openstack/openstack-helm-infra
Code Issues Proposed changes

Calico: bump version to 2.6

Browse Source 
This PS moves the deployed version of calico to v2.6

Change-Id: I282bb8df1bd6a55f60a0548bdd64709beecea112
This commit is contained in:
portdirect 2017-12-31 12:55:22 -05:00
parent bbf32935dc
commit ec6e3c4a88
7 changed files with 92 additions and 156 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
calico/templates/clusterrole-calico-cni-plugin.yaml
View File

@ -1,31 +0,0 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.clusterrole_calico_cni_plugin }}
{{- $envAll := . }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: calico-cni-plugin
rules:
- apiGroups: [""]
resources:
- pods
- nodes
verbs:
- get
{{- end }}

35
calico/templates/clusterrole-calico-policy-controller.yaml
View File

@ -1,35 +0,0 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.clusterrole_calico_policy_controller }}
{{- $envAll := . }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: calico-policy-controller
rules:
- apiGroups:
- ""
- extensions
resources:
- pods
- namespaces
- networkpolicies
verbs:
- watch
- list
{{- end }}

32
calico/templates/clusterrolebinding-calico-cni-plugin.yaml
View File

@ -1,32 +0,0 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.clusterrolebinding_calico_cni_plugin }}
{{- $envAll := . }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: calico-cni-plugin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-cni-plugin
subjects:
- kind: ServiceAccount
name: calico-cni-plugin
namespace: {{ .Release.Namespace }}
{{- end }}

32
calico/templates/clusterrolebinding-calico-policy-controller.yaml
View File

@ -1,32 +0,0 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.clusterrolebinding_calico_policy_controller }}
{{- $envAll := . }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: calico-policy-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-policy-controller
subjects:
- kind: ServiceAccount
name: calico-policy-controller
namespace: {{ .Release.Namespace }}
{{- end }}

30
calico/templates/daemonset-calico-node.yaml
View File

@ -25,6 +25,31 @@ limitations under the License.
{{- $serviceAccountName := "calico-cni-plugin"}}
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: calico-cni-plugin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $serviceAccountName }}
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ .Release.Namespace }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: {{ $serviceAccountName }}
rules:
- apiGroups: [""]
resources:
- pods
- nodes
verbs:
- get
---
# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
@ -86,6 +111,11 @@ spec:
# Cluster type to identify the deployment type
- name: CLUSTER_TYPE
value: "kubeadm,bgp"
# Set noderef for node controller.
- name: CALICO_K8S_NODE_REF
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# Disable file logging so `kubectl logs` works.
- name: CALICO_DISABLE_FILE_LOGGING
value: "true"

74
calico/templates/deployment-calico-policy-controller.yaml → calico/templates/deployment-calico-kube-controllers.yaml
View File

@ -1,4 +1,4 @@
{{/*
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
@ -14,47 +14,84 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.deployment_calico_policy_controller }}
{{- if .Values.manifests.deployment_calico_kube_controllers }}
{{- $envAll := . }}
{{- if .Values.images.local_registry.active -}}
{{- $_ := set .Values "pod_dependency" (merge .Values.dependencies.calico_policy_controller .Values.conditional_dependencies.local_image_registry) -}}
{{- $_ := set .Values "pod_dependency" (merge .Values.dependencies.calico_kube_controllers .Values.conditional_dependencies.local_image_registry) -}}
{{- else -}}
{{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_policy_controller -}}
{{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_kube_controllers -}}
{{- end -}}
{{- $serviceAccountName := "calico-policy-controller"}}
{{- $serviceAccountName := "calico-kube-controllers"}}
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
# This manifest deploys the Calico policy controller on Kubernetes.
# See https://github.com/projectcalico/k8s-policy
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: {{ $serviceAccountName }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $serviceAccountName }}
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ .Release.Namespace }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: {{ $serviceAccountName }}
rules:
- apiGroups:
- ""
- extensions
resources:
- pods
- namespaces
- networkpolicies
- nodes
verbs:
- watch
- list
---
# This manifest deploys the Calico Kubernetes controllers.
# See https://github.com/projectcalico/kube-controllers
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: calico-policy-controller
name: calico-kube-controllers
namespace: {{ .Release.Namespace }}
labels:
k8s-app: calico-policy
{{ tuple $envAll "calico" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
k8s-app: calico-kube-controllers
{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
# The policy controller can only have a single active instance.
# The controllers can only have a single active instance.
replicas: 1
strategy:
type: Recreate
template:
metadata:
name: calico-policy-controller
name: calico-kube-controllers
namespace: kube-system
labels:
k8s-app: calico-policy-controller
{{ tuple $envAll "calico" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
k8s-app: calico-kube-controllers
{{ tuple $envAll "calico" "kube-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
# reserves resources for critical add-on pods so that they can be rescheduled after
# a failure. This annotation works in tandem with the toleration below.
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
# The policy controller must run in the host network namespace so that
# The controllers must run in the host network namespace so that
# it isn't governed by policy that would prevent it from working.
hostNetwork: true
tolerations:
# this taint is set by all kubelets running `--cloud-provider=external`
# so we should tolerate it to schedule the calico pods
- key: node.cloudprovider.kubernetes.io/uninitialized
value: "true"
effect: NoSchedule
- key: node-role.kubernetes.io/master
effect: NoSchedule
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
@ -65,8 +102,8 @@ spec:
initContainers:
{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: calico-policy-controller
{{ tuple $envAll "calico_kube_policy_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
- name: calico-kube-controllers
{{ tuple $envAll "calico_kube_controllers" | include "helm-toolkit.snippets.image" | indent 10 }}
env:
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
@ -78,6 +115,9 @@ spec:
# service for API access.
- name: K8S_API
value: "https://kubernetes.default:443"
# Choose which controllers to run.
- name: ENABLED_CONTROLLERS
value: policy,profile,workloadendpoint,node
# Since we're running in the host namespace and might not have KubeDNS
# access, configure the container's /etc/hosts to resolve
# kubernetes.default to the correct service clusterIP.

14
calico/values.yaml
View File

@ -27,9 +27,9 @@ labels:
images:
tags:
calico_etcd: quay.io/coreos/etcd:v3.1.10
calico_node: quay.io/calico/node:v2.4.1
calico_cni: quay.io/calico/cni:v1.10.0
calico_kube_policy_controller: quay.io/calico/kube-policy-controller:v0.7.0
calico_node: quay.io/calico/node:v2.6.5
calico_cni: quay.io/calico/cni:v1.11.2
calico_kube_controllers: quay.io/calico/kube-controllers:v1.0.2
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
image_repo_sync: docker.io/docker:17.07.0
pull_policy: IfNotPresent
@ -66,7 +66,7 @@ dependencies:
services:
- service: etcd
endpoint: internal
calico_policy_controller:
calico_kube_controllers:
services:
- service: etcd
endpoint: internal
@ -108,14 +108,10 @@ networking:
podSubnet: 192.168.0.0/16
manifests:
clusterrole_calico_cni_plugin: true
clusterrole_calico_policy_controller: true
clusterrolebinding_calico_cni_plugin: true
clusterrolebinding_calico_policy_controller: true
configmap_bin: true
configmap_calico_config: true
daemonset_calico_etcd: true
daemonset_calico_node: true
deployment_calico_policy_controller: true
deployment_calico_kube_controllers: true
job_image_repo_sync: true
service_calico_etcd: true