Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / eca1e080d7ca016da62a1557d85efe59cb96f984 / . / cluster / kube / lib / calico.libsonnet
blob: d58019762a97d84d0713db3a29d80998111540cc [file] [log] [blame]
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]1# Deploy hosted calico with its own etcd.
2
3local kube = import "../../../kube/kube.libsonnet";
4
5local bindServiceAccountClusterRole(sa, cr) = kube.ClusterRoleBinding(cr.metadata.name) {
6 roleRef: {
7 apiGroup: "rbac.authorization.k8s.io",
8 kind: "ClusterRole",
9 name: cr.metadata.name,
10 },
11 subjects: [
12 {
13 kind: "ServiceAccount",
14 name: sa.metadata.name,
15 namespace: sa.metadata.namespace,
16 },
17 ],
18};
19
20{
21 Environment: {
22 local env = self,
23 local cfg = env.cfg,
24 cfg:: {
25 namespace: "kube-system",
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]26 version: "v3.15.5",
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]27 imageController: "calico/kube-controllers:" + cfg.version,
28 imageCNI: "calico/cni:" + cfg.version,
29 imageNode: "calico/node:" + cfg.version,
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]30 // TODO(implr): migrate calico from etcd to apiserver
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]31 etcd: {
32 endpoints: ["https://bc01n%02d.hswaw.net:2379" % n for n in std.range(1, 3)],
Sergiusz Bazanski73cef112019-04-07 00:06:23 +0200[diff] [blame]33 ca: importstr "../../certs/ca-etcd.crt",
34 cert: importstr "../../certs/etcd-calico.cert",
35 key: importstr "../../secrets/plain/etcd-calico.key",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]36 },
37 },
38
39 cm: kube.ConfigMap("calico-config") {
40 local cm = self,
41 secretPrefix:: "/calico-secrets/",
42
43 metadata+: {
44 namespace: cfg.namespace,
45 },
46
47 data: {
48 etcd_endpoints: std.join(",", cfg.etcd.endpoints),
49
50 etcd_ca: cm.secretPrefix + "etcd-ca",
51 etcd_cert: cm.secretPrefix + "etcd-cert",
52 etcd_key: cm.secretPrefix + "etcd-key",
53
54 calico_backend: "bird",
55 veth_mtu: "1440",
56
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]57 typha_service_name: "none",
58
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]59 cni_network_config: |||
60 {
61 "name": "k8s-pod-network",
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]62 "cniVersion": "0.3.1",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]63 "plugins": [
64 {
65 "type": "calico",
66 "log_level": "info",
67 "etcd_endpoints": "__ETCD_ENDPOINTS__",
68 "etcd_key_file": "__ETCD_KEY_FILE__",
69 "etcd_cert_file": "__ETCD_CERT_FILE__",
70 "etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]71 "datastore_type": "etcdv3",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]72 "mtu": __CNI_MTU__,
73 "ipam": {
74 "type": "calico-ipam"
75 },
76 "policy": {
77 "type": "k8s"
78 },
79 "kubernetes": {
80 "kubeconfig": "__KUBECONFIG_FILEPATH__"
81 }
82 },
83 {
84 "type": "portmap",
85 "snat": true,
86 "capabilities": {"portMappings": true}
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]87 },
88 {
89 "type": "bandwidth",
90 "capabilities": {"bandwidth": true}
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]91 }
92 ]
93 }
94 |||
95 },
96 },
97
98 secrets: kube.Secret("calico-secrets") {
99 metadata+: {
100 namespace: cfg.namespace,
101 },
102
103 data_: {
104 "etcd-ca": cfg.etcd.ca,
105 "etcd-cert": cfg.etcd.cert,
106 "etcd-key": cfg.etcd.key,
107 },
108 },
109
110 saNode: kube.ServiceAccount("calico-node") {
111 metadata+: {
112 namespace: cfg.namespace,
113 },
114 },
115
116 crNode: kube.ClusterRole("calico-node") {
117 rules: [
118 {
119 apiGroups: [""],
120 resources: ["pods", "nodes", "namespaces"],
121 verbs: ["get"],
122 },
123 {
124 apiGroups: [""],
125 resources: ["endpoints", "services"],
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]126 verbs: ["watch", "list", "get"],
127 },
128 {
129 apiGroups: [""],
130 resources: ["configmaps"],
131 verbs: ["get"],
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]132 },
133 {
134 apiGroups: [""],
135 resources: ["nodes/status"],
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]136 verbs: ["patch", "update"],
137 },
138 {
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]139 apiGroups: [""],
140 resources: ["pods/status"],
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]141 verbs: ["patch"],
142 },
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]143 {
144 apiGroups: [""],
145 resources: ["nodes"],
146 verbs: ["get", "list", "watch"],
147 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]148 ],
149 },
150
151 crbNode: bindServiceAccountClusterRole(env.saNode, env.crNode),
152
153 saController: kube.ServiceAccount("calico-kube-controllers") {
154 metadata+: {
155 namespace: cfg.namespace,
156 },
157 },
158
159 crController: kube.ClusterRole("calico-kube-controllers") {
160 rules: [
161 {
162 apiGroups: [""],
Sergiusz Bazanskie55493f2020-05-30 17:57:05 +0200[diff] [blame]163 resources: ["nodes", "pods", "namespaces", "serviceaccounts"],
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]164 verbs: ["watch", "list", "get"],
165 },
166 {
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]167 apiGroups: ["networking.k8s.io"],
168 resources: ["networkpolicies"],
169 verbs: ["watch", "list"],
170 },
171 ],
172 },
173
174 crbController: bindServiceAccountClusterRole(env.saController, env.crController),
175
176 controller: kube.Deployment("calico-kube-controllers") {
177 metadata+: {
178 namespace: cfg.namespace,
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]179 labels+: {
180 "k8s-app": "calico-kube-controllers",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]181 },
182 },
183 spec+: {
184 replicas: 1,
185 strategy: { type: "Recreate" },
186 template+: {
187 spec+: {
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]188 nodeSelector: {
189 "kubernetes.io/os": "linux"
190 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]191 tolerations: [
192 { key: "CriticalAddonsOnly", operator: "Exists" },
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]193 { key: "node-role.kubernetes.io/master", effect: "NoSchedule" },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]194 ],
195 serviceAccountName: env.saController.metadata.name,
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]196 priorityClassName: "system-cluster-critical",
197 hostNetwork: true,
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]198 containers_: {
199 "calico-kube-controllers": kube.Container("calico-kube-controllers") {
200 image: cfg.imageController,
201 env_: {
202 ETCD_ENDPOINTS: kube.ConfigMapRef(env.cm, "etcd_endpoints"),
203 ETCD_CA_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_ca"),
204 ETCD_KEY_FILE: kube.ConfigMapRef(env.cm, "etcd_key"),
205 ETCD_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_cert"),
206 ENABLED_CONTROLLERS: "policy,namespace,serviceaccount,workloadendpoint,node",
207 },
208 volumeMounts_: {
209 secrets: {
210 mountPath: env.cm.secretPrefix,
211 },
212 },
213 readinessProbe: {
214 exec: {
215 command: [ "/usr/bin/check-status", "-r" ],
216 },
217 },
218 },
219 },
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]220 volumes_: {
221 secrets: kube.SecretVolume(env.secrets),
222 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]223 },
224 },
225 },
226 },
227
Serge Bazanskia5ed6442020-09-20 22:52:57 +0000[diff] [blame]228 # ConfigMap that holds overriden bird.cfg.template and bird_ipam.cfg.template.
229 calicoMetallbBird: kube.ConfigMap("calico-metallb-bird") {
230 metadata+: {
231 namespace: cfg.namespace,
232 },
233 data: {
234 "bird.cfg.template": (importstr "calico-bird.cfg.template"),
235 "bird_ipam.cfg.template": (importstr "calico-bird-ipam.cfg.template"),
236 },
237 },
238
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]239 nodeDaemon: kube.DaemonSet("calico-node") {
240 metadata+: {
241 namespace: cfg.namespace,
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]242 labels+: {
243 "k8s-app": "calico-node",
244 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]245 },
246 spec+: {
247 template+: {
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]248 spec+: {
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]249 nodeSelector: {
250 "kubernetes.io/os": "linux"
251 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]252 hostNetwork: true,
253 tolerations: [
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]254 { effect: "NoSchedule", operator: "Exists" },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]255 { key: "CriticalAddonsOnly", operator: "Exists" },
Serge Bazanskid493ab62019-10-31 17:07:19 +0100[diff] [blame]256 { effect: "NoExecute", operator: "Exists" },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]257 ],
258 serviceAccountName: env.saNode.metadata.name,
259 terminationGracePeriodSeconds: 0,
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]260 priorityClassName: "system-cluster-critical",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]261 volumes_: {
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]262 lib_modules: kube.HostPathVolume("/run/current-system/kernel-modules/lib/modules"),
263 var_run_calico: kube.HostPathVolume("/var/run/calico"),
264 var_lib_calico: kube.HostPathVolume("/var/lib/calico"),
265 xtables_lock: kube.HostPathVolume("/run/xtables.lock"),
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]266 cni_bin: kube.HostPathVolume("/opt/cni/bin"),
267 cni_config: kube.HostPathVolume("/opt/cni/conf"),
268 secrets: kube.SecretVolume(env.secrets),
Serge Bazanskia5ed6442020-09-20 22:52:57 +0000[diff] [blame]269 bird_cfg_template: kube.ConfigMapVolume(env.calicoMetallbBird),
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]270 # TODO flexvol-driver-host, policysync
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]271 },
272 initContainers_: {
273 installCNI: kube.Container("install-cni") {
274 image: cfg.imageCNI,
275 command: ["/install-cni.sh"],
276 env_: {
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]277 CNI_CONF_NAME: "10-calico.conflist",
278 CNI_NETWORK_CONFIG: kube.ConfigMapRef(env.cm, "cni_network_config"),
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]279 ETCD_ENDPOINTS: kube.ConfigMapRef(env.cm, "etcd_endpoints"),
280 CNI_MTU: kube.ConfigMapRef(env.cm, "veth_mtu"),
Bartosz Stebeleca1e082021-11-27 01:04:31 +0100[diff] [blame^]281 # Important: our directory is changed from the default (/etc/cni/net.d)
282 # to inside /opt/ above in the cni_config HostPathVolume.
283 # See projectcalico/cni-plugin//k8s-install/scripts/install-cni.sh:24 for reference.
284 CNI_NET_DIR: "/opt/cni/conf",
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]285 # TODO(implr) needed?
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]286 CNI_CONF_ETCD_CA_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_ca"),
287 CNI_CONF_ETCD_KEY_FILE: kube.ConfigMapRef(env.cm, "etcd_key"),
288 CNI_CONF_ETCD_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_cert"),
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]289 SLEEP: "false",
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]290 KUBERNETES_NODE_NAME: { fieldRef: { fieldPath: "spec.nodeName" } },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]291 },
292 volumeMounts_: {
293 cni_bin: { mountPath: "/host/opt/cni/bin" },
294 cni_config: { mountPath: "/host/etc/cni/net.d" },
295 secrets: { mountPath: env.cm.secretPrefix },
296 },
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]297 securityContext: {
298 privileged: true,
299 },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]300 },
301 },
302 containers_: {
303 calicoNode: kube.Container("calico-node") {
304 image: cfg.imageNode,
305 env_: {
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]306 DATASTORE_TYPE: "etcdv3",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]307 ETCD_ENDPOINTS: kube.ConfigMapRef(env.cm, "etcd_endpoints"),
308 ETCD_CA_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_ca"),
309 ETCD_KEY_FILE: kube.ConfigMapRef(env.cm, "etcd_key"),
310 ETCD_CERT_FILE: kube.ConfigMapRef(env.cm, "etcd_cert"),
311 CALICO_K8S_NODE_REF: kube.FieldRef("spec.nodeName"),
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]312 CALICO_NETWORKING_BACKEND: kube.ConfigMapRef(env.cm, "calico_backend"),
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]313 CLUSTER_TYPE: "k8s,bgp",
Sergiusz Bazanskie3af1eb2019-01-18 09:39:57 +0100[diff] [blame]314 IP: "autodetect",
Serge Bazanskid493ab62019-10-31 17:07:19 +0100[diff] [blame]315 IP_AUTODETECTION_METHOD: "can-reach=185.236.240.1",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]316 CALICO_IPV4POOL_IPIP: "Always",
317 FELIX_IPINIPMTU: kube.ConfigMapRef(env.cm, "veth_mtu"),
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]318 FELIX_WIREGUARDMTU: kube.ConfigMapRef(env.cm, "veth_mtu"),
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]319 CALICO_IPV4POOL_CIDR: "10.10.24.0/21",
320 CALICO_DISABLE_FILE_LOGGING: "true",
321 FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]322 FELIX_LOGSEVERITYSCREEN: "info",
Bartosz Stebel12f176c2021-06-18 13:12:41 +0200[diff] [blame]323 FELIX_IPV6SUPPORT: "false",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]324 FELIX_HEALTHENABLED: "true",
Serge Bazanskid493ab62019-10-31 17:07:19 +0100[diff] [blame]325 FELIX_HEALTHHOST: "127.0.0.1",
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]326 CALICO_ADVERTISE_CLUSTER_IPS: "10.10.12.0/24",
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]327 KUBERNETES_NODE_NAME: { fieldRef: { fieldPath: "spec.nodeName" } },
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]328 },
329 securityContext: {
330 privileged: true,
331 },
332 resources: {
333 requests: { cpu: "250m" },
334 },
335 livenessProbe: {
Sergiusz Bazanskid81bf722020-05-28 16:38:52 +0200[diff] [blame]336 exec: {
337 command: ["/bin/calico-node", "-bird-live", "-felix-live"],
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]338 },
339 periodSeconds: 10,
340 initialDelaySeconds: 10,
341 failureThreshold: 6,
342 },
343 readinessProbe: {
344 exec: {
345 command: ["/bin/calico-node", "-bird-ready", "-felix-ready"],
346 },
347 periodSeconds: 10,
348 },
349 volumeMounts_: {
350 lib_modules: { mountPath: "/lib/modules" },
351 xtables_lock: { mountPath: "/run/xtables.lock" },
352 var_run_calico: { mountPath: "/var/run/calico" },
353 var_lib_calico: { mountPath: "/var/lib/calico" },
354 secrets: { mountPath: env.cm.secretPrefix },
355 },
Serge Bazanskia5ed6442020-09-20 22:52:57 +0000[diff] [blame]356 volumeMounts+: [
357 { name: "bird-cfg-template",
358 mountPath: "/etc/calico/confd/templates/bird.cfg.template",
359 subPath: "bird.cfg.template"
360 },
361 { name: "bird-cfg-template",
362 mountPath: "/etc/calico/confd/templates/bird_ipam.cfg.template",
363 subPath: "bird_ipam.cfg.template"
364 },
365 ],
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]366 },
367 },
368 },
369 },
370 },
371 },
372 },
373}