openstack/openstack-helm-infra
Code Issues Proposed changes
fc92933346
openstack-helm-infra/calico/values.yaml
Brian Haley f31cfb2ef9 support image registries with authentication 
Based on spec in openstack-helm repo,
support-OCI-image-registry-with-authentication-turned-on.rst

Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with these
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.

Change-Id: Iebda4c7a861aa13db921328776b20c14ba346269
2022-07-20 14:28:47 -05:00

596 lines
17 KiB
YAML
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
images:
tags:
# These are minimum versions, older images will very likely not
# work
calico_etcd: quay.io/coreos/etcd:v3.4.3
calico_node: quay.io/calico/node:v3.4.0
calico_cni: quay.io/calico/cni:v3.4.0
calico_ctl: calico/ctl:v3.4.0
calico_settings: calico/ctl:v3.4.0
# NOTE: plural key, singular value
calico_kube_controllers: quay.io/calico/kube-controllers:v3.4.0
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/library/docker:17.07.0
pull_policy: IfNotPresent
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
- calico_etcd
- calico_node
- calico_cni
- calico_kube_controllers
pod:
security_context:
etcd:
pod:
runAsUser: 0
container:
calico_etcd:
readOnlyRootFilesystem: false
calico_node:
pod:
runAsUser: 0
container:
calico_ctl:
readOnlyRootFilesystem: false
install_cni:
readOnlyRootFilesystem: false
calico_node:
readOnlyRootFilesystem: false
capabilities:
add:
- 'NET_ADMIN'
- 'SYS_ADMIN'
kube_controllers:
pod:
runAsUser: 0
container:
kube_controller:
readOnlyRootFilesystem: false
calico_settings:
pod:
runAsUser: 0
container:
calico_settings:
readOnlyRootFilesystem: false
resources:
enabled: false
jobs:
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_settings:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_kube_controllers:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_node:
requests:
memory: "128Mi"
cpu: "250m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_cni:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_ctl:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_etcd:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
controllers:
min_available: 0
mandatory_access_control:
type: apparmor
calico-node:
calico-node: runtime/default
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- calico-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
calico_kube_controllers:
services:
- endpoint: internal
service: calico-etcd
calico_node:
services:
- endpoint: internal
service: calico-etcd
calico_settings:
services:
- endpoint: internal
service: calico-etcd
calico_etcd:
services: null
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
secrets:
oci_image_registry:
calico: calico-oci-image-registry
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
oci_image_registry:
name: oci-image-registry
namespace: oci-image-registry
auth:
enabled: false
calico:
username: calico
password: password
hosts:
default: localhost
host_fqdn_override:
default: null
port:
registry:
default: null
etcd:
auth:
client:
tls:
crt: null
ca: null
key: null
path:
# these must be within /etc/calico
crt: /etc/calico/pki/crt
ca: /etc/calico/pki/ca
key: /etc/calico/pki/key
scheme:
default: http
path:
default: ' ' # space required to provide a truly empty path
hosts:
default: 10.96.232.136
host_fqdn_override:
default: null
service:
name: null
port:
client:
default: 6666
peer:
default: 6667
monitoring:
prometheus:
enabled: true
calico_node:
scrape: true
port: 9091
networking:
podSubnet: 192.168.0.0/16
# Physical MTU, if ipip is enabled, the chart will adjust things downward
mtu: 1500
settings:
mesh: "on"
# technically this could be a list, today we only support a single
# podSubnet, the one above. The settings below will be applied to
# that ipPool
ippool:
ipip:
enabled: true
nat_outgoing: true
disabled: false
bgp:
# our asnumber for bgp peering
asnumber: 64512
ipv4:
# https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/bgppeer
#
# this is a list of peer objects that will be passed directly to
# calicoctl - for global peers, the scope should be global and
# the node attribute removed
#
# apiVersion: projectcalico.org/v3
# kind: BGPPeer
# metadata:
# name: some.name
# spec:
# node: rack1-host1
# peerIP: 10.1.10.39
# asNumber: 64512
peers: []
# this is a list of additional IPv4 cidrs that if we discover
# IPs within them on a host, we will announce the address in
# addition to traditional pod workloads
additional_cidrs: []
# community_cidr_ref contains embedded objects that describe a
# BGP community that is to be associated with the supplied CIDR.
# The top-level key names are not important.
#
# The resulting BGP community will take the form of
# <prefix>:<community>
# If no prefix is specified then the asnumber is used
community_cidr_ref:
# cidr_community_description:
# cidr: 192.168.0.0/16
# community: 54321
# prefix: 55555
# alpha:
# cidr: 10.0.0.0/16
# community: 54322
port:
neighbor: 179
listen: 179
ipv6:
# https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/bgppeer
#
# this is a list of peer objects that will be passed directly to
# calicoctl - for global peers, the scope should be global and
# the node attribute removed
#
# apiVersion: projectcalico.org/v3
# kind: BGPPeer
# metadata:
# name: some.name
# spec:
# node: rack1-host1
# peerIP: 2600:1:2:3::abcd
# asNumber: 64512
peers: []
# this is a list of additional IPv6 cidrs that if we discover
# IPs within them on a host, we will announce them in addition
# to traditional pod workloads
additional_cidrs: []
# community_cidr_ref contains embedded objects that describe a
# BGP community that is to be associated with the supplied CIDR.
# The top-level key names are not important.
#
# The resulting BGP community will take the form of
# <prefix>:<community>
# If no prefix is specified then the asnumber is used
community_cidr_ref:
# cidr_community_description:
# cidr: 2600:1:2:3::abcd/28
# community: 54321
# prefix: 55555
# alpha:
# cidr: 1400:a:2:3::abcd/26
# community: 54322
port:
neighbor: 179
listen: 179
# Policy contains embedded Calico policy and/or endpoint objects.
# Because lists are cumbersome to deal with this is stuctured as a
# dictionary (therefore not ordered). The top-level key names are
# not important, priority contains a value between 0 and 9 inclusive
# and rules contains any objects (typically used as rules).
# Priority 0 objects are emitted before priority 9. It is
# recommended any rules such as HostEndpoint be given a higher
# priority so that they are applied after more generic objects.
# Priority values outside of integers 0 through 9 are not valid and
# should not be used.
policy:
# alpha:
# priority: 0
# rules:
# - apiVersion: projectcalico.org/v3
# kind: GlobalNetworkPolicy
# metadata:
# name: allow-tcp-6379
# spec:
# order: 0
# selector: role == 'database'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 6379
# egress:
# - action: Allow
# - apiVersion: projectcalico.org/v3
# kind: GlobalNetworkPolicy
# metadata:
# name: allow-tcp-3306
# spec:
# order: 1
# selector: role == 'database'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 3306
# egress:
# - action: Allow
# beta:
# priority: 1
# rules:
# - apiVersion: projectcalico.org/v3
# kind: NetworkPolicy
# metadata:
# name: allow-tcp-6379
# namespace: production
# spec:
# selector: role == 'database'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 6379
# egress:
# - action: Allow
# - apiVersion: projectcalico.org/v3
# kind: NetworkPolicy
# metadata:
# name: allow-tcp-8081
# namespace: production
# spec:
# selector: role == 'webthing'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 8081
# egress:
# - action: Allow
# zulu:
# priority: 9
# rules:
# - apiVersion: projectcalico.org/v3
# kind: HostEndpoint
# metadata:
# name: first.thing
# labels:
# type: production
# spec:
# interfaceName: eth0
# node: mysecrethost
# expectedIPs:
# - 192.168.0.1
# - 192.168.0.2
# profiles:
# - profile1
# - profile2
# ports:
# - name: some-port
# port: 1234
# protocol: TCP
# - name: another-port
# port: 5432
# protocol: UDP
# - apiVersion: projectcalico.org/v3
# kind: HostEndpoint
# metadata:
# name: second.thing
# labels:
# type: production
# spec:
# interfaceName: eth1
# node: myothersecrethost
# expectedIPs:
# - 192.168.1.1
# - 192.168.1.2
# profiles:
# - profile1
# - profile2
# ports:
# - name: some-port
# port: 1234
# protocol: TCP
# - name: another-port
# port: 5432
# protocol: UDP
conf:
etcd:
credentials:
ca: null
key: null
certificate: null
# NOTE; syntax has subtly changed since Calico v2. For Armada *all*
# of this needes to be specified. We're using yaml here which we
# can't robustly convert to json (which the node pod requires) so it
# might be we revisit that and embedded a json string that gets
# edits
cni_network_config:
# https://docs.projectcalico.org/v3.4/reference/cni-plugin/configuration
#
# other than the etcd_* keys you likely want to leave this as-is
name: k8s-pod-network
cniVersion: 0.3.0
plugins:
- type: calico
log_level: info
etcd_endpoints: __ETCD_ENDPOINTS__
etcd_key_file: __ETCD_KEY_FILE__
etcd_cert_file: __ETCD_CERT_FILE__
etcd_ca_cert_file: __ETCD_CA_CERT_FILE__
ipam:
type: calico-ipam
policy:
type: k8s
kubernetes:
kubeconfig: __KUBECONFIG_FILEPATH__
- type: portmap
snat: true
capabilities:
portMappings: true
controllers:
# The location of the Kubernetes API. Use the default Kubernetes
# service for API access.
K8S_API: "https://kubernetes.default:443"
# Choose which controllers to run, see
# https://docs.projectcalico.org//v3.4/reference/kube-controllers/configuration
# for an explanation of each
ENABLED_CONTROLLERS: "policy,namespace,serviceaccount,workloadendpoint,node"
# Since we're running in the host namespace and might not have KubeDNS
# access, configure the container's /etc/hosts to resolve
# kubernetes.default to the correct service clusterIP.
CONFIGURE_ETC_HOSTS: true
node:
# for specific details see
# https://docs.projectcalico.org/v3.4/reference/node/configuration
name: k8s-pod-network
# Cluster type to identify the deployment type
# NOTE: v2 had a list ... v3 a comma separated string
CLUSTER_TYPE: "k8s,bgp"
# Describes which BGP networking backend to use gobgp, bird, none.
# Default is bird. NOTE(alanmeadows) today this chart only
# supports applying the bgp customizations to bird templates - in
# the future we may support gobgp as well
CALICO_NETWORKING_BACKEND: bird
# Location of the CA certificate for etcd.
ETCD_CA_CERT_FILE: ""
# Location of the client key for etcd.
ETCD_KEY_FILE: ""
# Location of the client certificate for etcd.
ETCD_CERT_FILE: ""
# Disable file logging so `kubectl logs` works.
CALICO_DISABLE_FILE_LOGGING: true
# Set Felix endpoint to host default action to ACCEPT.
# early/startup log level for calico-node on startup.
CALICO_STARTUP_LOGLEVEL: "Info"
FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT"
# Configure the IP Pool from which Pod IPs will be chosen; it's
# recommended you leave this as null and the value from
# networking.podSubnet will be used
CALICO_IPV4POOL_CIDR: null
# See https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/ippool
CALICO_IPV4POOL_BLOCKSIZE: 26
# Change this to 'Never' in environments with direct L2
# communication (such that tunnels are not needed for pods on
# different hosts to communicate with each otehr).
CALICO_IPV4POOL_IPIP: "Always"
# Disable IPv6 on Kubernetes.
FELIX_IPV6SUPPORT: false
# Set MTU for tunnel device used if ipip is enabled, it's
# recommended you leave this as null and an appropriate value will
# be set based on tunneling mode and the networking.mtu value
FELIX_IPINIPMTU: null
# Set Felix logging; also (ab)used for bgp configuration
FELIX_LOGSEVERITYSCREEN: "Info"
FELIX_HEALTHENABLED: true
# Set Felix experimental Prometheus metrics server
FELIX_PROMETHEUSMETRICSENABLED: true
FELIX_PROMETHEUSMETRICSPORT: "9091"
# Auto-detect the BGP IP address.
IP: ""
# Detection of source interface for routing
# options include
# can-reach=DESTINATION
# interface=INTERFACE-REGEX
IP_AUTODETECTION_METHOD: first-found
IPV6_AUTODETECTION_METHOD: first-found
manifests:
configmap_bin: true
configmap_etc: true
configmap_bird: true
daemonset_calico_etcd: true
daemonset_calico_node: true
daemonset_calico_node_calicoctl: true
deployment_calico_kube_controllers: true
job_image_repo_sync: true
job_calico_settings: true
service_calico_etcd: true
secret_certificates: true
secret_registry: true
...
View Git Blame Copy Permalink