Blame - cluster/kube/lib/calico.libsonnet - hscloud

blob: 0e00ff7c51604fd68624f610f609746d207991f7 [file] [log] [blame]

Sergiusz Bazanski	af3be42	2019-01-17 18:57:19 +0100	[diff] [blame]	1	# Deploy hosted calico with its own etcd.
				2
				3	local kube = import "../../../kube/kube.libsonnet";
				4
				5	local bindServiceAccountClusterRole(sa, cr) = kube.ClusterRoleBinding(cr.metadata.name) {
				6	roleRef: {
				7	apiGroup: "rbac.authorization.k8s.io",
				8	kind: "ClusterRole",
				9	name: cr.metadata.name,
				10	},
				11	subjects: [
				12	{
				13	kind: "ServiceAccount",
				14	name: sa.metadata.name,
				15	namespace: sa.metadata.namespace,
				16	},
				17	],
				18	};
				19
				20	{
				21	Environment: {
				22	local env = self,
				23	local cfg = env.cfg,
				24	cfg:: {
				25	namespace: "kube-system",
				26	version: "v3.4.0",
				27	imageController: "quay.io/calico/kube-controllers:" + cfg.version,
				28	imageCNI: "quay.io/calico/cni:" + cfg.version,
				29	imageNode: "quay.io/calico/node:" + cfg.version,
				30	// TODO(q3k): Separate etcd for calico
				31	etcd: {
				32	endpoints: ["https://bc01n%02d.hswaw.net:2379" % n for n in std.range(1, 3)],
Sergiusz Bazanski	73cef11	2019-04-07 00:06:23 +0200	[diff] [blame]	33	ca: importstr "../../certs/ca-etcd.crt",
				34	cert: importstr "../../certs/etcd-calico.cert",
				35	key: importstr "../../secrets/plain/etcd-calico.key",
Sergiusz Bazanski	af3be42	2019-01-17 18:57:19 +0100	[diff] [blame]	36	},
				37	},
				38
				39	cm: kube.ConfigMap("calico-config") {
				40	local cm = self,
				41	secretPrefix:: "/calico-secrets/",
				42
				43	metadata+: {
				44	namespace: cfg.namespace,
				45	},
				46
				47	data: {
				48	etcd_endpoints: std.join(",", cfg.etcd.endpoints),
				49
				50	etcd_ca: cm.secretPrefix + "etcd-ca",
				51	etcd_cert: cm.secretPrefix + "etcd-cert",
				52	etcd_key: cm.secretPrefix + "etcd-key",
				53
				54	calico_backend: "bird",
				55	veth_mtu: "1440",
				56
				57	cni_network_config: \|\|\|
				58	{
				59	"name": "k8s-pod-network",
				60	"cniVersion": "0.3.0",
				61	"plugins": [
				62	{
				63	"type": "calico",
				64	"log_level": "info",
				65	"etcd_endpoints": "__ETCD_ENDPOINTS__",
				66	"etcd_key_file": "__ETCD_KEY_FILE__",
				67	"etcd_cert_file": "__ETCD_CERT_FILE__",
				68	"etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
				69	"mtu": __CNI_MTU__,
				70	"ipam": {
				71	"type": "calico-ipam"
				72	},
				73	"policy": {
				74	"type": "k8s"
				75	},
				76	"kubernetes": {
				77	"kubeconfig": "__KUBECONFIG_FILEPATH__"
				78	}
				79	},
				80	{
				81	"type": "portmap",
				82	"snat": true,
				83	"capabilities": {"portMappings": true}
				84	}
				85	]
				86	}
				87	\|\|\|
				88	},
				89	},
				90
				91	secrets: kube.Secret("calico-secrets") {
				92	metadata+: {
				93	namespace: cfg.namespace,
				94	},
				95
				96	data_: {
				97	"etcd-ca": cfg.etcd.ca,
				98	"etcd-cert": cfg.etcd.cert,
				99	"etcd-key": cfg.etcd.key,
				100	},
				101	},
				102
				103	saNode: kube.ServiceAccount("calico-node") {
				104	metadata+: {
				105	namespace: cfg.namespace,
				106	},
				107	},
				108
				109	crNode: kube.ClusterRole("calico-node") {
				110	rules: [
				111	{
				112	apiGroups: [""],
				113	resources: ["pods", "nodes", "namespaces"],
				114	verbs: ["get"],
				115	},
				116	{
				117	apiGroups: [""],
				118	resources: ["endpoints", "services"],
				119	verbs: ["watch", "list"],
				120	},
				121	{
				122	apiGroups: [""],
				123	resources: ["nodes/status"],
				124	verbs: ["patch"],
				125	},
				126	],
				127	},
				128
				129	crbNode: bindServiceAccountClusterRole(env.saNode, env.crNode),
				130
				131	saController: kube.ServiceAccount("calico-kube-controllers") {
				132	metadata+: {
				133	namespace: cfg.namespace,
				134	},
				135	},
				136
				137	crController: kube.ClusterRole("calico-kube-controllers") {
				138	rules: [
				139	{
				140	apiGroups: [""],
				141	resources: ["pods", "nodes", "namespaces", "serviceaccounts"],
				142	verbs: ["watch", "list"],
				143	},
				144	{
				145	apiGroups: ["networking.k8s.io"],
				146	resources: ["networkpolicies"],
				147	verbs: ["watch", "list"],
				148	},
				149	],
				150	},
				151
				152	crbController: bindServiceAccountClusterRole(env.saController, env.crController),
				153
				154	controller: kube.Deployment("calico-kube-controllers") {
				155	metadata+: {
				156	namespace: cfg.namespace,
				157	annotations+: {
				158	"scheduler.alpha.kubernetes.io/critical-pod": "",
				159	},
				160	},
				161	spec+: {
				162	replicas: 1,
				163	strategy: { type: "Recreate" },
				164	template+: {
				165	spec+: {
				166	hostNetwork: true,
				167	tolerations: [
				168	{ key: "CriticalAddonsOnly", operator: "Exists" },
				169	],
				170	serviceAccountName: env.saController.metadata.name,
				171	volumes_: {
				172	secrets: kube.SecretVolume(env.secrets),
				173	},
				174	containers_: {
				175	"calico-kube-controllers": kube.Container("calico-kube-controllers") {
				176	image: cfg.imageController,
				177	env_: {
				178	ETCD_ENDPOINTS: kube.ConfigMapRef(env.cm, "etcd_endpoints"),
				179	ETCD_CA_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_ca"),
				180	ETCD_KEY_FILE: kube.ConfigMapRef(env.cm, "etcd_key"),
				181	ETCD_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_cert"),
				182	ENABLED_CONTROLLERS: "policy,namespace,serviceaccount,workloadendpoint,node",
				183	},
				184	volumeMounts_: {
				185	secrets: {
				186	mountPath: env.cm.secretPrefix,
				187	},
				188	},
				189	readinessProbe: {
				190	exec: {
				191	command: [ "/usr/bin/check-status", "-r" ],
				192	},
				193	},
				194	},
				195	},
				196	},
				197	},
				198	},
				199	},
				200
				201	nodeDaemon: kube.DaemonSet("calico-node") {
				202	metadata+: {
				203	namespace: cfg.namespace,
				204	},
				205	spec+: {
				206	template+: {
				207	metadata+: {
				208	annotations+: {
				209	"scheduler.alpha.kubernetes.io/critical-pod": "",
				210	},
				211	},
				212	spec+: {
				213	hostNetwork: true,
				214	tolerations: [
				215	{ key: "CriticalAddonsOnly", operator: "Exists" },
				216	{ key: "NoExecute", operator: "Exists" },
				217	{ key: "NoSchedule", operator: "Exists" },
				218	],
				219	serviceAccountName: env.saNode.metadata.name,
				220	terminationGracePeriodSeconds: 0,
				221	volumes_: {
				222	cni_bin: kube.HostPathVolume("/opt/cni/bin"),
				223	cni_config: kube.HostPathVolume("/opt/cni/conf"),
				224	secrets: kube.SecretVolume(env.secrets),
				225	lib_modules: kube.HostPathVolume("/run/current-system/kernel-modules/lib/modules"),
				226	xtables_lock: kube.HostPathVolume("/run/xtables.lock"),
				227	var_run_calico: kube.HostPathVolume("/var/run/calico"),
				228	var_lib_calico: kube.HostPathVolume("/var/lib/calico"),
				229	},
				230	initContainers_: {
				231	installCNI: kube.Container("install-cni") {
				232	image: cfg.imageCNI,
				233	command: ["/install-cni.sh"],
				234	env_: {
				235	ETCD_ENDPOINTS: kube.ConfigMapRef(env.cm, "etcd_endpoints"),
				236	CNI_CONF_NAME: "10-calico.conflist",
				237	CNI_NETWORK_CONFIG: kube.ConfigMapRef(env.cm, "cni_network_config"),
				238	CNI_CONF_ETCD_CA_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_ca"),
				239	CNI_CONF_ETCD_KEY_FILE: kube.ConfigMapRef(env.cm, "etcd_key"),
				240	CNI_CONF_ETCD_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_cert"),
				241	CNI_MTU: kube.ConfigMapRef(env.cm, "veth_mtu"),
				242	CNI_NET_DIR: "/opt/cni/conf",
				243	SLEEP: "false",
				244	},
				245	volumeMounts_: {
				246	cni_bin: { mountPath: "/host/opt/cni/bin" },
				247	cni_config: { mountPath: "/host/etc/cni/net.d" },
				248	secrets: { mountPath: env.cm.secretPrefix },
				249	},
				250	},
				251	},
				252	containers_: {
				253	calicoNode: kube.Container("calico-node") {
				254	image: cfg.imageNode,
				255	env_: {
				256	ETCD_ENDPOINTS: kube.ConfigMapRef(env.cm, "etcd_endpoints"),
				257	ETCD_CA_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_ca"),
				258	ETCD_KEY_FILE: kube.ConfigMapRef(env.cm, "etcd_key"),
				259	ETCD_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_cert"),
				260	CALICO_K8S_NODE_REF: kube.FieldRef("spec.nodeName"),
				261	CALICO_NETWORK_BACKEND: kube.ConfigMapRef(env.cm, "calico_backend"),
				262	CLUSTER_TYPE: "k8s,bgp",
Sergiusz Bazanski	e3af1eb	2019-01-18 09:39:57 +0100	[diff] [blame]	263	IP: "autodetect",
				264	IP_AUTODETECTION_METHOD: "interface=eno.*",
Sergiusz Bazanski	af3be42	2019-01-17 18:57:19 +0100	[diff] [blame]	265	CALICO_IPV4POOL_IPIP: "Always",
				266	FELIX_IPINIPMTU: kube.ConfigMapRef(env.cm, "veth_mtu"),
				267	CALICO_IPV4POOL_CIDR: "10.10.24.0/21",
				268	CALICO_DISABLE_FILE_LOGGING: "true",
				269	FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT",
				270	FELIX_IPV6SUPPORT: "false",
				271	FELIX_LOGSEVERITYSCREEN: "info",
				272	FELIX_HEALTHENABLED: "true",
				273	CALICO_ADVERTISE_CLUSTER_IPS: "10.10.12.0/24",
				274	},
				275	securityContext: {
				276	privileged: true,
				277	},
				278	resources: {
				279	requests: { cpu: "250m" },
				280	},
				281	livenessProbe: {
				282	httpGet: {
				283	path: "/liveness",
				284	port: 9099,
				285	host: "localhost",
				286	},
				287	periodSeconds: 10,
				288	initialDelaySeconds: 10,
				289	failureThreshold: 6,
				290	},
				291	readinessProbe: {
				292	exec: {
				293	command: ["/bin/calico-node", "-bird-ready", "-felix-ready"],
				294	},
				295	periodSeconds: 10,
				296	},
				297	volumeMounts_: {
				298	lib_modules: { mountPath: "/lib/modules" },
				299	xtables_lock: { mountPath: "/run/xtables.lock" },
				300	var_run_calico: { mountPath: "/var/run/calico" },
				301	var_lib_calico: { mountPath: "/var/lib/calico" },
				302	secrets: { mountPath: env.cm.secretPrefix },
				303	},
				304	},
				305	},
				306	},
				307	},
				308	},
				309	},
				310	},
				311	}