| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688 |
- ---
- kind: ClusterRole
- apiVersion: v1
- metadata:
- name: calico-kube-controllers
- namespace: kube-system
- rules:
- - apiGroups:
- - ""
- - extensions
- resources:
- - pods
- - namespaces
- - networkpolicies
- - nodes
- verbs:
- - watch
- - list
- - apiGroups:
- - networking.k8s.io
- resources:
- - networkpolicies
- verbs:
- - watch
- - list
- ---
- kind: ClusterRoleBinding
- apiVersion: v1
- metadata:
- name: calico-kube-controllers
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: calico-kube-controllers
- subjects:
- - kind: ServiceAccount
- name: calico-kube-controllers
- namespace: kube-system
- ---
- kind: ClusterRole
- apiVersion: v1
- metadata:
- name: calico-node
- namespace: kube-system
- rules:
- - apiGroups: [""]
- resources:
- - pods
- - nodes
- verbs:
- - get
- ---
- apiVersion: v1
- kind: ClusterRoleBinding
- metadata:
- name: calico-node
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: calico-node
- subjects:
- - kind: ServiceAccount
- name: calico-node
- namespace: kube-system
- ---
- kind: ClusterRole
- apiVersion: v1
- metadata:
- name: calico-upgrade-job
- namespace: kube-system
- rules:
- - apiGroups:
- - extensions
- resources:
- - daemonsets
- verbs:
- - get
- - list
- - watch
- ---
- apiVersion: v1
- kind: ClusterRoleBinding
- metadata:
- name: calico-upgrade-job
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: calico-upgrade-job
- subjects:
- - kind: ServiceAccount
- name: calico-upgrade-job
- namespace: kube-system
- ---
- # This ConfigMap is used to configure a self-hosted Calico installation.
- kind: ConfigMap
- apiVersion: v1
- metadata:
- name: calico-config
- namespace: kube-system
- data:
- # Configure this with the location of your etcd cluster.
- etcd_endpoints: "{{ calico_etcd_endpoints }}"
- node_image: "{{ calico_node_image }}"
- # Configure the Calico backend to use.
- calico_backend: "bird"
- # The CNI network configuration to install on each node.
- cni_network_config: |-
- {
- "name": "k8s-pod-network",
- "cniVersion": "0.3.0",
- "plugins": [
- {
- "type": "calico",
- "etcd_endpoints": "__ETCD_ENDPOINTS__",
- "etcd_key_file": "__ETCD_KEY_FILE__",
- "etcd_cert_file": "__ETCD_CERT_FILE__",
- "etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
- "log_level": "info",
- "mtu": 1500,
- "ipam": {
- "type": "calico-ipam"
- },
- "policy": {
- "type": "k8s"
- },
- "kubernetes": {
- "kubeconfig": "__KUBECONFIG_FILEPATH__"
- }
- },
- {
- "type": "portmap",
- "snat": true,
- "capabilities": {"portMappings": true}
- }
- ]
- }
- # If you're using TLS enabled etcd uncomment the following.
- # You must also populate the Secret below with these files.
- etcd_ca: "/calico-secrets/etcd-ca"
- etcd_cert: "/calico-secrets/etcd-cert"
- etcd_key: "/calico-secrets/etcd-key"
- ---
- # This manifest installs the calico/node container, as well
- # as the Calico CNI plugins and network config on
- # each master and worker node in a Kubernetes cluster.
- kind: DaemonSet
- apiVersion: extensions/v1beta1
- metadata:
- name: calico-node
- namespace: kube-system
- labels:
- k8s-app: calico-node
- spec:
- selector:
- matchLabels:
- k8s-app: calico-node
- updateStrategy:
- type: RollingUpdate
- rollingUpdate:
- maxUnavailable: 1
- template:
- metadata:
- labels:
- k8s-app: calico-node
- annotations:
- scheduler.alpha.kubernetes.io/critical-pod: ''
- spec:
- {% if calico_image_credentials is defined %}
- imagePullSecrets:
- - name: calico-pull-secret
- {% endif %}
- nodeSelector:
- projectcalico.org/ds-ready: "true"
- hostNetwork: true
- tolerations:
- # Make sure calico/node gets scheduled on all nodes.
- - effect: NoSchedule
- operator: Exists
- # Mark the pod as a critical add-on for rescheduling.
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoExecute
- operator: Exists
- serviceAccountName: calico-node
- # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
- # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
- terminationGracePeriodSeconds: 0
- initContainers:
- - name: migrate
- image: {{ calico_upgrade_image }}
- command: ['/bin/sh', '-c', '/node-init-container.sh']
- env:
- # The location of the Calico etcd cluster.
- - name: CALICO_ETCD_ENDPOINTS
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_endpoints
- - name: CALICO_ETCD_CA_CERT_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_ca
- # Location of the client key for etcd.
- - name: CALICO_ETCD_KEY_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_key
- # Location of the client certificate for etcd.
- - name: CALICO_ETCD_CERT_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_cert
- # The location of the Calico etcd cluster.
- - name: CALICO_APIV1_ETCD_ENDPOINTS
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_endpoints
- - name: CALICO_APIV1_ETCD_CA_CERT_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_ca
- # Location of the client key for etcd.
- - name: CALICO_APIV1_ETCD_KEY_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_key
- # Location of the client certificate for etcd.
- - name: CALICO_APIV1_ETCD_CERT_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_cert
- - name: CALICO_APIV1_DATASTORE_TYPE
- value: "etcdv2"
- volumeMounts:
- - mountPath: /calico-secrets
- name: etcd-certs
- containers:
- # Runs calico/node container on each Kubernetes node. This
- # container programs network policy and routes on each
- # host.
- - name: calico-node
- image: {{ calico_node_image }}
- env:
- # The location of the Calico etcd cluster.
- - name: ETCD_ENDPOINTS
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_endpoints
- # Choose the backend to use.
- - name: CALICO_NETWORKING_BACKEND
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: calico_backend
- # Cluster type to identify the deployment type
- - name: CLUSTER_TYPE
- value: "origin,bgp"
- # Disable file logging so 'kubectl logs' works.
- - name: CALICO_DISABLE_FILE_LOGGING
- value: "true"
- # Set noderef for node controller.
- - name: CALICO_K8S_NODE_REF
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- # Set Felix endpoint to host default action to ACCEPT.
- - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
- value: "ACCEPT"
- # The default IPv4 pool to create on startup if none exists. Pod IPs will be
- # chosen from this range. Changing this value after installation will have
- # no effect. This should fall within '--cluster-cidr'.
- - name: CALICO_IPV4POOL_CIDR
- value: "{{ openshift.master.sdn_cluster_network_cidr }}"
- - name: CALICO_IPV4POOL_IPIP
- value: "{{ calico_ipv4pool_ipip }}"
- # Disable IPv6 on Kubernetes.
- - name: FELIX_IPV6SUPPORT
- value: "false"
- # Set Felix logging to "info"
- - name: FELIX_LOGSEVERITYSCREEN
- value: "info"
- # Set MTU for tunnel device used if ipip is enabled
- - name: FELIX_IPINIPMTU
- value: "1440"
- - name: ETCD_ENDPOINTS
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_endpoints
- # Location of the CA certificate for etcd.
- - name: ETCD_CA_CERT_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_ca
- # Location of the client key for etcd.
- - name: ETCD_KEY_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_key
- # Location of the client certificate for etcd.
- - name: ETCD_CERT_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_cert
- # Auto-detect the BGP IP address.
- - name: IP
- value: "autodetect"
- - name: FELIX_HEALTHENABLED
- value: "true"
- securityContext:
- privileged: true
- resources:
- requests:
- cpu: 250m
- livenessProbe:
- httpGet:
- path: /liveness
- port: 9099
- {% if calico_binary_checks %}
- host: localhost
- {% endif %}
- periodSeconds: 10
- initialDelaySeconds: 10
- failureThreshold: 6
- readinessProbe:
- {% if calico_binary_checks %}
- exec:
- command:
- - /bin/calico-node
- - -bird-ready
- - -felix-ready
- {% else %}
- httpGet:
- path: /readiness
- port: 9099
- {% endif %}
- periodSeconds: 10
- volumeMounts:
- - mountPath: /lib/modules
- name: lib-modules
- readOnly: true
- - mountPath: /var/run/calico
- name: var-run-calico
- readOnly: false
- - mountPath: /var/lib/calico
- name: var-lib-calico
- readOnly: false
- - mountPath: /calico-secrets
- name: etcd-certs
- # This container installs the Calico CNI binaries
- # and CNI network config file on each node.
- - name: install-cni
- securityContext:
- privileged: true
- image: {{ calico_cni_image }}
- command: ["/install-cni.sh"]
- env:
- # Name of the CNI config file to create.
- - name: CNI_CONF_NAME
- value: "10-calico.conflist"
- # The location of the Calico etcd cluster.
- - name: ETCD_ENDPOINTS
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_endpoints
- # The CNI network config to install on each node.
- - name: CNI_NETWORK_CONFIG
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: cni_network_config
- # Location of the CA certificate for etcd.
- - name: CNI_CONF_ETCD_CA
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_ca
- # Location of the client key for etcd.
- - name: CNI_CONF_ETCD_KEY
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_key
- # Location of the client certificate for etcd.
- - name: CNI_CONF_ETCD_CERT
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_cert
- volumeMounts:
- - mountPath: /host/opt/cni/bin
- name: cni-bin-dir
- - mountPath: /host/etc/cni/net.d
- name: cni-net-dir
- - mountPath: /calico-secrets
- name: etcd-certs
- volumes:
- # Used by calico/node.
- - name: lib-modules
- hostPath:
- path: /lib/modules
- - name: var-run-calico
- hostPath:
- path: /var/run/calico
- - name: var-lib-calico
- hostPath:
- path: /var/lib/calico
- # Used to install CNI.
- - name: cni-bin-dir
- hostPath:
- path: {{ cni_bin_dir }}
- - name: cni-net-dir
- hostPath:
- path: {{ cni_conf_dir }}
- # Mount in the etcd TLS secrets with mode 400.
- # See https://kubernetes.io/docs/concepts/configuration/secret/
- - name: etcd-certs
- secret:
- secretName: calico-etcd-secrets
- defaultMode: 0400
- ---
- # This manifest deploys the Calico Kubernetes controllers.
- # See https://github.com/projectcalico/kube-controllers
- apiVersion: extensions/v1beta1
- kind: Deployment
- metadata:
- name: calico-kube-controllers
- namespace: kube-system
- labels:
- k8s-app: calico-kube-controllers
- annotations:
- scheduler.alpha.kubernetes.io/critical-pod: ''
- spec:
- # The controllers can only have a single active instance.
- replicas: 1
- strategy:
- type: Recreate
- template:
- metadata:
- name: calico-kube-controllers
- namespace: kube-system
- labels:
- k8s-app: calico-kube-controllers
- spec:
- # The controllers must run in the host network namespace so that
- # it isn't governed by policy that would prevent it from working.
- hostNetwork: true
- tolerations:
- # Mark the pod as a critical add-on for rescheduling.
- - key: CriticalAddonsOnly
- operator: Exists
- - key: node-role.kubernetes.io/master
- effect: NoSchedule
- serviceAccountName: calico-kube-controllers
- initContainers:
- - name: migrate
- image: {{ calico_upgrade_image }}
- command: ['/bin/sh', '-c', '/controller-init.sh']
- env:
- # The location of the Calico etcd cluster.
- - name: CALICO_ETCD_ENDPOINTS
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_endpoints
- - name: CALICO_ETCD_CA_CERT_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_ca
- # Location of the client key for etcd.
- - name: CALICO_ETCD_KEY_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_key
- # Location of the client certificate for etcd.
- - name: CALICO_ETCD_CERT_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_cert
- # The location of the Calico etcd cluster.
- - name: CALICO_APIV1_ETCD_ENDPOINTS
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_endpoints
- - name: CALICO_APIV1_ETCD_CA_CERT_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_ca
- # Location of the client key for etcd.
- - name: CALICO_APIV1_ETCD_KEY_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_key
- # Location of the client certificate for etcd.
- - name: CALICO_APIV1_ETCD_CERT_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_cert
- - name: CALICO_APIV1_DATASTORE_TYPE
- value: "etcdv2"
- volumeMounts:
- - mountPath: /calico-secrets
- name: etcd-certs
- containers:
- - name: calico-kube-controllers
- image: {{ calico_url_policy_controller }}
- securityContext:
- privileged: true
- env:
- # The location of the Calico etcd cluster.
- - name: ETCD_ENDPOINTS
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_endpoints
- # Location of the CA certificate for etcd.
- - name: ETCD_CA_CERT_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_ca
- # Location of the client key for etcd.
- - name: ETCD_KEY_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_key
- # Location of the client certificate for etcd.
- - name: ETCD_CERT_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_cert
- # Choose which controllers to run.
- - name: ENABLED_CONTROLLERS
- value: policy,profile,workloadendpoint,node
- volumeMounts:
- # Mount in the etcd TLS secrets.
- - mountPath: /calico-secrets
- name: etcd-certs
- volumes:
- # Mount in the etcd TLS secrets with mode 400.
- # See https://kubernetes.io/docs/concepts/configuration/secret/
- - name: etcd-certs
- secret:
- secretName: calico-etcd-secrets
- defaultMode: 0400
- ---
- apiVersion: batch/v1
- kind: Job
- metadata:
- name: complete-upgrade
- namespace: kube-system
- spec:
- template:
- spec:
- hostNetwork: true
- serviceAccountName: calico-upgrade-job
- restartPolicy: OnFailure
- containers:
- - name: migrate-completion
- image: {{ calico_upgrade_image }}
- command: ['/bin/sh', '-c', '/completion-job.sh']
- env:
- - name: EXPECTED_NODE_IMAGE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: node_image
- # The location of the Calico etcd cluster.
- - name: CALICO_ETCD_ENDPOINTS
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_endpoints
- - name: CALICO_ETCD_CA_CERT_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_ca
- # Location of the client key for etcd.
- - name: CALICO_ETCD_KEY_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_key
- # Location of the client certificate for etcd.
- - name: CALICO_ETCD_CERT_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_cert
- # The location of the Calico etcd cluster.
- - name: CALICO_APIV1_ETCD_ENDPOINTS
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_endpoints
- - name: CALICO_APIV1_ETCD_CA_CERT_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_ca
- # Location of the client key for etcd.
- - name: CALICO_APIV1_ETCD_KEY_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_key
- # Location of the client certificate for etcd.
- - name: CALICO_APIV1_ETCD_CERT_FILE
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: etcd_cert
- - name: CALICO_APIV1_DATASTORE_TYPE
- value: "etcdv2"
- volumeMounts:
- - mountPath: /calico-secrets
- name: etcd-certs
- volumes:
- # Mount in the etcd TLS secrets with mode 400.
- # See https://kubernetes.io/docs/concepts/configuration/secret/
- - name: etcd-certs
- secret:
- secretName: calico-etcd-secrets
- defaultMode: 0400
- ---
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- name: calico-upgrade-job
- namespace: kube-system
- ---
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- name: calico-kube-controllers
- namespace: kube-system
- ---
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- name: calico-node
- namespace: kube-system
|
