{{/* Copyright 2017 The Openstack-Helm Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} {{- if .Values.manifests.daemonset_calico_node }} {{- $envAll := . }} {{/* Robustness, Calico 3.x wants things as Titlecase; this causes pain */}} {{- $_ := set .Values.conf.node "CALICO_IPV4POOL_IPIP" (title .Values.conf.node.CALICO_IPV4POOL_IPIP ) -}} {{- $_ := set .Values.conf.node "CALICO_STARTUP_LOGLEVEL" (title .Values.conf.node.CALICO_STARTUP_LOGLEVEL ) -}} {{- $_ := set .Values.conf.node "FELIX_LOGSEVERITYSCREEN" (title .Values.conf.node.FELIX_LOGSEVERITYSCREEN ) -}} {{/* If using tunnels, and FELIX_IPINIPMTU is not set, make it 20 less than the physical to account for IPIP overhead */}} {{- if empty .Values.conf.node.FELIX_IPINIPMTU -}} {{- if ne .Values.conf.node.CALICO_IPV4POOL_IPIP "Never" -}} {{- $_ := set .Values.conf.node "FELIX_IPINIPMTU" (sub .Values.networking.mtu 20) -}} # Setting tunnel MTU to {{ .Values.conf.node.FELIX_IPINIPMTU }} {{- end -}} {{- end -}} {{/* CNI_MTU is >= than the IPIP mtu, usually the physical MTU of the system */}} {{- if empty .Values.conf.node.CNI_MTU -}} {{- $_ := set .Values.conf.node "CNI_MTU" .Values.networking.mtu -}} {{- end -}} {{- if empty .Values.conf.node.CALICO_IPV4POOL_CIDR -}} {{- $_ := set .Values.conf.node "CALICO_IPV4POOL_CIDR" .Values.networking.podSubnet -}} {{- end -}} {{- $serviceAccountName := "calico-node" }} {{ tuple $envAll "calico_node" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: calico-node roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-node subjects: - kind: ServiceAccount name: {{ $serviceAccountName }} namespace: {{ .Release.Namespace }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: {{ $serviceAccountName }} rules: - apiGroups: [""] resources: - pods - nodes - namespaces verbs: - get - apiGroups: ["batch" ] resources: ["jobs"] verbs: ["get" ] --- # This manifest installs the calico/node container, as well # as the Calico CNI plugins and network config on # each master and worker node in a Kubernetes cluster. kind: DaemonSet apiVersion: apps/v1 metadata: name: calico-node annotations: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} labels: k8s-app: calico-node {{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} spec: selector: matchLabels: k8s-app: calico-node {{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} updateStrategy: type: RollingUpdate rollingUpdate: maxUnavailable: 1 template: metadata: labels: k8s-app: calico-node {{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} annotations: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bird-hash: {{ tuple "configmap-bird.yaml" . | include "helm-toolkit.utils.hash" }} # This, along with the CriticalAddonsOnly toleration below, # marks the pod as a critical add-on, ensuring it gets # priority scheduling and that its resources are reserved # if it ever gets evicted. scheduler.alpha.kubernetes.io/critical-pod: '' {{ dict "envAll" $envAll "podName" "calico-node" "containerNames" (list "calico-node") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} {{- if .Values.monitoring.prometheus.enabled }} {{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }} {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }} {{- end }} spec: {{ dict "envAll" $envAll "application" "calico_node" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} nodeSelector: beta.kubernetes.io/os: linux hostNetwork: true tolerations: # Make sure calico-node gets scheduled on all nodes. - effect: NoSchedule operator: Exists # Mark the pod as a critical add-on for rescheduling. - key: CriticalAddonsOnly operator: Exists - effect: NoExecute operator: Exists serviceAccountName: {{ $serviceAccountName }} # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. terminationGracePeriodSeconds: 0 initContainers: {{ tuple $envAll "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} {{ if .Values.manifests.daemonset_calico_node_calicoctl }} - name: install-calicoctl {{ tuple $envAll "calico_ctl" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.calico_ctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" $envAll "application" "calico_node" "container" "calico_ctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/install-calicoctl.sh env: - name: ETCD_ENDPOINTS valueFrom: configMapKeyRef: name: calico-etc key: etcd_endpoints {{ if .Values.endpoints.etcd.auth.client.tls.ca }} - name: ETCD_CA_CERT_FILE value: {{ .Values.endpoints.etcd.auth.client.path.ca }} - name: ETCD_CA_CERT valueFrom: secretKeyRef: name: calico-etcd-secrets key: tls.ca {{ end }} {{ if .Values.endpoints.etcd.auth.client.tls.key }} - name: ETCD_KEY_FILE value: {{ .Values.endpoints.etcd.auth.client.path.key }} - name: ETCD_KEY valueFrom: secretKeyRef: name: calico-etcd-secrets key: tls.key {{ end }} {{ if .Values.endpoints.etcd.auth.client.tls.crt }} - name: ETCD_CERT_FILE value: {{ .Values.endpoints.etcd.auth.client.path.crt }} - name: ETCD_CERT valueFrom: secretKeyRef: name: calico-etcd-secrets key: tls.crt {{ end }} volumeMounts: - name: pod-tmp mountPath: /tmp - mountPath: /host/etc/calico name: calico-cert-dir - mountPath: /host/opt/cni/bin name: cni-bin-dir - mountPath: /tmp/install-calicoctl.sh name: calico-bin subPath: install-calicoctl.sh - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} subPath: tls.ca readOnly: true - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} subPath: tls.crt readOnly: true - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} subPath: tls.key readOnly: true {{ end }} # This container installs the Calico CNI binaries # and CNI network config file on each node. - name: install-cni {{ tuple $envAll "calico_cni" | include "helm-toolkit.snippets.image" | indent 10 }} {{ dict "envAll" $envAll "application" "calico_node" "container" "install_cni" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: ["/install-cni.sh"] env: # Prevents the container from sleeping forever. - name: SLEEP value: "false" # Name of the CNI config file to create. # # NOTE: Calico v3 needs to end in .conflist; Calico v2 is # different! - name: CNI_CONF_NAME value: "10-calico.conflist" # The location of the Calico etcd cluster. - name: ETCD_ENDPOINTS valueFrom: configMapKeyRef: name: calico-etc key: etcd_endpoints # The CNI network config to install on each node. - name: CNI_NETWORK_CONFIG valueFrom: configMapKeyRef: name: calico-etc key: cni_network_config volumeMounts: - name: pod-tmp mountPath: /tmp - name: cni-bin-dir mountPath: /host/opt/cni/bin - name: cni-net-dir mountPath: /host/etc/cni/net.d {{ if .Values.conf.etcd.credentials.ca }} - name: calico-etcd-secrets mountPath: /calico-secrets/etcd-ca subPath: etcd.ca readOnly: true {{ end }} {{ if .Values.conf.etcd.credentials.certificate }} - name: calico-etcd-secrets mountPath: /calico-secrets/etcd-cert subPath: etcd.crt readOnly: true {{ end }} {{ if .Values.conf.etcd.credentials.key }} - name: calico-etcd-secrets mountPath: /calico-secrets/etcd-key subPath: etcd.key readOnly: true {{ end }} volumes: - name: pod-tmp emptyDir: {} # Used by calico/node. - name: lib-modules hostPath: path: /lib/modules - name: var-run-calico hostPath: path: /var/run/calico - name: var-lib-calico hostPath: path: /var/lib/calico - name: xtables-lock hostPath: path: /run/xtables.lock type: FileOrCreate # Used to install CNI. - name: cni-bin-dir hostPath: path: /opt/cni/bin - name: cni-net-dir hostPath: path: /etc/cni/net.d - name: calico-cert-dir hostPath: path: /etc/calico - name: calico-etc configMap: name: calico-etc defaultMode: 0444 - name: calico-bird configMap: name: calico-bird defaultMode: 0444 - name: calico-bin configMap: name: calico-bin defaultMode: 0555 - name: calico-etcd-secrets secret: secretName: calico-etcd-secrets containers: # Runs calico/node container on each Kubernetes node. This # container programs network policy and routes on each # host. - name: calico-node {{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" $envAll "application" "calico_node" "container" "calico_node" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} env: # Values expanded explicitly from conf.node (some of which # might be derived from elsewhere, see values.yaml for an # explanation of this) # {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.node | indent 12 }} # Values explicit in the chart not expected to be found in # conf.node # # The location of the Calico etcd cluster. - name: ETCD_ENDPOINTS valueFrom: configMapKeyRef: name: calico-etc key: etcd_endpoints # etcd certs {{ if .Values.endpoints.etcd.auth.client.tls.ca }} - name: ETCD_CA_CERT_FILE value: {{ .Values.endpoints.etcd.auth.client.path.ca }} {{ end }} {{ if .Values.endpoints.etcd.auth.client.tls.key }} - name: ETCD_KEY_FILE value: {{ .Values.endpoints.etcd.auth.client.path.key }} {{ end }} {{ if .Values.endpoints.etcd.auth.client.tls.crt }} - name: ETCD_CERT_FILE value: {{ .Values.endpoints.etcd.auth.client.path.crt }} {{ end }} # Set noderef for node controller. - name: CALICO_K8S_NODE_REF valueFrom: fieldRef: fieldPath: spec.nodeName livenessProbe: httpGet: path: /liveness port: 9099 host: localhost periodSeconds: 10 initialDelaySeconds: 10 failureThreshold: 6 # Only for Calico v3 readinessProbe: exec: command: - /bin/calico-node - -bird-ready - -felix-ready periodSeconds: 10 volumeMounts: - name: pod-tmp mountPath: /tmp - mountPath: /lib/modules name: lib-modules readOnly: true - mountPath: /run/xtables.lock name: xtables-lock readOnly: false - mountPath: /var/run/calico name: var-run-calico readOnly: false # bird template replacements # bird cfg - mountPath: /etc/calico/confd/templates/bird.cfg.template name: calico-bird subPath: bird.cfg.template # bird ipam - mountPath: /etc/calico/confd/templates/bird_ipam.cfg.template name: calico-bird subPath: bird_ipam.cfg.template # bird6 cfg - mountPath: /etc/calico/confd/templates/bird6.cfg.template name: calico-bird subPath: bird6.cfg.template # bird6 ipam - mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template name: calico-bird subPath: bird6_ipam.cfg.template # etcd secrets - mountPath: /var/lib/calico name: var-lib-calico readOnly: false - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} subPath: tls.ca readOnly: true - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }} subPath: tls.crt readOnly: true - name: calico-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} subPath: tls.key readOnly: true {{- end }}