Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / 4d98cf5ca89b5d3ad38b5a72fa47b12b3a1354ce / . / cluster / kube / lib / calico.libsonnet
blob: 0c3673f304fb81ab0fcecbd9712e50142d3b5fa5 [file] [log] [blame]
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]1# Deploy hosted calico with its own etcd.
2
3local kube = import "../../../kube/kube.libsonnet";
Bartosz Stebel4d98cf52021-12-01 00:36:02 +0100[diff] [blame^]4local crdYaml = (std.native("parseYaml"))(importstr "./calico_crd.yml");
5local crdMap = {
6 [x.metadata.name]: x
7 for x in crdYaml if x != null
8};
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]9
10local bindServiceAccountClusterRole(sa, cr) = kube.ClusterRoleBinding(cr.metadata.name) {
11 roleRef: {
12 apiGroup: "rbac.authorization.k8s.io",
13 kind: "ClusterRole",
14 name: cr.metadata.name,
15 },
16 subjects: [
17 {
18 kind: "ServiceAccount",
19 name: sa.metadata.name,
20 namespace: sa.metadata.namespace,
21 },
22 ],
23};
24
25{
26 Environment: {
27 local env = self,
28 local cfg = env.cfg,
29 cfg:: {
30 namespace: "kube-system",
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]31 version: "v3.15.5",
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]32 imageController: "calico/kube-controllers:" + cfg.version,
33 imageCNI: "calico/cni:" + cfg.version,
34 imageNode: "calico/node:" + cfg.version,
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]35 },
36
Bartosz Stebel4d98cf52021-12-01 00:36:02 +0100[diff] [blame^]37 crds: crdMap,
38
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]39 cm: kube.ConfigMap("calico-config") {
40 local cm = self,
41 secretPrefix:: "/calico-secrets/",
42
43 metadata+: {
44 namespace: cfg.namespace,
45 },
46
47 data: {
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]48 calico_backend: "bird",
49 veth_mtu: "1440",
50
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]51 typha_service_name: "none",
52
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]53 cni_network_config: |||
54 {
55 "name": "k8s-pod-network",
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]56 "cniVersion": "0.3.1",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]57 "plugins": [
58 {
59 "type": "calico",
60 "log_level": "info",
Bartosz Stebel4d98cf52021-12-01 00:36:02 +0100[diff] [blame^]61 "datastore_type": "kubernetes",
62 "nodename": "__KUBERNETES_NODE_NAME__",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]63 "mtu": __CNI_MTU__,
64 "ipam": {
65 "type": "calico-ipam"
66 },
67 "policy": {
68 "type": "k8s"
69 },
70 "kubernetes": {
71 "kubeconfig": "__KUBECONFIG_FILEPATH__"
72 }
73 },
74 {
75 "type": "portmap",
76 "snat": true,
77 "capabilities": {"portMappings": true}
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]78 },
79 {
80 "type": "bandwidth",
81 "capabilities": {"bandwidth": true}
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]82 }
83 ]
84 }
85 |||
86 },
87 },
88
89 secrets: kube.Secret("calico-secrets") {
90 metadata+: {
91 namespace: cfg.namespace,
92 },
93
94 data_: {
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]95 },
96 },
97
98 saNode: kube.ServiceAccount("calico-node") {
99 metadata+: {
100 namespace: cfg.namespace,
101 },
102 },
103
104 crNode: kube.ClusterRole("calico-node") {
105 rules: [
106 {
107 apiGroups: [""],
108 resources: ["pods", "nodes", "namespaces"],
109 verbs: ["get"],
110 },
111 {
112 apiGroups: [""],
113 resources: ["endpoints", "services"],
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]114 verbs: ["watch", "list", "get"],
115 },
116 {
117 apiGroups: [""],
118 resources: ["configmaps"],
119 verbs: ["get"],
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]120 },
121 {
122 apiGroups: [""],
123 resources: ["nodes/status"],
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]124 verbs: ["patch", "update"],
125 },
126 {
Bartosz Stebel4d98cf52021-12-01 00:36:02 +0100[diff] [blame^]127 apiGroups: ["networking.k8s.io"],
128 resources: ["networkpolicies"],
129 verbs: ["watch", "list"],
130 },
131 {
132 apiGroups: [""],
133 resources: ["pods", "namespaces", "serviceaccounts"],
134 verbs: ["list", "watch"],
135 },
136 {
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]137 apiGroups: [""],
138 resources: ["pods/status"],
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]139 verbs: ["patch"],
140 },
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]141 {
Bartosz Stebel4d98cf52021-12-01 00:36:02 +0100[diff] [blame^]142 apiGroups: ["crd.projectcalico.org"],
143 resources: ["globalfelixconfigs", "felixconfigurations", "bgppeers", "globalbgpconfigs", "bgpconfigurations", "ippools", "ipamblocks", "globalnetworkpolicies", "globalnetworksets", "networkpolicies", "networksets", "clusterinformations", "hostendpoints", "blockaffinities"],
144 verbs: ["get", "list", "watch"],
145 },
146 {
147 apiGroups: ["crd.projectcalico.org"],
148 resources: ["ippools", "felixconfigurations", "clusterinformations"],
149 verbs: ["create", "update"],
150 },
151 {
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]152 apiGroups: [""],
153 resources: ["nodes"],
154 verbs: ["get", "list", "watch"],
155 },
Bartosz Stebel4d98cf52021-12-01 00:36:02 +0100[diff] [blame^]156 {
157 apiGroups: ["crd.projectcalico.org"],
158 resources: ["blockaffinities", "ipamblocks", "ipamhandles"],
159 verbs: ["get", "list", "create", "update", "delete"],
160 },
161 {
162 apiGroups: ["crd.projectcalico.org"],
163 resources: ["ipamconfigs"],
164 verbs: ["get"],
165 },
166 {
167 apiGroups: ["crd.projectcalico.org"],
168 resources: ["blockaffinities"],
169 verbs: ["watch"],
170 },
171 {
172 apiGroups: ["apps"],
173 resources: ["daemonsets"],
174 verbs: ["get"],
175 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]176 ],
177 },
178
179 crbNode: bindServiceAccountClusterRole(env.saNode, env.crNode),
180
181 saController: kube.ServiceAccount("calico-kube-controllers") {
182 metadata+: {
183 namespace: cfg.namespace,
184 },
185 },
186
187 crController: kube.ClusterRole("calico-kube-controllers") {
188 rules: [
189 {
190 apiGroups: [""],
Bartosz Stebel4d98cf52021-12-01 00:36:02 +0100[diff] [blame^]191 resources: ["nodes"],
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]192 verbs: ["watch", "list", "get"],
193 },
194 {
Bartosz Stebel4d98cf52021-12-01 00:36:02 +0100[diff] [blame^]195 apiGroups: [""],
196 resources: ["pods"],
197 verbs: ["get"],
198 },
199 {
200 apiGroups: ["crd.projectcalico.org"],
201 resources: ["ippools"],
202 verbs: ["list"],
203 },
204 {
205 apiGroups: ["crd.projectcalico.org"],
206 resources: ["blockaffinities", "ipamblocks", "ipamhandles"],
207 verbs: ["get", "list", "create", "update", "delete"],
208 },
209 {
210 apiGroups: ["crd.projectcalico.org"],
211 resources: ["hostendpoints"],
212 verbs: ["get", "list", "create", "update", "delete"],
213 },
214 {
215 apiGroups: ["crd.projectcalico.org"],
216 resources: ["clusterinformations"],
217 verbs: ["get", "create", "update"],
218 },
219 {
220 apiGroups: ["crd.projectcalico.org"],
221 resources: ["kubecontrollersconfigurations"],
222 verbs: ["get", "create", "update", "watch"],
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]223 },
224 ],
225 },
226
227 crbController: bindServiceAccountClusterRole(env.saController, env.crController),
228
229 controller: kube.Deployment("calico-kube-controllers") {
230 metadata+: {
231 namespace: cfg.namespace,
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]232 labels+: {
233 "k8s-app": "calico-kube-controllers",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]234 },
235 },
236 spec+: {
237 replicas: 1,
238 strategy: { type: "Recreate" },
239 template+: {
240 spec+: {
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]241 nodeSelector: {
242 "kubernetes.io/os": "linux"
243 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]244 tolerations: [
245 { key: "CriticalAddonsOnly", operator: "Exists" },
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]246 { key: "node-role.kubernetes.io/master", effect: "NoSchedule" },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]247 ],
248 serviceAccountName: env.saController.metadata.name,
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]249 priorityClassName: "system-cluster-critical",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]250 containers_: {
251 "calico-kube-controllers": kube.Container("calico-kube-controllers") {
252 image: cfg.imageController,
253 env_: {
Bartosz Stebel4d98cf52021-12-01 00:36:02 +0100[diff] [blame^]254 DATASTORE_TYPE: "kubernetes",
255 ENABLED_CONTROLLERS: "node",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]256 },
257 volumeMounts_: {
258 secrets: {
259 mountPath: env.cm.secretPrefix,
260 },
261 },
262 readinessProbe: {
263 exec: {
264 command: [ "/usr/bin/check-status", "-r" ],
265 },
266 },
267 },
268 },
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]269 volumes_: {
270 secrets: kube.SecretVolume(env.secrets),
271 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]272 },
273 },
274 },
275 },
276
Serge Bazanskia5ed6442020-09-20 22:52:57 +0000[diff] [blame]277 # ConfigMap that holds overriden bird.cfg.template and bird_ipam.cfg.template.
278 calicoMetallbBird: kube.ConfigMap("calico-metallb-bird") {
279 metadata+: {
280 namespace: cfg.namespace,
281 },
282 data: {
283 "bird.cfg.template": (importstr "calico-bird.cfg.template"),
284 "bird_ipam.cfg.template": (importstr "calico-bird-ipam.cfg.template"),
285 },
286 },
287
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]288 nodeDaemon: kube.DaemonSet("calico-node") {
289 metadata+: {
290 namespace: cfg.namespace,
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]291 labels+: {
292 "k8s-app": "calico-node",
293 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]294 },
295 spec+: {
296 template+: {
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]297 spec+: {
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]298 nodeSelector: {
299 "kubernetes.io/os": "linux"
300 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]301 hostNetwork: true,
302 tolerations: [
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]303 { effect: "NoSchedule", operator: "Exists" },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]304 { key: "CriticalAddonsOnly", operator: "Exists" },
Serge Bazanskid493ab62019-10-31 17:07:19 +0100[diff] [blame]305 { effect: "NoExecute", operator: "Exists" },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]306 ],
307 serviceAccountName: env.saNode.metadata.name,
308 terminationGracePeriodSeconds: 0,
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]309 priorityClassName: "system-cluster-critical",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]310 volumes_: {
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]311 lib_modules: kube.HostPathVolume("/run/current-system/kernel-modules/lib/modules"),
312 var_run_calico: kube.HostPathVolume("/var/run/calico"),
313 var_lib_calico: kube.HostPathVolume("/var/lib/calico"),
314 xtables_lock: kube.HostPathVolume("/run/xtables.lock"),
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]315 cni_bin: kube.HostPathVolume("/opt/cni/bin"),
316 cni_config: kube.HostPathVolume("/opt/cni/conf"),
317 secrets: kube.SecretVolume(env.secrets),
Serge Bazanskia5ed6442020-09-20 22:52:57 +0000[diff] [blame]318 bird_cfg_template: kube.ConfigMapVolume(env.calicoMetallbBird),
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]319 # TODO flexvol-driver-host, policysync
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]320 },
321 initContainers_: {
322 installCNI: kube.Container("install-cni") {
323 image: cfg.imageCNI,
324 command: ["/install-cni.sh"],
325 env_: {
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]326 CNI_CONF_NAME: "10-calico.conflist",
327 CNI_NETWORK_CONFIG: kube.ConfigMapRef(env.cm, "cni_network_config"),
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]328 CNI_MTU: kube.ConfigMapRef(env.cm, "veth_mtu"),
Bartosz Stebeleca1e082021-11-27 01:04:31 +0100[diff] [blame]329 # Important: our directory is changed from the default (/etc/cni/net.d)
330 # to inside /opt/ above in the cni_config HostPathVolume.
331 # See projectcalico/cni-plugin//k8s-install/scripts/install-cni.sh:24 for reference.
332 CNI_NET_DIR: "/opt/cni/conf",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]333 SLEEP: "false",
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]334 KUBERNETES_NODE_NAME: { fieldRef: { fieldPath: "spec.nodeName" } },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]335 },
336 volumeMounts_: {
337 cni_bin: { mountPath: "/host/opt/cni/bin" },
338 cni_config: { mountPath: "/host/etc/cni/net.d" },
339 secrets: { mountPath: env.cm.secretPrefix },
340 },
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]341 securityContext: {
342 privileged: true,
343 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]344 },
345 },
346 containers_: {
347 calicoNode: kube.Container("calico-node") {
348 image: cfg.imageNode,
349 env_: {
Bartosz Stebel4d98cf52021-12-01 00:36:02 +0100[diff] [blame^]350 WAIT_FOR_DATASTORE: "true",
351 NODENAME: kube.FieldRef("spec.nodeName"),
352 DATASTORE_TYPE: "kubernetes",
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]353 CALICO_NETWORKING_BACKEND: kube.ConfigMapRef(env.cm, "calico_backend"),
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]354 CLUSTER_TYPE: "k8s,bgp",
Sergiusz Bazanskie3af1eb2019-01-18 09:39:57 +0100[diff] [blame]355 IP: "autodetect",
Serge Bazanskid493ab62019-10-31 17:07:19 +0100[diff] [blame]356 IP_AUTODETECTION_METHOD: "can-reach=185.236.240.1",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]357 CALICO_IPV4POOL_IPIP: "Always",
358 FELIX_IPINIPMTU: kube.ConfigMapRef(env.cm, "veth_mtu"),
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]359 FELIX_WIREGUARDMTU: kube.ConfigMapRef(env.cm, "veth_mtu"),
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]360 CALICO_IPV4POOL_CIDR: "10.10.24.0/21",
361 CALICO_DISABLE_FILE_LOGGING: "true",
362 FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]363 FELIX_LOGSEVERITYSCREEN: "info",
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]364 FELIX_IPV6SUPPORT: "false",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]365 FELIX_HEALTHENABLED: "true",
Serge Bazanskid493ab62019-10-31 17:07:19 +0100[diff] [blame]366 FELIX_HEALTHHOST: "127.0.0.1",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]367 CALICO_ADVERTISE_CLUSTER_IPS: "10.10.12.0/24",
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]368 KUBERNETES_NODE_NAME: { fieldRef: { fieldPath: "spec.nodeName" } },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]369 },
370 securityContext: {
371 privileged: true,
372 },
373 resources: {
374 requests: { cpu: "250m" },
375 },
376 livenessProbe: {
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]377 exec: {
378 command: ["/bin/calico-node", "-bird-live", "-felix-live"],
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]379 },
380 periodSeconds: 10,
381 initialDelaySeconds: 10,
382 failureThreshold: 6,
383 },
384 readinessProbe: {
385 exec: {
386 command: ["/bin/calico-node", "-bird-ready", "-felix-ready"],
387 },
388 periodSeconds: 10,
389 },
390 volumeMounts_: {
391 lib_modules: { mountPath: "/lib/modules" },
392 xtables_lock: { mountPath: "/run/xtables.lock" },
393 var_run_calico: { mountPath: "/var/run/calico" },
394 var_lib_calico: { mountPath: "/var/lib/calico" },
395 secrets: { mountPath: env.cm.secretPrefix },
396 },
Serge Bazanskia5ed6442020-09-20 22:52:57 +0000[diff] [blame]397 volumeMounts+: [
398 { name: "bird-cfg-template",
399 mountPath: "/etc/calico/confd/templates/bird.cfg.template",
400 subPath: "bird.cfg.template"
401 },
402 { name: "bird-cfg-template",
403 mountPath: "/etc/calico/confd/templates/bird_ipam.cfg.template",
404 subPath: "bird_ipam.cfg.template"
405 },
406 ],
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]407 },
408 },
409 },
410 },
411 },
412 },
413 },
414}