openstack-helm-infra/calico/templates/daemonset-calico-etcd.yaml
Rahul Khiyani 7520f9b8e7 readOnlyRootFilesystem: true for Calico chart
Fix for adding readOnlyRootFilesystem flag at pod
level

Change-Id: I79fd55e582487ffe91a750a51c7a2c5bed13f777
2019-03-07 15:19:47 +00:00

132 lines
5.6 KiB
YAML

{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.daemonset_calico_etcd }}
{{- $envAll := . }}
{{- $serviceAccountName := "calico-etcd" }}
{{ tuple $envAll "calico-etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
# to force it to run on the master even when the master isn't schedulable, and uses
# nodeSelector to ensure it only runs on the master.
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: calico-etcd
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
labels:
k8s-app: calico-etcd
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
selector:
matchLabels:
k8s-app: calico-etcd
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
template:
metadata:
labels:
k8s-app: calico-etcd
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
# reserves resources for critical add-on pods so that they can be rescheduled after
# a failure. This annotation works in tandem with the toleration below.
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
securityContext:
readOnlyRootFilesystem: true
serviceAccountName: {{ $serviceAccountName }}
tolerations:
# This taint is set by all kubelets running `--cloud-provider=external`
# so we should tolerate it to schedule the Calico pods
- key: node.cloudprovider.kubernetes.io/uninitialized
value: "true"
effect: NoSchedule
# Allow this pod to run on the master.
- key: node-role.kubernetes.io/master
effect: NoSchedule
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
# This, along with the annotation above marks this pod as a critical add-on.
- key: CriticalAddonsOnly
operator: Exists
# Only run this pod on the master.
nodeSelector:
node-role.kubernetes.io/master: ""
hostNetwork: true
initContainers:
{{ tuple $envAll "etcd" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: calico-etcd
{{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_etcd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
- name: CALICO_ETCD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
command:
- /usr/local/bin/etcd
args:
- --name=calico
- --data-dir=/var/etcd/calico-data
{{ if eq .Values.endpoints.etcd.scheme.default "https" }}
- --client-cert-auth=True
- --peer-client-cert-auth=True
- --trusted-ca-file=/etc/calico-certs/ca.crt
- --cert-file=/etc/calico-certs/server.crt
- --key-file=/etc/calico-certs/server.key
- --peer-trusted-ca-file=/etc/calico-certs/ca.crt
- --peer-cert-file=/etc/calico-certs/server.crt
- --peer-key-file=/etc/calico-certs/server.key
{{ end }}
- --advertise-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
- --listen-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- --listen-peer-urls={{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- --auto-compaction-retention=1
volumeMounts:
- name: var-etcd
mountPath: /var/etcd
{{ if .Values.conf.etcd.credentials.ca }}
- name: calico-etcd-secrets
mountPath: /etc/calico-certs/ca.crt
subPath: etcd.ca
readOnly: true
{{ end }}
{{ if .Values.conf.etcd.credentials.certificate }}
- name: calico-etcd-secrets
mountPath: /etc/calico-certs/server.crt
subPath: etcd.crt
readOnly: true
{{ end }}
{{ if .Values.conf.etcd.credentials.key }}
- name: calico-etcd-secrets
mountPath: /etc/calico-certs/server.key
subPath: etcd.key
readOnly: true
{{ end }}
volumes:
- name: var-etcd
hostPath:
path: /var/etcd
- name: calico-etcd-secrets
secret:
secretName: calico-etcd-secrets
{{- end }}