Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / e3dd96adb07b69e57fe74b8b4bf9b1be7911b1fe / . / cluster / kube / lib / calico.libsonnet
blob: eb813a8d63dad82ae338c81f89688095d0db50d9 [file] [log] [blame]
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]1# Deploy hosted calico with its own etcd.
2
3local kube = import "../../../kube/kube.libsonnet";
4
5local bindServiceAccountClusterRole(sa, cr) = kube.ClusterRoleBinding(cr.metadata.name) {
6 roleRef: {
7 apiGroup: "rbac.authorization.k8s.io",
8 kind: "ClusterRole",
9 name: cr.metadata.name,
10 },
11 subjects: [
12 {
13 kind: "ServiceAccount",
14 name: sa.metadata.name,
15 namespace: sa.metadata.namespace,
16 },
17 ],
18};
19
20{
21 Environment: {
22 local env = self,
23 local cfg = env.cfg,
24 cfg:: {
25 namespace: "kube-system",
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]26 version: "v3.15.5",
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]27 imageController: "calico/kube-controllers:" + cfg.version,
28 imageCNI: "calico/cni:" + cfg.version,
29 imageNode: "calico/node:" + cfg.version,
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]30 // TODO(implr): migrate calico from etcd to apiserver
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]31 etcd: {
Serge Bazanskib0e36932022-04-04 18:28:35 +0000[diff] [blame]32 endpoints: [
33 "https://bc01n01.hswaw.net:2379",
34 "https://bc01n02.hswaw.net:2379",
35 "https://dcr01s22.hswaw.net:2379",
36 "https://dcr01s24.hswaw.net:2379",
37 ],
Sergiusz Bazanski73cef112019-04-07 00:06:23 +0200[diff] [blame]38 ca: importstr "../../certs/ca-etcd.crt",
39 cert: importstr "../../certs/etcd-calico.cert",
40 key: importstr "../../secrets/plain/etcd-calico.key",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]41 },
42 },
43
44 cm: kube.ConfigMap("calico-config") {
45 local cm = self,
46 secretPrefix:: "/calico-secrets/",
47
48 metadata+: {
49 namespace: cfg.namespace,
50 },
51
52 data: {
53 etcd_endpoints: std.join(",", cfg.etcd.endpoints),
54
55 etcd_ca: cm.secretPrefix + "etcd-ca",
56 etcd_cert: cm.secretPrefix + "etcd-cert",
57 etcd_key: cm.secretPrefix + "etcd-key",
58
59 calico_backend: "bird",
60 veth_mtu: "1440",
61
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]62 typha_service_name: "none",
63
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]64 cni_network_config: |||
65 {
66 "name": "k8s-pod-network",
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]67 "cniVersion": "0.3.1",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]68 "plugins": [
69 {
70 "type": "calico",
71 "log_level": "info",
72 "etcd_endpoints": "__ETCD_ENDPOINTS__",
73 "etcd_key_file": "__ETCD_KEY_FILE__",
74 "etcd_cert_file": "__ETCD_CERT_FILE__",
75 "etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]76 "datastore_type": "etcdv3",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]77 "mtu": __CNI_MTU__,
78 "ipam": {
79 "type": "calico-ipam"
80 },
81 "policy": {
82 "type": "k8s"
83 },
84 "kubernetes": {
85 "kubeconfig": "__KUBECONFIG_FILEPATH__"
86 }
87 },
88 {
89 "type": "portmap",
90 "snat": true,
91 "capabilities": {"portMappings": true}
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]92 },
93 {
94 "type": "bandwidth",
95 "capabilities": {"bandwidth": true}
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]96 }
97 ]
98 }
99 |||
100 },
101 },
102
103 secrets: kube.Secret("calico-secrets") {
104 metadata+: {
105 namespace: cfg.namespace,
106 },
107
108 data_: {
109 "etcd-ca": cfg.etcd.ca,
110 "etcd-cert": cfg.etcd.cert,
111 "etcd-key": cfg.etcd.key,
112 },
113 },
114
115 saNode: kube.ServiceAccount("calico-node") {
116 metadata+: {
117 namespace: cfg.namespace,
118 },
119 },
120
121 crNode: kube.ClusterRole("calico-node") {
122 rules: [
123 {
124 apiGroups: [""],
125 resources: ["pods", "nodes", "namespaces"],
126 verbs: ["get"],
127 },
128 {
129 apiGroups: [""],
130 resources: ["endpoints", "services"],
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]131 verbs: ["watch", "list", "get"],
132 },
133 {
134 apiGroups: [""],
135 resources: ["configmaps"],
136 verbs: ["get"],
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]137 },
138 {
139 apiGroups: [""],
140 resources: ["nodes/status"],
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]141 verbs: ["patch", "update"],
142 },
143 {
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]144 apiGroups: [""],
145 resources: ["pods/status"],
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]146 verbs: ["patch"],
147 },
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]148 {
149 apiGroups: [""],
150 resources: ["nodes"],
151 verbs: ["get", "list", "watch"],
152 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]153 ],
154 },
155
156 crbNode: bindServiceAccountClusterRole(env.saNode, env.crNode),
157
158 saController: kube.ServiceAccount("calico-kube-controllers") {
159 metadata+: {
160 namespace: cfg.namespace,
161 },
162 },
163
164 crController: kube.ClusterRole("calico-kube-controllers") {
165 rules: [
166 {
167 apiGroups: [""],
Sergiusz Bazanskie55493f2020-05-30 17:57:05 +0200[diff] [blame]168 resources: ["nodes", "pods", "namespaces", "serviceaccounts"],
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]169 verbs: ["watch", "list", "get"],
170 },
171 {
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]172 apiGroups: ["networking.k8s.io"],
173 resources: ["networkpolicies"],
174 verbs: ["watch", "list"],
175 },
176 ],
177 },
178
179 crbController: bindServiceAccountClusterRole(env.saController, env.crController),
180
181 controller: kube.Deployment("calico-kube-controllers") {
182 metadata+: {
183 namespace: cfg.namespace,
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]184 labels+: {
185 "k8s-app": "calico-kube-controllers",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]186 },
187 },
188 spec+: {
189 replicas: 1,
190 strategy: { type: "Recreate" },
191 template+: {
192 spec+: {
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]193 nodeSelector: {
194 "kubernetes.io/os": "linux"
195 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]196 tolerations: [
197 { key: "CriticalAddonsOnly", operator: "Exists" },
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]198 { key: "node-role.kubernetes.io/master", effect: "NoSchedule" },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]199 ],
200 serviceAccountName: env.saController.metadata.name,
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]201 priorityClassName: "system-cluster-critical",
202 hostNetwork: true,
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]203 containers_: {
204 "calico-kube-controllers": kube.Container("calico-kube-controllers") {
205 image: cfg.imageController,
206 env_: {
207 ETCD_ENDPOINTS: kube.ConfigMapRef(env.cm, "etcd_endpoints"),
208 ETCD_CA_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_ca"),
209 ETCD_KEY_FILE: kube.ConfigMapRef(env.cm, "etcd_key"),
210 ETCD_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_cert"),
211 ENABLED_CONTROLLERS: "policy,namespace,serviceaccount,workloadendpoint,node",
212 },
213 volumeMounts_: {
214 secrets: {
215 mountPath: env.cm.secretPrefix,
216 },
217 },
218 readinessProbe: {
219 exec: {
220 command: [ "/usr/bin/check-status", "-r" ],
221 },
222 },
223 },
224 },
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]225 volumes_: {
226 secrets: kube.SecretVolume(env.secrets),
227 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]228 },
229 },
230 },
231 },
232
Serge Bazanskia5ed6442020-09-20 22:52:57 +0000[diff] [blame]233 # ConfigMap that holds overriden bird.cfg.template and bird_ipam.cfg.template.
234 calicoMetallbBird: kube.ConfigMap("calico-metallb-bird") {
235 metadata+: {
236 namespace: cfg.namespace,
237 },
238 data: {
239 "bird.cfg.template": (importstr "calico-bird.cfg.template"),
240 "bird_ipam.cfg.template": (importstr "calico-bird-ipam.cfg.template"),
241 },
242 },
243
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]244 nodeDaemon: kube.DaemonSet("calico-node") {
245 metadata+: {
246 namespace: cfg.namespace,
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]247 labels+: {
248 "k8s-app": "calico-node",
249 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]250 },
251 spec+: {
252 template+: {
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]253 spec+: {
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]254 nodeSelector: {
255 "kubernetes.io/os": "linux"
256 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]257 hostNetwork: true,
258 tolerations: [
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]259 { effect: "NoSchedule", operator: "Exists" },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]260 { key: "CriticalAddonsOnly", operator: "Exists" },
Serge Bazanskid493ab62019-10-31 17:07:19 +0100[diff] [blame]261 { effect: "NoExecute", operator: "Exists" },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]262 ],
263 serviceAccountName: env.saNode.metadata.name,
264 terminationGracePeriodSeconds: 0,
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]265 priorityClassName: "system-cluster-critical",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]266 volumes_: {
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]267 lib_modules: kube.HostPathVolume("/run/current-system/kernel-modules/lib/modules"),
268 var_run_calico: kube.HostPathVolume("/var/run/calico"),
269 var_lib_calico: kube.HostPathVolume("/var/lib/calico"),
270 xtables_lock: kube.HostPathVolume("/run/xtables.lock"),
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]271 cni_bin: kube.HostPathVolume("/opt/cni/bin"),
272 cni_config: kube.HostPathVolume("/opt/cni/conf"),
273 secrets: kube.SecretVolume(env.secrets),
Serge Bazanskia5ed6442020-09-20 22:52:57 +0000[diff] [blame]274 bird_cfg_template: kube.ConfigMapVolume(env.calicoMetallbBird),
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]275 # TODO flexvol-driver-host, policysync
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]276 },
277 initContainers_: {
278 installCNI: kube.Container("install-cni") {
279 image: cfg.imageCNI,
280 command: ["/install-cni.sh"],
281 env_: {
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]282 CNI_CONF_NAME: "10-calico.conflist",
283 CNI_NETWORK_CONFIG: kube.ConfigMapRef(env.cm, "cni_network_config"),
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]284 ETCD_ENDPOINTS: kube.ConfigMapRef(env.cm, "etcd_endpoints"),
285 CNI_MTU: kube.ConfigMapRef(env.cm, "veth_mtu"),
Bartosz Stebeleca1e082021-11-27 01:04:31 +0100[diff] [blame]286 # Important: our directory is changed from the default (/etc/cni/net.d)
287 # to inside /opt/ above in the cni_config HostPathVolume.
288 # See projectcalico/cni-plugin//k8s-install/scripts/install-cni.sh:24 for reference.
289 CNI_NET_DIR: "/opt/cni/conf",
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]290 # TODO(implr) needed?
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]291 CNI_CONF_ETCD_CA_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_ca"),
292 CNI_CONF_ETCD_KEY_FILE: kube.ConfigMapRef(env.cm, "etcd_key"),
293 CNI_CONF_ETCD_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_cert"),
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]294 SLEEP: "false",
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]295 KUBERNETES_NODE_NAME: { fieldRef: { fieldPath: "spec.nodeName" } },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]296 },
297 volumeMounts_: {
298 cni_bin: { mountPath: "/host/opt/cni/bin" },
299 cni_config: { mountPath: "/host/etc/cni/net.d" },
300 secrets: { mountPath: env.cm.secretPrefix },
301 },
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]302 securityContext: {
303 privileged: true,
304 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]305 },
306 },
307 containers_: {
308 calicoNode: kube.Container("calico-node") {
309 image: cfg.imageNode,
310 env_: {
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]311 DATASTORE_TYPE: "etcdv3",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]312 ETCD_ENDPOINTS: kube.ConfigMapRef(env.cm, "etcd_endpoints"),
313 ETCD_CA_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_ca"),
314 ETCD_KEY_FILE: kube.ConfigMapRef(env.cm, "etcd_key"),
315 ETCD_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_cert"),
316 CALICO_K8S_NODE_REF: kube.FieldRef("spec.nodeName"),
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]317 CALICO_NETWORKING_BACKEND: kube.ConfigMapRef(env.cm, "calico_backend"),
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]318 CLUSTER_TYPE: "k8s,bgp",
Sergiusz Bazanskie3af1eb2019-01-18 09:39:57 +0100[diff] [blame]319 IP: "autodetect",
Serge Bazanskid493ab62019-10-31 17:07:19 +0100[diff] [blame]320 IP_AUTODETECTION_METHOD: "can-reach=185.236.240.1",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]321 CALICO_IPV4POOL_IPIP: "Always",
322 FELIX_IPINIPMTU: kube.ConfigMapRef(env.cm, "veth_mtu"),
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]323 FELIX_WIREGUARDMTU: kube.ConfigMapRef(env.cm, "veth_mtu"),
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]324 CALICO_IPV4POOL_CIDR: "10.10.24.0/21",
325 CALICO_DISABLE_FILE_LOGGING: "true",
326 FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]327 FELIX_LOGSEVERITYSCREEN: "info",
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]328 FELIX_IPV6SUPPORT: "false",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]329 FELIX_HEALTHENABLED: "true",
Serge Bazanskid493ab62019-10-31 17:07:19 +0100[diff] [blame]330 FELIX_HEALTHHOST: "127.0.0.1",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]331 CALICO_ADVERTISE_CLUSTER_IPS: "10.10.12.0/24",
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]332 KUBERNETES_NODE_NAME: { fieldRef: { fieldPath: "spec.nodeName" } },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]333 },
334 securityContext: {
335 privileged: true,
336 },
337 resources: {
338 requests: { cpu: "250m" },
339 },
340 livenessProbe: {
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]341 exec: {
342 command: ["/bin/calico-node", "-bird-live", "-felix-live"],
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]343 },
344 periodSeconds: 10,
345 initialDelaySeconds: 10,
346 failureThreshold: 6,
347 },
348 readinessProbe: {
349 exec: {
350 command: ["/bin/calico-node", "-bird-ready", "-felix-ready"],
351 },
352 periodSeconds: 10,
353 },
354 volumeMounts_: {
355 lib_modules: { mountPath: "/lib/modules" },
356 xtables_lock: { mountPath: "/run/xtables.lock" },
357 var_run_calico: { mountPath: "/var/run/calico" },
358 var_lib_calico: { mountPath: "/var/lib/calico" },
359 secrets: { mountPath: env.cm.secretPrefix },
360 },
Serge Bazanskia5ed6442020-09-20 22:52:57 +0000[diff] [blame]361 volumeMounts+: [
362 { name: "bird-cfg-template",
363 mountPath: "/etc/calico/confd/templates/bird.cfg.template",
364 subPath: "bird.cfg.template"
365 },
366 { name: "bird-cfg-template",
367 mountPath: "/etc/calico/confd/templates/bird_ipam.cfg.template",
368 subPath: "bird_ipam.cfg.template"
369 },
370 ],
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]371 },
372 },
373 },
374 },
375 },
376 },
377 },
378}