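# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for calicoctl-client.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value

# NOTE(review): the nesting in this file was rebuilt from a copy whose
# whitespace had been collapsed. The placement of pod.resources.utility
# (sibling of jobs) and of conf.utility.match_versions is inferred -
# confirm against the chart templates before relying on it.

images:
  tags:
    # NOTE(review): 'latest-ubuntu_jammy' is a mutable tag, so the image
    # content can change without this file changing. Consider pinning a
    # fixed tag or digest for reproducible, reviewable deployments.
    calicoctl_utility: 'quay.io/airshipit/porthole-calicoctl-utility:latest-ubuntu_jammy'
    image_repo_sync: docker.io/docker:18.09.02
  pull_policy: IfNotPresent
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync
      - calicoctl_utility

pod:
  security_context:
    calico:
      pod:
        # 65534 is conventionally the unprivileged 'nobody' uid.
        runAsUser: 65534
      container:
        calicoctl_utility:
          # NOTE(review): privilege escalation is allowed and the root
          # filesystem is writable. Presumably the rootwrap path has to
          # elevate from the unprivileged uid above - confirm, and
          # tighten these if the templates do not require them.
          allowPrivilegeEscalation: true
          readOnlyRootFilesystem: false
  mandatory_access_control:
    type: apparmor
    calicoctl-utility:
      calicoctl-utility: runtime/default
  resources:
    enabled: true
    jobs:
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
    utility:
      requests:
        memory: "100Mi"
        cpu: "250m"
      limits:
        memory: "250Mi"
        cpu: "500m"
  dns_policy: "ClusterFirstWithHostNet"
  replicas:
    utility: 1

release_group: null

labels:
  utility:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled

dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - calicoctl-utility-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
  static:
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry
    calicoctl_utility:
      services:
        - endpoint: internal
          service: calico-etcd

# which data store is used by calico
# allowed values are: 'kubernetes' or 'etcdv3'
datastore: kubernetes

endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  etcd:
    auth:
      client:
        # TLS material is left null here; it is expected to be supplied
        # by an override rather than committed in this file.
        tls:
          crt: null
          ca: null
          key: null
        path:
          # these must be within /etc/calico
          crt: /etc/calico/pki/crt
          ca: /etc/calico/pki/ca
          key: /etc/calico/pki/key
    scheme:
      default: https
    path:
      default: ' '  # space required to provide a truly empty path
    hosts:
      default: 10.96.232.136
    host_fqdn_override:
      default: null
    service:
      name: null
    port:
      client:
        default: 6666
      peer:
        default: 6667

conf:
  calicoctl_filter:
    Filters:
      # calicoctl-rootwrap command filters for calicoctl utility container
      # This file should be owned by (and only-writable by) the root user
      # Below are example command filters. access can be restricted by
      # creating a user with less privileges
      # calicoctl_00: CommandFilter, calicoctl, root
      # Below are examples of RegExpFilter. This will restrict available
      # calicoctl options even with admin user
      #
      # Entry layout as used below: filter type, executable, run-as user,
      # then one pattern per command-line argument.
      # NOTE(review): a '.*' pattern places no constraint on that
      # argument, so these entries restrict the subcommand and flag
      # names only, not resource names or file paths.
      # NOTE(review): alternations such as '-f|--filename' are not
      # grouped. If the wrapper anchors patterns the way oslo.rootwrap
      # does (pattern + '$'), only the last alternative is anchored at
      # the end - verify, and wrap in (?:...) if so.
      calicoctl_help_000: RegExpFilter, calicoctl, root, calicoctl, -h
      calicoctl_help_010: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, -h
      calicoctl_get_010: RegExpFilter, calicoctl, root, calicoctl, get, .*
      calicoctl_get_020: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*
      calicoctl_get_030: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*
      calicoctl_get_040: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*
      calicoctl_get_050: RegExpFilter, calicoctl, root, calicoctl, get, .*, --export
      calicoctl_get_060: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, --export
      calicoctl_get_070: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, --export
      calicoctl_get_080: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, --export
      calicoctl_get_090: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename|-o|--output|-n|--namespace, .*
      calicoctl_get_100: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, -f|--filename|-o|--output|-n|--namespace, .*
      calicoctl_get_110: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename|-o|--output|-n|--namespace, .*
      calicoctl_get_120: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, -f|--filename|-o|--output|-n|--namespace, .*
      calicoctl_get_130: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename|-o|--output|-n|--namespace, .*, --export
      calicoctl_get_140: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, -f|--filename|-o|--output|-n|--namespace, .*, --export
      calicoctl_get_150: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename|-o|--output|-n|--namespace, .*, --export
      calicoctl_get_160: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, -f|--filename|-o|--output|-n|--namespace, .*, --export
      # NOTE(review): calicoctl_get_170 through calicoctl_get_400 write
      # the output flag and its value as ONE pattern ('-o|--output .*'),
      # whereas calicoctl_convert_050..080 use two ('-o|--output, .*').
      # If patterns are matched one per argument, these entries will not
      # match a separately passed value. Left unchanged on purpose:
      # adding the comma widens what is permitted, so confirm intent.
      calicoctl_get_170: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*
      calicoctl_get_180: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, -f|--filename, .*, -o|--output .*
      calicoctl_get_190: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*
      calicoctl_get_200: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, -f|--filename, .*, -o|--output .*
      calicoctl_get_210: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, --export
      calicoctl_get_220: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, -f|--filename, .*, -o|--output .*, --export
      calicoctl_get_230: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, --export
      calicoctl_get_240: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, -f|--filename, .*, -o|--output .*, --export
      calicoctl_get_250: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*
      calicoctl_get_260: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*
      calicoctl_get_270: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*
      calicoctl_get_280: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*
      calicoctl_get_290: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*, --export
      calicoctl_get_300: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*, --export
      calicoctl_get_310: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*, --export
      calicoctl_get_320: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*, --export
      calicoctl_get_330: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces
      calicoctl_get_340: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, -f|--filename, .*, -o|--output .*, --all-namespaces
      calicoctl_get_350: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces
      calicoctl_get_360: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, -f|--filename, .*, -o|--output .*, --all-namespaces
      calicoctl_get_370: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces, --export
      calicoctl_get_380: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, -f|--filename, .*, -o|--output .*, --all-namespaces, --export
      calicoctl_get_390: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces, --export
      calicoctl_get_400: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, -f|--filename, .*, -o|--output .*, --all-namespaces, --export
      calicoctl_convert_000: RegExpFilter, calicoctl, root, calicoctl, convert, -h
      calicoctl_convert_010: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename|-o|--output, .*
      calicoctl_convert_020: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename|-o|--output, .*
      calicoctl_convert_030: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename|-o|--output, .*, --ignore-validation
      calicoctl_convert_040: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename|-o|--output, .*, --ignore-validation
      calicoctl_convert_050: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename, .*, -o|--output, .*
      calicoctl_convert_060: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename, .*, -o|--output, .*
      calicoctl_convert_070: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename, .*, -o|--output, .*, --ignore-validation
      calicoctl_convert_080: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename, .*, -o|--output, .*, --ignore-validation
      calicoctl_ipam_00: RegExpFilter, calicoctl, root, calicoctl, ipam, show, --ip=.*
      calicoctl_ipam_01: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, ipam, show, --ip=.*
      calicoctl_version_00: RegExpFilter, calicoctl, root, calicoctl, version
      calicoctl_version_01: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, version
      # NOTE(review): unlike the RegExpFilter entries above, this
      # CommandFilter carries no argument patterns, so calicoq arguments
      # are not constrained by this entry, and the executable is named
      # without a full path (resolved through exec_dirs).
      calicoq_00: CommandFilter, calicoq, root
  calicoctl_rootwrap:
    DEFAULT:
      # Configuration for calicoctl-rootwrap
      # This file should be owned by (and only-writeable by) the root user
      # List of directories to load filter definitions from (separated by ',').
      # These directories MUST all be only writeable by root !
      filters_path: /etc/calicoctl/rootwrap.d
      # List of directories to search executables in, in case filters do not
      # explicitly specify a full path (separated by ',')
      # If not specified, defaults to system PATH environment variable.
      # These directories MUST all be only writeable by root !
      #
      # /tmp is deliberately not listed: it is world-writable, which
      # violates the requirement above and would let a filter that names
      # an executable without a full path resolve to a file that is not
      # controlled by root. Install any extra binary into one of the
      # root-owned directories below instead.
      exec_dirs: /sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
      # Enable logging to syslog
      # Default value is False
      use_syslog: true
      # Which syslog facility to use.
      # Valid values include auth, authpriv, syslog, local0, local1...
      # Default value is 'syslog'
      syslog_log_facility: syslog
      # Which messages to log.
      # INFO means log all usage
      # ERROR means only log unsuccessful attempts
      syslog_log_level: DEBUG
  utility:
    # Set to true for development sites,
    # Set to false otherwise
    # NOTE(review): the shipped default is the development setting.
    always_log_user: true
    # Specify whether we need to check for exact match of calicoctl and cluster
    # versions during readiness probe
    match_versions: false

manifests:
  configmap_bin: true
  configmap_etc_client: true
  deployment_calicoctl_utility: true
  job_image_repo_sync: false
  secret_certificates: false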