e74e94a19a
Change-Id: I1c475266584316d550924fa53badf43463f4d0bd Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
596 lines
17 KiB
YAML
596 lines
17 KiB
YAML
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
---
|
|
images:
|
|
tags:
|
|
# These are minimum versions, older images will very likely not
|
|
# work
|
|
calico_etcd: quay.io/coreos/etcd:v3.5.9
|
|
calico_node: quay.io/calico/node:v3.25.1
|
|
calico_cni: quay.io/calico/cni:v3.25.1
|
|
calico_ctl: calico/ctl:v3.25.1
|
|
calico_settings: calico/ctl:v3.25.1
|
|
# NOTE: plural key, singular value
|
|
calico_kube_controllers: quay.io/calico/kube-controllers:v3.25.1
|
|
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
|
|
image_repo_sync: docker.io/library/docker:24.0.1
|
|
pull_policy: IfNotPresent
|
|
local_registry:
|
|
active: false
|
|
exclude:
|
|
- dep_check
|
|
- image_repo_sync
|
|
- calico_etcd
|
|
- calico_node
|
|
- calico_cni
|
|
- calico_kube_controllers
|
|
|
|
pod:
|
|
security_context:
|
|
etcd:
|
|
pod:
|
|
runAsUser: 0
|
|
container:
|
|
calico_etcd:
|
|
readOnlyRootFilesystem: false
|
|
calico_node:
|
|
pod:
|
|
runAsUser: 0
|
|
container:
|
|
calico_ctl:
|
|
readOnlyRootFilesystem: false
|
|
install_cni:
|
|
readOnlyRootFilesystem: false
|
|
calico_node:
|
|
readOnlyRootFilesystem: false
|
|
capabilities:
|
|
add:
|
|
- 'NET_ADMIN'
|
|
- 'SYS_ADMIN'
|
|
kube_controllers:
|
|
pod:
|
|
runAsUser: 0
|
|
container:
|
|
kube_controller:
|
|
readOnlyRootFilesystem: false
|
|
calico_settings:
|
|
pod:
|
|
runAsUser: 0
|
|
container:
|
|
calico_settings:
|
|
readOnlyRootFilesystem: false
|
|
resources:
|
|
enabled: false
|
|
jobs:
|
|
image_repo_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
calico_settings:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
calico_kube_controllers:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
calico_node:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "250m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
calico_cni:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
calico_ctl:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
calico_etcd:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
lifecycle:
|
|
upgrades:
|
|
deployments:
|
|
revision_history: 3
|
|
pod_replacement_strategy: RollingUpdate
|
|
rolling_update:
|
|
max_unavailable: 1
|
|
max_surge: 3
|
|
disruption_budget:
|
|
controllers:
|
|
min_available: 0
|
|
mandatory_access_control:
|
|
type: apparmor
|
|
calico-node:
|
|
calico-node: runtime/default
|
|
|
|
dependencies:
|
|
dynamic:
|
|
common:
|
|
local_image_registry:
|
|
jobs:
|
|
- calico-image-repo-sync
|
|
services:
|
|
- endpoint: node
|
|
service: local_image_registry
|
|
static:
|
|
calico_kube_controllers:
|
|
services:
|
|
- endpoint: internal
|
|
service: calico-etcd
|
|
calico_node:
|
|
services:
|
|
- endpoint: internal
|
|
service: calico-etcd
|
|
calico_settings:
|
|
services:
|
|
- endpoint: internal
|
|
service: calico-etcd
|
|
calico_etcd:
|
|
services: null
|
|
image_repo_sync:
|
|
services:
|
|
- endpoint: internal
|
|
service: local_image_registry
|
|
|
|
secrets:
|
|
oci_image_registry:
|
|
calico: calico-oci-image-registry
|
|
|
|
endpoints:
|
|
cluster_domain_suffix: cluster.local
|
|
local_image_registry:
|
|
name: docker-registry
|
|
namespace: docker-registry
|
|
hosts:
|
|
default: localhost
|
|
internal: docker-registry
|
|
node: localhost
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
registry:
|
|
node: 5000
|
|
oci_image_registry:
|
|
name: oci-image-registry
|
|
namespace: oci-image-registry
|
|
auth:
|
|
enabled: false
|
|
calico:
|
|
username: calico
|
|
password: password
|
|
hosts:
|
|
default: localhost
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
registry:
|
|
default: null
|
|
etcd:
|
|
auth:
|
|
client:
|
|
tls:
|
|
crt: null
|
|
ca: null
|
|
key: null
|
|
path:
|
|
# these must be within /etc/calico
|
|
crt: /etc/calico/pki/crt
|
|
ca: /etc/calico/pki/ca
|
|
key: /etc/calico/pki/key
|
|
scheme:
|
|
default: http
|
|
path:
|
|
default: ' ' # space required to provide a truly empty path
|
|
hosts:
|
|
default: 10.96.232.136
|
|
host_fqdn_override:
|
|
default: null
|
|
service:
|
|
name: null
|
|
port:
|
|
client:
|
|
default: 6666
|
|
peer:
|
|
default: 6667
|
|
|
|
monitoring:
|
|
prometheus:
|
|
enabled: true
|
|
calico_node:
|
|
scrape: true
|
|
port: 9091
|
|
|
|
networking:
|
|
podSubnet: 192.168.0.0/16
|
|
# Physical MTU, if ipip is enabled, the chart will adjust things downward
|
|
mtu: 1500
|
|
|
|
settings:
|
|
mesh: "on"
|
|
# technically this could be a list, today we only support a single
|
|
# podSubnet, the one above. The settings below will be applied to
|
|
# that ipPool
|
|
ippool:
|
|
ipip:
|
|
enabled: true
|
|
nat_outgoing: true
|
|
disabled: false
|
|
|
|
bgp:
|
|
# our asnumber for bgp peering
|
|
asnumber: 64512
|
|
ipv4:
|
|
# https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/bgppeer
|
|
#
|
|
# this is a list of peer objects that will be passed directly to
|
|
# calicoctl - for global peers, the scope should be global and
|
|
# the node attribute removed
|
|
#
|
|
# apiVersion: projectcalico.org/v3
|
|
# kind: BGPPeer
|
|
# metadata:
|
|
# name: some.name
|
|
# spec:
|
|
# node: rack1-host1
|
|
# peerIP: 10.1.10.39
|
|
# asNumber: 64512
|
|
peers: []
|
|
# this is a list of additional IPv4 cidrs that if we discover
|
|
# IPs within them on a host, we will announce the address in
|
|
# addition to traditional pod workloads
|
|
additional_cidrs: []
|
|
# community_cidr_ref contains embedded objects that describe a
|
|
# BGP community that is to be associated with the supplied CIDR.
|
|
# The top-level key names are not important.
|
|
#
|
|
# The resulting BGP community will take the form of
|
|
# <prefix>:<community>
|
|
# If no prefix is specified then the asnumber is used
|
|
community_cidr_ref:
|
|
# cidr_community_description:
|
|
# cidr: 192.168.0.0/16
|
|
# community: 54321
|
|
# prefix: 55555
|
|
# alpha:
|
|
# cidr: 10.0.0.0/16
|
|
# community: 54322
|
|
port:
|
|
neighbor: 179
|
|
listen: 179
|
|
ipv6:
|
|
# https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/bgppeer
|
|
#
|
|
# this is a list of peer objects that will be passed directly to
|
|
# calicoctl - for global peers, the scope should be global and
|
|
# the node attribute removed
|
|
#
|
|
# apiVersion: projectcalico.org/v3
|
|
# kind: BGPPeer
|
|
# metadata:
|
|
# name: some.name
|
|
# spec:
|
|
# node: rack1-host1
|
|
# peerIP: 2600:1:2:3::abcd
|
|
# asNumber: 64512
|
|
peers: []
|
|
# this is a list of additional IPv6 cidrs that if we discover
|
|
# IPs within them on a host, we will announce them in addition
|
|
# to traditional pod workloads
|
|
additional_cidrs: []
|
|
# community_cidr_ref contains embedded objects that describe a
|
|
# BGP community that is to be associated with the supplied CIDR.
|
|
# The top-level key names are not important.
|
|
#
|
|
# The resulting BGP community will take the form of
|
|
# <prefix>:<community>
|
|
# If no prefix is specified then the asnumber is used
|
|
community_cidr_ref:
|
|
# cidr_community_description:
|
|
# cidr: 2600:1:2:3::abcd/28
|
|
# community: 54321
|
|
# prefix: 55555
|
|
# alpha:
|
|
# cidr: 1400:a:2:3::abcd/26
|
|
# community: 54322
|
|
port:
|
|
neighbor: 179
|
|
listen: 179
|
|
|
|
# Policy contains embedded Calico policy and/or endpoint objects.
|
|
# Because lists are cumbersome to deal with this is stuctured as a
|
|
# dictionary (therefore not ordered). The top-level key names are
|
|
# not important, priority contains a value between 0 and 9 inclusive
|
|
# and rules contains any objects (typically used as rules).
|
|
# Priority 0 objects are emitted before priority 9. It is
|
|
# recommended any rules such as HostEndpoint be given a higher
|
|
# priority so that they are applied after more generic objects.
|
|
# Priority values outside of integers 0 through 9 are not valid and
|
|
# should not be used.
|
|
policy:
|
|
# alpha:
|
|
# priority: 0
|
|
# rules:
|
|
# - apiVersion: projectcalico.org/v3
|
|
# kind: GlobalNetworkPolicy
|
|
# metadata:
|
|
# name: allow-tcp-6379
|
|
# spec:
|
|
# order: 0
|
|
# selector: role == 'database'
|
|
# types:
|
|
# - Ingress
|
|
# - Egress
|
|
# ingress:
|
|
# - action: Allow
|
|
# protocol: TCP
|
|
# source:
|
|
# selector: role == 'frontend'
|
|
# destination:
|
|
# ports:
|
|
# - 6379
|
|
# egress:
|
|
# - action: Allow
|
|
# - apiVersion: projectcalico.org/v3
|
|
# kind: GlobalNetworkPolicy
|
|
# metadata:
|
|
# name: allow-tcp-3306
|
|
# spec:
|
|
# order: 1
|
|
# selector: role == 'database'
|
|
# types:
|
|
# - Ingress
|
|
# - Egress
|
|
# ingress:
|
|
# - action: Allow
|
|
# protocol: TCP
|
|
# source:
|
|
# selector: role == 'frontend'
|
|
# destination:
|
|
# ports:
|
|
# - 3306
|
|
# egress:
|
|
# - action: Allow
|
|
|
|
# beta:
|
|
# priority: 1
|
|
# rules:
|
|
# - apiVersion: projectcalico.org/v3
|
|
# kind: NetworkPolicy
|
|
# metadata:
|
|
# name: allow-tcp-6379
|
|
# namespace: production
|
|
# spec:
|
|
# selector: role == 'database'
|
|
# types:
|
|
# - Ingress
|
|
# - Egress
|
|
# ingress:
|
|
# - action: Allow
|
|
# protocol: TCP
|
|
# source:
|
|
# selector: role == 'frontend'
|
|
# destination:
|
|
# ports:
|
|
# - 6379
|
|
# egress:
|
|
# - action: Allow
|
|
# - apiVersion: projectcalico.org/v3
|
|
# kind: NetworkPolicy
|
|
# metadata:
|
|
# name: allow-tcp-8081
|
|
# namespace: production
|
|
# spec:
|
|
# selector: role == 'webthing'
|
|
# types:
|
|
# - Ingress
|
|
# - Egress
|
|
# ingress:
|
|
# - action: Allow
|
|
# protocol: TCP
|
|
# source:
|
|
# selector: role == 'frontend'
|
|
# destination:
|
|
# ports:
|
|
# - 8081
|
|
# egress:
|
|
# - action: Allow
|
|
|
|
# zulu:
|
|
# priority: 9
|
|
# rules:
|
|
# - apiVersion: projectcalico.org/v3
|
|
# kind: HostEndpoint
|
|
# metadata:
|
|
# name: first.thing
|
|
# labels:
|
|
# type: production
|
|
# spec:
|
|
# interfaceName: eth0
|
|
# node: mysecrethost
|
|
# expectedIPs:
|
|
# - 192.168.0.1
|
|
# - 192.168.0.2
|
|
# profiles:
|
|
# - profile1
|
|
# - profile2
|
|
# ports:
|
|
# - name: some-port
|
|
# port: 1234
|
|
# protocol: TCP
|
|
# - name: another-port
|
|
# port: 5432
|
|
# protocol: UDP
|
|
# - apiVersion: projectcalico.org/v3
|
|
# kind: HostEndpoint
|
|
# metadata:
|
|
# name: second.thing
|
|
# labels:
|
|
# type: production
|
|
# spec:
|
|
# interfaceName: eth1
|
|
# node: myothersecrethost
|
|
# expectedIPs:
|
|
# - 192.168.1.1
|
|
# - 192.168.1.2
|
|
# profiles:
|
|
# - profile1
|
|
# - profile2
|
|
# ports:
|
|
# - name: some-port
|
|
# port: 1234
|
|
# protocol: TCP
|
|
# - name: another-port
|
|
# port: 5432
|
|
# protocol: UDP
|
|
|
|
conf:
|
|
etcd:
|
|
credentials:
|
|
ca: null
|
|
key: null
|
|
certificate: null
|
|
# NOTE; syntax has subtly changed since Calico v2. For Armada *all*
|
|
# of this needes to be specified. We're using yaml here which we
|
|
# can't robustly convert to json (which the node pod requires) so it
|
|
# might be we revisit that and embedded a json string that gets
|
|
# edits
|
|
cni_network_config:
|
|
# https://docs.projectcalico.org/v3.4/reference/cni-plugin/configuration
|
|
#
|
|
# other than the etcd_* keys you likely want to leave this as-is
|
|
name: k8s-pod-network
|
|
cniVersion: 0.3.0
|
|
plugins:
|
|
- type: calico
|
|
log_level: info
|
|
etcd_endpoints: __ETCD_ENDPOINTS__
|
|
etcd_key_file: __ETCD_KEY_FILE__
|
|
etcd_cert_file: __ETCD_CERT_FILE__
|
|
etcd_ca_cert_file: __ETCD_CA_CERT_FILE__
|
|
ipam:
|
|
type: calico-ipam
|
|
policy:
|
|
type: k8s
|
|
kubernetes:
|
|
kubeconfig: __KUBECONFIG_FILEPATH__
|
|
- type: portmap
|
|
snat: true
|
|
capabilities:
|
|
portMappings: true
|
|
controllers:
|
|
# The location of the Kubernetes API. Use the default Kubernetes
|
|
# service for API access.
|
|
K8S_API: "https://kubernetes.default:443"
|
|
# Choose which controllers to run, see
|
|
# https://docs.projectcalico.org//v3.4/reference/kube-controllers/configuration
|
|
# for an explanation of each
|
|
ENABLED_CONTROLLERS: "policy,namespace,serviceaccount,workloadendpoint,node"
|
|
# Since we're running in the host namespace and might not have KubeDNS
|
|
# access, configure the container's /etc/hosts to resolve
|
|
# kubernetes.default to the correct service clusterIP.
|
|
CONFIGURE_ETC_HOSTS: true
|
|
|
|
node:
|
|
# for specific details see
|
|
# https://docs.projectcalico.org/v3.4/reference/node/configuration
|
|
name: k8s-pod-network
|
|
# Cluster type to identify the deployment type
|
|
# NOTE: v2 had a list ... v3 a comma separated string
|
|
CLUSTER_TYPE: "k8s,bgp"
|
|
# Describes which BGP networking backend to use gobgp, bird, none.
|
|
# Default is bird. NOTE(alanmeadows) today this chart only
|
|
# supports applying the bgp customizations to bird templates - in
|
|
# the future we may support gobgp as well
|
|
CALICO_NETWORKING_BACKEND: bird
|
|
# Location of the CA certificate for etcd.
|
|
ETCD_CA_CERT_FILE: ""
|
|
# Location of the client key for etcd.
|
|
ETCD_KEY_FILE: ""
|
|
# Location of the client certificate for etcd.
|
|
ETCD_CERT_FILE: ""
|
|
# Disable file logging so `kubectl logs` works.
|
|
CALICO_DISABLE_FILE_LOGGING: true
|
|
# Set Felix endpoint to host default action to ACCEPT.
|
|
# early/startup log level for calico-node on startup.
|
|
CALICO_STARTUP_LOGLEVEL: "Info"
|
|
FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT"
|
|
# Configure the IP Pool from which Pod IPs will be chosen; it's
|
|
# recommended you leave this as null and the value from
|
|
# networking.podSubnet will be used
|
|
CALICO_IPV4POOL_CIDR: null
|
|
# See https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/ippool
|
|
CALICO_IPV4POOL_BLOCKSIZE: 26
|
|
# Change this to 'Never' in environments with direct L2
|
|
# communication (such that tunnels are not needed for pods on
|
|
# different hosts to communicate with each otehr).
|
|
CALICO_IPV4POOL_IPIP: "Always"
|
|
# Disable IPv6 on Kubernetes.
|
|
FELIX_IPV6SUPPORT: false
|
|
# Set MTU for tunnel device used if ipip is enabled, it's
|
|
# recommended you leave this as null and an appropriate value will
|
|
# be set based on tunneling mode and the networking.mtu value
|
|
FELIX_IPINIPMTU: null
|
|
# Set Felix logging; also (ab)used for bgp configuration
|
|
FELIX_LOGSEVERITYSCREEN: "Info"
|
|
FELIX_HEALTHENABLED: true
|
|
# Set Felix experimental Prometheus metrics server
|
|
FELIX_PROMETHEUSMETRICSENABLED: true
|
|
FELIX_PROMETHEUSMETRICSPORT: "9091"
|
|
# Auto-detect the BGP IP address.
|
|
IP: ""
|
|
# Detection of source interface for routing
|
|
# options include
|
|
# can-reach=DESTINATION
|
|
# interface=INTERFACE-REGEX
|
|
IP_AUTODETECTION_METHOD: first-found
|
|
IPV6_AUTODETECTION_METHOD: first-found
|
|
|
|
manifests:
|
|
configmap_bin: true
|
|
configmap_etc: true
|
|
configmap_bird: true
|
|
daemonset_calico_etcd: true
|
|
daemonset_calico_node: true
|
|
daemonset_calico_node_calicoctl: true
|
|
deployment_calico_kube_controllers: true
|
|
job_image_repo_sync: true
|
|
job_calico_settings: true
|
|
service_calico_etcd: true
|
|
secret_certificates: true
|
|
secret_registry: true
|
|
...
|