/k8s-helm:v3.16.4 packages: common: repositories: diff --git a/examples/basic/armada-resources.yaml b/examples/basic/armada-resources.yaml index dacb7810..4745f59a 100644 --- a/examples/basic/armada-resources.yaml +++ b/examples/basic/armada-resources.yaml @@ -109,9 +109,9 @@ data: values: {} source: type: git - location: https://opendev.org/openstack/openstack-helm-infra.git + location: https://opendev.org/openstack/openstack-helm.git subpath: helm-toolkit - reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b + reference: 6b985e51be5e52011b88b408fe3265175ce8f47f dependencies: [] --- schema: armada/Chart/v1 @@ -133,9 +133,9 @@ data: values: {} source: type: git - location: https://opendev.org/openstack/openstack-helm-infra.git + location: https://opendev.org/openstack/openstack-helm.git subpath: helm-toolkit - reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b + reference: 6b985e51be5e52011b88b408fe3265175ce8f47f dependencies: [] --- schema: armada/Chart/v1 @@ -533,8 +533,8 @@ data: service_calico_etcd: false source: type: git - location: https://opendev.org/openstack/openstack-helm-infra.git - reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b + location: https://opendev.org/openstack/openstack-helm.git + reference: master subpath: calico dependencies: - infra-helm-toolkit diff --git a/examples/complete/HostSystem.yaml b/examples/complete/HostSystem.yaml index 233e8bd1..03ad0e54 100644 --- a/examples/complete/HostSystem.yaml +++ b/examples/complete/HostSystem.yaml @@ -85,7 +85,7 @@ data: monitoring_image: busybox:1.28.3 haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.15.4 + helm: lachlanevenson/k8s-helm:v3.16.4 packages: common: repositories: 
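Review bot: The calico chart source in the `@@ -533,8 +533,8 @@` hunk replaces the pinned `reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b` with `reference: master`, so a basic-example deployment now pulls whatever the openstack-helm `master` head happens to be at genesis time — not reproducible, and a single broken or compromised upstream commit lands directly in a CNI that this patch's values run as root with NET_ADMIN/SYS_ADMIN on every node. The two helm-toolkit charts in the same file pin `6b985e51be5e52011b88b408fe3265175ce8f47f`, and the complete/containerd/gate examples in this same patch move the calico chart to `type: local` under `/etc/genesis/armada/assets/charts`; the basic example should do one of those rather than float, e.g. `reference: 6b985e51be5e52011b88b408fe3265175ce8f47f`. If `master` is intentional (presumably because the in-tree calico chart is not yet at that SHA upstream), say so in a comment above `source:` so the pin is restored after the merger rather than forgotten.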
diff --git a/examples/complete/armada-resources.yaml b/examples/complete/armada-resources.yaml index 8ba4b6ca..c716aee2 100644 --- a/examples/complete/armada-resources.yaml +++ b/examples/complete/armada-resources.yaml @@ -150,9 +150,9 @@ data: values: {} source: type: git - location: https://opendev.org/openstack/openstack-helm-infra.git + location: https://opendev.org/openstack/openstack-helm.git subpath: helm-toolkit - reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b + reference: 6b985e51be5e52011b88b408fe3265175ce8f47f dependencies: [] --- schema: armada/Chart/v1 @@ -175,9 +175,9 @@ data: values: {} source: type: git - location: https://opendev.org/openstack/openstack-helm-infra.git + location: https://opendev.org/openstack/openstack-helm.git subpath: helm-toolkit - reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b + reference: 6b985e51be5e52011b88b408fe3265175ce8f47f dependencies: [] --- schema: armada/Chart/v1 @@ -552,9 +552,8 @@ data: job_image_repo_sync: false service_calico_etcd: false source: - type: git - location: https://opendev.org/openstack/openstack-helm-infra.git - reference: master + type: local + location: /etc/genesis/armada/assets/charts subpath: calico dependencies: - infra-helm-toolkit diff --git a/examples/containerd/HostSystem.yaml b/examples/containerd/HostSystem.yaml index 15cdca1c..5cb21920 100644 --- a/examples/containerd/HostSystem.yaml +++ b/examples/containerd/HostSystem.yaml @@ -85,7 +85,7 @@ data: monitoring_image: &busybox busybox:1.28.3 haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.15.4 + helm: lachlanevenson/k8s-helm:v3.16.4 packages: common: additional: diff --git a/examples/containerd/armada-resources.yaml b/examples/containerd/armada-resources.yaml index 4c309a92..9360f55f 100644 --- a/examples/containerd/armada-resources.yaml +++ b/examples/containerd/armada-resources.yaml 
@@ -109,9 +109,9 @@ data: values: {} source: type: git - location: https://opendev.org/openstack/openstack-helm-infra.git + location: https://opendev.org/openstack/openstack-helm.git subpath: helm-toolkit - reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b + reference: 6b985e51be5e52011b88b408fe3265175ce8f47f dependencies: [] --- schema: armada/Chart/v1 @@ -133,9 +133,9 @@ data: values: {} source: type: git - location: https://opendev.org/openstack/openstack-helm-infra.git + location: https://opendev.org/openstack/openstack-helm.git subpath: helm-toolkit - reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b + reference: 6b985e51be5e52011b88b408fe3265175ce8f47f dependencies: [] --- schema: armada/Chart/v1 @@ -426,9 +426,8 @@ data: job_image_repo_sync: false service_calico_etcd: false source: - type: git - location: https://opendev.org/openstack/openstack-helm-infra.git - reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b + type: local + location: /etc/genesis/armada/assets/charts subpath: calico dependencies: - infra-helm-toolkit diff --git a/examples/gate/HostSystem.yaml b/examples/gate/HostSystem.yaml index 5dc38d80..2c1bc6cc 100644 --- a/examples/gate/HostSystem.yaml +++ b/examples/gate/HostSystem.yaml @@ -85,7 +85,7 @@ data: monitoring_image: &busybox busybox:1.28.3 haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.15.4 + helm: lachlanevenson/k8s-helm:v3.16.4 packages: common: repositories: diff --git a/examples/gate/armada-resources.yaml b/examples/gate/armada-resources.yaml index db562b3c..895a2c55 100644 --- a/examples/gate/armada-resources.yaml +++ b/examples/gate/armada-resources.yaml @@ -109,9 +109,9 @@ data: values: {} source: type: git - location: https://opendev.org/openstack/openstack-helm-infra.git + location: https://opendev.org/openstack/openstack-helm.git subpath: helm-toolkit - reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b + reference: 6b985e51be5e52011b88b408fe3265175ce8f47f dependencies: [] --- schema: armada/Chart/v1 
@@ -133,9 +133,9 @@ data: values: {} source: type: git - location: https://opendev.org/openstack/openstack-helm-infra.git + location: https://opendev.org/openstack/openstack-helm.git subpath: helm-toolkit - reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b + reference: 6b985e51be5e52011b88b408fe3265175ce8f47f dependencies: [] --- schema: armada/Chart/v1 @@ -432,9 +432,8 @@ data: job_image_repo_sync: false service_calico_etcd: false source: - type: git - location: https://opendev.org/openstack/openstack-helm-infra.git - reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b + type: local + location: /etc/genesis/armada/assets/charts subpath: calico dependencies: - infra-helm-toolkit diff --git a/tests/unit/api/test_validatedesign.py b/tests/unit/api/test_validatedesign.py index 5fbd4ac2..05962846 100644 --- a/tests/unit/api/test_validatedesign.py +++ b/tests/unit/api/test_validatedesign.py @@ -153,7 +153,7 @@ VALID_DOCS = [ 'images': { 'haproxy': 'haproxy:2.4', 'helm': { - 'helm': 'lachlanevenson/k8s-helm:v3.15.4' + 'helm': 'lachlanevenson/k8s-helm:v3.16.4' } }, 'packages': { diff --git a/tests/unit/builder_data/simple/HostSystem.yaml b/tests/unit/builder_data/simple/HostSystem.yaml index c50a7b8b..b3e5ba4d 100644 --- a/tests/unit/builder_data/simple/HostSystem.yaml +++ b/tests/unit/builder_data/simple/HostSystem.yaml @@ -38,7 +38,7 @@ data: monitoring_image: &busybox busybox:1.28.3 haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.15.4 + helm: lachlanevenson/k8s-helm:v3.16.4 packages: common: repositories: diff --git a/tests/unit/builder_data/simple/armada-resources.yaml b/tests/unit/builder_data/simple/armada-resources.yaml index df6b5131..37605b0b 100644 --- a/tests/unit/builder_data/simple/armada-resources.yaml +++ b/tests/unit/builder_data/simple/armada-resources.yaml 
@@ -110,9 +110,9 @@ data: values: {} source: type: git - location: https://opendev.org/openstack/openstack-helm-infra.git + location: https://opendev.org/openstack/openstack-helm.git subpath: helm-toolkit - reference: master + reference: 6b985e51be5e52011b88b408fe3265175ce8f47f dependencies: [] --- schema: armada/Chart/v1 @@ -135,9 +135,9 @@ data: values: {} source: type: git - location: https://opendev.org/openstack/openstack-helm-infra.git + location: https://opendev.org/openstack/openstack-helm.git subpath: helm-toolkit - reference: master + reference: 6b985e51be5e52011b88b408fe3265175ce8f47f dependencies: [] --- schema: armada/Chart/v1 @@ -438,9 +438,8 @@ data: job_image_repo_sync: false service_calico_etcd: false source: - type: git - location: https://opendev.org/openstack/openstack-helm-infra.git - reference: master + type: local + location: /etc/genesis/armada/assets/charts subpath: calico dependencies: - infra-helm-toolkit diff --git a/tools/gate/config-templates/bootstrap-armada-config.yaml b/tools/gate/config-templates/bootstrap-armada-config.yaml index 281b5c77..390788ac 100644 --- a/tools/gate/config-templates/bootstrap-armada-config.yaml +++ b/tools/gate/config-templates/bootstrap-armada-config.yaml @@ -105,9 +105,9 @@ data: values: {} source: type: git - location: https://opendev.org/openstack/openstack-helm-infra.git + location: https://opendev.org/openstack/openstack-helm.git subpath: helm-toolkit - reference: fa8916f5bcc8cbf064a387569e2630b7bbf0b49b + reference: 6b985e51be5e52011b88b408fe3265175ce8f47f dependencies: [] --- schema: armada/Chart/v1 @@ -478,9 +478,8 @@ data: job_image_repo_sync: false service_calico_etcd: false source: - type: git - location: https://opendev.org/openstack/openstack-helm-infra.git - reference: master + type: local + location: /etc/genesis/armada/assets/charts subpath: calico dependencies: - helm-toolkit diff --git a/tools/gate/default-config-env b/tools/gate/default-config-env index 1ff5be7f..11144e3a 100644 
--- a/tools/gate/default-config-env +++ b/tools/gate/default-config-env @@ -9,7 +9,7 @@ IMAGE_DEP_CHECK=quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal IMAGE_ETCD=quay.io/coreos/etcd:v3.5.12 IMAGE_ETCDCTL=quay.io/airshipit/porthole-etcdctl-utility:latest-ubuntu_focal IMAGE_HAPROXY=haproxy:2.4 -IMAGE_HELM=lachlanevenson/k8s-helm:v3.15.4 +IMAGE_HELM=lachlanevenson/k8s-helm:v3.16.4 IMAGE_APISERVER=registry.k8s.io/kube-apiserver-amd64:v1.32.1 IMAGE_CONTROLLER_MANAGER=registry.k8s.io/kube-controller-manager-amd64:v1.32.1 IMAGE_SCHEDULER=registry.k8s.io/kube-scheduler-amd64:v1.32.1 diff --git a/tools/helm_install.sh b/tools/helm_install.sh index 77171564..1f7898ac 100755 --- a/tools/helm_install.sh +++ b/tools/helm_install.sh @@ -17,7 +17,7 @@ set -x HELM=$1 -HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz"} +HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.16.4-linux-amd64.tar.gz"} function install_helm_binary { diff --git a/tools/helm_tk.sh b/tools/helm_tk.sh index 4e4952b4..9d6a95e0 100755 --- a/tools/helm_tk.sh +++ b/tools/helm_tk.sh @@ -16,8 +16,8 @@ set -eux -HTK_REPO=${HTK_REPO:-"https://opendev.org/openstack/openstack-helm-infra.git"} -HTK_STABLE_COMMIT=${HTK_COMMIT:-"d0c93b5648704b9d9999412d932f8329c80362c0"} +HTK_REPO=${HTK_REPO:-"https://opendev.org/openstack/openstack-helm.git"} +HTK_STABLE_COMMIT=${HTK_COMMIT:-"master"} diff --git a/tools/registry/IMAGES b/tools/registry/IMAGES index a73fa2cb..0e93eac9 100644 --- a/tools/registry/IMAGES +++ b/tools/registry/IMAGES 
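Review bot: `HTK_STABLE_COMMIT=${HTK_COMMIT:-"master"}` in the helm_tk.sh hunk drops the pinned default `d0c93b5648704b9d9999412d932f8329c80362c0`, so any run of the script without `HTK_COMMIT` exported builds helm-toolkit from the floating `master` head of the new repo; the zuul jobs in this same patch do export `HTK_COMMIT=6b985e51be5e52011b88b408fe3265175ce8f47f`, which means the gate is pinned while a developer or downstream build invoking the script by hand is not. Keep the default pinned to the SHA the gate uses and bump it deliberately: `HTK_STABLE_COMMIT=${HTK_COMMIT:-"6b985e51be5e52011b88b408fe3265175ce8f47f"}`. The variable assigned (`HTK_STABLE_COMMIT`) and the override it reads (`HTK_COMMIT`) have different names, which is pre-existing but worth a one-line comment such as `# override with HTK_COMMIT=<sha>` since the override name is what callers must set. The remainder of the script that consumes `HTK_STABLE_COMMIT` lies outside this hunk.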
@@ -6,7 +6,7 @@ registry.k8s.io/kube-apiserver-amd64,v1.32.1,apiserver registry.k8s.io/kube-controller-manager-amd64,v1.32.1,controller-manager registry.k8s.io/kube-scheduler-amd64,v1.32.1,scheduler registry.k8s.io/kube-proxy-amd64,v1.32.1,proxy -lachlanevenson/k8s-helm,v3.15.4,helm +lachlanevenson/k8s-helm,v3.16.4,helm quay.io/airshipit/armada,master,armada quay.io/airshipit/armada-operator,latest,armada-operator quay.io/calico/cni,v3.4.0,calico-cni diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index f180b8a3..b8b91c6c 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -47,7 +47,7 @@ run: - tools/zuul/playbooks/deploy-promenade-containerd.yaml required-projects: - - openstack/openstack-helm-infra + - openstack/openstack-helm timeout: 9600 nodeset: airship-promenade-single-node-jammy vars: @@ -61,7 +61,7 @@ timeout: 900 nodeset: airship-promenade-single-node-jammy vars: - HTK_COMMIT: 962333df313e04a01923ca8394d2a44f2afbb714 + HTK_COMMIT: 6b985e51be5e52011b88b408fe3265175ce8f47f - job: name: airship-promenade-chart-build-gate-latest-htk