diff --git a/calicoctl-utility/Chart.yaml b/calicoctl-utility/Chart.yaml
new file mode 100644
index 00000000..4398e258
--- /dev/null
+++ b/calicoctl-utility/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright 2019 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: OpenStack-Helm Calicoctl Client
+name: calicoctl-utility
+version: 0.1.0
diff --git a/calicoctl-utility/requirements.yaml b/calicoctl-utility/requirements.yaml
new file mode 100644
index 00000000..e69c985d
--- /dev/null
+++ b/calicoctl-utility/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright 2019 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: http://localhost:8879/charts
+ version: 0.1.0
diff --git a/calicoctl-utility/templates/bin/_bootstrap.sh.tpl b/calicoctl-utility/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 00000000..f79e49e3
--- /dev/null
+++ b/calicoctl-utility/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/sh
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+exec sudo socat -d -v -s -t0 -T0 -u UNIX-RECV:/dev/log,reuseaddr stdout
diff --git a/calicoctl-utility/templates/bin/_calicoctl-utility-rootwrap.tpl b/calicoctl-utility/templates/bin/_calicoctl-utility-rootwrap.tpl
new file mode 100644
index 00000000..89931824
--- /dev/null
+++ b/calicoctl-utility/templates/bin/_calicoctl-utility-rootwrap.tpl
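Review bot: `-v` on the `socat` line writes every forwarded record to stderr in addition to the `-u ... stdout` copy, so each syslog message that `calicoctl-utility-rootwrap` sends to `/dev/log` reaches the container log twice; if one copy is intended, drop it: `exec sudo socat -d -s -t0 -T0 -u UNIX-RECV:/dev/log,reuseaddr stdout`, and mirror the change in the `nobody` rule of `_nccli-sudo.tpl`, which must carry the identical argument string for sudo to match. Nothing on the page says why a utility container runs socat as its only long-running process; a one-line comment above the `exec`, such as `# syslog sink: receives the rootwrap audit records written to /dev/log and forwards them to the container log`, would spare the next reader the search through the other templates.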
@@ -0,0 +1,54 @@
+#!/usr/bin/python
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+import logging
+import os
+import sys
+
+from oslo_rootwrap.cmd import main
+
+exec_name = sys.argv[0]
+host_name = os.environ.get("HOSTNAME")
+log_level = {{ .Values.conf.calicoctl_rootwrap.DEFAULT.syslog_log_level | quote }}
+facility = {{ .Values.conf.calicoctl_rootwrap.DEFAULT.syslog_log_facility | quote }}
+
+if "OS_USERNAME" in os.environ:
+ user_id = os.environ.get("OS_USERNAME")
+elif "OS_USERNAME" not in os.environ and 'c1' == '{{ .Values.conf.utility.location_corridor }}':
+ os.environ["OS_USERNAME"] = "devlab"
+ user_id = os.environ.get("OS_USERNAME")
+else:
+ print("User environment not configured properly, please follow the steps as mentioned "
+ "on wiki to execute commands on a utility container.")
+ exit()
+
+try:
+ handler = logging.handlers.SysLogHandler(address='/dev/log',facility=facility)
+except IOError:
+ print("Unable to setup logging, for security reasons pod will not start")
+ exit()
+
+formatter = logging.Formatter('%(asctime)s ' + host_name + ' ' +
+ os.path.basename(exec_name) + ': ' + 'ActualUser=' + user_id + ': %(message)s')
+handler.setFormatter(formatter)
+root = logging.getLogger()
+root.setLevel(log_level)
+root.addHandler(handler)
+
+
+if __name__ == "__main__":
+ sys.exit(main())
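Review bot: `logging.handlers.SysLogHandler` is used with only `import logging`; `logging.handlers` is a submodule that `import logging` does not load, so unless another import happens to pull it in, the `try` block fails with `AttributeError`, which the `except IOError` does not catch — add `import logging.handlers`. Both failure paths end in `exit()`, which exits with status 0, so the `nccli` wrapper and whatever called it see success despite the "pod will not start" message; use `sys.exit(1)` in both places. `host_name` is `None` when `HOSTNAME` is unset and the string concatenation building the `Formatter` then raises `TypeError` after logging is already half set up; `os.environ.get("HOSTNAME", "unknown")` keeps the audit line intact. The `ActualUser=` field comes from `OS_USERNAME`, a variable the invoking user sets itself, and sudo's default `env_reset` strips it before this script runs unless the sudoers file adds an `env_keep` (the rule added in this commit does not), so a comment should say that this field is self-reported and that `SUDO_USER` is the value sudo itself vouches for.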
diff --git a/calicoctl-utility/templates/bin/_nccli-sudo.tpl b/calicoctl-utility/templates/bin/_nccli-sudo.tpl
new file mode 100644
index 00000000..c0bd50ea
--- /dev/null
+++ b/calicoctl-utility/templates/bin/_nccli-sudo.tpl
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+nobody ALL = (root) NOPASSWD: /usr/bin/socat -d -v -s -t0 -T0 -u \
+ UNIX-RECV\:/dev/log\,reuseaddr stdout, \
+ /usr/local/bin/calicoctl-utility-rootwrap /etc/calicoctl/rootwrap.conf *, \
+ /usr/local/bin/calicoctl version
diff --git a/calicoctl-utility/templates/bin/_nccli.tpl b/calicoctl-utility/templates/bin/_nccli.tpl
new file mode 100644
index 00000000..1b1df077
--- /dev/null
+++ b/calicoctl-utility/templates/bin/_nccli.tpl
@@ -0,0 +1,18 @@
+#!/bin/sh
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+sudo /usr/local/bin/calicoctl-utility-rootwrap /etc/calicoctl/rootwrap.conf $*
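Review bot: `$*` on the last line of `_nccli.tpl` is unquoted, so the user's arguments are re-split on whitespace and glob-expanded before they reach rootwrap: an argument containing a space arrives as two arguments and a literal `*` is expanded against the current directory, which changes what the rootwrap filters see. Use `"$@"`, which forwards each argument as one word: `sudo /usr/local/bin/calicoctl-utility-rootwrap /etc/calicoctl/rootwrap.conf "$@"`. The sudoers rule in `_nccli-sudo.tpl` matches `rootwrap.conf *`, so this does not alter which commands sudo accepts.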
diff --git a/calicoctl-utility/templates/bin/_version_check.sh.tpl b/calicoctl-utility/templates/bin/_version_check.sh.tpl
new file mode 100644
index 00000000..fb12c52a
--- /dev/null
+++ b/calicoctl-utility/templates/bin/_version_check.sh.tpl
@@ -0,0 +1,39 @@
+#!/bin/sh
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -euxo pipefail
+
+function check_version() {
+ while IFS=":" read -r key val
+ do
+ if [ "${key}" = "Client Version" ]; then
+ CLIENT_VER=$(echo "${val}"|xargs)
+ fi
+ if [ "${key}" = "Cluster Version" ]; then
+ CLUSTER_VER=$(echo "${val}"|xargs)
+ fi
+ done
+ if [ ! -z "${CLIENT_VER}" ] && [ ! -z "${CLUSTER_VER}" ] && \
+ [ "${CLIENT_VER}" = "${CLUSTER_VER}" ]; then
+ exit 0
+ else
+ echo "Calico client and cluster version mismatch"
+ exit 1
+ fi
+}
+
+sudo calicoctl version | check_version
diff --git a/calicoctl-utility/templates/configmap-bin.yaml b/calicoctl-utility/templates/configmap-bin.yaml
new file mode 100644
index 00000000..57cba03c
--- /dev/null
+++ b/calicoctl-utility/templates/configmap-bin.yaml
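Review bot: the script is declared `#!/bin/sh` but relies on two bash-only features, `set -o pipefail` (in `-euxo pipefail`) and the `function` keyword, which a POSIX `sh` such as dash rejects, so on such an image the readiness probe fails before any version is compared. Under `set -u`, `"${CLIENT_VER}"` or `"${CLUSTER_VER}"` also aborts the script as an unbound variable whenever the matching key is missing from the `calicoctl version` output, so the mismatch message in the `else` branch is never reached; initialise both before the loop (`CLIENT_VER=""` and `CLUSTER_VER=""`) and either change the shebang to `#!/bin/bash` or drop `pipefail` and `function`. `-x` traces every command, including the version strings, to the probe's stderr on each run; `set -euo pipefail` is the usual choice unless that trace is wanted.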
@@ -0,0 +1,46 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
+data:
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+
+ calicoctl-utility-rootwrap: |
+{{ tuple "bin/_calicoctl-utility-rootwrap.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "bin-nccli" }}
+data:
+ version_check.sh: |
+{{ tuple "bin/_version_check.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+
+ bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+
+ nccli: |
+{{ tuple "bin/_nccli.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+
+{{- end }}
diff --git a/calicoctl-utility/templates/configmap-etc.yaml b/calicoctl-utility/templates/configmap-etc.yaml
new file mode 100644
index 00000000..b65c5c9b
--- /dev/null
+++ b/calicoctl-utility/templates/configmap-etc.yaml
@@ -0,0 +1,51 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc_client }}
+{{- $envAll := . }}
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
+data:
+ rootwrap.conf: |
+{{ include "helm-toolkit.utils.to_ini" .Values.conf.calicoctl_rootwrap | indent 4 }}
+
+ calicoctl.filter: |
+{{ include "helm-toolkit.utils.to_ini" .Values.conf.calicoctl_filter | indent 4 }}
+
+ calicoctl.cfg: |
+ apiVersion: projectcalico.org/v3
+ kind: CalicoAPIConfig
+ metadata:
+ spec:
+ datastoreType: "etcdv3"
+ etcdEndpoints: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+ etcdCertFile: {{ .Values.endpoints.etcd.auth.client.path.crt }}
+ etcdCACertFile: {{ .Values.endpoints.etcd.auth.client.path.ca }}
+ etcdKeyFile: {{ .Values.endpoints.etcd.auth.client.path.key }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
+data:
+ nccli-sudo: |
+{{ tuple "bin/_nccli-sudo.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+
+{{- end }}
diff --git a/calicoctl-utility/templates/deployment-calicoctl-utility.yaml b/calicoctl-utility/templates/deployment-calicoctl-utility.yaml
new file mode 100644
index 00000000..6a695a77
--- /dev/null
+++ b/calicoctl-utility/templates/deployment-calicoctl-utility.yaml
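Review bot: the `sudoers` ConfigMap is rendered under the same `manifests.configmap_etc_client` guard as the etc ConfigMap, so turning that flag off also removes the volume source that the deployment mounts at `/etc/sudoers.d/nobody` and every `sudo`-based path in the pod (probes, `bootstrap.sh`, `nccli`) stops working, while nothing in `values.yaml` says the two are coupled. Either give the sudoers object its own flag or add a comment above its `---` such as `# rendered under configmap_etc_client: the deployment mounts this ConfigMap unconditionally`. The rootwrap and filter files are rendered through `to_ini` from values, which is fine, but a comment noting that `calicoctl.filter` is the only thing standing between `nccli` users and root is worth having next to the `calicoctl.filter:` key.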
@@ -0,0 +1,174 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_calicoctl_utility }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := printf "%s" $envAll.Release.Name }}
+{{ tuple $envAll "utility" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ $serviceAccountName }}
+subjects:
+- kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups: [""]
+ resources:
+ - namespaces
+ - nodes
+ - pods
+ verbs:
+ - get
+ - list
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - bgppeers
+ - bgpconfigurations
+ - clusterinformations
+ - felixconfigurations
+ - globalnetworkpolicies
+ - ippools
+ - networkpolicies
+ verbs:
+ - get
+ - list
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: {{ printf "%s" $envAll.Release.Name }}
+ labels:
+{{ tuple $envAll "utility" "calicoctl-util" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.utility }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "utility" "calicoctl-util" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+ template:
+ metadata:
+ name: {{ printf "%s" $envAll.Release.Name }}
+ labels:
+{{ tuple $envAll "utility" "calicoctl-util" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ securityContext:
+ runAsUser: {{ $envAll.Values.pod.sec_context.run_as_user }}
+ allowPrivilegeEscalation: false
+ serviceAccountName: {{ $serviceAccountName }}
+ nodeSelector:
+ {{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value }}
+ containers:
+ - name: {{ printf "%s" $envAll.Release.Name }}
+{{ tuple $envAll "calicoctl_utility" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.calicoctl_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - "bootstrap.sh"
+ readinessProbe:
+ exec:
+ command:
+ - /usr/local/bin/version_check.sh
+ initialDelaySeconds: 5
+ periodSeconds: 15
+ livenessProbe:
+ exec:
+ command:
+ - sudo
+ - calicoctl
+ - version
+ initialDelaySeconds: 5
+ periodSeconds: 15
+ volumeMounts:
+ - name: calico-etcd-secrets
+ mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
+ subPath: tls.ca
+ readOnly: true
+ - name: calico-etcd-secrets
+ mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
+ subPath: tls.crt
+ readOnly: true
+ - name: calico-etcd-secrets
+ mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
+ subPath: tls.key
+ readOnly: true
+ - name: calicoctl-utility-bin-nccli
+ mountPath: /usr/local/bin/version_check.sh
+ subPath: version_check.sh
+ readOnly: true
+ - name: calicoctl-utility-bin-nccli
+ mountPath: /usr/local/bin/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: calicoctl-utility-bin-nccli
+ mountPath: /usr/local/bin/nccli
+ subPath: nccli
+ readOnly: true
+ - name: calicoctl-utility-bin
+ mountPath: /usr/local/bin/calicoctl-utility-rootwrap
+ subPath: calicoctl-utility-rootwrap
+ readOnly: true
+ - name: calicoctl-utility-sudoers
+ mountPath: /etc/sudoers.d/nobody
+ subPath: nccli-sudo
+ readOnly: true
+ - name: calicoctl-utility-etc
+ mountPath: /etc/calicoctl/rootwrap.d/calicoctl.filter
+ subPath: calicoctl.filter
+ readOnly: true
+ - name: calicoctl-utility-etc
+ mountPath: /etc/calicoctl/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ - name: calicoctl-utility-etc
+ mountPath: /etc/calico/calicoctl.cfg
+ subPath: calicoctl.cfg
+ readOnly: true
+ volumes:
+ - name: calicoctl-utility-sudoers
+ configMap:
+ name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
+ defaultMode: 0644
+ - name: calicoctl-utility-bin
+ configMap:
+ name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
+ defaultMode: 0500
+ - name: calicoctl-utility-bin-nccli
+ configMap:
+ name: {{ printf "%s-%s" $envAll.Release.Name "bin-nccli" }}
+ defaultMode: 0555
+ - name: calicoctl-utility-etc
+ configMap:
+ name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
+ defaultMode: 0400
+ - name: calico-etcd-secrets
+ secret:
+ secretName: calico-etcd-secrets
+ defaultMode: 0400
+{{- end }}
diff --git a/calicoctl-utility/templates/job-image-repo-sync.yaml b/calicoctl-utility/templates/job-image-repo-sync.yaml
new file mode 100644
index 00000000..166f571b
--- /dev/null
+++ b/calicoctl-utility/templates/job-image-repo-sync.yaml
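Review bot: `allowPrivilegeEscalation: false` sits under the pod-level `securityContext`, which has no such field (it belongs to a container's `securityContext`), so depending on API server version it is silently dropped or rejected; and because every command path in this pod goes through `sudo` (the liveness probe, `bootstrap.sh`, `nccli`), honouring it on the container would set no_new_privs and break all of them. Either delete the line or move it into the container's `securityContext` as `allowPrivilegeEscalation: true` with a comment stating that sudo is the intended escalation and that the sudoers rule plus rootwrap filters are the controls, so the next reader does not "fix" it back to false. The `sudoers` ConfigMap is mounted with `defaultMode: 0644`; sudo is strict about the mode of files it reads from `/etc/sudoers.d` and some versions refuse anything other than 0440, so `defaultMode: 0440` is the safer value (only root reads the file). Both `rbac.authorization.k8s.io/v1beta1` objects can use `rbac.authorization.k8s.io/v1`, which has been stable since Kubernetes 1.8.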
@@ -0,0 +1,21 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "calicoctl-utility" -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/calicoctl-utility/templates/secret-etcd-certificates.yaml b/calicoctl-utility/templates/secret-etcd-certificates.yaml
new file mode 100644
index 00000000..df631c06
--- /dev/null
+++ b/calicoctl-utility/templates/secret-etcd-certificates.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_certificates }}
+{{- $envAll := . }}
+---
+
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+ name: calico-etcd-secrets
+data:
+ tls.ca: {{ .Values.endpoints.etcd.auth.client.tls.ca | default "" | b64enc }}
+ tls.key: {{ .Values.endpoints.etcd.auth.client.tls.key | default "" | b64enc }}
+ tls.crt: {{ .Values.endpoints.etcd.auth.client.tls.crt | default "" | b64enc }}
+{{- end }}
diff --git a/calicoctl-utility/values.yaml b/calicoctl-utility/values.yaml
new file mode 100644
index 00000000..2a278d65
--- /dev/null
+++ b/calicoctl-utility/values.yaml
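Review bot: the three `data` entries fall back to `default ""`, so a release installed without `endpoints.etcd.auth.client.tls.*` (the values file in this commit ships all three as `null`) renders a `kubernetes.io/tls` Secret with empty `tls.crt`/`tls.key`, and the problem only shows up later when `calicoctl` cannot use the mounted key; `required` turns that into a template-time failure, e.g. `tls.key: {{ required "endpoints.etcd.auth.client.tls.key must be set" .Values.endpoints.etcd.auth.client.tls.key | b64enc }}` with the same for `tls.crt` and `tls.ca`. The Secret name `calico-etcd-secrets` is a fixed literal rather than derived from `$envAll.Release.Name` as the ConfigMaps in this chart are, so a second release in the same namespace, or any other object already using that name, would collide; the `secretName` in the deployment hunk references the same literal and would need the matching change.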
@@ -0,0 +1,204 @@
+# Copyright 2019 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for calicoctl-client.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+images:
+ tags:
+ calicoctl_utility: 'docker.io/deepakdt/ctl:v3.4.0'
+ image_repo_sync: docker.io/docker:17.07.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+ - calicoctl_utility
+
+pod:
+ resources:
+ enabled: true
+ jobs:
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ utility:
+ requests:
+ memory: "100Mi"
+ cpu: "250m"
+ limits:
+ memory: "250Mi"
+ cpu: "500m"
+ dns_policy: "ClusterFirstWithHostNet"
+ replicas:
+ utility: 1
+ sec_context:
+ run_as_user: 65534
+
+release_group: null
+
+labels:
+ utility:
+ node_selector_key: util-calicoctl
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-helm-node-class
+ node_selector_value: primary
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calicoctl-utility-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+ calicoctl_utility:
+ services:
+ - endpoint: internal
+ service: calico-etcd
+
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ etcd:
+ auth:
+ client:
+ tls:
+ crt: null
+ ca: null
+ key: null
+ path:
+ # these must be within /etc/calico
+ crt: /etc/calico/pki/crt
+ ca: /etc/calico/pki/ca
+ key: /etc/calico/pki/key
+ scheme:
+ default: https
+ path:
+ default: ' ' # space required to provide a truly empty path
+ hosts:
+ default: 10.96.232.136
+ host_fqdn_override:
+ default: null
+ service:
+ name: null
+ port:
+ client:
+ default: 6666
+ peer:
+ default: 6667
+
+conf:
+ calicoctl_filter:
+ Filters:
+ # calicoctl-rootwrap command filters for calicoctl utility container
+ # This file should be owned by (and only-writable by) the root user
+ # Below are example command filters. access can be restricted by creating a user with less privileges
+ # calicoctl_00: CommandFilter, calicoctl, root
+ # Below are examples of RegExpFilter. This will restrict available calicoctl options even with admin user
+ calicoctl_help_00: RegExpFilter, calicoctl, root, calicoctl, -h
+ calicoctl_help_01: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, -h
+ calicoctl_get_01: RegExpFilter, calicoctl, root, calicoctl, get, .*
+ calicoctl_get_03: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*
+ calicoctl_get_04: RegExpFilter, calicoctl, root, calicoctl, get, .*, --export
+ calicoctl_get_05: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, --export
+ calicoctl_get_06: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename|-o|--output|-n|--namespace, .*
+ calicoctl_get_07: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename|-o|--output|-n|--namespace, .*
+ calicoctl_get_08: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename|-o|--output|-n|--namespace, .*, --export
+ calicoctl_get_09: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename|-o|--output|-n|--namespace, .*, --export
+ calicoctl_get_10: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*
+ calicoctl_get_11: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*
+ calicoctl_get_12: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, --export
+ calicoctl_get_13: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, --export
+ calicoctl_get_14: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*
+ calicoctl_get_15: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*
+ calicoctl_get_16: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*, --export
+ calicoctl_get_17: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*, --export
+ calicoctl_get_18: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces
+ calicoctl_get_19: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces
+ calicoctl_get_20: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces, --export
+ calicoctl_get_21: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces, --export
+
+ calicoctl_convert_00: RegExpFilter, calicoctl, root, calicoctl, convert, -h
+ calicoctl_convert_01: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename|-o|--output, .*
+ calicoctl_convert_02: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename|-o|--output, .*
+ calicoctl_convert_03: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename|-o|--output, .*, --ignore-validation
+ calicoctl_convert_04: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename|-o|--output, .*, --ignore-validation
+ calicoctl_convert_05: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename, .*, -o|--output, .*
+ calicoctl_convert_06: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename, .*, -o|--output, .*
+ calicoctl_convert_07: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename, .*, -o|--output, .*, --ignore-validation
+ calicoctl_convert_08: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename, .*, -o|--output, .*, --ignore-validation
+
+ calicoctl_ipam_00: RegExpFilter, calicoctl, root, calicoctl, ipam, show, --ip=.*
+ calicoctl_ipam_01: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, ipam, show, --ip=.*
+
+ calicoctl_version_00: RegExpFilter, calicoctl, root, calicoctl, version
+ calicoctl_version_01: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, version
+ calicoctl_rootwrap:
+ DEFAULT:
+ # Configuration for calicoctl-rootwrap
+ # This file should be owned by (and only-writeable by) the root user
+ # List of directories to load filter definitions from (separated by ',').
+ # These directories MUST all be only writeable by root !
+ filters_path: /etc/calicoctl/rootwrap.d
+ # List of directories to search executables in, in case filters do not
+ # explicitely specify a full path (separated by ',')
+ # If not specified, defaults to system PATH environment variable.
+ # These directories MUST all be only writeable by root !
+ exec_dirs: /sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/tmp
+ # Enable logging to syslog
+ # Default value is False
+ use_syslog: true
+ # Which syslog facility to use.
+ # Valid values include auth, authpriv, syslog, local0, local1...
+ # Default value is 'syslog'
+ syslog_log_facility: syslog
+ # Which messages to log.
+ # INFO means log all usage
+ # ERROR means only log unsuccessful attempts
+ syslog_log_level: DEBUG
+ utility:
+ location_corridor: c1
+
+manifests:
+ configmap_bin: true
+ configmap_etc_client: true
+ deployment_calicoctl_utility: true
+ job_image_repo_sync: false
+ secret_certificates: true
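Review bot: `exec_dirs` under `conf.calicoctl_rootwrap.DEFAULT` ends with `/tmp`, two lines below the comment `These directories MUST all be only writeable by root !`; every filter in `calicoctl_filter` names the bare executable `calicoctl`, so rootwrap resolves it by walking this list in order, and a world-writable entry means that should `calicoctl` ever be absent from the earlier directories, a same-named file in `/tmp` is what gets run as root. Remove it: `exec_dirs: /sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin`. In `calicoctl_get_10` through `calicoctl_get_21` the output option is written `-o|--output .*` with no comma, unlike `-f|--filename, .*` right beside it, which makes it one pattern for one argument; if rootwrap's `RegExpFilter` matches patterns to arguments one-to-one, as I believe it does, these twelve filters can never match a real `-o yaml` invocation and the intended form is `-o|--output, .*`. `images.tags.calicoctl_utility` points at a personal Docker Hub namespace by a mutable tag; a comment saying where that image is built, or a digest pin, would make the supply-chain trust this chart takes on explicit.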