openstack/openstack-helm-infra
Code Issues Proposed changes
eac7202774
openstack-helm-infra/calico/values.yaml
Chris Wedgwood 02f400e442 [Calico] Allow resource configuration using chart (overrides) 
Allow Calico resources such as NetworkPolicy, GlobalNetworkPolicy,
WorkloadEndpoint, etc to be specified using values.

To avoid the complexities of list management with helm we use a
dictionary that contains a relative priority and set of objects
(called rules).

For example:

network:
  policy:

    someName:
      priority: 0
      rules:
       - apiVersion: projectcalico.org/v3
... some useful resource object ...
       - apiVersion: projectcalico.org/v3
... some other useful resource object ...

    someOtherName:
      priority: 1
      rules:
       - apiVersion: projectcalico.org/v3
... rules that come later ...

    lastSetOfRules:
      priority: 9
      rules:
       - apiVersion: projectcalico.org/v3
... rules that come last ... maybe hostendpoints ...

By having named groups of rules each with it's own priority you can
update, delete and amend individual sets of rules without provided you
set the appropriate "priority" value.

Change-Id: Id441350bcc8b95a91ef4d1b89d1bc3c417f50b13
2018-10-22 18:49:18 +00:00

500 lines
14 KiB
YAML
Raw Blame History

# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
images:
tags:
# These are minimum versions, older images will very likely not
# work
calico_etcd: quay.io/coreos/etcd:v3.3.9
calico_node: quay.io/calico/node:v3.2.3
calico_cni: quay.io/calico/cni:v3.2.3
calico_ctl: calico/ctl:v3.2.3
calico_settings: calico/ctl:v3.2.3
# NOTE: plural key, singular value
calico_kube_controllers: quay.io/calico/kube-controllers:v3.2.3
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
image_repo_sync: docker.io/docker:17.07.0
pull_policy: IfNotPresent
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
- calico_etcd
- calico_node
- calico_cni
- calico_kube_controllers
pod:
resources:
enabled: false
jobs:
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_settings:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_kube_controllers:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_node:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_cni:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_ctl:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_etcd:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
controllers:
min_available: 0
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- calico-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
calico_kube_controllers:
services:
- endpoint: internal
service: calico-etcd
calico_node:
services:
- endpoint: internal
service: calico-etcd
calico_settings:
services:
- endpoint: internal
service: calico-etcd
calico_etcd:
services: null
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
etcd:
auth:
client:
tls:
crt: null
ca: null
key: null
path:
# these must be within /etc/calico
crt: /etc/calico/pki/crt
ca: /etc/calico/pki/ca
key: /etc/calico/pki/key
scheme:
default: http
path:
default: ' ' # space required to provide a truly empty path
hosts:
default: 10.96.232.136
host_fqdn_override:
default: null
service:
name: null
port:
client:
default: 6666
peer:
default: 6667
monitoring:
prometheus:
enabled: true
calico_node:
scrape: true
port: 9091
networking:
podSubnet: 192.168.0.0/16
# Physical MTU, if ipip is enabled, the chart will adjust things downward
mtu: 1500
settings:
mesh: "on"
# technically this could be a list, today we only support
# a single podSubnet, the one above. The settings below
# will be applied to that ipPool
ippool:
ipip:
enabled: "true"
# Titlecase
mode: "Always"
nat_outgoing: "true"
disabled: "false"
bgp:
# our asnumber for bgp peering
asnumber: 64512
ipv4:
# https://docs.projectcalico.org/v3.2/reference/calicoctl/resources/bgppeer
#
# this is a list of peer objects that will be passed directly to
# calicoctl - for global peers, the scope should be global and
# the node attribute removed
#
# apiVersion: projectcalico.org/v3
# kind: BGPPeer
# metadata:
# name: some.name
# spec:
# node: rack1-host1
# peerIP: 10.1.10.39
# asNumber: 64512
peers: []
# this is a list of additional IPv4 cidrs that if we discover
# IPs within them on a host, we will announce the address in
# addition to traditional pod workloads
additional_cidrs: []
port:
neighbor: 179
listen: 179
ipv6:
# https://docs.projectcalico.org/v3.2/reference/calicoctl/resources/bgppeer
#
# this is a list of peer objects that will be passed directly to
# calicoctl - for global peers, the scope should be global and
# the node attribute removed
#
# apiVersion: projectcalico.org/v3
# kind: BGPPeer
# metadata:
# name: some.name
# spec:
# node: rack1-host1
# peerIP: 2600:1:2:3::abcd
# asNumber: 64512
peers: []
# this is a list of additional IPv6 cidrs that if we discover
# IPs within them on a host, we will announce them in addition
# to traditional pod workloads
additional_cidrs: []
port:
neighbor: 179
listen: 179
# Policy contains embedded Calico policy and/or endpoint objects.
# Because lists are cumbersome to deal with this is stuctured as a
# dictionary (therefore not ordered). The top-level key names are
# not important, priority contains a value between 0 and 9 inclusive
# and rules contains any objects (typically used as rules).
# Priority 0 objects are emitted before priority 9. It is
# recommended any rules such as HostEndpoint be given a higher
# priority so that they are applied after more generic objects.
# Priority values outside of integers 0 through 9 are not valid and
# should not be used.
policy:
# alpha:
# priority: 0
# rules:
# - apiVersion: projectcalico.org/v3
# kind: GlobalNetworkPolicy
# metadata:
# name: allow-tcp-6379
# spec:
# order: 0
# selector: role == 'database'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 6379
# egress:
# - action: Allow
# - apiVersion: projectcalico.org/v3
# kind: GlobalNetworkPolicy
# metadata:
# name: allow-tcp-3306
# spec:
# order: 1
# selector: role == 'database'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 3306
# egress:
# - action: Allow
# beta:
# priority: 1
# rules:
# - apiVersion: projectcalico.org/v3
# kind: NetworkPolicy
# metadata:
# name: allow-tcp-6379
# namespace: production
# spec:
# selector: role == 'database'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 6379
# egress:
# - action: Allow
# - apiVersion: projectcalico.org/v3
# kind: NetworkPolicy
# metadata:
# name: allow-tcp-8081
# namespace: production
# spec:
# selector: role == 'webthing'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 8081
# egress:
# - action: Allow
# zulu:
# priority: 9
# rules:
# - apiVersion: projectcalico.org/v3
# kind: HostEndpoint
# metadata:
# name: first.thing
# labels:
# type: production
# spec:
# interfaceName: eth0
# node: mysecrethost
# expectedIPs:
# - 192.168.0.1
# - 192.168.0.2
# profiles:
# - profile1
# - profile2
# ports:
# - name: some-port
# port: 1234
# protocol: TCP
# - name: another-port
# port: 5432
# protocol: UDP
# - apiVersion: projectcalico.org/v3
# kind: HostEndpoint
# metadata:
# name: second.thing
# labels:
# type: production
# spec:
# interfaceName: eth1
# node: myothersecrethost
# expectedIPs:
# - 192.168.1.1
# - 192.168.1.2
# profiles:
# - profile1
# - profile2
# ports:
# - name: some-port
# port: 1234
# protocol: TCP
# - name: another-port
# port: 5432
# protocol: UDP
conf:
etcd:
credentials:
ca: null
key: null
certificate: null
# NOTE; syntax has subtly changed since Calico v2. For Armada *all*
# of this needes to be specified. We're using yaml here which we
# can't robustly convert to json (which the node pod requires) so it
# might be we revisit that and embedded a json string that gets
# edits
cni_network_config:
# https://docs.projectcalico.org/v3.2/reference/cni-plugin/configuration
#
# other than the etcd_* keys you likely want to leave this as-is
name: k8s-pod-network
cniVersion: 0.3.0
plugins:
- type: calico
log_level: info
etcd_endpoints: __ETCD_ENDPOINTS__
etcd_key_file: __ETCD_KEY_FILE__
etcd_cert_file: __ETCD_CERT_FILE__
etcd_ca_cert_file: __ETCD_CA_CERT_FILE__
ipam:
type: calico-ipam
policy:
type: k8s
kubernetes:
kubeconfig: __KUBECONFIG_FILEPATH__
- type: portmap
snat: true
capabilities:
portMappings: true
controllers:
# The location of the Kubernetes API. Use the default Kubernetes
# service for API access.
K8S_API: "https://kubernetes.default:443"
# Choose which controllers to run.
ENABLED_CONTROLLERS: "policy,profile,workloadendpoint,node"
# Since we're running in the host namespace and might not have KubeDNS
# access, configure the container's /etc/hosts to resolve
# kubernetes.default to the correct service clusterIP.
CONFIGURE_ETC_HOSTS: "true"
node:
# for specific details see
# https://docs.projectcalico.org/v3.2/reference/node/configuration
name: k8s-pod-network
# Cluster type to identify the deployment type
# NOTE: v2 had a list ... v3 a comma separated string
CLUSTER_TYPE: "k8s,bgp"
# Describes which BGP networking backend to use gobgp, bird, none.
# Default is bird. NOTE(alanmeadows) today this chart only
# supports applying the bgp customizations to bird templates - in
# the future we may support gobgp as well
CALICO_NETWORKING_BACKEND: bird
# Location of the CA certificate for etcd.
ETCD_CA_CERT_FILE: ""
# Location of the client key for etcd.
ETCD_KEY_FILE: ""
# Location of the client certificate for etcd.
ETCD_CERT_FILE: ""
# Disable file logging so `kubectl logs` works.
CALICO_DISABLE_FILE_LOGGING: "true"
# Set Felix endpoint to host default action to ACCEPT.
FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT"
# Configure the IP Pool from which Pod IPs will be chosen.
CALICO_IPV4POOL_CIDR: null
# Change this to 'off' in environments with direct L2 communication
# Titlecase
CALICO_IPV4POOL_IPIP: "Always"
# Disable IPv6 on Kubernetes.
FELIX_IPV6SUPPORT: "false"
# Set MTU for tunnel device used if ipip is enabled
FELIX_IPINIPMTU: null
# Set Felix logging to "info"
FELIX_LOGSEVERITYSCREEN: "info"
FELIX_HEALTHENABLED: "true"
# Set Felix experimental Prometheus metrics server
FELIX_PROMETHEUSMETRICSENABLED: "true"
FELIX_PROMETHEUSMETRICSPORT: "9091"
# Auto-detect the BGP IP address.
IP: ""
# Detection of source interface for routing
# options include
# can-reach=DESTINATION
# interface=INTERFACE-REGEX
IP_AUTODETECTION_METHOD: first-found
IPV6_AUTODETECTION_METHOD: first-found
manifests:
configmap_bin: true
configmap_etc: true
configmap_bird: true
daemonset_calico_etcd: true
daemonset_calico_node: true
daemonset_calico_node_calicoctl: true
deployment_calico_kube_controllers: true
job_image_repo_sync: true
job_calico_settings: true
service_calico_etcd: true
secret_certificates: true
View Git Blame Copy Permalink