413f2e2591
Also make previously mandatory requirement for exact match of
calicoctl version and cluster version optional and set this
verification as disabled by default.
Image update commits:
https://review.opendev.org/#/c/673915/
https://review.gerrithub.io/c/att-comdev/cicd/+/463828
Change-Id: I4dca1a4b075e5183ebf068c9aee59b55b0939881
211 lines
9.3 KiB
YAML
211 lines
9.3 KiB
YAML
# Copyright 2019 The Openstack-Helm Authors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Default values for calicoctl-client.
|
|
# This is a YAML-formatted file.
|
|
# Declare name/value pairs to be passed into your templates.
|
|
# name: value
|
|
|
|
images:
|
|
tags:
|
|
calicoctl_utility: 'docker.io/deepakdt/ctl:v3.4.0'
|
|
image_repo_sync: docker.io/docker:17.07.0
|
|
pull_policy: IfNotPresent
|
|
local_registry:
|
|
active: false
|
|
exclude:
|
|
- dep_check
|
|
- image_repo_sync
|
|
- calicoctl_utility
|
|
|
|
pod:
|
|
resources:
|
|
enabled: true
|
|
jobs:
|
|
image_repo_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
utility:
|
|
requests:
|
|
memory: "100Mi"
|
|
cpu: "250m"
|
|
limits:
|
|
memory: "250Mi"
|
|
cpu: "500m"
|
|
dns_policy: "ClusterFirstWithHostNet"
|
|
replicas:
|
|
utility: 1
|
|
sec_context:
|
|
run_as_user: 65534
|
|
|
|
release_group: null
|
|
|
|
labels:
|
|
utility:
|
|
node_selector_key: util-calicoctl
|
|
node_selector_value: enabled
|
|
job:
|
|
node_selector_key: openstack-helm-node-class
|
|
node_selector_value: primary
|
|
|
|
dependencies:
|
|
dynamic:
|
|
common:
|
|
local_image_registry:
|
|
jobs:
|
|
- calicoctl-utility-image-repo-sync
|
|
services:
|
|
- endpoint: node
|
|
service: local_image_registry
|
|
static:
|
|
image_repo_sync:
|
|
services:
|
|
- endpoint: internal
|
|
service: local_image_registry
|
|
calicoctl_utility:
|
|
services:
|
|
- endpoint: internal
|
|
service: calico-etcd
|
|
|
|
endpoints:
|
|
cluster_domain_suffix: cluster.local
|
|
local_image_registry:
|
|
name: docker-registry
|
|
namespace: docker-registry
|
|
hosts:
|
|
default: localhost
|
|
internal: docker-registry
|
|
node: localhost
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
registry:
|
|
node: 5000
|
|
etcd:
|
|
auth:
|
|
client:
|
|
tls:
|
|
crt: null
|
|
ca: null
|
|
key: null
|
|
path:
|
|
# these must be within /etc/calico
|
|
crt: /etc/calico/pki/crt
|
|
ca: /etc/calico/pki/ca
|
|
key: /etc/calico/pki/key
|
|
scheme:
|
|
default: https
|
|
path:
|
|
default: ' ' # space required to provide a truly empty path
|
|
hosts:
|
|
default: 10.96.232.136
|
|
host_fqdn_override:
|
|
default: null
|
|
service:
|
|
name: null
|
|
port:
|
|
client:
|
|
default: 6666
|
|
peer:
|
|
default: 6667
|
|
|
|
conf:
|
|
calicoctl_filter:
|
|
Filters:
|
|
# calicoctl-rootwrap command filters for calicoctl utility container
|
|
# This file should be owned by (and only-writable by) the root user
|
|
# Below are example command filters. access can be restricted by creating a user with less privileges
|
|
# calicoctl_00: CommandFilter, calicoctl, root
|
|
# Below are examples of RegExpFilter. This will restrict available calicoctl options even with admin user
|
|
calicoctl_help_00: RegExpFilter, calicoctl, root, calicoctl, -h
|
|
calicoctl_help_01: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, -h
|
|
calicoctl_get_01: RegExpFilter, calicoctl, root, calicoctl, get, .*
|
|
calicoctl_get_03: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*
|
|
calicoctl_get_04: RegExpFilter, calicoctl, root, calicoctl, get, .*, --export
|
|
calicoctl_get_05: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, --export
|
|
calicoctl_get_06: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename|-o|--output|-n|--namespace, .*
|
|
calicoctl_get_07: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename|-o|--output|-n|--namespace, .*
|
|
calicoctl_get_08: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename|-o|--output|-n|--namespace, .*, --export
|
|
calicoctl_get_09: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename|-o|--output|-n|--namespace, .*, --export
|
|
calicoctl_get_10: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*
|
|
calicoctl_get_11: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*
|
|
calicoctl_get_12: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, --export
|
|
calicoctl_get_13: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, --export
|
|
calicoctl_get_14: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*
|
|
calicoctl_get_15: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*
|
|
calicoctl_get_16: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*, --export
|
|
calicoctl_get_17: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*, --export
|
|
calicoctl_get_18: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces
|
|
calicoctl_get_19: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces
|
|
calicoctl_get_20: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces, --export
|
|
calicoctl_get_21: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces, --export
|
|
|
|
calicoctl_convert_00: RegExpFilter, calicoctl, root, calicoctl, convert, -h
|
|
calicoctl_convert_01: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename|-o|--output, .*
|
|
calicoctl_convert_02: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename|-o|--output, .*
|
|
calicoctl_convert_03: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename|-o|--output, .*, --ignore-validation
|
|
calicoctl_convert_04: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename|-o|--output, .*, --ignore-validation
|
|
calicoctl_convert_05: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename, .*, -o|--output, .*
|
|
calicoctl_convert_06: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename, .*, -o|--output, .*
|
|
calicoctl_convert_07: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename, .*, -o|--output, .*, --ignore-validation
|
|
calicoctl_convert_08: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename, .*, -o|--output, .*, --ignore-validation
|
|
|
|
calicoctl_ipam_00: RegExpFilter, calicoctl, root, calicoctl, ipam, show, --ip=.*
|
|
calicoctl_ipam_01: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, ipam, show, --ip=.*
|
|
|
|
calicoctl_version_00: RegExpFilter, calicoctl, root, calicoctl, version
|
|
calicoctl_version_01: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, version
|
|
calicoq_00: CommandFilter, calicoq, root
|
|
calicoctl_rootwrap:
|
|
DEFAULT:
|
|
# Configuration for calicoctl-rootwrap
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
# List of directories to load filter definitions from (separated by ',').
|
|
# These directories MUST all be only writeable by root !
|
|
filters_path: /etc/calicoctl/rootwrap.d
|
|
# List of directories to search executables in, in case filters do not
|
|
# explicitely specify a full path (separated by ',')
|
|
# If not specified, defaults to system PATH environment variable.
|
|
# These directories MUST all be only writeable by root !
|
|
exec_dirs: /sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/tmp
|
|
# Enable logging to syslog
|
|
# Default value is False
|
|
use_syslog: true
|
|
# Which syslog facility to use.
|
|
# Valid values include auth, authpriv, syslog, local0, local1...
|
|
# Default value is 'syslog'
|
|
syslog_log_facility: syslog
|
|
# Which messages to log.
|
|
# INFO means log all usage
|
|
# ERROR means only log unsuccessful attempts
|
|
syslog_log_level: DEBUG
|
|
utility:
|
|
# Set to true for development sites,
|
|
# Set to false otherwise
|
|
always_log_user: true
|
|
# Specify whether we need to check for exact match of calicoctl and cluster
|
|
# versions during readiness probe
|
|
match_versions: false
|
|
|
|
manifests:
|
|
configmap_bin: true
|
|
configmap_etc_client: true
|
|
deployment_calicoctl_utility: true
|
|
job_image_repo_sync: false
|
|
secret_certificates: true
|