openstack-helm-infra/calico/templates/daemonset-calico-etcd.yaml
Pete Birley eb58abb880 Calico: Fix security context
This PS fixes the use of the security context macros for the
calico chart.

Change-Id: I2ed8a5e994726b625d76a2c308895441c7d174a9
Signed-off-by: Pete Birley <pete@port.direct>
2019-04-21 15:46:16 +00:00

137 lines
6.0 KiB
YAML

{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.daemonset_calico_etcd }}
{{- $envAll := . }}
{{- $serviceAccountName := "calico-etcd" }}
{{ tuple $envAll "calico-etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
# to force it to run on the master even when the master isn't schedulable, and uses
# nodeSelector to ensure it only runs on the master.
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: calico-etcd
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
labels:
k8s-app: calico-etcd
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
selector:
matchLabels:
k8s-app: calico-etcd
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
template:
metadata:
labels:
k8s-app: calico-etcd
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
# reserves resources for critical add-on pods so that they can be rescheduled after
# a failure. This annotation works in tandem with the toleration below.
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
{{ dict "envAll" $envAll "application" "etcd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
tolerations:
# This taint is set by all kubelets running `--cloud-provider=external`
# so we should tolerate it to schedule the Calico pods
- key: node.cloudprovider.kubernetes.io/uninitialized
value: "true"
effect: NoSchedule
# Allow this pod to run on the master.
- key: node-role.kubernetes.io/master
effect: NoSchedule
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
# This, along with the annotation above marks this pod as a critical add-on.
- key: CriticalAddonsOnly
operator: Exists
# Only run this pod on the master.
nodeSelector:
node-role.kubernetes.io/master: ""
hostNetwork: true
initContainers:
{{ tuple $envAll "etcd" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: calico-etcd
{{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_etcd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "etcd" "container" "calico_etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: CALICO_ETCD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
command:
- /usr/local/bin/etcd
args:
- --name=calico
- --data-dir=/var/etcd/calico-data
{{ if eq .Values.endpoints.etcd.scheme.default "https" }}
- --client-cert-auth=True
- --peer-client-cert-auth=True
- --trusted-ca-file=/etc/calico-certs/ca.crt
- --cert-file=/etc/calico-certs/server.crt
- --key-file=/etc/calico-certs/server.key
- --peer-trusted-ca-file=/etc/calico-certs/ca.crt
- --peer-cert-file=/etc/calico-certs/server.crt
- --peer-key-file=/etc/calico-certs/server.key
{{ end }}
- --advertise-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
- --listen-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- --listen-peer-urls={{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- --auto-compaction-retention=1
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: var-etcd
mountPath: /var/etcd
{{ if .Values.conf.etcd.credentials.ca }}
- name: calico-etcd-secrets
mountPath: /etc/calico-certs/ca.crt
subPath: etcd.ca
readOnly: true
{{ end }}
{{ if .Values.conf.etcd.credentials.certificate }}
- name: calico-etcd-secrets
mountPath: /etc/calico-certs/server.crt
subPath: etcd.crt
readOnly: true
{{ end }}
{{ if .Values.conf.etcd.credentials.key }}
- name: calico-etcd-secrets
mountPath: /etc/calico-certs/server.key
subPath: etcd.key
readOnly: true
{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: var-etcd
hostPath:
path: /var/etcd
- name: calico-etcd-secrets
secret:
secretName: calico-etcd-secrets
{{- end }}