No longer use networking.settings.ippool.ipip.mode, rather take from
conf.node.CALICO_IPV4POOL_IPIP (this avoids duplication and
possibility of setting them differently).
Logging values previously required Titlecase in some places, lower in
others (and it changed across versions); have the chart DTRT where it
matters to avoid configuration problems.
Change-Id: Idb7ccb5be8f9e1cb184ed86a9fd0875704912564
PS provides possibility to use TLS in etcd (for Calico).
The ansible scripts were updated as well.
Change-Id: I522a78043a125660153aaa60f13d61ba8e325e75
This creates a new section in calico/values.yaml that enables
BGP communities to be applied to a cidr by using the bird_ipam
templates.
Change-Id: I4dbbc8d8e761e0484eeb7c8bf0fefa28d29493e5
Update the comment URL references to v3.4 to match the code; other
than ipPool (which was extended) the previous object versions match
the current version.
Change-Id: I1dae92c99992e3a808bea2c270b9d6070274e9f6
- If a rule set in the network policy override for the calico
chart is empty, it causes the calico-settings job to fail. This
safety valve should handle the empty list gracefully.
Change-Id: I4b8a39941f05a8eb86734ff129b2d73830883236
Expose the early logging level for calico-node.
Use conf.node.FELIX_LOGSEVERITYSCREEN to set logging level in
BGPConfiguration and FelixConfiguration (whilst this is an odd
name/location it is backwards compatible and will in most cases set
things as expected).
Change-Id: I70c3028423eddb4721456f645c4475da4af7ced5
- Adds AppArmor profile to the privileged pod
using kubernetes_mandatory_access_control_annotation.
- Added apparmor install to the gate jobs.
Change-Id: I8b53e0b8ddc2695fa278481edf5688efa23ab06b
Allow Calico resources such as NetworkPolicy, GlobalNetworkPolicy,
WorkloadEndpoint, etc to be specified using values.
To avoid the complexities of list management with helm we use a
dictionary that contains a relative priority and set of objects
(called rules).
For example:
    network:
      policy:
        someName:
          priority: 0
          rules:
            - apiVersion: projectcalico.org/v3
              ... some useful resource object ...
            - apiVersion: projectcalico.org/v3
              ... some other useful resource object ...
        someOtherName:
          priority: 1
          rules:
            - apiVersion: projectcalico.org/v3
              ... rules that come later ...
        lastSetOfRules:
          priority: 9
          rules:
            - apiVersion: projectcalico.org/v3
              ... rules that come last ... maybe hostendpoints ...
By having named groups of rules each with its own priority you can
update, delete and amend individual sets of rules without provided you
set the appropriate "priority" value.
Change-Id: Id441350bcc8b95a91ef4d1b89d1bc3c417f50b13
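
An added example (not code from the chart or its authors) of the ordering that the values layout above implies: named groups are flattened in ascending priority, and a group with an empty or missing rules list contributes nothing instead of failing, the case the earlier calico-settings fix describes. Ascending order, the tie-break on group name, the validation and every sample name are assumptions made for illustration.

```python
"""Flatten named, prioritised rule groups into one ordered resource list."""

# Constructed sample mirroring the values layout in the commit message above.
# Group names, resource kinds and metadata names are made up for illustration.
SAMPLE_POLICY = {
    "lastSetOfRules": {"priority": 9, "rules": [
        {"apiVersion": "projectcalico.org/v3", "kind": "HostEndpoint",
         "metadata": {"name": "node1-eth0"}}]},
    "someOtherName": {"priority": 1, "rules": []},   # empty override
    "cleared": {"priority": 2, "rules": None},       # "rules:" with no value
    "someName": {"priority": 0, "rules": [
        {"apiVersion": "projectcalico.org/v3", "kind": "GlobalNetworkPolicy",
         "metadata": {"name": "default-deny"}},
        {"apiVersion": "projectcalico.org/v3", "kind": "NetworkPolicy",
         "metadata": {"name": "allow-dns"}}]},
}


def ordered_resources(policy):
    """Return [(group, resource), ...] sorted by priority, then group name."""
    groups = []
    for name, group in (policy or {}).items():
        priority = group.get("priority")
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(priority, bool) or not isinstance(priority, int):
            raise ValueError(f"group {name!r}: priority must be an integer")
        rules = group.get("rules") or []   # None and [] both mean nothing to apply
        if not isinstance(rules, list):
            raise ValueError(f"group {name!r}: rules must be a list")
        groups.append((priority, name, rules))

    flat = []
    # Sorting on (priority, name) keeps the output stable when priorities tie.
    for _priority, name, rules in sorted(groups, key=lambda g: (g[0], g[1])):
        for rule in rules:
            if not isinstance(rule, dict) or not {"apiVersion", "kind"} <= rule.keys():
                raise ValueError(f"group {name!r}: rule needs apiVersion and kind")
            flat.append((name, rule))
    return flat


if __name__ == "__main__":
    for group, res in ordered_resources(SAMPLE_POLICY):
        print(group, res["kind"], res["metadata"]["name"])
```
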
This PS realigns Calico v2 with the pending Calico v3.2 chart in order
to minimize differences. It's mostly refactoring with a few small fixes.
Change-Id: Ie5157b4ae324b6eb4c8ccb5cc07d8b9bc5a83ebd
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitrary
annotations to the same objects.
Change-Id: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Signed-off-by: Pete Birley <pete@port.direct>
This removes some obsolete calico version information that
was leftover from the original manifest after which this chart
was modeled.
Change-Id: Ic592923484c498216025bb5a7b0bda1f2be9e871
This PS removes the use of the `quote and truncate` approach to
suppress output from gotpl actions in templates and replaces it
with the recommended practice of defining `$_` instead.
Change-Id: I5fedc3471dcbecef37d2fe1302bf9760b3163467
Signed-off-by: Pete Birley <pete@port.direct>
This PS moves to use the current ga version for kubernetes daemonsets,
additionally any remaining deployments that were using the
`extensions/v1beta1` have been updated to `apps/v1`.
Story: 2002205
Task: 21735
Change-Id: If9703162dc472af1e6096bf2b9062802fd5ce8ab
Signed-off-by: Pete Birley <pete@port.direct>
Move to v0.3.1 of kubernetes-entrypoint which has 2 breaking changes to
pod dependencies, and also adds support for depending on jobs via
labels.
Change-Id: I2bafc2153ddd46b3833b253a2e7950bccbccf8ed
This ps proposes adding a common template for the image_repo_sync
jobs for consumption by the charts
Change-Id: I48476d1e4fd94bd1b08b13b46983e3d999f8d8ca
This ps adds more granular node selectors for the charts in osh
infra to match what is currently done in osh
Change-Id: I8957a95053b9fb3ea329fd37ff049cd223a7695d
This PS simplifies the logic for dynamically merging the image management
dependencies into pod deps when active.
Change-Id: I0cf6c93173bc5fbce697ac15be8697d3b1326d0a
Adds support for a new feature of kubernetes-entrypoint, pod
dependencies, that was added in v0.3.0.
Change-Id: I78d9e0545ca3b837cd2386783386a253f7f5a2d6
This PS moves existing dynamic common dependencies under a
'dynamic.common' key to simplify the yaml tree.
Change-Id: I4332bcfdf11197488e7bd5d8cf4c25565ea1c7b6
This PS moves static dependencies under a 'static' key to allow
expansion to cover dynamic dependencies.
Change-Id: Ia0e853564955e0fbbe5a9e91a8b8924c703b1b02
This PS includes the release name in the cluster role to prevent
collision if the chart is deployed multiple times in the same
cluster.
Change-Id: I7166e5ee25b3d4c89879393c5f84c869585a2681
Adds "helm-toolkit.utils.merge" which is a replacement for the
upstream sprig "merge" function which didn't quite do what we
wanted, specifically it didn't merge slices, it just overrode
one with the other. This PS also updates existing callsites
of the sprig merge with "helm-toolkit.utils.merge".
Change-Id: I456349558d4cf941d1bcb07fc76d0688b0a10782
* Ingests the bird templates so that we can override them
to support things such as custom BGP ports (listen) and
neighbors (remote)
* Supports announcing addresses that are within the
.Values.networking.bgp.ipv4|6.additional_cidrs list
in support of ingress controllers that can create
dummy interfaces and assign addresses to be announced
* Introduces a new job to perform calicoctl manipulation to
support manipulating the mesh, adding peers, and changing the
ipPool settings which is value driven
* Support custom port binding and specific interface binding
to allow custom BGP port selection for IPv4 and IPv6
* Instantiates calicoctl as a utility on hosts
* Adds a new function to helm-toolkit to retrieve the http
or https prefix for an endpoint
* Supports https based etcd backends with new certificate
parameters
* Finally, introduces more strict bgp listening to allow
multiple hostNet bgp speakers to run in parallel
Change-Id: Ib4d00befddbd8498b9dcc693409b8b2577458497
This adds checks for the fields in the service annotations for
prometheus, similar to the checks made for the pod annotations.
It also moves prometheus annotations under a prometheus: key
under a top-level monitoring tree to allow for other monitoring
mechanisms independent of the endpoints tree
Change-Id: I4be6d6ad8e74e8ca52bd224ceddad785577bf6c7
This PS drives basic CNI options via ansible playbook in the
KubeADM-AIO container and modifies the calico chart to support
configuration via values.
Change-Id: Iaf2f9807438c3a34e797c62c2c6913edb677997c
This adds the prometheus annotations to the calico-node daemonset
to allow prometheus to create a scrape config for calico metrics.
This requires adding an annotation tree in the chart's values.yaml
file
Change-Id: I0e62fce34ea8de6d0241ea00aaae66187b808c81
Currently, services have two serviceaccounts: one specified in the
chart that cannot read anything, and one injected via helm-toolkit
that can read everything. This patch set refactors the logic to:
- cleanup the roles and their binding automatically when the helm
chart is deleted;
- remove the need to separately mount a serviceaccount with secret;
- better handling of namespaces resource restriction.
Co-Authored-By: portdirect <pete@port.direct>
Change-Id: I47d41e0cad9b5b002f59fc9652bad2cc025538dc
This PS introduces support for using a local docker repo to
store images if desired, and adds multiple namespace support
to the entrypoint lookup functions.
Change-Id: Ib51aa30d3cc033795fe13f6c40a57d46171ad586
This PS updates the calico chart and deployment to use
Kubernetes entrypoint, and apply appropriate RBAC rules to
the pods.
Change-Id: I9d875f50c4767b6714a4931b9ade0a6f94b533c2