From 432dbc723d84ff49f791e0614b869d22add3b995 Mon Sep 17 00:00:00 2001 From: Samuele Chiocca Date: Mon, 28 Aug 2023 10:13:04 +0200 Subject: [PATCH 01/24] Feat/update cilium and add 1.26 (#68) * feat: update cilium to 1.13.3 * docs: WIP add release 1.14.0 and update README * feat: update drone CI to add 1.26 to the tests * docs: WIP update compatibility matrix * docs: update compatibility matrix, add legacy table * docs: increase title level * feat: update 1.26 CI to 1.26.4 --- .drone.yml | 130 ++++++++++++++++++++++--- README.md | 8 +- docs/COMPATIBILITY_MATRIX.md | 49 ++++++---- docs/releases/v1.14.0.md | 32 ++++++ katalog/cilium/MAINTENANCE.md | 2 +- katalog/cilium/MAINTENANCE.values.yaml | 15 +-- katalog/cilium/README.md | 12 +-- katalog/cilium/core/deploy.yaml | 16 +-- katalog/cilium/hubble/deploy.yaml | 8 +- 9 files changed, 205 insertions(+), 67 deletions(-) create mode 100644 docs/releases/v1.14.0.md diff --git a/.drone.yml b/.drone.yml index 796f427..5875611 100644 --- a/.drone.yml +++ b/.drone.yml @@ -361,9 +361,8 @@ steps: volumes: - name: shared temp: {} - --- -name: e2e-kubernetes-1.23-cilium +name: e2e-kubernetes-1.26-calico kind: pipeline type: docker @@ -381,21 +380,21 @@ trigger: - refs/tags/** depends_on: - - e2e-kubernetes-1.23-calico + - policeman steps: - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v0.13.0 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.4 pull: always volumes: - name: shared path: /shared depends_on: [clone] settings: - action: custom-cluster-123 - pipeline_id: cluster-123 + action: custom-cluster-126 + pipeline_id: cluster-126 local_kind_config_path: katalog/tests/calico/resources/kind-config - cluster_version: "1.23.0" + cluster_version: "1.26.4" instance_path: /shared aws_default_region: from_secret: aws_region 
@@ -417,23 +416,23 @@ steps: from_secret: dockerhub_password - name: test - image: quay.io/sighup/e2e-testing:1.1.0_0.2.2_2.16.1_1.9.4_1.23.0_3.8.7_2.4.1 + image: quay.io/sighup/e2e-testing:1.1.0_0.11.0_3.1.1_1.9.4_1.26.3_3.5.3_4.33.3 pull: always volumes: - name: shared path: /shared depends_on: [init] commands: - - export KUBECONFIG=/shared/kube/kubeconfig-123 - - bats -t katalog/tests/cilium/cilium.sh + - export KUBECONFIG=/shared/kube/kubeconfig-126 + - bats -t katalog/tests/calico/calico.sh - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v0.13.0 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.4 pull: always depends_on: [test] settings: action: destroy - pipeline_id: cluster-123 + pipeline_id: cluster-126 aws_default_region: from_secret: aws_region aws_access_key_id: @@ -460,6 +459,7 @@ steps: volumes: - name: shared temp: {} + --- name: e2e-kubernetes-1.24-cilium kind: pipeline @@ -479,7 +479,7 @@ trigger: - refs/tags/** depends_on: - - e2e-kubernetes-1.24-calico + - e2e-kubernetes-1.26-calico steps: - name: init @@ -578,7 +578,7 @@ trigger: - refs/tags/** depends_on: - - e2e-kubernetes-1.25-calico + - e2e-kubernetes-1.26-calico steps: - name: init 
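Review bot: Re-pointing `depends_on` of e2e-kubernetes-1.24-cilium (and, in the `@@ -578` hunk, e2e-kubernetes-1.25-cilium) from its own calico counterpart to e2e-kubernetes-1.26-calico drops the ordering between each cilium pipeline and the calico pipeline of the same Kubernetes version. The pairs visible in this patch share one `pipeline_id` per version (cluster-123 for the old 1.23 pair, cluster-126 for the new 1.26 pair) and the `destroy` step only releases it after `test`, so if the 1.24 and 1.25 pairs follow the same convention they can now run concurrently against the same cluster id and `/shared/kube/kubeconfig-12x` path; the `pipeline_id` values of those pipelines are outside these hunks, so please confirm. If the intent is only to gate on the new 1.26 calico run, listing both entries, `- e2e-kubernetes-1.24-calico` and `- e2e-kubernetes-1.26-calico`, keeps the serialization. Each pipeline's `steps` continue outside the hunk.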
@@ -655,6 +655,104 @@ steps: - success - failure +volumes: + - name: shared + temp: {} +--- +name: e2e-kubernetes-1.26-cilium +kind: pipeline +type: docker + +node: + runner: internal + +platform: + os: linux + arch: amd64 + +trigger: + ref: + include: + - refs/heads/master + - refs/tags/** + +depends_on: + - e2e-kubernetes-1.26-calico + +steps: + - name: init + image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.4 + pull: always + volumes: + - name: shared + path: /shared + depends_on: [clone] + settings: + action: custom-cluster-126 + pipeline_id: cluster-126 + local_kind_config_path: katalog/tests/calico/resources/kind-config + cluster_version: "1.26.4" + instance_path: /shared + aws_default_region: + from_secret: aws_region + aws_access_key_id: + from_secret: aws_access_key_id + aws_secret_access_key: + from_secret: aws_secret_access_key + terraform_tf_states_bucket_name: + from_secret: terraform_tf_states_bucket_name + vsphere_server: + from_secret: vsphere_server + vsphere_password: + from_secret: vsphere_password + vsphere_user: + from_secret: vsphere_user + dockerhub_username: + from_secret: dockerhub_username + dockerhub_password: + from_secret: dockerhub_password + + - name: test + image: quay.io/sighup/e2e-testing:1.1.0_0.11.0_3.1.1_1.9.4_1.26.3_3.5.3_4.33.3 + pull: always + volumes: + - name: shared + path: /shared + depends_on: [init] + commands: + - export KUBECONFIG=/shared/kube/kubeconfig-126 + - bats -t katalog/tests/cilium/cilium.sh + + - name: destroy + image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.4 + pull: always + depends_on: [test] + settings: + action: destroy + pipeline_id: cluster-126 + aws_default_region: + from_secret: aws_region + aws_access_key_id: + from_secret: aws_access_key_id + aws_secret_access_key: + from_secret: aws_secret_access_key + terraform_tf_states_bucket_name: + from_secret: terraform_tf_states_bucket_name + vsphere_server: + from_secret: vsphere_server + vsphere_password: + from_secret: vsphere_password + 
vsphere_user: + from_secret: vsphere_user + dockerhub_username: + from_secret: dockerhub_username + dockerhub_password: + from_secret: dockerhub_password + when: + status: + - success + - failure + volumes: - name: shared temp: {} @@ -665,12 +763,12 @@ kind: pipeline type: docker depends_on: - - e2e-kubernetes-1.23-calico - e2e-kubernetes-1.24-calico - e2e-kubernetes-1.25-calico - - e2e-kubernetes-1.23-cilium + - e2e-kubernetes-1.26-calico - e2e-kubernetes-1.24-cilium - e2e-kubernetes-1.25-cilium + - e2e-kubernetes-1.26-cilium platform: os: linux diff --git a/README.md b/README.md index a8e2b01..58f1f92 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ -![Release](https://img.shields.io/badge/Latest%20Release-v1.13.0-blue) +![Release](https://img.shields.io/badge/Latest%20Release-v1.14.0-blue) ![License](https://img.shields.io/github/license/sighupio/fury-kubernetes-networking?label=License) ![Slack](https://img.shields.io/badge/slack-@kubernetes/fury-yellow.svg?logo=slack&label=Slack) @@ -30,7 +30,7 @@ Kubernetes Fury Networking provides the following packages: | Package | Version | Description | | -------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | | [calico](katalog/calico) | `3.25.0` | [Calico][calico-page] CNI Plugin. For cluster with `< 50` nodes. | -| [cilium](katalog/cilium) | `1.13.1` | [Cilium][cilium-page] CNI Plugin. For cluster with `< 200` nodes. | +| [cilium](katalog/cilium) | `1.13.3` | [Cilium][cilium-page] CNI Plugin. For cluster with `< 200` nodes. | | [tigera](katalog/tigera) | `1.29.0` | [Tigera Operator][tigera-page], a Kubernetes Operator for Calico, provides pre-configured installations for on-prem and for EKS in policy-only mode. | | [ip-masq](katalog/ip-masq) | `2.8.0` | The `ip-masq-agent` configures iptables rules to implement IP masquerading functionality | 
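Review bot: The `destroy` step of the new e2e-kubernetes-1.26-cilium pipeline receives the full secret set, including `dockerhub_username`/`dockerhub_password`, although tearing down the cluster presumably only needs the AWS, Terraform state bucket and vSphere credentials; if the plugin's `destroy` action does not pull from Docker Hub, dropping those two settings from that step narrows where the registry credential is exposed, which matters because this step also runs on `failure`. The same secret set is copied into the `destroy` step of the renamed e2e-kubernetes-1.26-calico pipeline earlier in this file. I cannot see the plugin's input requirements from here, so confirm before removing. A short comment on `local_kind_config_path: katalog/tests/calico/resources/kind-config` explaining why the cilium test reuses the calico kind config would also help the next reader, since the same reuse was already present in the replaced 1.23 pipeline.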
@@ -42,9 +42,9 @@ Click on each package to see its full documentation. | Kubernetes Version | Compatibility | Notes | | ------------------ | :----------------: | --------------- | -| `1.23.x` | :white_check_mark: | No known issues | | `1.24.x` | :white_check_mark: | No known issues | | `1.25.x` | :white_check_mark: | No known issues | +| `1.26.x` | :white_check_mark: | No known issues | Check the [compatibility matrix][compatibility-matrix] for additional information on previous releases of the module. @@ -66,7 +66,7 @@ Check the [compatibility matrix][compatibility-matrix] for additional informatio ```yaml bases: - name: networking - version: "v1.13.0" + version: "v1.14.0" ``` > See `furyctl` [documentation][furyctl-repo] for additional details about `Furyfile.yml` format. diff --git a/docs/COMPATIBILITY_MATRIX.md b/docs/COMPATIBILITY_MATRIX.md index 63239c4..e4758fc 100644 --- a/docs/COMPATIBILITY_MATRIX.md +++ b/docs/COMPATIBILITY_MATRIX.md 
@@ -1,26 +1,14 @@ # Compatibility Matrix -| Module Version / Kubernetes Version | 1.14.X | 1.15.X | 1.16.X | 1.17.X | 1.18.X | 1.19.X | 1.20.X | 1.21.X | 1.22.X | 1.23.X | 1.24.X | 1.25.X | -| ----------------------------------- | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | ------------------ | ------------------ | ------------------ | -| v1.0.0 | :warning: | :warning: | :warning: | | | | | | | | | | -| v1.0.1 | :warning: | :warning: | :warning: | | | | | | | | | | -| v1.1.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | | | -| v1.2.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | | | -| v1.2.1 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | | | -| v1.3.0 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | -| v1.4.0 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | | | -| v1.5.0 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | | -| v1.6.0 | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | -| v1.7.0 | | | | | | :white_check_mark: | :white_check_mark: | :x: | :x: | | | | -| v1.8.0 | | | | | | | :x: | :x: | :x: | :x: | | | -| v1.8.1 | | | | | | | :x: | :x: | :x: | :x: | | | -| v1.8.2 | | | | | | | :white_check_mark: | :x: | :x: | :x: | | | -| v1.9.0 | | | | | | | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | -| v1.10.0 | | | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | -| v1.11.0 | | | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| v1.12.0 | | | | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| v1.12.1 | | | | | | | | | | :white_check_mark: | 
:white_check_mark: | :white_check_mark: | -| v1.12.2 | | | | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | +| Module Version / Kubernetes Version | 1.24.X | 1.25.X | 1.26.X | +| ----------------------------------- | ------------------ | ------------------ | ------------------ | +| v1.10.0 | :white_check_mark: | | | +| v1.11.0 | :white_check_mark: | :white_check_mark: | | +| v1.12.0 | :white_check_mark: | :white_check_mark: | | +| v1.12.1 | :white_check_mark: | :white_check_mark: | | +| v1.12.2 | :white_check_mark: | :white_check_mark: | | +| v1.14.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | + :white_check_mark: Compatible 
@@ -35,3 +23,22 @@ - :x: module version `v1.8.1` has a known bug breaking upgrades and with calico on Kubernetes >= 1.21. Please do not use. - :x: module version `v1.8.2` has a known bug with calico on Kubernetes >= 1.21. Please do not use. - :x: module version `v1.9.0`is not compatible with Kubernetes <= 1.20. + +## Legacy versions + +| Module Version / Kubernetes Version | 1.14.X | 1.15.X | 1.16.X | 1.17.X | 1.18.X | 1.19.X | 1.20.X | 1.21.X | 1.22.X | 1.23.X | +| ----------------------------------- | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | ------------------ | +| v1.0.0 | :warning: | :warning: | :warning: | | | | | | | | +| v1.0.1 | :warning: | :warning: | :warning: | | | | | | | | +| v1.1.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | +| v1.2.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | +| v1.2.1 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | +| v1.3.0 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | +| v1.4.0 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | +| v1.5.0 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | +| v1.6.0 | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | +| v1.7.0 | | | | | | :white_check_mark: | :white_check_mark: | :x: | :x: | | +| v1.8.0 | | | | | | | :x: | :x: | :x: | :x: | +| v1.8.1 | | | | | | | :x: | :x: | :x: | :x: | +| v1.8.2 | | | | | | | :white_check_mark: | :x: | :x: | :x: | +| v1.9.0 | | | | | | | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | \ No newline at end of file diff --git a/docs/releases/v1.14.0.md b/docs/releases/v1.14.0.md new file mode 100644 index 0000000..ceaea22 --- /dev/null 
+++ b/docs/releases/v1.14.0.md @@ -0,0 +1,32 @@ +# Networking Core Module Release 1.14.0 + +Welcome to the latest release of the `Networking` module of [`Kubernetes Fury Distribution`](https://github.com/sighupio/fury-distribution) maintained by team SIGHUP. + +This minor release updates some components and adds support to Kubernetes 1.26. + +## Component Images 🚢 + +| Component | Supported Version | Previous Version | +| ----------------- | -------------------------------------------------------------------------------- | ---------------- | +| `calico` | [`v3.25.0`](https://projectcalico.docs.tigera.io/archive/v3.25/release-notes/) | No update | +| `cilium` | [`v1.13.3`](https://github.com/cilium/cilium/releases/tag/v1.13.1) | `v1.13.1` | +| `ip-masq` | [`v2.8.0`](https://github.com/kubernetes-sigs/ip-masq-agent/releases/tag/v2.5.0) | No update | +| `tigera-operator` | [`v1.29.0`](https://github.com/tigera/operator/releases/tag/v1.29.0) | No update | + +> Please refer the individual release notes to get detailed information on each release. + +## Update Guide 🦮 + +### Process + +1. Just deploy as usual: + +```bash +kustomize build katalog/calico | kubectl apply -f - +# OR +kustomize build katalog/tigera/on-prem | kubectl apply -f - +# OR +kustomize build katalog/cilium | kubectl apply -f - +``` + +If you are upgrading from previous versions, please refer to the [`v1.13.0` release notes](https://github.com/sighupio/fury-kubernetes-networking/releases/tag/v1.13.0). diff --git a/katalog/cilium/MAINTENANCE.md b/katalog/cilium/MAINTENANCE.md index ecf39e9..e86a507 100644 --- a/katalog/cilium/MAINTENANCE.md +++ b/katalog/cilium/MAINTENANCE.md 
@@ -5,7 +5,7 @@ To update the Cilium package with upstream, please follow the next steps. Download the upstream manifests: ```bash -helm pull cilium/cilium --version 1.13.1 --untar --untardir /tmp +helm pull cilium/cilium --version 1.13.3 --untar --untardir /tmp ``` Change the tag for the images on the file `MAINTENANCE.values.yaml`, check the new one on `/tmp/cilium/values.yaml diff --git a/katalog/cilium/MAINTENANCE.values.yaml b/katalog/cilium/MAINTENANCE.values.yaml index a06e6a9..e112892 100644 --- a/katalog/cilium/MAINTENANCE.values.yaml +++ b/katalog/cilium/MAINTENANCE.values.yaml @@ -7,7 +7,7 @@ image: override: ~ repository: "registry.sighup.io/fury/cilium/cilium" - tag: "v1.13.1" + tag: "v1.13.3" useDigest: false # -- Affinity for cilium-agent. @@ -57,7 +57,10 @@ hubble: certValidityDuration: 1095 # -- certmanager issuer used when hubble.tls.auto.method=certmanager. # If not specified, a CA issuer will be created. - certManagerIssuerRef: {} + certManagerIssuerRef: + group: cert-manager.io + kind: Issuer + name: hubble-issuer metrics: enableOpenMetrics: true @@ -83,7 +86,7 @@ hubble: image: override: ~ repository: "registry.sighup.io/fury/cilium/hubble-relay" - tag: "v1.13.1" + tag: "v1.13.3" useDigest: false pullPolicy: "IfNotPresent" @@ -126,7 +129,7 @@ hubble: image: override: ~ repository: "registry.sighup.io/fury/cilium/hubble-ui-backend" - tag: "v0.10.0" + tag: "v0.11.0" pullPolicy: "IfNotPresent" resources: {} @@ -142,7 +145,7 @@ hubble: image: override: ~ repository: "registry.sighup.io/fury/cilium/hubble-ui" - tag: "v0.10.0" + tag: "v0.11.0" pullPolicy: "IfNotPresent" # -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. @@ -359,7 +362,7 @@ operator: image: override: ~ repository: "registry.sighup.io/fury/cilium/operator" - tag: "v1.13.1" + tag: "v1.13.3" useDigest: false pullPolicy: "IfNotPresent" suffix: "" diff --git a/katalog/cilium/README.md b/katalog/cilium/README.md index f0dc021..672377a 100644 
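Review bot: `certManagerIssuerRef` in MAINTENANCE.values.yaml now carries `group: cert-manager.io`, yet the two `issuerRef` hunks in katalog/cilium/hubble/deploy.yaml (`@@ -385` and `@@ -403`) remove exactly that `group` line from the rendered Certificates. cert-manager treats an omitted group as cert-manager.io, so the manifests behave the same, but the next `helm template` run driven by these values will put the line back and produce a spurious diff against deploy.yaml. Either keep `group: cert-manager.io` in deploy.yaml or drop it from the values so the two stay in sync; the chart template is not visible here, so I cannot tell which side is rendered verbatim.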
--- a/katalog/cilium/README.md +++ b/katalog/cilium/README.md @@ -15,15 +15,15 @@ Additionally, we deploy hubble component as an observability tool on the network ## Image repository and tag - cilium images: - - `registry.sighup.io/fury/cilium/cilium:v1.13.1` - - `registry.sighup.io/fury/cilium/operator-generic:v1.13.1` - - `registry.sighup.io/fury/cilium/hubble-ui-backend:v0.10.0` - - `registry.sighup.io/fury/cilium/hubble-ui:v0.10.0` - - `registry.sighup.io/fury/cilium/hubble-relay:v1.13.1` + - `registry.sighup.io/fury/cilium/cilium:v1.13.3` + - `registry.sighup.io/fury/cilium/operator-generic:v1.13.3` + - `registry.sighup.io/fury/cilium/hubble-ui-backend:v0.11.0` + - `registry.sighup.io/fury/cilium/hubble-ui:v0.11.0` + - `registry.sighup.io/fury/cilium/hubble-relay:v1.13.3` ## Requirements -- Kubernetes >= `1.23.X`. +- Kubernetes >= `1.24.X`. - Kustomize >= `v3.5.3`. - [prometheus-operator from KFD monitoring module][prometheus-operator] - [cert-manager from KFD ingress module][cert-manager] diff --git a/katalog/cilium/core/deploy.yaml b/katalog/cilium/core/deploy.yaml index 25f2c12..859265d 100644 --- a/katalog/cilium/core/deploy.yaml +++ b/katalog/cilium/core/deploy.yaml @@ -657,7 +657,7 @@ spec: spec: containers: - name: cilium-agent - image: "registry.sighup.io/fury/cilium/cilium:v1.13.1" + image: "registry.sighup.io/fury/cilium/cilium:v1.13.3" imagePullPolicy: IfNotPresent command: - cilium-agent @@ -805,7 +805,7 @@ spec: mountPath: /tmp initContainers: - name: config - image: "registry.sighup.io/fury/cilium/cilium:v1.13.1" + image: "registry.sighup.io/fury/cilium/cilium:v1.13.3" imagePullPolicy: IfNotPresent command: - cilium 
@@ -828,7 +828,7 @@ spec: # Required to mount cgroup2 filesystem on the underlying Kubernetes node. # We use nsenter command with host's cgroup and mount namespaces enabled. - name: mount-cgroup - image: "registry.sighup.io/fury/cilium/cilium:v1.13.1" + image: "registry.sighup.io/fury/cilium/cilium:v1.13.3" imagePullPolicy: IfNotPresent env: - name: CGROUP_ROOT @@ -865,7 +865,7 @@ spec: drop: - ALL - name: apply-sysctl-overwrites - image: "registry.sighup.io/fury/cilium/cilium:v1.13.1" + image: "registry.sighup.io/fury/cilium/cilium:v1.13.3" imagePullPolicy: IfNotPresent env: - name: BIN_PATH @@ -903,7 +903,7 @@ spec: # from a privileged container because the mount propagation bidirectional # only works from privileged containers. - name: mount-bpf-fs - image: "registry.sighup.io/fury/cilium/cilium:v1.13.1" + image: "registry.sighup.io/fury/cilium/cilium:v1.13.3" imagePullPolicy: IfNotPresent args: - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf' @@ -919,7 +919,7 @@ spec: mountPath: /sys/fs/bpf mountPropagation: Bidirectional - name: clean-cilium-state - image: "registry.sighup.io/fury/cilium/cilium:v1.13.1" + image: "registry.sighup.io/fury/cilium/cilium:v1.13.3" imagePullPolicy: IfNotPresent command: - /init-container.sh @@ -964,7 +964,7 @@ spec: memory: 100Mi # wait-for-kube-proxy # Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent - name: install-cni-binaries - image: "registry.sighup.io/fury/cilium/cilium:v1.13.1" + image: "registry.sighup.io/fury/cilium/cilium:v1.13.3" imagePullPolicy: IfNotPresent command: - "/install-plugin.sh" @@ -1095,7 +1095,7 @@ spec: spec: containers: - name: cilium-operator - image: "registry.sighup.io/fury/cilium/operator-generic:v1.13.1" + image: "registry.sighup.io/fury/cilium/operator-generic:v1.13.3" imagePullPolicy: IfNotPresent command: - cilium-operator-generic 
diff --git a/katalog/cilium/hubble/deploy.yaml b/katalog/cilium/hubble/deploy.yaml index 092d2e9..c9c00b5 100644 --- a/katalog/cilium/hubble/deploy.yaml +++ b/katalog/cilium/hubble/deploy.yaml @@ -239,7 +239,7 @@ spec: spec: containers: - name: hubble-relay - image: "registry.sighup.io/fury/cilium/hubble-relay:v1.13.1" + image: "registry.sighup.io/fury/cilium/hubble-relay:v1.13.3" imagePullPolicy: IfNotPresent command: - hubble-relay @@ -339,7 +339,7 @@ spec: automountServiceAccountToken: true containers: - name: frontend - image: "registry.sighup.io/fury/cilium/hubble-ui:v0.10.0" + image: "registry.sighup.io/fury/cilium/hubble-ui:v0.11.0" imagePullPolicy: IfNotPresent ports: - name: http @@ -352,7 +352,7 @@ spec: mountPath: /tmp terminationMessagePolicy: FallbackToLogsOnError - name: backend - image: "registry.sighup.io/fury/cilium/hubble-ui-backend:v0.10.0" + image: "registry.sighup.io/fury/cilium/hubble-ui-backend:v0.11.0" imagePullPolicy: IfNotPresent env: - name: EVENTS_SERVER_PORT @@ -385,7 +385,6 @@ metadata: namespace: kube-system spec: issuerRef: - group: cert-manager.io kind: Issuer name: hubble-issuer @@ -403,7 +402,6 @@ metadata: namespace: kube-system spec: issuerRef: - group: cert-manager.io kind: Issuer name: hubble-issuer From d3ade3a993dd4072787b91e1c511512df49dc2b7 Mon Sep 17 00:00:00 2001 
From: Samuele Chiocca Date: Mon, 28 Aug 2023 10:53:09 +0200 Subject: [PATCH 02/24] Feat/update calico for 1.26 (#69) * docs: update release note with calico * feat: update calico plain to 3.26.1 * feat: update tigera operator to 1.30.4 * feat: update ci, removes 1.23 CI for calico * docs: update main README with new calico versions * fix: kustomization.yaml file * fix: fix patch for calico enable metrics --- .drone.yml | 98 - README.md | 6 +- docs/releases/v1.14.0.md | 4 +- katalog/calico/MAINTENANCE.md | 18 +- katalog/calico/config.yml | 57 - katalog/calico/{crd.yml => deploy.yaml} | 949 ++- katalog/calico/deploy.yml | 64 - katalog/calico/ds.yml | 325 - katalog/calico/kustomization.yaml | 33 +- .../monitoring/felix-enable-metrics.yaml | 1 + katalog/calico/pdb.yml | 19 - katalog/calico/rbac.yml | 282 - katalog/calico/sa.yml | 15 - katalog/tigera/MAINTENANCE.md | 18 +- katalog/tigera/operator/tigera-operator.yaml | 6499 +++++++++++++---- 15 files changed, 5898 insertions(+), 2490 deletions(-) delete mode 100644 katalog/calico/config.yml rename katalog/calico/{crd.yml => deploy.yaml} (87%) delete mode 100644 katalog/calico/deploy.yml delete mode 100644 katalog/calico/ds.yml delete mode 100644 katalog/calico/pdb.yml delete mode 100644 katalog/calico/rbac.yml delete mode 100644 katalog/calico/sa.yml diff --git a/.drone.yml b/.drone.yml index 5875611..55ad0c6 100644 --- a/.drone.yml +++ b/.drone.yml 
@@ -66,104 +66,6 @@ steps: - /pluto detect tigera-on-prem.yml --ignore-deprecations --target-versions=k8s=v1.25.0 --- -name: e2e-kubernetes-1.23-calico -kind: pipeline -type: docker - -node: - runner: internal - -platform: - os: linux - arch: amd64 - -trigger: - ref: - include: - - refs/heads/master - - refs/tags/** - -depends_on: - - policeman - -steps: - - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v0.13.0 - pull: always - volumes: - - name: shared - path: /shared - depends_on: [clone] - settings: - action: custom-cluster-123 - pipeline_id: cluster-123 - local_kind_config_path: katalog/tests/calico/resources/kind-config - cluster_version: "1.23.0" - instance_path: /shared - aws_default_region: - from_secret: aws_region - aws_access_key_id: - from_secret: aws_access_key_id - aws_secret_access_key: - from_secret: aws_secret_access_key - terraform_tf_states_bucket_name: - from_secret: terraform_tf_states_bucket_name - vsphere_server: - from_secret: vsphere_server - vsphere_password: - from_secret: vsphere_password - vsphere_user: - from_secret: vsphere_user - dockerhub_username: - from_secret: dockerhub_username - dockerhub_password: - from_secret: dockerhub_password - - - name: test - image: quay.io/sighup/e2e-testing:1.1.0_0.2.2_2.16.1_1.9.4_1.23.0_3.8.7_2.4.1 - pull: always - volumes: - - name: shared - path: /shared - depends_on: [init] - commands: - - export KUBECONFIG=/shared/kube/kubeconfig-123 - - bats -t katalog/tests/calico/calico.sh - - - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v0.13.0 - pull: always - depends_on: [test] - settings: - action: destroy - pipeline_id: cluster-123 - aws_default_region: - from_secret: aws_region - aws_access_key_id: - from_secret: aws_access_key_id - aws_secret_access_key: - from_secret: aws_secret_access_key - terraform_tf_states_bucket_name: - from_secret: terraform_tf_states_bucket_name - vsphere_server: - from_secret: vsphere_server - vsphere_password: - from_secret: vsphere_password 
- vsphere_user: - from_secret: vsphere_user - dockerhub_username: - from_secret: dockerhub_username - dockerhub_password: - from_secret: dockerhub_password - when: - status: - - success - - failure - -volumes: - - name: shared - temp: {} ---- name: e2e-kubernetes-1.24-calico kind: pipeline type: docker diff --git a/README.md b/README.md index 58f1f92..0d6948d 100644 --- a/README.md +++ b/README.md @@ -29,9 +29,9 @@ Kubernetes Fury Networking provides the following packages: | Package | Version | Description | | -------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | -| [calico](katalog/calico) | `3.25.0` | [Calico][calico-page] CNI Plugin. For cluster with `< 50` nodes. | -| [cilium](katalog/cilium) | `1.13.3` | [Cilium][cilium-page] CNI Plugin. For cluster with `< 200` nodes. | -| [tigera](katalog/tigera) | `1.29.0` | [Tigera Operator][tigera-page], a Kubernetes Operator for Calico, provides pre-configured installations for on-prem and for EKS in policy-only mode. | +| [calico](katalog/calico) | `3.26.1` | [Calico][calico-page] CNI Plugin. For cluster with `< 50` nodes. | +| [cilium](katalog/cilium) | `1.13.3` | [Cilium][cilium-page] CNI Plugin. For cluster with `< 200` nodes. | +| [tigera](katalog/tigera) | `1.30.4` | [Tigera Operator][tigera-page], a Kubernetes Operator for Calico, provides pre-configured installations for on-prem and for EKS in policy-only mode. | | [ip-masq](katalog/ip-masq) | `2.8.0` | The `ip-masq-agent` configures iptables rules to implement IP masquerading functionality | > The resources in these packages are going to be deployed in `kube-system` namespace. Except for the operator. diff --git a/docs/releases/v1.14.0.md b/docs/releases/v1.14.0.md index ceaea22..67fa421 100644 --- a/docs/releases/v1.14.0.md +++ b/docs/releases/v1.14.0.md 
@@ -8,10 +8,10 @@ This minor release updates some components and adds support to Kubernetes 1.26. | Component | Supported Version | Previous Version | | ----------------- | -------------------------------------------------------------------------------- | ---------------- | -| `calico` | [`v3.25.0`](https://projectcalico.docs.tigera.io/archive/v3.25/release-notes/) | No update | +| `calico` | [`v3.26.1`](https://projectcalico.docs.tigera.io/archive/v3.26/release-notes/) | `v3.25.0` | | `cilium` | [`v1.13.3`](https://github.com/cilium/cilium/releases/tag/v1.13.1) | `v1.13.1` | | `ip-masq` | [`v2.8.0`](https://github.com/kubernetes-sigs/ip-masq-agent/releases/tag/v2.5.0) | No update | -| `tigera-operator` | [`v1.29.0`](https://github.com/tigera/operator/releases/tag/v1.29.0) | No update | +| `tigera-operator` | [`v1.30.4`](https://github.com/tigera/operator/releases/tag/v1.30.4) | `v1.29.0` | > Please refer the individual release notes to get detailed information on each release. diff --git a/katalog/calico/MAINTENANCE.md b/katalog/calico/MAINTENANCE.md index 1354c20..3d1f62f 100644 --- a/katalog/calico/MAINTENANCE.md +++ b/katalog/calico/MAINTENANCE.md 
@@ -7,26 +7,20 @@ To update the Calico package with upstream, please follow the next steps: 1. Download upstream manifests: ```bash -export CALICO_VERSION=3.25 -curl -L https://docs.projectcalico.org/archive/v${CALICO_VERSION}/manifests/calico.yaml -o calico-${CALICO_VERSION}.yaml +export CALICO_VERSION=3.26.1 +curl -L https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests/calico.yaml -o calico-${CALICO_VERSION}.yaml ``` 2. Diff the downloaded manifest with the module's manifests: -```bash -# Let's generate a merged YAML to compare first -# ⚠️ assuming $PWD == root of the project -cat katalog/calico/pdb.yml katalog/calico/sa.yml katalog/calico/config.yml katalog/calico/crd.yml katalog/calico/rbac.yml katalog/calico/ds.yml katalog/calico/deploy.yml > merge.yaml -``` - -Compare the `merge.yaml` file with the downloaded `calico-${CALICO_VERSION}` file from upstream and port the necessary changes. +Compare the `deploy.yaml` file with the downloaded `calico-${CALICO_VERSION}` file from upstream and port the necessary changes. > ⚠️ Remember to drop the namespace from the files, becuase it is being added by Kustomize. 3. Update the `kustomization.yaml` file with the right image versions. ```bash -export CALICO_IMAGE_TAG=v3.25.0 +export CALICO_IMAGE_TAG=v3.26.1 kustomize edit set image docker.io/calico/kube-controllers=registry.sighup.io/fury/calico/kube-controllers:${CALICO_IMAGE_TAG} kustomize edit set image docker.io/calico/cni=registry.sighup.io/fury/calico/cni:${CALICO_IMAGE_TAG} kustomize edit set image docker.io/calico/node=registry.sighup.io/fury/calico/node:${CALICO_IMAGE_TAG} @@ -47,10 +41,10 @@ See ./katalog/calico/monitoring/dashboards/felix-dashboard.json +curl -L https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests/grafana-dashboards.yaml | yq '.data["felix-dashboard.json"]' | sed 's/calico-demo-prometheus/prometheus/g' | jq > ./monitoring/dashboards/felix-dashboard.json ``` ### Alerts 
diff --git a/katalog/calico/config.yml b/katalog/calico/config.yml deleted file mode 100644 index 2a2faef..0000000 --- a/katalog/calico/config.yml +++ /dev/null @@ -1,57 +0,0 @@ -# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - ---- -# Source: calico/templates/calico-config.yaml -# This ConfigMap is used to configure a self-hosted Calico installation. -kind: ConfigMap -apiVersion: v1 -metadata: - name: calico-config -data: - # Typha is disabled. - typha_service_name: "none" - # Configure the backend to use. - calico_backend: "bird" - - # Configure the MTU to use for workload interfaces and tunnels. - # By default, MTU is auto-detected, and explicitly setting this field should not be required. - # You can override auto-detection by providing a non-zero value. - veth_mtu: "0" - - # The CNI network configuration to install on each node. The special - # values in this config will be automatically populated. - cni_network_config: |- - { - "name": "k8s-pod-network", - "cniVersion": "0.3.1", - "plugins": [ - { - "type": "calico", - "log_level": "info", - "log_file_path": "/var/log/calico/cni/cni.log", - "datastore_type": "kubernetes", - "nodename": "__KUBERNETES_NODE_NAME__", - "mtu": __CNI_MTU__, - "ipam": { - "type": "calico-ipam" - }, - "policy": { - "type": "k8s" - }, - "kubernetes": { - "kubeconfig": "__KUBECONFIG_FILEPATH__" - } - }, - { - "type": "portmap", - "snat": true, - "capabilities": {"portMappings": true} - }, - { - "type": "bandwidth", - "capabilities": {"bandwidth": true} - } - ] - } diff --git a/katalog/calico/crd.yml b/katalog/calico/deploy.yaml similarity index 87% rename from katalog/calico/crd.yml rename to katalog/calico/deploy.yaml index 1b25625..1b45e7a 100644 --- a/katalog/calico/crd.yml +++ b/katalog/calico/deploy.yaml 
@@ -2,6 +2,97 @@ # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. +--- +# Source: calico/templates/calico-kube-controllers.yaml +# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict + +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: calico-kube-controllers + namespace: kube-system + labels: + k8s-app: calico-kube-controllers +spec: + maxUnavailable: 1 + selector: + matchLabels: + k8s-app: calico-kube-controllers +--- +# Source: calico/templates/calico-kube-controllers.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-kube-controllers + namespace: kube-system +--- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-node + namespace: kube-system +--- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- +# Source: calico/templates/calico-config.yaml +# This ConfigMap is used to configure a self-hosted Calico installation. +kind: ConfigMap +apiVersion: v1 +metadata: + name: calico-config + namespace: kube-system +data: + # Typha is disabled. + typha_service_name: "none" + # Configure the backend to use. + calico_backend: "bird" + + # Configure the MTU to use for workload interfaces and tunnels. + # By default, MTU is auto-detected, and explicitly setting this field should not be required. + # You can override auto-detection by providing a non-zero value. + veth_mtu: "0" + + # The CNI network configuration to install on each node. The special + # values in this config will be automatically populated. 
+ cni_network_config: |- + { + "name": "k8s-pod-network", + "cniVersion": "0.3.1", + "plugins": [ + { + "type": "calico", + "log_level": "info", + "log_file_path": "/var/log/calico/cni/cni.log", + "datastore_type": "kubernetes", + "nodename": "__KUBERNETES_NODE_NAME__", + "mtu": __CNI_MTU__, + "ipam": { + "type": "calico-ipam" + }, + "policy": { + "type": "k8s" + }, + "kubernetes": { + "kubeconfig": "__KUBECONFIG_FILEPATH__" + } + }, + { + "type": "portmap", + "snat": true, + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } --- # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 
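Review bot: Every metadata block added in this hunk (the PodDisruptionBudget, the three ServiceAccounts and the calico-config ConfigMap) hardcodes `namespace: kube-system`, which contradicts the module's own MAINTENANCE note to drop the namespace because Kustomize injects it, and differs from the deleted config.yml which carried none. Hardcoding is harmless while the kustomization's namespace is also kube-system, but it silently pins these objects if the package is ever deployed elsewhere and makes the next upstream diff noisier. Either remove the `namespace: kube-system` line from each of these objects so the Kustomize namespace transformer stays the single source of truth, or update the MAINTENANCE note to say namespaces are now kept in the vendored manifest.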
@@ -193,6 +284,130 @@ status: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: bgpfilters.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BGPFilter + listKind: BGPFilterList + plural: bgpfilters + singular: bgpfilter + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of + the BGP Filter. + properties: + exportV4: + description: The ordered set of IPv4 BGPFilter rules acting on exporting + routes to a peer. + items: + description: BGPFilterRuleV4 defines a BGP filter rule consisting + a single IPv4 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + exportV6: + description: The ordered set of IPv6 BGPFilter rules acting on exporting + routes to a peer. + items: + description: BGPFilterRuleV6 defines a BGP filter rule consisting + a single IPv6 CIDR block and a filter action for this CIDR. 
+ properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + importV4: + description: The ordered set of IPv4 BGPFilter rules acting on importing + routes from a peer. + items: + description: BGPFilterRuleV4 defines a BGP filter rule consisting + a single IPv4 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + importV6: + description: The ordered set of IPv6 BGPFilter rules acting on importing + routes from a peer. + items: + description: BGPFilterRuleV6 defines a BGP filter rule consisting + a single IPv6 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +# Source: calico/templates/kdd-crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: name: bgppeers.crd.projectcalico.org spec: @@ -228,6 +443,11 @@ spec: description: The AS Number of the peer. format: int32 type: integer + filters: + description: The ordered set of BGPFilters applied on this BGP peer. + items: + type: string + type: array keepOriginalNextHop: description: Option to keep the original nexthop field when routes are sent to a BGP Peer. Setting "true" configures the selected BGP 
@@ -774,6 +994,13 @@ spec: connections. The only reason to disable it is for debugging purposes. [Default: true]' type: boolean + bpfDSROptoutCIDRs: + description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded + from DSR. That is, clients in those CIDRs will accesses nodeports + as if BPFExternalServiceMode was set to Tunnel. + items: + type: string + type: array bpfDataIfacePattern: description: BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to in order to @@ -797,7 +1024,7 @@ spec: description: 'BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of what is the per-interfaces or global setting. Possible values are Disabled, Strict or Loose. [Default: - Strict]' + Loose]' type: string bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit @@ -1062,7 +1289,7 @@ spec: type: integer healthTimeoutOverrides: description: HealthTimeoutOverrides allows the internal watchdog timeouts - of individual subcomponents to be overriden. This is useful for + of individual subcomponents to be overridden. This is useful for working around "false positive" liveness timeouts that can occur in particularly stressful workloads or if CPU is constrained. For a list of active subcomponents, see Felix's logs. @@ -1122,6 +1349,12 @@ spec: type: string iptablesFilterAllowAction: type: string + iptablesFilterDenyAction: + description: IptablesFilterDenyAction controls what happens to traffic + that is denied by network policy. By default Calico blocks traffic + with an iptables "DROP" action. If you want to use "REJECT" action + instead you can configure it in here. + type: string iptablesLockFilePath: description: 'IptablesLockFilePath is the location of the iptables lock file. You may need to change this if the lock file is not in 
@@ -4035,3 +4268,715 @@ status: plural: "" conditions: [] storedVersions: [] +--- +# Source: calico/templates/calico-kube-controllers-rbac.yaml +# Include a clusterrole for the kube-controllers component, +# and bind it to the calico-kube-controllers serviceaccount. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-kube-controllers +rules: + # Nodes are watched to monitor for deletions. + - apiGroups: [""] + resources: + - nodes + verbs: + - watch + - list + - get + # Pods are watched to check for existence as part of IPAM controller. + - apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + # IPAM resources are manipulated in response to node and block updates, as well as periodic triggers. + - apiGroups: ["crd.projectcalico.org"] + resources: + - ipreservations + verbs: + - list + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete + - watch + # Pools are watched to maintain a mapping of blocks to IP pools. + - apiGroups: ["crd.projectcalico.org"] + resources: + - ippools + verbs: + - list + - watch + # kube-controllers manages hostendpoints. + - apiGroups: ["crd.projectcalico.org"] + resources: + - hostendpoints + verbs: + - get + - list + - create + - update + - delete + # Needs access to update clusterinformations. 
+ - apiGroups: ["crd.projectcalico.org"] + resources: + - clusterinformations + verbs: + - get + - list + - create + - update + - watch + # KubeControllersConfiguration is where it gets its config + - apiGroups: ["crd.projectcalico.org"] + resources: + - kubecontrollersconfigurations + verbs: + # read its own config + - get + # create a default if none exists + - create + # update status + - update + # watch for changes + - watch +--- +# Source: calico/templates/calico-node-rbac.yaml +# Include a clusterrole for the calico-node DaemonSet, +# and bind it to the calico-node serviceaccount. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-node +rules: + # Used for creating service account tokens to be used by the CNI plugin + - apiGroups: [""] + resources: + - serviceaccounts/token + resourceNames: + - calico-cni-plugin + verbs: + - create + # The CNI plugin needs to get pods, nodes, and namespaces. + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + # EndpointSlices are used for Service-based network policy rule + # enforcement. + - apiGroups: ["discovery.k8s.io"] + resources: + - endpointslices + verbs: + - watch + - list + - apiGroups: [""] + resources: + - endpoints + - services + verbs: + # Used to discover service IPs for advertisement. + - watch + - list + # Used to discover Typhas. + - get + # Pod CIDR auto-detection on kubeadm needs access to config maps. + - apiGroups: [""] + resources: + - configmaps + verbs: + - get + - apiGroups: [""] + resources: + - nodes/status + verbs: + # Needed for clearing NodeNetworkUnavailable flag. + - patch + # Calico stores some configuration information in node annotations. + - update + # Watch for changes to Kubernetes NetworkPolicies. + - apiGroups: ["networking.k8s.io"] + resources: + - networkpolicies + verbs: + - watch + - list + # Used by Calico for policy information. 
+ - apiGroups: [""] + resources: + - pods + - namespaces + - serviceaccounts + verbs: + - list + - watch + # The CNI plugin patches pods/status. + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + # Calico monitors various CRDs for config. + - apiGroups: ["crd.projectcalico.org"] + resources: + - globalfelixconfigs + - felixconfigurations + - bgppeers + - bgpfilters + - globalbgpconfigs + - bgpconfigurations + - ippools + - ipreservations + - ipamblocks + - globalnetworkpolicies + - globalnetworksets + - networkpolicies + - networksets + - clusterinformations + - hostendpoints + - blockaffinities + - caliconodestatuses + verbs: + - get + - list + - watch + # Calico must create and update some CRDs on startup. + - apiGroups: ["crd.projectcalico.org"] + resources: + - ippools + - felixconfigurations + - clusterinformations + verbs: + - create + - update + # Calico must update some CRDs. + - apiGroups: [ "crd.projectcalico.org" ] + resources: + - caliconodestatuses + verbs: + - update + # Calico stores some configuration information on the node. + - apiGroups: [""] + resources: + - nodes + verbs: + - get + - list + - watch + # These permissions are only required for upgrade from v2.6, and can + # be removed after upgrade or on fresh installations. + - apiGroups: ["crd.projectcalico.org"] + resources: + - bgpconfigurations + - bgppeers + verbs: + - create + - update + # These permissions are required for Calico CNI to perform IPAM allocations. + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete + # The CNI plugin and calico/node need to be able to create a default + # IPAMConfiguration + - apiGroups: ["crd.projectcalico.org"] + resources: + - ipamconfigs + verbs: + - get + - create + # Block affinities must also be watchable by confd for route aggregation. 
+ - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + verbs: + - watch + # The Calico IPAM migration needs to get daemonsets. These permissions can be + # removed if not upgrading from an installation using host-local IPAM. + - apiGroups: ["apps"] + resources: + - daemonsets + verbs: + - get +--- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs + verbs: + - get + - list + - create + - update + - delete +--- +# Source: calico/templates/calico-kube-controllers-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-kube-controllers +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-kube-controllers +subjects: +- kind: ServiceAccount + name: calico-kube-controllers + namespace: kube-system +--- +# Source: calico/templates/calico-node-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-node +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-node +subjects: +- kind: ServiceAccount + name: calico-node + namespace: kube-system +--- +# Source: calico/templates/calico-node-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system +--- +# Source: calico/templates/calico-node.yaml +# This manifest installs the 
calico-node container, as well +# as the CNI plugins and network config on +# each master and worker node in a Kubernetes cluster. +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: calico-node + namespace: kube-system + labels: + k8s-app: calico-node +spec: + selector: + matchLabels: + k8s-app: calico-node + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + k8s-app: calico-node + spec: + nodeSelector: + kubernetes.io/os: linux + hostNetwork: true + tolerations: + # Make sure calico-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + serviceAccountName: calico-node + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 0 + priorityClassName: system-node-critical + initContainers: + # This container performs upgrade from host-local IPAM to calico-ipam. + # It can be deleted if this is a fresh installation, or if you have already + # upgraded to use calico-ipam. + - name: upgrade-ipam + image: docker.io/calico/cni:v3.26.1 + imagePullPolicy: IfNotPresent + command: ["/opt/cni/bin/calico-ipam", "-upgrade"] + envFrom: + - configMapRef: + # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. 
+ name: kubernetes-services-endpoint + optional: true + env: + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CALICO_NETWORKING_BACKEND + valueFrom: + configMapKeyRef: + name: calico-config + key: calico_backend + volumeMounts: + - mountPath: /var/lib/cni/networks + name: host-local-net-dir + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + securityContext: + privileged: true + # This container installs the CNI binaries + # and CNI network config file on each node. + - name: install-cni + image: docker.io/calico/cni:v3.26.1 + imagePullPolicy: IfNotPresent + command: ["/opt/cni/bin/install"] + envFrom: + - configMapRef: + # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. + name: kubernetes-services-endpoint + optional: true + env: + # Name of the CNI config file to create. + - name: CNI_CONF_NAME + value: "10-calico.conflist" + # The CNI network config to install on each node. + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + name: calico-config + key: cni_network_config + # Set the hostname based on the k8s node name. + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # CNI MTU Config variable + - name: CNI_MTU + valueFrom: + configMapKeyRef: + name: calico-config + key: veth_mtu + # Prevents the container from sleeping forever. + - name: SLEEP + value: "false" + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + securityContext: + privileged: true + # This init container mounts the necessary filesystems needed by the BPF data plane + # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed + # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. 
+ - name: "mount-bpffs" + image: docker.io/calico/node:v3.26.1 + imagePullPolicy: IfNotPresent + command: ["calico-node", "-init", "-best-effort"] + volumeMounts: + - mountPath: /sys/fs + name: sys-fs + # Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host + # so that it outlives the init container. + mountPropagation: Bidirectional + - mountPath: /var/run/calico + name: var-run-calico + # Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host + # so that it outlives the init container. + mountPropagation: Bidirectional + # Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary, + # executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly. + - mountPath: /nodeproc + name: nodeproc + readOnly: true + securityContext: + privileged: true + containers: + # Runs calico-node container on each Kubernetes node. This + # container programs network policy and routes on each + # host. + - name: calico-node + image: docker.io/calico/node:v3.26.1 + imagePullPolicy: IfNotPresent + envFrom: + - configMapRef: + # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. + name: kubernetes-services-endpoint + optional: true + env: + # Use Kubernetes API as the backing datastore. + - name: DATASTORE_TYPE + value: "kubernetes" + # Wait for the datastore. + - name: WAIT_FOR_DATASTORE + value: "true" + # Set based on the k8s node name. + - name: NODENAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # Choose the backend to use. + - name: CALICO_NETWORKING_BACKEND + valueFrom: + configMapKeyRef: + name: calico-config + key: calico_backend + # Cluster type to identify the deployment type + - name: CLUSTER_TYPE + value: "k8s,bgp" + # Auto-detect the BGP IP address. 
+ - name: IP + value: "autodetect" + # Enable IPIP + - name: CALICO_IPV4POOL_IPIP + value: "Always" + # Enable or Disable VXLAN on the default IP pool. + - name: CALICO_IPV4POOL_VXLAN + value: "Never" + # Enable or Disable VXLAN on the default IPv6 IP pool. + - name: CALICO_IPV6POOL_VXLAN + value: "Never" + # Set MTU for tunnel device used if ipip is enabled + - name: FELIX_IPINIPMTU + valueFrom: + configMapKeyRef: + name: calico-config + key: veth_mtu + # Set MTU for the VXLAN tunnel device. + - name: FELIX_VXLANMTU + valueFrom: + configMapKeyRef: + name: calico-config + key: veth_mtu + # Set MTU for the Wireguard tunnel device. + - name: FELIX_WIREGUARDMTU + valueFrom: + configMapKeyRef: + name: calico-config + key: veth_mtu + # The default IPv4 pool to create on startup if none exists. Pod IPs will be + # chosen from this range. Changing this value after installation will have + # no effect. This should fall within `--cluster-cidr`. + # - name: CALICO_IPV4POOL_CIDR + # value: "192.168.0.0/16" + # Disable file logging so `kubectl logs` works. + - name: CALICO_DISABLE_FILE_LOGGING + value: "true" + # Set Felix endpoint to host default action to ACCEPT. + - name: FELIX_DEFAULTENDPOINTTOHOSTACTION + value: "ACCEPT" + # Disable IPv6 on Kubernetes. + - name: FELIX_IPV6SUPPORT + value: "false" + - name: FELIX_HEALTHENABLED + value: "true" + securityContext: + privileged: true + resources: + requests: + cpu: 250m + lifecycle: + preStop: + exec: + command: + - /bin/calico-node + - -shutdown + livenessProbe: + exec: + command: + - /bin/calico-node + - -felix-live + - -bird-live + periodSeconds: 10 + initialDelaySeconds: 10 + failureThreshold: 6 + timeoutSeconds: 10 + readinessProbe: + exec: + command: + - /bin/calico-node + - -felix-ready + - -bird-ready + periodSeconds: 10 + timeoutSeconds: 10 + volumeMounts: + # For maintaining CNI plugin API credentials. 
+ - mountPath: /host/etc/cni/net.d + name: cni-net-dir + readOnly: false + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + readOnly: false + - mountPath: /var/run/calico + name: var-run-calico + readOnly: false + - mountPath: /var/lib/calico + name: var-lib-calico + readOnly: false + - name: policysync + mountPath: /var/run/nodeagent + # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the + # parent directory. + - name: bpffs + mountPath: /sys/fs/bpf + - name: cni-log-dir + mountPath: /var/log/calico/cni + readOnly: true + volumes: + # Used by calico-node. + - name: lib-modules + hostPath: + path: /lib/modules + - name: var-run-calico + hostPath: + path: /var/run/calico + - name: var-lib-calico + hostPath: + path: /var/lib/calico + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate + - name: sys-fs + hostPath: + path: /sys/fs/ + type: DirectoryOrCreate + - name: bpffs + hostPath: + path: /sys/fs/bpf + type: Directory + # mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs. + - name: nodeproc + hostPath: + path: /proc + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: /opt/cni/bin + - name: cni-net-dir + hostPath: + path: /etc/cni/net.d + # Used to access CNI logs. + - name: cni-log-dir + hostPath: + path: /var/log/calico/cni + # Mount in the directory for host-local IPAM allocations. This is + # used when upgrading from host-local to calico-ipam, and can be removed + # if not using the upgrade-ipam init container. 
+ - name: host-local-net-dir + hostPath: + path: /var/lib/cni/networks + # Used to create per-pod Unix Domain Sockets + - name: policysync + hostPath: + type: DirectoryOrCreate + path: /var/run/nodeagent +--- +# Source: calico/templates/calico-kube-controllers.yaml +# See https://github.com/projectcalico/kube-controllers +apiVersion: apps/v1 +kind: Deployment +metadata: + name: calico-kube-controllers + namespace: kube-system + labels: + k8s-app: calico-kube-controllers +spec: + # The controllers can only have a single active instance. + replicas: 1 + selector: + matchLabels: + k8s-app: calico-kube-controllers + strategy: + type: Recreate + template: + metadata: + name: calico-kube-controllers + namespace: kube-system + labels: + k8s-app: calico-kube-controllers + spec: + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + serviceAccountName: calico-kube-controllers + priorityClassName: system-cluster-critical + containers: + - name: calico-kube-controllers + image: docker.io/calico/kube-controllers:v3.26.1 + imagePullPolicy: IfNotPresent + env: + # Choose which controllers to run. + - name: ENABLED_CONTROLLERS + value: node + - name: DATASTORE_TYPE + value: kubernetes + livenessProbe: + exec: + command: + - /usr/bin/check-status + - -l + periodSeconds: 10 + initialDelaySeconds: 10 + failureThreshold: 6 + timeoutSeconds: 10 + readinessProbe: + exec: + command: + - /usr/bin/check-status + - -r + periodSeconds: 10 diff --git a/katalog/calico/deploy.yml b/katalog/calico/deploy.yml deleted file mode 100644 index 429ef96..0000000 --- a/katalog/calico/deploy.yml +++ /dev/null 
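Review bot: The calico-kube-controllers Deployment at the end of this hunk has no pod or container securityContext, while the calico-node DaemonSet above it is explicitly privileged with hostPath mounts; unlike calico-node, kube-controllers only talks to the API server through its ServiceAccount and needs no host access, so it is the one workload in this package where a restrictive context costs nothing. I would add `allowPrivilegeEscalation: false`, drop all capabilities and set `readOnlyRootFilesystem: true` on the container, plus `runAsNonRoot: true` if the upstream image's user is confirmed non-root (not visible here). Since this is an intentional divergence from the upstream manifest, record it in MAINTENANCE.md so it is not lost on the next port, and let the e2e pipeline confirm the `/usr/bin/check-status` probes still pass with a read-only root filesystem.
```yaml
      containers:
        - name: calico-kube-controllers
          image: docker.io/calico/kube-controllers:v3.26.1
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          # … unchanged: env, livenessProbe, readinessProbe …
```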
@@ -1,64 +0,0 @@ -# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - ---- -# Source: calico/templates/calico-kube-controllers.yaml -# See https://github.com/projectcalico/kube-controllers -apiVersion: apps/v1 -kind: Deployment -metadata: - name: calico-kube-controllers - labels: - k8s-app: calico-kube-controllers -spec: - # The controllers can only have a single active instance. - replicas: 1 - selector: - matchLabels: - k8s-app: calico-kube-controllers - strategy: - type: Recreate - template: - metadata: - name: calico-kube-controllers - labels: - k8s-app: calico-kube-controllers - spec: - nodeSelector: - kubernetes.io/os: linux - tolerations: - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - key: node-role.kubernetes.io/master - effect: NoSchedule - - key: node-role.kubernetes.io/control-plane - effect: NoSchedule - serviceAccountName: calico-kube-controllers - priorityClassName: system-cluster-critical - containers: - - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:v3.25.0 - imagePullPolicy: IfNotPresent - env: - # Choose which controllers to run. - - name: ENABLED_CONTROLLERS - value: node - - name: DATASTORE_TYPE - value: kubernetes - livenessProbe: - exec: - command: - - /usr/bin/check-status - - -l - periodSeconds: 10 - initialDelaySeconds: 10 - failureThreshold: 6 - timeoutSeconds: 10 - readinessProbe: - exec: - command: - - /usr/bin/check-status - - -r - periodSeconds: 10 diff --git a/katalog/calico/ds.yml b/katalog/calico/ds.yml deleted file mode 100644 index 702c8ff..0000000 --- a/katalog/calico/ds.yml +++ /dev/null 
@@ -1,325 +0,0 @@ -# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - ---- -# Source: calico/templates/calico-node.yaml -# This manifest installs the calico-node container, as well -# as the CNI plugins and network config on -# each master and worker node in a Kubernetes cluster. -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: calico-node - labels: - k8s-app: calico-node -spec: - selector: - matchLabels: - k8s-app: calico-node - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - labels: - k8s-app: calico-node - spec: - nodeSelector: - kubernetes.io/os: linux - hostNetwork: true - tolerations: - # Make sure calico-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - serviceAccountName: calico-node - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 0 - priorityClassName: system-node-critical - initContainers: - # This container performs upgrade from host-local IPAM to calico-ipam. - # It can be deleted if this is a fresh installation, or if you have already - # upgraded to use calico-ipam. - - name: upgrade-ipam - image: docker.io/calico/cni:v3.25.0 - imagePullPolicy: IfNotPresent - command: ["/opt/cni/bin/calico-ipam", "-upgrade"] - envFrom: - - configMapRef: - # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. 
- name: kubernetes-services-endpoint - optional: true - env: - - name: KUBERNETES_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: CALICO_NETWORKING_BACKEND - valueFrom: - configMapKeyRef: - name: calico-config - key: calico_backend - volumeMounts: - - mountPath: /var/lib/cni/networks - name: host-local-net-dir - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - securityContext: - privileged: true - # This container installs the CNI binaries - # and CNI network config file on each node. - - name: install-cni - image: docker.io/calico/cni:v3.25.0 - imagePullPolicy: IfNotPresent - command: ["/opt/cni/bin/install"] - envFrom: - - configMapRef: - # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. - name: kubernetes-services-endpoint - optional: true - env: - # Name of the CNI config file to create. - - name: CNI_CONF_NAME - value: "10-calico.conflist" - # The CNI network config to install on each node. - - name: CNI_NETWORK_CONFIG - valueFrom: - configMapKeyRef: - name: calico-config - key: cni_network_config - # Set the hostname based on the k8s node name. - - name: KUBERNETES_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - # CNI MTU Config variable - - name: CNI_MTU - valueFrom: - configMapKeyRef: - name: calico-config - key: veth_mtu - # Prevents the container from sleeping forever. - - name: SLEEP - value: "false" - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - securityContext: - privileged: true - # This init container mounts the necessary filesystems needed by the BPF data plane - # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed - # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. 
- - name: "mount-bpffs" - image: docker.io/calico/node:v3.25.0 - imagePullPolicy: IfNotPresent - command: ["calico-node", "-init", "-best-effort"] - volumeMounts: - - mountPath: /sys/fs - name: sys-fs - # Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host - # so that it outlives the init container. - mountPropagation: Bidirectional - - mountPath: /var/run/calico - name: var-run-calico - # Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host - # so that it outlives the init container. - mountPropagation: Bidirectional - # Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary, - # executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly. - - mountPath: /nodeproc - name: nodeproc - readOnly: true - securityContext: - privileged: true - containers: - # Runs calico-node container on each Kubernetes node. This - # container programs network policy and routes on each - # host. - - name: calico-node - image: docker.io/calico/node:v3.25.0 - imagePullPolicy: IfNotPresent - envFrom: - - configMapRef: - # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. - name: kubernetes-services-endpoint - optional: true - env: - # Use Kubernetes API as the backing datastore. - - name: DATASTORE_TYPE - value: "kubernetes" - # Wait for the datastore. - - name: WAIT_FOR_DATASTORE - value: "true" - # Set based on the k8s node name. - - name: NODENAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - # Choose the backend to use. - - name: CALICO_NETWORKING_BACKEND - valueFrom: - configMapKeyRef: - name: calico-config - key: calico_backend - # Cluster type to identify the deployment type - - name: CLUSTER_TYPE - value: "k8s,bgp" - # Auto-detect the BGP IP address. 
- - name: IP - value: "autodetect" - # Enable IPIP - - name: CALICO_IPV4POOL_IPIP - value: "Always" - # Enable or Disable VXLAN on the default IP pool. - - name: CALICO_IPV4POOL_VXLAN - value: "Never" - # Enable or Disable VXLAN on the default IPv6 IP pool. - - name: CALICO_IPV6POOL_VXLAN - value: "Never" - # Set MTU for tunnel device used if ipip is enabled - - name: FELIX_IPINIPMTU - valueFrom: - configMapKeyRef: - name: calico-config - key: veth_mtu - # Set MTU for the VXLAN tunnel device. - - name: FELIX_VXLANMTU - valueFrom: - configMapKeyRef: - name: calico-config - key: veth_mtu - # Set MTU for the Wireguard tunnel device. - - name: FELIX_WIREGUARDMTU - valueFrom: - configMapKeyRef: - name: calico-config - key: veth_mtu - # The default IPv4 pool to create on startup if none exists. Pod IPs will be - # chosen from this range. Changing this value after installation will have - # no effect. This should fall within `--cluster-cidr`. - # - name: CALICO_IPV4POOL_CIDR - # value: "192.168.0.0/16" - # Disable file logging so `kubectl logs` works. - - name: CALICO_DISABLE_FILE_LOGGING - value: "true" - # Set Felix endpoint to host default action to ACCEPT. - - name: FELIX_DEFAULTENDPOINTTOHOSTACTION - value: "ACCEPT" - # Disable IPv6 on Kubernetes. - - name: FELIX_IPV6SUPPORT - value: "false" - - name: FELIX_HEALTHENABLED - value: "true" - securityContext: - privileged: true - resources: - requests: - cpu: 250m - lifecycle: - preStop: - exec: - command: - - /bin/calico-node - - -shutdown - livenessProbe: - exec: - command: - - /bin/calico-node - - -felix-live - - -bird-live - periodSeconds: 10 - initialDelaySeconds: 10 - failureThreshold: 6 - timeoutSeconds: 10 - readinessProbe: - exec: - command: - - /bin/calico-node - - -felix-ready - - -bird-ready - periodSeconds: 10 - timeoutSeconds: 10 - volumeMounts: - # For maintaining CNI plugin API credentials. 
- - mountPath: /host/etc/cni/net.d - name: cni-net-dir - readOnly: false - - mountPath: /lib/modules - name: lib-modules - readOnly: true - - mountPath: /run/xtables.lock - name: xtables-lock - readOnly: false - - mountPath: /var/run/calico - name: var-run-calico - readOnly: false - - mountPath: /var/lib/calico - name: var-lib-calico - readOnly: false - - name: policysync - mountPath: /var/run/nodeagent - # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the - # parent directory. - - name: bpffs - mountPath: /sys/fs/bpf - - name: cni-log-dir - mountPath: /var/log/calico/cni - readOnly: true - volumes: - # Used by calico-node. - - name: lib-modules - hostPath: - path: /lib/modules - - name: var-run-calico - hostPath: - path: /var/run/calico - - name: var-lib-calico - hostPath: - path: /var/lib/calico - - name: xtables-lock - hostPath: - path: /run/xtables.lock - type: FileOrCreate - - name: sys-fs - hostPath: - path: /sys/fs/ - type: DirectoryOrCreate - - name: bpffs - hostPath: - path: /sys/fs/bpf - type: Directory - # mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs. - - name: nodeproc - hostPath: - path: /proc - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: /opt/cni/bin - - name: cni-net-dir - hostPath: - path: /etc/cni/net.d - # Used to access CNI logs. - - name: cni-log-dir - hostPath: - path: /var/log/calico/cni - # Mount in the directory for host-local IPAM allocations. This is - # used when upgrading from host-local to calico-ipam, and can be removed - # if not using the upgrade-ipam init container. - - name: host-local-net-dir - hostPath: - path: /var/lib/cni/networks - # Used to create per-pod Unix Domain Sockets - - name: policysync - hostPath: - type: DirectoryOrCreate - path: /var/run/nodeagent diff --git a/katalog/calico/kustomization.yaml b/katalog/calico/kustomization.yaml index f67a177..65c28eb 100644 --- a/katalog/calico/kustomization.yaml 
+++ b/katalog/calico/kustomization.yaml @@ -8,27 +8,24 @@ kind: Kustomization namespace: kube-system images: - - name: docker.io/calico/kube-controllers - newName: registry.sighup.io/fury/calico/kube-controllers - - name: docker.io/calico/cni - newName: registry.sighup.io/fury/calico/cni - - name: docker.io/calico/pod2daemon-flexvol - newName: registry.sighup.io/fury/calico/pod2daemon-flexvol - - name: docker.io/calico/node - newName: registry.sighup.io/fury/calico/node +- name: docker.io/calico/cni + newName: registry.sighup.io/fury/calico/cni + newTag: v3.26.1 +- name: docker.io/calico/kube-controllers + newName: registry.sighup.io/fury/calico/kube-controllers + newTag: v3.26.1 +- name: docker.io/calico/node + newName: registry.sighup.io/fury/calico/node + newTag: v3.26.1 +- name: docker.io/calico/pod2daemon-flexvol + newName: registry.sighup.io/fury/calico/pod2daemon-flexvol -resources: - - config.yml - - crd.yml - - sa.yml - - deploy.yml - - ds.yml - - rbac.yml - - pdb.yml # Resources needed for Monitoring - - monitoring +resources: +- deploy.yaml +- monitoring # Patch to enable metrics on Felix (calico-node DaemonSet) # we need to do this at this level, because the base is out of monitoring/ patchesStrategicMerge: - - "monitoring/felix-enable-metrics.yaml" +- monitoring/felix-enable-metrics.yaml diff --git a/katalog/calico/monitoring/felix-enable-metrics.yaml b/katalog/calico/monitoring/felix-enable-metrics.yaml index abe7cdf..5abc244 100644 --- a/katalog/calico/monitoring/felix-enable-metrics.yaml +++ b/katalog/calico/monitoring/felix-enable-metrics.yaml @@ -7,6 +7,7 @@ apiVersion: apps/v1 kind: DaemonSet metadata: name: calico-node + namespace: kube-system spec: template: spec: diff --git a/katalog/calico/pdb.yml b/katalog/calico/pdb.yml deleted file mode 100644 index 5e3ebd7..0000000 --- a/katalog/calico/pdb.yml +++ /dev/null 
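Review bot: The `docker.io/calico/pod2daemon-flexvol` entry is the only image in the new `images:` list without a `newTag`, while `cni`, `kube-controllers` and `node` are all pinned to `v3.26.1`; a `newName` rewrite alone leaves its tag to whatever the referencing manifest carries, so either pin it the same way (`newTag: v3.26.1`) or drop it. The deleted `ds.yml` (v3.25.0) above already has no flexvol init container, so the entry looks dead and removing it is probably the cleaner fix — worth confirming against the new `deploy.yaml`, whose start is outside this view. Separately, `pdb.yml` is removed from `resources:` and the visible tail of the new `deploy.yaml` ends with the kube-controllers Deployment; if the consolidated file carries no PodDisruptionBudget, the eviction budget for `calico-kube-controllers` is silently lost and should be re-added or the removal called out in the commit description.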
@@ -1,19 +0,0 @@ -# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - ---- -# Source: calico/templates/calico-kube-controllers.yaml -# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict - -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: calico-kube-controllers - labels: - k8s-app: calico-kube-controllers -spec: - maxUnavailable: 1 - selector: - matchLabels: - k8s-app: calico-kube-controllers diff --git a/katalog/calico/rbac.yml b/katalog/calico/rbac.yml deleted file mode 100644 index d279c7f..0000000 --- a/katalog/calico/rbac.yml +++ /dev/null 
@@ -1,282 +0,0 @@ -# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - ---- -# Source: calico/templates/calico-kube-controllers-rbac.yaml -# Include a clusterrole for the kube-controllers component, -# and bind it to the calico-kube-controllers serviceaccount. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: calico-kube-controllers -rules: - # Nodes are watched to monitor for deletions. - - apiGroups: [""] - resources: - - nodes - verbs: - - watch - - list - - get - # Pods are watched to check for existence as part of IPAM controller. - - apiGroups: [""] - resources: - - pods - verbs: - - get - - list - - watch - # IPAM resources are manipulated in response to node and block updates, as well as periodic triggers. - - apiGroups: ["crd.projectcalico.org"] - resources: - - ipreservations - verbs: - - list - - apiGroups: ["crd.projectcalico.org"] - resources: - - blockaffinities - - ipamblocks - - ipamhandles - verbs: - - get - - list - - create - - update - - delete - - watch - # Pools are watched to maintain a mapping of blocks to IP pools. - - apiGroups: ["crd.projectcalico.org"] - resources: - - ippools - verbs: - - list - - watch - # kube-controllers manages hostendpoints. - - apiGroups: ["crd.projectcalico.org"] - resources: - - hostendpoints - verbs: - - get - - list - - create - - update - - delete - # Needs access to update clusterinformations. 
- - apiGroups: ["crd.projectcalico.org"] - resources: - - clusterinformations - verbs: - - get - - list - - create - - update - - watch - # KubeControllersConfiguration is where it gets its config - - apiGroups: ["crd.projectcalico.org"] - resources: - - kubecontrollersconfigurations - verbs: - # read its own config - - get - # create a default if none exists - - create - # update status - - update - # watch for changes - - watch ---- -# Source: calico/templates/calico-node-rbac.yaml -# Include a clusterrole for the calico-node DaemonSet, -# and bind it to the calico-node serviceaccount. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: calico-node -rules: - # Used for creating service account tokens to be used by the CNI plugin - - apiGroups: [""] - resources: - - serviceaccounts/token - resourceNames: - - calico-node - verbs: - - create - # The CNI plugin needs to get pods, nodes, and namespaces. - - apiGroups: [""] - resources: - - pods - - nodes - - namespaces - verbs: - - get - # EndpointSlices are used for Service-based network policy rule - # enforcement. - - apiGroups: ["discovery.k8s.io"] - resources: - - endpointslices - verbs: - - watch - - list - - apiGroups: [""] - resources: - - endpoints - - services - verbs: - # Used to discover service IPs for advertisement. - - watch - - list - # Used to discover Typhas. - - get - # Pod CIDR auto-detection on kubeadm needs access to config maps. - - apiGroups: [""] - resources: - - configmaps - verbs: - - get - - apiGroups: [""] - resources: - - nodes/status - verbs: - # Needed for clearing NodeNetworkUnavailable flag. - - patch - # Calico stores some configuration information in node annotations. - - update - # Watch for changes to Kubernetes NetworkPolicies. - - apiGroups: ["networking.k8s.io"] - resources: - - networkpolicies - verbs: - - watch - - list - # Used by Calico for policy information. 
- - apiGroups: [""] - resources: - - pods - - namespaces - - serviceaccounts - verbs: - - list - - watch - # The CNI plugin patches pods/status. - - apiGroups: [""] - resources: - - pods/status - verbs: - - patch - # Calico monitors various CRDs for config. - - apiGroups: ["crd.projectcalico.org"] - resources: - - globalfelixconfigs - - felixconfigurations - - bgppeers - - globalbgpconfigs - - bgpconfigurations - - ippools - - ipreservations - - ipamblocks - - globalnetworkpolicies - - globalnetworksets - - networkpolicies - - networksets - - clusterinformations - - hostendpoints - - blockaffinities - - caliconodestatuses - verbs: - - get - - list - - watch - # Calico must create and update some CRDs on startup. - - apiGroups: ["crd.projectcalico.org"] - resources: - - ippools - - felixconfigurations - - clusterinformations - verbs: - - create - - update - # Calico must update some CRDs. - - apiGroups: ["crd.projectcalico.org"] - resources: - - caliconodestatuses - verbs: - - update - # Calico stores some configuration information on the node. - - apiGroups: [""] - resources: - - nodes - verbs: - - get - - list - - watch - # These permissions are only required for upgrade from v2.6, and can - # be removed after upgrade or on fresh installations. - - apiGroups: ["crd.projectcalico.org"] - resources: - - bgpconfigurations - - bgppeers - verbs: - - create - - update - # These permissions are required for Calico CNI to perform IPAM allocations. - - apiGroups: ["crd.projectcalico.org"] - resources: - - blockaffinities - - ipamblocks - - ipamhandles - verbs: - - get - - list - - create - - update - - delete - # The CNI plugin and calico/node need to be able to create a default - # IPAMConfiguration - - apiGroups: ["crd.projectcalico.org"] - resources: - - ipamconfigs - verbs: - - get - - create - # Block affinities must also be watchable by confd for route aggregation. 
- - apiGroups: ["crd.projectcalico.org"] - resources: - - blockaffinities - verbs: - - watch - # The Calico IPAM migration needs to get daemonsets. These permissions can be - # removed if not upgrading from an installation using host-local IPAM. - - apiGroups: ["apps"] - resources: - - daemonsets - verbs: - - get ---- -# Source: calico/templates/calico-kube-controllers-rbac.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: calico-kube-controllers -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: calico-kube-controllers -subjects: -- kind: ServiceAccount - name: calico-kube-controllers - namespace: kube-system ---- -# Source: calico/templates/calico-node-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: calico-node -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: calico-node -subjects: -- kind: ServiceAccount - name: calico-node - namespace: kube-system diff --git a/katalog/calico/sa.yml b/katalog/calico/sa.yml deleted file mode 100644 index cd34fe4..0000000 --- a/katalog/calico/sa.yml +++ /dev/null @@ -1,15 +0,0 @@ -# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. ---- -# Source: calico/templates/calico-kube-controllers.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: calico-kube-controllers ---- -# Source: calico/templates/calico-node.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: calico-node diff --git a/katalog/tigera/MAINTENANCE.md b/katalog/tigera/MAINTENANCE.md index c977c6d..577de56 100644 --- a/katalog/tigera/MAINTENANCE.md +++ b/katalog/tigera/MAINTENANCE.md 
@@ -10,9 +10,9 @@ Here are the installation notes: To update the YAML file, run the following command: ```bash -# assuming $PWD is the root of the repository -export CALICO_VERSION="3.25.0" -curl "https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests/tigera-operator.yaml" --output katalog/tigera/operator/tigera-operator.yaml +# assuming katalog/tigera is the root of the repository +export CALICO_VERSION="3.26.1" +curl "https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests/tigera-operator.yaml" --output operator/tigera-operator.yaml ``` No customizations are made. @@ -27,9 +27,9 @@ Here is the documentation To download the default configuration from upstream and update the file use the following commands: ```bash -# assuming $PWD is the root of the repository -export CALICO_VERSION="3.25.0" -curl https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests/custom-resources.yaml -O katalog/tigera/on-prem/custom-resources.yaml +# assuming katalog/tigera is the root of the repository +export CALICO_VERSION="3.26.1" +curl https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests/custom-resources.yaml --output on-prem/custom-resources.yaml ``` ### Customizations 
@@ -50,10 +50,10 @@ To get the dashboards you can use the following commands: ```bash # ⚠️ Assuming $PWD == root of the project -export CALICO_VERSION=3.25 +export CALICO_VERSION=3.26.1 # we split the upstream file and store only the json files -curl https://projectcalico.docs.tigera.io/archive/v${CALICO_VERSION}/manifests/grafana-dashboards.yaml | yq '.data["felix-dashboard.json"]' | sed 's/calico-demo-prometheus/prometheus/g' | jq > ./katalog/tigera/on-prem/monitoring/dashboards/felix-dashboard.json -curl https://projectcalico.docs.tigera.io/archive/v${CALICO_VERSION}/manifests/grafana-dashboards.yaml | yq '.data["typha-dashboard.json"]' | sed 's/calico-demo-prometheus/prometheus/g' | jq > ./katalog/tigera/on-prem/monitoring/dashboards/typa-dashboard.json +curl -L https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests/grafana-dashboards.yaml | yq '.data["felix-dashboard.json"]' | sed 's/calico-demo-prometheus/prometheus/g' | jq > ./on-prem/monitoring/dashboards/felix-dashboard.json +curl -L https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests/grafana-dashboards.yaml | yq '.data["typha-dashboard.json"]' | sed 's/calico-demo-prometheus/prometheus/g' | jq > ./on-prem/monitoring/dashboards/typa-dashboard.json ``` #### Alerts diff --git a/katalog/tigera/operator/tigera-operator.yaml b/katalog/tigera/operator/tigera-operator.yaml index 2400d20..0bbea6f 100644 --- a/katalog/tigera/operator/tigera-operator.yaml +++ b/katalog/tigera/operator/tigera-operator.yaml @@ -2,6 +2,7 @@ # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. +--- apiVersion: v1 kind: Namespace metadata: 
@@ -196,6 +197,131 @@ status: conditions: [] storedVersions: [] +--- +# Source: crds/calico/crd.projectcalico.org_bgpfilters.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: bgpfilters.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BGPFilter + listKind: BGPFilterList + plural: bgpfilters + singular: bgpfilter + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of + the BGP Filter. + properties: + exportV4: + description: The ordered set of IPv4 BGPFilter rules acting on exporting + routes to a peer. + items: + description: BGPFilterRuleV4 defines a BGP filter rule consisting + a single IPv4 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + exportV6: + description: The ordered set of IPv6 BGPFilter rules acting on exporting + routes to a peer. 
+ items: + description: BGPFilterRuleV6 defines a BGP filter rule consisting + a single IPv6 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + importV4: + description: The ordered set of IPv4 BGPFilter rules acting on importing + routes from a peer. + items: + description: BGPFilterRuleV4 defines a BGP filter rule consisting + a single IPv4 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + importV6: + description: The ordered set of IPv6 BGPFilter rules acting on importing + routes from a peer. + items: + description: BGPFilterRuleV6 defines a BGP filter rule consisting + a single IPv6 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + --- # Source: crds/calico/crd.projectcalico.org_bgppeers.yaml apiVersion: apiextensions.k8s.io/v1 @@ -235,6 +361,11 @@ spec: description: The AS Number of the peer. format: int32 type: integer + filters: + description: The ordered set of BGPFilters applied on this BGP peer. + items: + type: string + type: array keepOriginalNextHop: description: Option to keep the original nexthop field when routes are sent to a BGP Peer. Setting "true" configures the selected BGP 
@@ -785,6 +916,13 @@ spec: connections. The only reason to disable it is for debugging purposes. [Default: true]' type: boolean + bpfDSROptoutCIDRs: + description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded + from DSR. That is, clients in those CIDRs will accesses nodeports + as if BPFExternalServiceMode was set to Tunnel. + items: + type: string + type: array bpfDataIfacePattern: description: BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to in order to @@ -808,7 +946,7 @@ spec: description: 'BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of what is the per-interfaces or global setting. Possible values are Disabled, Strict or Loose. [Default: - Strict]' + Loose]' type: string bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit @@ -1073,7 +1211,7 @@ spec: type: integer healthTimeoutOverrides: description: HealthTimeoutOverrides allows the internal watchdog timeouts - of individual subcomponents to be overriden. This is useful for + of individual subcomponents to be overridden. This is useful for working around "false positive" liveness timeouts that can occur in particularly stressful workloads or if CPU is constrained. For a list of active subcomponents, see Felix's logs. @@ -1133,6 +1271,12 @@ spec: type: string iptablesFilterAllowAction: type: string + iptablesFilterDenyAction: + description: IptablesFilterDenyAction controls what happens to traffic + that is denied by network policy. By default Calico blocks traffic + with an iptables "DROP" action. If you want to use "REJECT" action + instead you can configure it in here. + type: string iptablesLockFilePath: description: 'IptablesLockFilePath is the location of the iptables lock file. You may need to change this if the lock file is not in 
@@ -4060,8 +4204,6 @@ status: --- # Source: crds/operator.tigera.io_apiservers_crd.yaml - ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -5421,8 +5563,6 @@ status: --- # Source: crds/operator.tigera.io_imagesets_crd.yaml - ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -5501,13 +5641,11 @@ status: --- # Source: crds/operator.tigera.io_installations_crd.yaml - ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.3.0 + controller-gen.kubebuilder.io/version: v0.11.3 name: installations.operator.tigera.io spec: group: operator.tigera.io @@ -5744,6 +5882,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, @@ -5863,10 +6002,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling @@ -5964,6 +6105,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -5975,9 +6117,6 @@ spec: or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is - only honored when PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -6039,6 +6178,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names 
@@ -6048,7 +6188,7 @@ spec: field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -6163,6 +6303,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies @@ -6172,10 +6313,7 @@ spec: field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) - matches all namespaces. This field - is beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + matches all namespaces. properties: matchExpressions: description: matchExpressions is @@ -6233,6 +6371,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that @@ -6241,7 +6380,7 @@ spec: in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -6358,6 +6497,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -6369,9 +6509,6 @@ spec: or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is - only honored when PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -6433,6 +6570,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names 
@@ -6442,7 +6580,7 @@ spec: field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -6557,6 +6695,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies @@ -6566,10 +6705,7 @@ spec: field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) - matches all namespaces. This field - is beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + matches all namespaces. properties: matchExpressions: description: matchExpressions is @@ -6627,6 +6763,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that @@ -6635,7 +6772,7 @@ spec: in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -7163,6 +7300,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, @@ -7282,10 +7420,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling @@ -7383,6 +7523,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the 
@@ -7394,9 +7535,6 @@ spec: or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is - only honored when PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -7458,6 +7596,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -7467,7 +7606,7 @@ spec: field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -7582,6 +7721,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies @@ -7591,10 +7731,7 @@ spec: field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) - matches all namespaces. This field - is beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + matches all namespaces. properties: matchExpressions: description: matchExpressions is @@ -7652,6 +7789,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that @@ -7660,7 +7798,7 @@ spec: in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -7777,6 +7915,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the 
@@ -7788,9 +7927,6 @@ spec: or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is - only honored when PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -7852,6 +7988,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -7861,7 +7998,7 @@ spec: field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -7976,6 +8113,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies @@ -7985,10 +8123,7 @@ spec: field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) - matches all namespaces. This field - is beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + matches all namespaces. properties: matchExpressions: description: matchExpressions is @@ -8046,6 +8181,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that @@ -8054,7 +8190,7 @@ spec: in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -8465,6 +8601,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, 
@@ -8584,10 +8721,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling @@ -8685,6 +8824,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -8696,9 +8836,6 @@ spec: or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is - only honored when PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -8760,6 +8897,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -8769,7 +8907,7 @@ spec: field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -8884,6 +9022,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies @@ -8893,10 +9032,7 @@ spec: field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) - matches all namespaces. This field - is beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + matches all namespaces. properties: matchExpressions: description: matchExpressions is @@ -8954,6 +9090,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that 
@@ -8962,7 +9099,7 @@ spec: in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -9079,6 +9216,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -9090,9 +9228,6 @@ spec: or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is - only honored when PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -9154,6 +9289,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -9163,7 +9299,7 @@ spec: field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -9278,6 +9414,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies @@ -9287,10 +9424,7 @@ spec: field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) - matches all namespaces. This field - is beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + matches all namespaces. properties: matchExpressions: description: matchExpressions is @@ -9348,6 +9482,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that 
@@ -9356,7 +9491,7 @@ spec: in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array 
@@ -9705,458 +9840,88 @@ spec: type: string type: object type: array - fipsMode: - description: 'FIPSMode uses images and features only that are using - FIPS 140-2 validated cryptographic modules and standards. Default: - Disabled' - enum: - - Enabled - - Disabled - type: string - flexVolumePath: - description: FlexVolumePath optionally specifies a custom path for - FlexVolume. If not specified, FlexVolume will be enabled by default. - If set to 'None', FlexVolume will be disabled. The default is based - on the kubernetesProvider. - type: string - imagePath: - description: "ImagePath allows for the path part of an image to be - specified. If specified then the specified value will be used as - the image path for each image. If not specified or empty, the default - for each image will be used. A special case value, UseDefault, is - supported to explicitly specify the default image path will be used - for each image. \n Image format: `/:` - \n This option allows configuring the `` portion of the - above format." - type: string - imagePrefix: - description: "ImagePrefix allows for the prefix part of an image to - be specified. If specified then the given value will be used as - a prefix on each image. If not specified or empty, no prefix will - be used. A special case value, UseDefault, is supported to explicitly - specify the default image prefix will be used for each image. \n - Image format: `/:` - \n This option allows configuring the `` portion of - the above format." - type: string - imagePullSecrets: - description: ImagePullSecrets is an array of references to container - registry pull secrets to use. These are applied to all images to - be pulled. - items: - description: LocalObjectReference contains enough information to - let you locate the referenced object inside the same namespace. - properties: - name: - description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - type: array - kubeletVolumePluginPath: - description: 'KubeletVolumePluginPath optionally specifies enablement - of Calico CSI plugin. If not specified, CSI will be enabled by default. - If set to ''None'', CSI will be disabled. Default: /var/lib/kubelet' - type: string - kubernetesProvider: - description: KubernetesProvider specifies a particular provider of - the Kubernetes platform and enables provider-specific configuration. - If the specified value is empty, the Operator will attempt to automatically - determine the current provider. If the specified value is not empty, - the Operator will still attempt auto-detection, but will additionally - compare the auto-detected value to the specified value to confirm - they match. - enum: - - "" - - EKS - - GKE - - AKS - - OpenShift - - DockerEnterprise - - RKE2 - type: string - nodeMetricsPort: - description: NodeMetricsPort specifies which port calico/node serves - prometheus metrics on. By default, metrics are not enabled. If specified, - this overrides any FelixConfiguration resources which may exist. - If omitted, then prometheus metrics may still be configured through - FelixConfiguration. - format: int32 - type: integer - nodeUpdateStrategy: - description: NodeUpdateStrategy can be used to customize the desired - update strategy, such as the MaxUnavailable field. + csiNodeDriverDaemonSet: + description: CSINodeDriverDaemonSet configures the csi-node-driver + DaemonSet. properties: - rollingUpdate: - description: 'Rolling update config params. Present only if type - = "RollingUpdate". --- TODO: Update this to follow our convention - for oneOf, whatever we decide it to be. Same as Deployment `strategy.rollingUpdate`. 
- See https://github.com/kubernetes/kubernetes/issues/35345' + metadata: + description: Metadata is a subset of a Kubernetes object's metadata + that is added to the DaemonSet. properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: 'The maximum number of nodes with an existing - available DaemonSet pod that can have an updated DaemonSet - pod during during an update. Value can be an absolute number - (ex: 5) or a percentage of desired pods (ex: 10%). This - can not be 0 if MaxUnavailable is 0. Absolute number is - calculated from percentage by rounding up to a minimum of - 1. Default value is 0. Example: when this is set to 30%, - at most 30% of the total number of nodes that should be - running the daemon pod (i.e. status.desiredNumberScheduled) - can have their a new pod created before the old pod is marked - as deleted. The update starts by launching new pods on 30% - of nodes. Once an updated pod is available (Ready for at - least minReadySeconds) the old DaemonSet pod on that node - is marked deleted. If the old pod becomes unavailable for - any reason (Ready transitions to false, is evicted, or is - drained) an updated pod is immediatedly created on that - node without considering surge limits. Allowing surge implies - the possibility that the resources consumed by the daemonset - on any given node can double if the readiness check fails, - and so resource intensive daemonsets should take into account - that they may cause evictions during disruption. This is - beta field and enabled/disabled by DaemonSetUpdateSurge - feature gate.' - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: 'The maximum number of DaemonSet pods that can - be unavailable during the update. Value can be an absolute - number (ex: 5) or a percentage of total number of DaemonSet - pods at the start of the update (ex: 10%). Absolute number - is calculated from percentage by rounding up. 
This cannot - be 0 if MaxSurge is 0 Default value is 1. Example: when - this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their pods stopped for an update at any given time. - The update starts by stopping at most 30% of those DaemonSet - pods and then brings up new DaemonSet pods in their place. - Once the new pods are available, it then proceeds onto other - DaemonSet pods, thus ensuring that at least 70% of original - number of DaemonSet pods are available at all times during - the update.' - x-kubernetes-int-or-string: true + annotations: + additionalProperties: + type: string + description: Annotations is a map of arbitrary non-identifying + metadata. Each of these key/value pairs are added to the + object's annotations provided the key does not already exist + in the object's annotations. + type: object + labels: + additionalProperties: + type: string + description: Labels is a map of string keys and values that + may match replicaset and service selectors. Each of these + key/value pairs are added to the object's labels provided + the key does not already exist in the object's labels. + type: object type: object - type: - description: Type of daemon set update. Can be "RollingUpdate" - or "OnDelete". Default is RollingUpdate. - type: string - type: object - nonPrivileged: - description: NonPrivileged configures Calico to be run in non-privileged - containers as non-root users where possible. - type: string - registry: - description: "Registry is the default Docker registry used for component - Docker images. If specified then the given value must end with a - slash character (`/`) and all images will be pulled from this registry. - If not specified then the default registries will be used. A special - case value, UseDefault, is supported to explicitly specify the default - registries will be used. 
\n Image format: `/:` - \n This option allows configuring the `` portion of the - above format." - type: string - typhaAffinity: - description: Deprecated. Please use Installation.Spec.TyphaDeployment - instead. TyphaAffinity allows configuration of node affinity characteristics - for Typha pods. - properties: - nodeAffinity: - description: NodeAffinity describes node affinity scheduling rules - for typha. + spec: + description: Spec is the specification of the csi-node-driver + DaemonSet. properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to - nodes that satisfy the affinity expressions specified by - this field, but it may choose a node that violates one or - more of the expressions. - items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects (i.e. - is also a no-op). - properties: - preference: - description: A node selector term, associated with the - corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: A node selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: Represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists, DoesNotExist. Gt, and - Lt. - type: string - values: - description: An array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values array - must be empty. If the operator is Gt or - Lt, the values array must have a single - element, which will be interpreted as an - integer. This array is replaced during a - strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: A node selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: Represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists, DoesNotExist. Gt, and - Lt. - type: string - values: - description: An array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values array - must be empty. If the operator is Gt or - Lt, the values array must have a single - element, which will be interpreted as an - integer. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: Weight associated with matching the corresponding - nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: 'WARNING: Please note that if the affinity requirements - specified by this field are not met at scheduling time, - the pod will NOT be scheduled onto the node. There is no - fallback to another affinity rules with this setting. This - may cause networking disruption or even catastrophic failure! - PreferredDuringSchedulingIgnoredDuringExecution should be - used for affinity unless there is a specific well understood - reason to use RequiredDuringSchedulingIgnoredDuringExecution - and you can guarantee that the RequiredDuringSchedulingIgnoredDuringExecution - will always have sufficient nodes to satisfy the requirement. 
- NOTE: RequiredDuringSchedulingIgnoredDuringExecution is - set by default for AKS nodes, to avoid scheduling Typhas - on virtual-nodes. If the affinity requirements specified - by this field cease to be met at some point during pod execution - (e.g. due to an update), the system may or may not try to - eventually evict the pod from its node.' + minReadySeconds: + description: MinReadySeconds is the minimum number of seconds + for which a newly created DaemonSet pod should be ready + without any of its container crashing, for it to be considered + available. If specified, this overrides any minReadySeconds + value that may be set on the csi-node-driver DaemonSet. + If omitted, the csi-node-driver DaemonSet will use its default + value for minReadySeconds. + format: int32 + maximum: 2147483647 + minimum: 0 + type: integer + template: + description: Template describes the csi-node-driver DaemonSet + pod that will be created. properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: A null or empty node selector term matches - no objects. The requirements of them are ANDed. The - TopologySelectorTerm type implements a subset of the - NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: A node selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: Represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists, DoesNotExist. Gt, and - Lt. - type: string - values: - description: An array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values array - must be empty. 
If the operator is Gt or - Lt, the values array must have a single - element, which will be interpreted as an - integer. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: A node selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: Represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists, DoesNotExist. Gt, and - Lt. - type: string - values: - description: An array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values array - must be empty. If the operator is Gt or - Lt, the values array must have a single - element, which will be interpreted as an - integer. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - type: object - typhaDeployment: - description: TyphaDeployment configures the typha Deployment. If used - in conjunction with the deprecated ComponentResources or TyphaAffinity, - then these overrides take precedence. - properties: - metadata: - description: Metadata is a subset of a Kubernetes object's metadata - that is added to the Deployment. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of arbitrary non-identifying - metadata. Each of these key/value pairs are added to the - object's annotations provided the key does not already exist - in the object's annotations. 
- type: object - labels: - additionalProperties: - type: string - description: Labels is a map of string keys and values that - may match replicaset and service selectors. Each of these - key/value pairs are added to the object's labels provided - the key does not already exist in the object's labels. - type: object - type: object - spec: - description: Spec is the specification of the typha Deployment. - properties: - minReadySeconds: - description: MinReadySeconds is the minimum number of seconds - for which a newly created Deployment pod should be ready - without any of its container crashing, for it to be considered - available. If specified, this overrides any minReadySeconds - value that may be set on the typha Deployment. If omitted, - the typha Deployment will use its default value for minReadySeconds. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - template: - description: Template describes the typha Deployment pod that - will be created. - properties: - metadata: - description: Metadata is a subset of a Kubernetes object's - metadata that is added to the pod's metadata. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of arbitrary non-identifying - metadata. Each of these key/value pairs are added - to the object's annotations provided the key does - not already exist in the object's annotations. - type: object - labels: - additionalProperties: - type: string - description: Labels is a map of string keys and values - that may match replicaset and service selectors. - Each of these key/value pairs are added to the object's - labels provided the key does not already exist in - the object's labels. - type: object - type: object - spec: - description: Spec is the typha Deployment's PodSpec. - properties: - affinity: - description: 'Affinity is a group of affinity scheduling - rules for the typha pods. 
If specified, this overrides - any affinity that may be set on the typha Deployment. - If omitted, the typha Deployment will use its default - value for affinity. If used in conjunction with - the deprecated TyphaAffinity, then this value takes - precedence. WARNING: Please note that this field - will override the default calico-typha Deployment - affinity.' - properties: - nodeAffinity: - description: Describes node affinity scheduling - rules for the pod. + metadata: + description: Metadata is a subset of a Kubernetes object's + metadata that is added to the pod's metadata. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of arbitrary non-identifying + metadata. Each of these key/value pairs are added + to the object's annotations provided the key does + not already exist in the object's annotations. + type: object + labels: + additionalProperties: + type: string + description: Labels is a map of string keys and values + that may match replicaset and service selectors. + Each of these key/value pairs are added to the object's + labels provided the key does not already exist in + the object's labels. + type: object + type: object + spec: + description: Spec is the csi-node-driver DaemonSet's PodSpec. + properties: + affinity: + description: 'Affinity is a group of affinity scheduling + rules for the csi-node-driver pods. If specified, + this overrides any affinity that may be set on the + csi-node-driver DaemonSet. If omitted, the csi-node-driver + DaemonSet will use its default value for affinity. + WARNING: Please note that this field will override + the default csi-node-driver DaemonSet affinity.' + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: description: The scheduler will prefer to 
@@ -10274,6 +10039,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, @@ -10393,10 +10159,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling @@ -10494,6 +10262,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -10505,9 +10274,6 @@ spec: or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is - only honored when PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -10569,6 +10335,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -10578,7 +10345,7 @@ spec: field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -10693,6 +10460,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies @@ -10702,10 +10470,7 @@ spec: field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) - matches all namespaces. This field - is beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + matches all namespaces. properties: matchExpressions: description: matchExpressions is 
@@ -10763,6 +10528,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that @@ -10771,7 +10537,7 @@ spec: in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -10888,6 +10654,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -10899,9 +10666,6 @@ spec: or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is - only honored when PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -10963,6 +10727,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -10972,7 +10737,7 @@ spec: field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -11087,6 +10852,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies @@ -11096,10 +10862,7 @@ spec: field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) - matches all namespaces. This field - is beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + matches all namespaces. properties: matchExpressions: description: matchExpressions is 
@@ -11157,6 +10920,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names that @@ -11165,7 +10929,7 @@ spec: in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array 
@@ -11188,87 +10952,30 @@ spec: type: object type: object containers: - description: Containers is a list of typha containers. - If specified, this overrides the specified typha - Deployment containers. If omitted, the typha Deployment - will use its default values for its containers. - items: - description: TyphaDeploymentContainer is a typha - Deployment container. - properties: - name: - description: Name is an enum which identifies - the typha Deployment container by name. - enum: - - calico-typha - type: string - resources: - description: Resources allows customization - of limits and requests for compute resources - such as cpu and memory. If specified, this - overrides the named typha Deployment container's - resources. If omitted, the typha Deployment - will use its default value for this container's - resources. If used in conjunction with the - deprecated ComponentResources, then this value - takes precedence. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum - amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum - amount of compute resources required. - If Requests is omitted for a container, - it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined - value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - required: - - name - type: object - type: array - initContainers: - description: InitContainers is a list of typha init + description: Containers is a list of csi-node-driver containers. If specified, this overrides the specified - typha Deployment init containers. If omitted, the - typha Deployment will use its default values for - its init containers. + csi-node-driver DaemonSet containers. If omitted, + the csi-node-driver DaemonSet will use its default + values for its containers. items: - description: TyphaDeploymentInitContainer is a typha - Deployment init container. + description: CSINodeDriverDaemonSetContainer is + a csi-node-driver DaemonSet container. properties: name: description: Name is an enum which identifies - the typha Deployment init container by name. + the csi-node-driver DaemonSet container by + name. enum: - - typha-certs-key-cert-provisioner + - csi-node-driver type: string resources: description: Resources allows customization of limits and requests for compute resources such as cpu and memory. If specified, this - overrides the named typha Deployment init - container's resources. If omitted, the typha - Deployment will use its default value for - this init container's resources. If used in - conjunction with the deprecated ComponentResources, - then this value takes precedence. + overrides the named csi-node-driver DaemonSet + container's resources. If omitted, the csi-node-driver + DaemonSet will use its default value for this + container's resources. properties: limits: additionalProperties: 
@@ -11303,23 +11010,24 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is the calico-typha pod''s - scheduling constraints. If specified, each of the - key/value pairs are added to the calico-typha Deployment - nodeSelector provided the key does not already exist - in the object''s nodeSelector. If omitted, the calico-typha - Deployment will use its default value for nodeSelector. - WARNING: Please note that this field will modify - the default calico-typha Deployment nodeSelector.' + description: 'NodeSelector is the csi-node-driver + pod''s scheduling constraints. If specified, each + of the key/value pairs are added to the csi-node-driver + DaemonSet nodeSelector provided the key does not + already exist in the object''s nodeSelector. If + omitted, the csi-node-driver DaemonSet will use + its default value for nodeSelector. WARNING: Please + note that this field will modify the default csi-node-driver + DaemonSet nodeSelector.' type: object tolerations: - description: 'Tolerations is the typha pod''s tolerations. - If specified, this overrides any tolerations that - may be set on the typha Deployment. If omitted, - the typha Deployment will use its default value - for tolerations. WARNING: Please note that this - field will override the default calico-typha Deployment - tolerations.' + description: 'Tolerations is the csi-node-driver pod''s + tolerations. If specified, this overrides any tolerations + that may be set on the csi-node-driver DaemonSet. + If omitted, the csi-node-driver DaemonSet will use + its default value for tolerations. WARNING: Please + note that this field will override the default csi-node-driver + DaemonSet tolerations.' items: description: The pod this Toleration is attached to tolerates any taint that matches the triple 
@@ -11369,111 +11077,3607 @@ spec: type: object type: object type: object - typhaMetricsPort: - description: TyphaMetricsPort specifies which port calico/typha serves - prometheus metrics on. By default, metrics are not enabled. + fipsMode: + description: 'FIPSMode uses images and features only that are using + FIPS 140-2 validated cryptographic modules and standards. Default: + Disabled' + enum: + - Enabled + - Disabled + type: string + flexVolumePath: + description: FlexVolumePath optionally specifies a custom path for + FlexVolume. If not specified, FlexVolume will be enabled by default. + If set to 'None', FlexVolume will be disabled. The default is based + on the kubernetesProvider. + type: string + imagePath: + description: "ImagePath allows for the path part of an image to be + specified. If specified then the specified value will be used as + the image path for each image. If not specified or empty, the default + for each image will be used. A special case value, UseDefault, is + supported to explicitly specify the default image path will be used + for each image. \n Image format: `/:` + \n This option allows configuring the `` portion of the + above format." + type: string + imagePrefix: + description: "ImagePrefix allows for the prefix part of an image to + be specified. If specified then the given value will be used as + a prefix on each image. If not specified or empty, no prefix will + be used. A special case value, UseDefault, is supported to explicitly + specify the default image prefix will be used for each image. \n + Image format: `/:` + \n This option allows configuring the `` portion of + the above format." + type: string + imagePullSecrets: + description: ImagePullSecrets is an array of references to container + registry pull secrets to use. These are applied to all images to + be pulled. + items: + description: LocalObjectReference contains enough information to + let you locate the referenced object inside the same namespace. 
+ properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + kubeletVolumePluginPath: + description: 'KubeletVolumePluginPath optionally specifies enablement + of Calico CSI plugin. If not specified, CSI will be enabled by default. + If set to ''None'', CSI will be disabled. Default: /var/lib/kubelet' + type: string + kubernetesProvider: + description: KubernetesProvider specifies a particular provider of + the Kubernetes platform and enables provider-specific configuration. + If the specified value is empty, the Operator will attempt to automatically + determine the current provider. If the specified value is not empty, + the Operator will still attempt auto-detection, but will additionally + compare the auto-detected value to the specified value to confirm + they match. + enum: + - "" + - EKS + - GKE + - AKS + - OpenShift + - DockerEnterprise + - RKE2 + type: string + logging: + description: Logging Configuration for Components + properties: + cni: + description: Customized logging specification for calico-cni plugin + properties: + logFileMaxAgeDays: + description: 'Default: 30 (days)' + format: int32 + type: integer + logFileMaxCount: + description: 'Default: 10' + format: int32 + type: integer + logFileMaxSize: + anyOf: + - type: integer + - type: string + description: 'Default: 100Mi' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + logSeverity: + description: 'Default: Info' + enum: + - Error + - Warning + - Debug + - Info + type: string + type: object + type: object + nodeMetricsPort: + description: NodeMetricsPort specifies which port calico/node serves + prometheus metrics on. By default, metrics are not enabled. 
If specified, + this overrides any FelixConfiguration resources which may exist. + If omitted, then prometheus metrics may still be configured through + FelixConfiguration. format: int32 type: integer - variant: - description: 'Variant is the product to install - one of Calico or - TigeraSecureEnterprise Default: Calico' - enum: - - Calico - - TigeraSecureEnterprise + nodeUpdateStrategy: + description: NodeUpdateStrategy can be used to customize the desired + update strategy, such as the MaxUnavailable field. + properties: + rollingUpdate: + description: 'Rolling update config params. Present only if type + = "RollingUpdate". --- TODO: Update this to follow our convention + for oneOf, whatever we decide it to be. Same as Deployment `strategy.rollingUpdate`. + See https://github.com/kubernetes/kubernetes/issues/35345' + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: 'The maximum number of nodes with an existing + available DaemonSet pod that can have an updated DaemonSet + pod during during an update. Value can be an absolute number + (ex: 5) or a percentage of desired pods (ex: 10%). This + can not be 0 if MaxUnavailable is 0. Absolute number is + calculated from percentage by rounding up to a minimum of + 1. Default value is 0. Example: when this is set to 30%, + at most 30% of the total number of nodes that should be + running the daemon pod (i.e. status.desiredNumberScheduled) + can have their a new pod created before the old pod is marked + as deleted. The update starts by launching new pods on 30% + of nodes. Once an updated pod is available (Ready for at + least minReadySeconds) the old DaemonSet pod on that node + is marked deleted. If the old pod becomes unavailable for + any reason (Ready transitions to false, is evicted, or is + drained) an updated pod is immediatedly created on that + node without considering surge limits. 
Allowing surge implies + the possibility that the resources consumed by the daemonset + on any given node can double if the readiness check fails, + and so resource intensive daemonsets should take into account + that they may cause evictions during disruption.' + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: 'The maximum number of DaemonSet pods that can + be unavailable during the update. Value can be an absolute + number (ex: 5) or a percentage of total number of DaemonSet + pods at the start of the update (ex: 10%). Absolute number + is calculated from percentage by rounding up. This cannot + be 0 if MaxSurge is 0 Default value is 1. Example: when + this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their pods stopped for an update at any given time. + The update starts by stopping at most 30% of those DaemonSet + pods and then brings up new DaemonSet pods in their place. + Once the new pods are available, it then proceeds onto other + DaemonSet pods, thus ensuring that at least 70% of original + number of DaemonSet pods are available at all times during + the update.' + x-kubernetes-int-or-string: true + type: object + type: + description: Type of daemon set update. Can be "RollingUpdate" + or "OnDelete". Default is RollingUpdate. + type: string + type: object + nonPrivileged: + description: NonPrivileged configures Calico to be run in non-privileged + containers as non-root users where possible. type: string - type: object - status: - description: Most recently observed state for the Calico or Calico Enterprise - installation. - properties: - computed: - description: Computed is the final installation including overlaid - resources. + registry: + description: "Registry is the default Docker registry used for component + Docker images. 
If specified then the given value must end with a + slash character (`/`) and all images will be pulled from this registry. + If not specified then the default registries will be used. A special + case value, UseDefault, is supported to explicitly specify the default + registries will be used. \n Image format: `/:` + \n This option allows configuring the `` portion of the + above format." + type: string + typhaAffinity: + description: Deprecated. Please use Installation.Spec.TyphaDeployment + instead. TyphaAffinity allows configuration of node affinity characteristics + for Typha pods. properties: - calicoKubeControllersDeployment: - description: CalicoKubeControllersDeployment configures the calico-kube-controllers - Deployment. If used in conjunction with the deprecated ComponentResources, - then these overrides take precedence. + nodeAffinity: + description: NodeAffinity describes node affinity scheduling rules + for typha. properties: - metadata: - description: Metadata is a subset of a Kubernetes object's - metadata that is added to the Deployment. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of arbitrary non-identifying - metadata. Each of these key/value pairs are added to - the object's annotations provided the key does not already - exist in the object's annotations. - type: object - labels: - additionalProperties: - type: string - description: Labels is a map of string keys and values - that may match replicaset and service selectors. Each - of these key/value pairs are added to the object's labels - provided the key does not already exist in the object's - labels. - type: object - type: object - spec: - description: Spec is the specification of the calico-kube-controllers - Deployment. 
- properties: - minReadySeconds: - description: MinReadySeconds is the minimum number of - seconds for which a newly created Deployment pod should - be ready without any of its container crashing, for - it to be considered available. If specified, this overrides - any minReadySeconds value that may be set on the calico-kube-controllers - Deployment. If omitted, the calico-kube-controllers - Deployment will use its default value for minReadySeconds. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - template: - description: Template describes the calico-kube-controllers - Deployment pod that will be created. - properties: - metadata: - description: Metadata is a subset of a Kubernetes - object's metadata that is added to the pod's metadata. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of arbitrary - non-identifying metadata. Each of these key/value - pairs are added to the object's annotations - provided the key does not already exist in the - object's annotations. - type: object - labels: - additionalProperties: - type: string - description: Labels is a map of string keys and - values that may match replicaset and service - selectors. Each of these key/value pairs are - added to the object's labels provided the key - does not already exist in the object's labels. - type: object + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. 
+ properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: 'WARNING: Please note that if the affinity requirements + specified by this field are not met at scheduling time, + the pod will NOT be scheduled onto the node. There is no + fallback to another affinity rules with this setting. This + may cause networking disruption or even catastrophic failure! + PreferredDuringSchedulingIgnoredDuringExecution should be + used for affinity unless there is a specific well understood + reason to use RequiredDuringSchedulingIgnoredDuringExecution + and you can guarantee that the RequiredDuringSchedulingIgnoredDuringExecution + will always have sufficient nodes to satisfy the requirement. + NOTE: RequiredDuringSchedulingIgnoredDuringExecution is + set by default for AKS nodes, to avoid scheduling Typhas + on virtual-nodes. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to an update), the system may or may not try to + eventually evict the pod from its node.' + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term matches + no objects. The requirements of them are ANDed. The + TopologySelectorTerm type implements a subset of the + NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + type: object + typhaDeployment: + description: TyphaDeployment configures the typha Deployment. 
If used + in conjunction with the deprecated ComponentResources or TyphaAffinity, + then these overrides take precedence. + properties: + metadata: + description: Metadata is a subset of a Kubernetes object's metadata + that is added to the Deployment. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of arbitrary non-identifying + metadata. Each of these key/value pairs are added to the + object's annotations provided the key does not already exist + in the object's annotations. + type: object + labels: + additionalProperties: + type: string + description: Labels is a map of string keys and values that + may match replicaset and service selectors. Each of these + key/value pairs are added to the object's labels provided + the key does not already exist in the object's labels. + type: object + type: object + spec: + description: Spec is the specification of the typha Deployment. + properties: + minReadySeconds: + description: MinReadySeconds is the minimum number of seconds + for which a newly created Deployment pod should be ready + without any of its container crashing, for it to be considered + available. If specified, this overrides any minReadySeconds + value that may be set on the typha Deployment. If omitted, + the typha Deployment will use its default value for minReadySeconds. + format: int32 + maximum: 2147483647 + minimum: 0 + type: integer + strategy: + description: The deployment strategy to use to replace existing + pods with new ones. + properties: + rollingUpdate: + description: Rolling update config params. Present only + if DeploymentStrategyType = RollingUpdate. to be. + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: 'The maximum number of pods that can + be scheduled above the desired number of pods. Value + can be an absolute number (ex: 5) or a percentage + of desired pods (ex: 10%). This can not be 0 if + MaxUnavailable is 0. 
Absolute number is calculated + from percentage by rounding up. Defaults to 25%. + Example: when this is set to 30%, the new ReplicaSet + can be scaled up immediately when the rolling update + starts, such that the total number of old and new + pods do not exceed 130% of desired pods. Once old + pods have been killed, new ReplicaSet can be scaled + up further, ensuring that total number of pods running + at any time during the update is at most 130% of + desired pods.' + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: 'The maximum number of pods that can + be unavailable during the update. Value can be an + absolute number (ex: 5) or a percentage of desired + pods (ex: 10%). Absolute number is calculated from + percentage by rounding down. This can not be 0 if + MaxSurge is 0. Defaults to 25%. Example: when this + is set to 30%, the old ReplicaSet can be scaled + down to 70% of desired pods immediately when the + rolling update starts. Once new pods are ready, + old ReplicaSet can be scaled down further, followed + by scaling up the new ReplicaSet, ensuring that + the total number of pods available at all times + during the update is at least 70% of desired pods.' + x-kubernetes-int-or-string: true + type: object + type: object + template: + description: Template describes the typha Deployment pod that + will be created. + properties: + metadata: + description: Metadata is a subset of a Kubernetes object's + metadata that is added to the pod's metadata. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of arbitrary non-identifying + metadata. Each of these key/value pairs are added + to the object's annotations provided the key does + not already exist in the object's annotations. + type: object + labels: + additionalProperties: + type: string + description: Labels is a map of string keys and values + that may match replicaset and service selectors. 
+ Each of these key/value pairs are added to the object's + labels provided the key does not already exist in + the object's labels. + type: object + type: object + spec: + description: Spec is the typha Deployment's PodSpec. + properties: + affinity: + description: 'Affinity is a group of affinity scheduling + rules for the typha pods. If specified, this overrides + any affinity that may be set on the typha Deployment. + If omitted, the typha Deployment will use its default + value for affinity. If used in conjunction with + the deprecated TyphaAffinity, then this value takes + precedence. WARNING: Please note that this field + will override the default calico-typha Deployment + affinity.' + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this field, + but it may choose a node that violates one + or more of the expressions. The node that + is most preferred is the one with the greatest + sum of weights, i.e. for each node that + meets all of the scheduling requirements + (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum + by iterating through the elements of this + field and adding "weight" to the sum if + the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the + most preferred. + items: + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null preferred + scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. 
+ items: + description: A node selector requirement + is a selector that contains + values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents a + key's relationship to a + set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string + values. If the operator + is In or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the values + array must be empty. If + the operator is Gt or Lt, + the values array must have + a single element, which + will be interpreted as an + integer. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector requirement + is a selector that contains + values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents a + key's relationship to a + set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string + values. If the operator + is In or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the values + array must be empty. If + the operator is Gt or Lt, + the values array must have + a single element, which + will be interpreted as an + integer. This array is replaced + during a strategic merge + patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at scheduling + time, the pod will not be scheduled onto + the node. If the affinity requirements specified + by this field cease to be met at some point + during pod execution (e.g. due to an update), + the system may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node + selector terms. The terms are ORed. + items: + description: A null or empty node selector + term matches no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector requirement + is a selector that contains + values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents a + key's relationship to a + set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string + values. If the operator + is In or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the values + array must be empty. If + the operator is Gt or Lt, + the values array must have + a single element, which + will be interpreted as an + integer. This array is replaced + during a strategic merge + patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector requirement + is a selector that contains + values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents a + key's relationship to a + set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string + values. If the operator + is In or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the values + array must be empty. If + the operator is Gt or Lt, + the values array must have + a single element, which + will be interpreted as an + integer. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this field, + but it may choose a node that violates one + or more of the expressions. The node that + is most preferred is the one with the greatest + sum of weights, i.e. 
for each node that + meets all of the scheduling requirements + (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum + by iterating through the elements of this + field and adding "weight" to the sum if + the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest + sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. 
+ A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over + the set of namespaces that the + term applies to. The term is applied + to the union of the namespaces + selected by this field and the + ones listed in the namespaces + field. null selector and null + or empty namespaces list means + "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The + term is applied to the union of + the namespaces listed in this + field and the ones selected by + namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at scheduling + time, the pod will not be scheduled onto + the node. If the affinity requirements specified + by this field cease to be met at some point + during pod execution (e.g. due to a pod + label update), the system may or may not + try to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all + terms must be satisfied. 
+ items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this pod + should be co-located (affinity) or not + co-located (anti-affinity) with, where + co-located is defined as running on a + node whose value of the label with key + matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term applies + to. 
The term is applied to the union + of the namespaces selected by this + field and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's + namespace". An empty selector ({}) + matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a + static list of namespace names that + the term applies to. The term is applied + to the union of the namespaces listed + in this field and the ones selected + by namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running on + a node whose value of the label with + key topologyKey matches that of any + node on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + anti-affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with the + greatest sum of weights, i.e. for each node + that meets all of the scheduling requirements + (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" to the + sum if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. 
+ items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over + the set of namespaces that the + term applies to. The term is applied + to the union of the namespaces + selected by this field and the + ones listed in the namespaces + field. null selector and null + or empty namespaces list means + "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. 
+ type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The + term is applied to the union of + the namespaces listed in this + field and the ones selected by + namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at scheduling + time, the pod will not be scheduled onto + the node. If the anti-affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system may + or may not try to eventually evict the pod + from its node. When there are multiple elements, + the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all + terms must be satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this pod + should be co-located (affinity) or not + co-located (anti-affinity) with, where + co-located is defined as running on a + node whose value of the label with key + matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. 
This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this + field and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's + namespace". An empty selector ({}) + matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. 
A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a + static list of namespace names that + the term applies to. The term is applied + to the union of the namespaces listed + in this field and the ones selected + by namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running on + a node whose value of the label with + key topologyKey matches that of any + node on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + containers: + description: Containers is a list of typha containers. + If specified, this overrides the specified typha + Deployment containers. If omitted, the typha Deployment + will use its default values for its containers. + items: + description: TyphaDeploymentContainer is a typha + Deployment container. + properties: + name: + description: Name is an enum which identifies + the typha Deployment container by name. + enum: + - calico-typha + type: string + resources: + description: Resources allows customization + of limits and requests for compute resources + such as cpu and memory. If specified, this + overrides the named typha Deployment container's + resources. If omitted, the typha Deployment + will use its default value for this container's + resources. 
If used in conjunction with the + deprecated ComponentResources, then this value + takes precedence. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. + If Requests is omitted for a container, + it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + required: + - name + type: object + type: array + initContainers: + description: InitContainers is a list of typha init + containers. If specified, this overrides the specified + typha Deployment init containers. If omitted, the + typha Deployment will use its default values for + its init containers. + items: + description: TyphaDeploymentInitContainer is a typha + Deployment init container. + properties: + name: + description: Name is an enum which identifies + the typha Deployment init container by name. + enum: + - typha-certs-key-cert-provisioner + type: string + resources: + description: Resources allows customization + of limits and requests for compute resources + such as cpu and memory. If specified, this + overrides the named typha Deployment init + container's resources. 
If omitted, the typha + Deployment will use its default value for + this init container's resources. If used in + conjunction with the deprecated ComponentResources, + then this value takes precedence. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. + If Requests is omitted for a container, + it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + required: + - name + type: object + type: array + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is the calico-typha pod''s + scheduling constraints. If specified, each of the + key/value pairs are added to the calico-typha Deployment + nodeSelector provided the key does not already exist + in the object''s nodeSelector. If omitted, the calico-typha + Deployment will use its default value for nodeSelector. + WARNING: Please note that this field will modify + the default calico-typha Deployment nodeSelector.' + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully. May be decreased + in delete request. 
Value must be non-negative integer. + The value zero indicates stop immediately via the + kill signal (no opportunity to shut down). If this + value is nil, the default grace period will be used + instead. The grace period is the duration in seconds + after the processes running in the pod are sent + a termination signal and the time when the processes + are forcibly halted with a kill signal. Set this + value longer than the expected cleanup time for + your process. Defaults to 30 seconds. + format: int64 + type: integer + tolerations: + description: 'Tolerations is the typha pod''s tolerations. + If specified, this overrides any tolerations that + may be set on the typha Deployment. If omitted, + the typha Deployment will use its default value + for tolerations. WARNING: Please note that this + field will override the default calico-typha Deployment + tolerations.' + items: + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; + this combination means to match all values + and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and + Equal. Defaults to Equal. Exists is equivalent + to wildcard for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the + period of time the toleration (which must + be of effect NoExecute, otherwise this field + is ignored) tolerates the taint. 
By default, + it is not set, which means tolerate the taint + forever (do not evict). Zero and negative + values will be treated as 0 (evict immediately) + by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the + value should be empty, otherwise just a regular + string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how + a group of pods ought to spread across topology + domains. Scheduler will schedule pods in a way which + abides by the constraints. All topologySpreadConstraints + are ANDed. + items: + description: TopologySpreadConstraint specifies + how to spread matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching + pods. Pods that match this label selector + are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod + label keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those + key-value labels are ANDed with labelSelector + to select the group of existing pods over + which spreading will be calculated for the + incoming pod. Keys that don't exist in the + incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to + which pods may be unevenly distributed. When + `whenUnsatisfiable=DoNotSchedule`, it is the + maximum permitted difference between the number + of matching pods in the target topology and + the global minimum. The global minimum is + the minimum number of matching pods in an + eligible domain or zero if the number of eligible + domains is less than MinDomains. For example, + in a 3-zone cluster, MaxSkew is set to 1, + and pods with the same labelSelector spread + as 2/2/1: In this case, the global minimum + is 1. | zone1 | zone2 | zone3 | | P P | P + P | P | - if MaxSkew is 1, incoming pod + can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make + the ActualSkew(3-1) on zone1(zone2) violate + MaxSkew(1). - if MaxSkew is 2, incoming pod + can be scheduled onto any zone. 
When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies + that satisfy it. It''s a required field. Default + value is 1 and 0 is not allowed.' + format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum + number of eligible domains. When the number + of eligible domains with matching topology + keys is less than minDomains, Pod Topology + Spread treats \"global minimum\" as 0, and + then the calculation of Skew is performed. + And when the number of eligible domains with + matching topology keys equals or greater than + minDomains, this value has no effect on scheduling. + As a result, when the number of eligible domains + is less than minDomains, scheduler won't schedule + more than maxSkew Pods to those domains. If + value is nil, the constraint behaves as if + MinDomains is equal to 1. Valid values are + integers greater than 0. When value is not + nil, WhenUnsatisfiable must be DoNotSchedule. + \n For example, in a 3-zone cluster, MaxSkew + is set to 2, MinDomains is set to 5 and pods + with the same labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | | P P | P P | + \ P P | The number of domains is less than + 5(MinDomains), so \"global minimum\" is treated + as 0. In this situation, new pod with the + same labelSelector cannot be scheduled, because + computed skew will be 3(3 - 0) if new Pod + is scheduled to any of the three zones, it + will violate MaxSkew. \n This is a beta field + and requires the MinDomainsInPodTopologySpread + feature gate to be enabled (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. + Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in + the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the + calculations. 
\n If this value is nil, the + behavior is equivalent to the Honor policy. + This is a alpha-level feature enabled by the + NodeInclusionPolicyInPodTopologySpread feature + flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how + we will treat node taints when calculating + pod topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy. This is a alpha-level feature enabled + by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node + labels. Nodes that have a label with this + key and identical values are considered to + be in the same topology. We consider each + as a "bucket", and try to put + balanced number of pods into each bucket. + We define a domain as a particular instance + of a topology. Also, we define an eligible + domain as a domain whose nodes meet the requirements + of nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, + if TopologyKey is "topology.kubernetes.io/zone", + each zone is a domain of that topology. It's + a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how + to deal with a pod if it doesn''t satisfy + the spread constraint. - DoNotSchedule (default) + tells the scheduler not to schedule it. - + ScheduleAnyway tells the scheduler to schedule + the pod in any location, but giving higher + precedence to topologies that would help reduce + the skew. A constraint is considered "Unsatisfiable" + for an incoming pod if and only if every possible + node assignment for that pod would violate + "MaxSkew" on some topology. 
For example, in + a 3-zone cluster, MaxSkew is set to 1, and + pods with the same labelSelector spread as + 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, + incoming pod can only be scheduled to zone2(zone3) + to become 3/2/1(3/1/2) as ActualSkew(2-1) + on zone2(zone3) satisfies MaxSkew(1). In other + words, the cluster can still be imbalanced, + but scheduler won''t make it *more* imbalanced. + It''s a required field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + type: object + type: object + type: object + typhaMetricsPort: + description: TyphaMetricsPort specifies which port calico/typha serves + prometheus metrics on. By default, metrics are not enabled. + format: int32 + type: integer + variant: + description: 'Variant is the product to install - one of Calico or + TigeraSecureEnterprise Default: Calico' + enum: + - Calico + - TigeraSecureEnterprise + type: string + type: object + status: + description: Most recently observed state for the Calico or Calico Enterprise + installation. + properties: + calicoVersion: + description: CalicoVersion shows the current running version of calico. + CalicoVersion along with Variant is needed to know the exact version + deployed. + type: string + computed: + description: Computed is the final installation including overlaid + resources. + properties: + calicoKubeControllersDeployment: + description: CalicoKubeControllersDeployment configures the calico-kube-controllers + Deployment. If used in conjunction with the deprecated ComponentResources, + then these overrides take precedence. + properties: + metadata: + description: Metadata is a subset of a Kubernetes object's + metadata that is added to the Deployment. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of arbitrary non-identifying + metadata. 
Each of these key/value pairs are added to + the object's annotations provided the key does not already + exist in the object's annotations. + type: object + labels: + additionalProperties: + type: string + description: Labels is a map of string keys and values + that may match replicaset and service selectors. Each + of these key/value pairs are added to the object's labels + provided the key does not already exist in the object's + labels. + type: object + type: object + spec: + description: Spec is the specification of the calico-kube-controllers + Deployment. + properties: + minReadySeconds: + description: MinReadySeconds is the minimum number of + seconds for which a newly created Deployment pod should + be ready without any of its container crashing, for + it to be considered available. If specified, this overrides + any minReadySeconds value that may be set on the calico-kube-controllers + Deployment. If omitted, the calico-kube-controllers + Deployment will use its default value for minReadySeconds. + format: int32 + maximum: 2147483647 + minimum: 0 + type: integer + template: + description: Template describes the calico-kube-controllers + Deployment pod that will be created. + properties: + metadata: + description: Metadata is a subset of a Kubernetes + object's metadata that is added to the pod's metadata. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of arbitrary + non-identifying metadata. Each of these key/value + pairs are added to the object's annotations + provided the key does not already exist in the + object's annotations. + type: object + labels: + additionalProperties: + type: string + description: Labels is a map of string keys and + values that may match replicaset and service + selectors. Each of these key/value pairs are + added to the object's labels provided the key + does not already exist in the object's labels. 
+ type: object + type: object + spec: + description: Spec is the calico-kube-controllers Deployment's + PodSpec. + properties: + affinity: + description: 'Affinity is a group of affinity + scheduling rules for the calico-kube-controllers + pods. If specified, this overrides any affinity + that may be set on the calico-kube-controllers + Deployment. If omitted, the calico-kube-controllers + Deployment will use its default value for affinity. + WARNING: Please note that this field will override + the default calico-kube-controllers Deployment + affinity.' + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, + associated with the corresponding + weight. + properties: + matchExpressions: + description: A list of node + selector requirements by node's + labels. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. 
+ properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements by node's + fields. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to an update), + the system may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node + selector terms. The terms are ORed. + items: + description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type + implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node + selector requirements by node's + labels. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements by node's + fields. 
+ items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. 
+ items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over + the set of namespaces that + the term applies to. The term + is applied to the union of + the namespaces selected by + this field and the ones listed + in the namespaces field. 
null + selector and null or empty + namespaces list means "this + pod's namespace". An empty + selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace + names that the term applies + to. The term is applied to + the union of the namespaces + listed in this field and the + ones selected by namespaceSelector. + null or empty namespaces list + and null namespaceSelector + means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key matches + that of any node on which a pod of + the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. 
+ items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over + the set of namespaces that the + term applies to. The term is applied + to the union of the namespaces + selected by this field and the + ones listed in the namespaces + field. null selector and null + or empty namespaces list means + "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. 
+ type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The + term is applied to the union of + the namespaces listed in this + field and the ones selected by + namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over + the set of namespaces that + the term applies to. The term + is applied to the union of + the namespaces selected by + this field and the ones listed + in the namespaces field. null + selector and null or empty + namespaces list means "this + pod's namespace". An empty + selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. 
A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace + names that the term applies + to. The term is applied to + the union of the namespaces + listed in this field and the + ones selected by namespaceSelector. + null or empty namespaces list + and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the anti-affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key matches + that of any node on which a pod of + the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over + the set of namespaces that the + term applies to. 
The term is applied + to the union of the namespaces + selected by this field and the + ones listed in the namespaces + field. null selector and null + or empty namespaces list means + "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The + term is applied to the union of + the namespaces listed in this + field and the ones selected by + namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + containers: + description: Containers is a list of calico-kube-controllers + containers. If specified, this overrides the + specified calico-kube-controllers Deployment + containers. If omitted, the calico-kube-controllers + Deployment will use its default values for its + containers. + items: + description: CalicoKubeControllersDeploymentContainer + is a calico-kube-controllers Deployment container. + properties: + name: + description: Name is an enum which identifies + the calico-kube-controllers Deployment + container by name. + enum: + - calico-kube-controllers + type: string + resources: + description: Resources allows customization + of limits and requests for compute resources + such as cpu and memory. If specified, + this overrides the named calico-kube-controllers + Deployment container's resources. If omitted, + the calico-kube-controllers Deployment + will use its default value for this container's + resources. If used in conjunction with + the deprecated ComponentResources, then + this value takes precedence. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the + minimum amount of compute resources + required. If Requests is omitted for + a container, it defaults to Limits + if that is explicitly specified, otherwise + to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + required: + - name + type: object + type: array + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is the calico-kube-controllers + pod''s scheduling constraints. If specified, + each of the key/value pairs are added to the + calico-kube-controllers Deployment nodeSelector + provided the key does not already exist in the + object''s nodeSelector. If used in conjunction + with ControlPlaneNodeSelector, that nodeSelector + is set on the calico-kube-controllers Deployment + and each of this field''s key/value pairs are + added to the calico-kube-controllers Deployment + nodeSelector provided the key does not already + exist in the object''s nodeSelector. If omitted, + the calico-kube-controllers Deployment will + use its default value for nodeSelector. WARNING: + Please note that this field will modify the + default calico-kube-controllers Deployment nodeSelector.' + type: object + tolerations: + description: 'Tolerations is the calico-kube-controllers + pod''s tolerations. If specified, this overrides + any tolerations that may be set on the calico-kube-controllers + Deployment. If omitted, the calico-kube-controllers + Deployment will use its default value for tolerations. 
+ WARNING: Please note that this field will override + the default calico-kube-controllers Deployment + tolerations.' + items: + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match all + taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints + of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. + By default, it is not set, which means + tolerate the taint forever (do not evict). + Zero and negative values will be treated + as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the + toleration matches to. If the operator + is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + type: object + type: object + calicoNetwork: + description: CalicoNetwork specifies networking configuration + options for Calico. + properties: + bgp: + description: BGP configures whether or not to enable Calico's + BGP capabilities. 
+ enum: + - Enabled + - Disabled + type: string + containerIPForwarding: + description: 'ContainerIPForwarding configures whether ip + forwarding will be enabled for containers in the CNI configuration. + Default: Disabled' + enum: + - Enabled + - Disabled + type: string + hostPorts: + description: 'HostPorts configures whether or not Calico will + support Kubernetes HostPorts. Valid only when using the + Calico CNI plugin. Default: Enabled' + enum: + - Enabled + - Disabled + type: string + ipPools: + description: IPPools contains a list of IP pools to create + if none exist. At most one IP pool of each address family + may be specified. If omitted, a single pool will be configured + if needed. + items: + properties: + blockSize: + description: 'BlockSize specifies the CIDR prefex length + to use when allocating per-node IP blocks from the + main IP pool CIDR. Default: 26 (IPv4), 122 (IPv6)' + format: int32 + type: integer + cidr: + description: CIDR contains the address range for the + IP Pool in classless inter-domain routing format. + type: string + disableBGPExport: + default: false + description: 'DisableBGPExport specifies whether routes + from this IP pool''s CIDR are exported over BGP. Default: + false' + type: boolean + encapsulation: + description: 'Encapsulation specifies the encapsulation + type that will be used with the IP Pool. Default: + IPIP' + enum: + - IPIPCrossSubnet + - IPIP + - VXLAN + - VXLANCrossSubnet + - None + type: string + natOutgoing: + description: 'NATOutgoing specifies if NAT will be enabled + or disabled for outgoing traffic. Default: Enabled' + enum: + - Enabled + - Disabled + type: string + nodeSelector: + description: 'NodeSelector specifies the node selector + that will be set for the IP Pool. Default: ''all()''' + type: string + required: + - cidr + type: object + type: array + linuxDataplane: + description: 'LinuxDataplane is used to select the dataplane + used for Linux nodes. 
In particular, it causes the operator + to add required mounts and environment variables for the + particular dataplane. If not specified, iptables mode is + used. Default: Iptables' + enum: + - Iptables + - BPF + - VPP + type: string + mtu: + description: MTU specifies the maximum transmission unit to + use on the pod network. If not specified, Calico will perform + MTU auto-detection based on the cluster network. + format: int32 + type: integer + multiInterfaceMode: + description: 'MultiInterfaceMode configures what will configure + multiple interface per pod. Only valid for Calico Enterprise + installations using the Calico CNI plugin. Default: None' + enum: + - None + - Multus + type: string + nodeAddressAutodetectionV4: + description: NodeAddressAutodetectionV4 specifies an approach + to automatically detect node IPv4 addresses. If not specified, + will use default auto-detection settings to acquire an IPv4 + address for each node. + properties: + canReach: + description: CanReach enables IP auto-detection based + on which source address on the node is used to reach + the specified IP or domain. + type: string + cidrs: + description: CIDRS enables IP auto-detection based on + which addresses on the nodes are within one of the provided + CIDRs. + items: + type: string + type: array + firstFound: + description: FirstFound uses default interface matching + parameters to select an interface, performing best-effort + filtering based on well-known interface names. + type: boolean + interface: + description: Interface enables IP auto-detection based + on interfaces that match the given regex. + type: string + kubernetes: + description: Kubernetes configures Calico to detect node + addresses based on the Kubernetes API. + enum: + - NodeInternalIP + type: string + skipInterface: + description: SkipInterface enables IP auto-detection based + on interfaces that do not match the given regex. 
+ type: string + type: object + nodeAddressAutodetectionV6: + description: NodeAddressAutodetectionV6 specifies an approach + to automatically detect node IPv6 addresses. If not specified, + IPv6 addresses will not be auto-detected. + properties: + canReach: + description: CanReach enables IP auto-detection based + on which source address on the node is used to reach + the specified IP or domain. + type: string + cidrs: + description: CIDRS enables IP auto-detection based on + which addresses on the nodes are within one of the provided + CIDRs. + items: + type: string + type: array + firstFound: + description: FirstFound uses default interface matching + parameters to select an interface, performing best-effort + filtering based on well-known interface names. + type: boolean + interface: + description: Interface enables IP auto-detection based + on interfaces that match the given regex. + type: string + kubernetes: + description: Kubernetes configures Calico to detect node + addresses based on the Kubernetes API. + enum: + - NodeInternalIP + type: string + skipInterface: + description: SkipInterface enables IP auto-detection based + on interfaces that do not match the given regex. + type: string + type: object + type: object + calicoNodeDaemonSet: + description: CalicoNodeDaemonSet configures the calico-node DaemonSet. + If used in conjunction with the deprecated ComponentResources, + then these overrides take precedence. + properties: + metadata: + description: Metadata is a subset of a Kubernetes object's + metadata that is added to the DaemonSet. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of arbitrary non-identifying + metadata. Each of these key/value pairs are added to + the object's annotations provided the key does not already + exist in the object's annotations. 
+ type: object + labels: + additionalProperties: + type: string + description: Labels is a map of string keys and values + that may match replicaset and service selectors. Each + of these key/value pairs are added to the object's labels + provided the key does not already exist in the object's + labels. + type: object + type: object + spec: + description: Spec is the specification of the calico-node + DaemonSet. + properties: + minReadySeconds: + description: MinReadySeconds is the minimum number of + seconds for which a newly created DaemonSet pod should + be ready without any of its container crashing, for + it to be considered available. If specified, this overrides + any minReadySeconds value that may be set on the calico-node + DaemonSet. If omitted, the calico-node DaemonSet will + use its default value for minReadySeconds. + format: int32 + maximum: 2147483647 + minimum: 0 + type: integer + template: + description: Template describes the calico-node DaemonSet + pod that will be created. + properties: + metadata: + description: Metadata is a subset of a Kubernetes + object's metadata that is added to the pod's metadata. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of arbitrary + non-identifying metadata. Each of these key/value + pairs are added to the object's annotations + provided the key does not already exist in the + object's annotations. + type: object + labels: + additionalProperties: + type: string + description: Labels is a map of string keys and + values that may match replicaset and service + selectors. Each of these key/value pairs are + added to the object's labels provided the key + does not already exist in the object's labels. + type: object type: object spec: - description: Spec is the calico-kube-controllers Deployment's - PodSpec. + description: Spec is the calico-node DaemonSet's PodSpec. 
properties: affinity: description: 'Affinity is a group of affinity - scheduling rules for the calico-kube-controllers - pods. If specified, this overrides any affinity - that may be set on the calico-kube-controllers - Deployment. If omitted, the calico-kube-controllers - Deployment will use its default value for affinity. - WARNING: Please note that this field will override - the default calico-kube-controllers Deployment - affinity.' + scheduling rules for the calico-node pods. If + specified, this overrides any affinity that + may be set on the calico-node DaemonSet. If + omitted, the calico-node DaemonSet will use + its default value for affinity. WARNING: Please + note that this field will override the default + calico-node DaemonSet affinity.' properties: nodeAffinity: description: Describes node affinity scheduling @@ -11607,6 +14811,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, @@ -11738,10 +14943,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling @@ -11847,6 +15054,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that @@ -11859,10 +15067,7 @@ spec: namespaces list means "this pod's namespace". An empty selector ({}) matches all - namespaces. This field is - beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + namespaces. properties: matchExpressions: description: matchExpressions @@ -11930,6 +15135,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace 
@@ -11940,7 +15146,7 @@ spec: ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -12064,6 +15270,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -12075,9 +15282,6 @@ spec: or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is - only honored when PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -12139,6 +15343,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -12148,7 +15353,7 @@ spec: field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -12274,6 +15479,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that @@ -12286,10 +15492,7 @@ spec: namespaces list means "this pod's namespace". An empty selector ({}) matches all - namespaces. This field is - beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + namespaces. properties: matchExpressions: description: matchExpressions @@ -12357,6 +15560,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace @@ -12367,7 +15571,7 @@ spec: ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array 
@@ -12491,6 +15695,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -12502,9 +15707,6 @@ spec: or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is - only honored when PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -12566,6 +15768,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -12575,7 +15778,7 @@ spec: field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array 
@@ -12599,331 +15802,209 @@ spec: type: object type: object containers: - description: Containers is a list of calico-kube-controllers + description: Containers is a list of calico-node containers. If specified, this overrides the - specified calico-kube-controllers Deployment - containers. If omitted, the calico-kube-controllers - Deployment will use its default values for its - containers. - items: - description: CalicoKubeControllersDeploymentContainer - is a calico-kube-controllers Deployment container. - properties: - name: - description: Name is an enum which identifies - the calico-kube-controllers Deployment - container by name. - enum: - - calico-kube-controllers - type: string - resources: - description: Resources allows customization - of limits and requests for compute resources - such as cpu and memory. If specified, - this overrides the named calico-kube-controllers - Deployment container's resources. If omitted, - the calico-kube-controllers Deployment - will use its default value for this container's - resources. If used in conjunction with - the deprecated ComponentResources, then - this value takes precedence. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum - amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the - minimum amount of compute resources - required. 
If Requests is omitted for - a container, it defaults to Limits - if that is explicitly specified, otherwise - to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - required: - - name - type: object - type: array - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is the calico-kube-controllers - pod''s scheduling constraints. If specified, - each of the key/value pairs are added to the - calico-kube-controllers Deployment nodeSelector - provided the key does not already exist in the - object''s nodeSelector. If used in conjunction - with ControlPlaneNodeSelector, that nodeSelector - is set on the calico-kube-controllers Deployment - and each of this field''s key/value pairs are - added to the calico-kube-controllers Deployment - nodeSelector provided the key does not already - exist in the object''s nodeSelector. If omitted, - the calico-kube-controllers Deployment will - use its default value for nodeSelector. WARNING: - Please note that this field will modify the - default calico-kube-controllers Deployment nodeSelector.' - type: object - tolerations: - description: 'Tolerations is the calico-kube-controllers - pod''s tolerations. If specified, this overrides - any tolerations that may be set on the calico-kube-controllers - Deployment. If omitted, the calico-kube-controllers - Deployment will use its default value for tolerations. - WARNING: Please note that this field will override - the default calico-kube-controllers Deployment - tolerations.' - items: - description: The pod this Toleration is attached - to tolerates any taint that matches the triple - using the matching operator - . - properties: - effect: - description: Effect indicates the taint - effect to match. Empty means match all - taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule - and NoExecute. 
- type: string - key: - description: Key is the taint key that the - toleration applies to. Empty means match - all taint keys. If the key is empty, operator - must be Exists; this combination means - to match all values and all keys. - type: string - operator: - description: Operator represents a key's - relationship to the value. Valid operators - are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints - of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration (which - must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. - By default, it is not set, which means - tolerate the taint forever (do not evict). - Zero and negative values will be treated - as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the - toleration matches to. If the operator - is Exists, the value should be empty, - otherwise just a regular string. + specified calico-node DaemonSet containers. + If omitted, the calico-node DaemonSet will use + its default values for its containers. + items: + description: CalicoNodeDaemonSetContainer is + a calico-node DaemonSet container. + properties: + name: + description: Name is an enum which identifies + the calico-node DaemonSet container by + name. + enum: + - calico-node type: string + resources: + description: Resources allows customization + of limits and requests for compute resources + such as cpu and memory. If specified, + this overrides the named calico-node DaemonSet + container's resources. If omitted, the + calico-node DaemonSet will use its default + value for this container's resources. + If used in conjunction with the deprecated + ComponentResources, then this value takes + precedence. 
+ properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the + minimum amount of compute resources + required. If Requests is omitted for + a container, it defaults to Limits + if that is explicitly specified, otherwise + to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + required: + - name type: object type: array - type: object - type: object - type: object - type: object - calicoNetwork: - description: CalicoNetwork specifies networking configuration - options for Calico. - properties: - bgp: - description: BGP configures whether or not to enable Calico's - BGP capabilities. - enum: - - Enabled - - Disabled - type: string - containerIPForwarding: - description: 'ContainerIPForwarding configures whether ip - forwarding will be enabled for containers in the CNI configuration. - Default: Disabled' - enum: - - Enabled - - Disabled - type: string - hostPorts: - description: 'HostPorts configures whether or not Calico will - support Kubernetes HostPorts. Valid only when using the - Calico CNI plugin. Default: Enabled' - enum: - - Enabled - - Disabled - type: string - ipPools: - description: IPPools contains a list of IP pools to create - if none exist. 
At most one IP pool of each address family - may be specified. If omitted, a single pool will be configured - if needed. - items: - properties: - blockSize: - description: 'BlockSize specifies the CIDR prefex length - to use when allocating per-node IP blocks from the - main IP pool CIDR. Default: 26 (IPv4), 122 (IPv6)' - format: int32 - type: integer - cidr: - description: CIDR contains the address range for the - IP Pool in classless inter-domain routing format. - type: string - disableBGPExport: - default: false - description: 'DisableBGPExport specifies whether routes - from this IP pool''s CIDR are exported over BGP. Default: - false' - type: boolean - encapsulation: - description: 'Encapsulation specifies the encapsulation - type that will be used with the IP Pool. Default: - IPIP' - enum: - - IPIPCrossSubnet - - IPIP - - VXLAN - - VXLANCrossSubnet - - None - type: string - natOutgoing: - description: 'NATOutgoing specifies if NAT will be enabled - or disabled for outgoing traffic. Default: Enabled' - enum: - - Enabled - - Disabled - type: string - nodeSelector: - description: 'NodeSelector specifies the node selector - that will be set for the IP Pool. Default: ''all()''' - type: string - required: - - cidr - type: object - type: array - linuxDataplane: - description: 'LinuxDataplane is used to select the dataplane - used for Linux nodes. In particular, it causes the operator - to add required mounts and environment variables for the - particular dataplane. If not specified, iptables mode is - used. Default: Iptables' - enum: - - Iptables - - BPF - - VPP - type: string - mtu: - description: MTU specifies the maximum transmission unit to - use on the pod network. If not specified, Calico will perform - MTU auto-detection based on the cluster network. - format: int32 - type: integer - multiInterfaceMode: - description: 'MultiInterfaceMode configures what will configure - multiple interface per pod. 
Only valid for Calico Enterprise - installations using the Calico CNI plugin. Default: None' - enum: - - None - - Multus - type: string - nodeAddressAutodetectionV4: - description: NodeAddressAutodetectionV4 specifies an approach - to automatically detect node IPv4 addresses. If not specified, - will use default auto-detection settings to acquire an IPv4 - address for each node. - properties: - canReach: - description: CanReach enables IP auto-detection based - on which source address on the node is used to reach - the specified IP or domain. - type: string - cidrs: - description: CIDRS enables IP auto-detection based on - which addresses on the nodes are within one of the provided - CIDRs. - items: - type: string - type: array - firstFound: - description: FirstFound uses default interface matching - parameters to select an interface, performing best-effort - filtering based on well-known interface names. - type: boolean - interface: - description: Interface enables IP auto-detection based - on interfaces that match the given regex. - type: string - kubernetes: - description: Kubernetes configures Calico to detect node - addresses based on the Kubernetes API. - enum: - - NodeInternalIP - type: string - skipInterface: - description: SkipInterface enables IP auto-detection based - on interfaces that do not match the given regex. - type: string - type: object - nodeAddressAutodetectionV6: - description: NodeAddressAutodetectionV6 specifies an approach - to automatically detect node IPv6 addresses. If not specified, - IPv6 addresses will not be auto-detected. - properties: - canReach: - description: CanReach enables IP auto-detection based - on which source address on the node is used to reach - the specified IP or domain. - type: string - cidrs: - description: CIDRS enables IP auto-detection based on - which addresses on the nodes are within one of the provided - CIDRs. 
- items: - type: string - type: array - firstFound: - description: FirstFound uses default interface matching - parameters to select an interface, performing best-effort - filtering based on well-known interface names. - type: boolean - interface: - description: Interface enables IP auto-detection based - on interfaces that match the given regex. - type: string - kubernetes: - description: Kubernetes configures Calico to detect node - addresses based on the Kubernetes API. - enum: - - NodeInternalIP - type: string - skipInterface: - description: SkipInterface enables IP auto-detection based - on interfaces that do not match the given regex. - type: string + initContainers: + description: InitContainers is a list of calico-node + init containers. If specified, this overrides + the specified calico-node DaemonSet init containers. + If omitted, the calico-node DaemonSet will use + its default values for its init containers. + items: + description: CalicoNodeDaemonSetInitContainer + is a calico-node DaemonSet init container. + properties: + name: + description: Name is an enum which identifies + the calico-node DaemonSet init container + by name. + enum: + - install-cni + - hostpath-init + - flexvol-driver + - mount-bpffs + - node-certs-key-cert-provisioner + - calico-node-prometheus-server-tls-key-cert-provisioner + type: string + resources: + description: Resources allows customization + of limits and requests for compute resources + such as cpu and memory. If specified, + this overrides the named calico-node DaemonSet + init container's resources. If omitted, + the calico-node DaemonSet will use its + default value for this container's resources. + If used in conjunction with the deprecated + ComponentResources, then this value takes + precedence. 
+ properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the + minimum amount of compute resources + required. If Requests is omitted for + a container, it defaults to Limits + if that is explicitly specified, otherwise + to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + required: + - name + type: object + type: array + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is the calico-node + pod''s scheduling constraints. If specified, + each of the key/value pairs are added to the + calico-node DaemonSet nodeSelector provided + the key does not already exist in the object''s + nodeSelector. If omitted, the calico-node DaemonSet + will use its default value for nodeSelector. + WARNING: Please note that this field will modify + the default calico-node DaemonSet nodeSelector.' + type: object + tolerations: + description: 'Tolerations is the calico-node pod''s + tolerations. If specified, this overrides any + tolerations that may be set on the calico-node + DaemonSet. If omitted, the calico-node DaemonSet + will use its default value for tolerations. + WARNING: Please note that this field will override + the default calico-node DaemonSet tolerations.' 
+ items: + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match all + taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints + of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. + By default, it is not set, which means + tolerate the taint forever (do not evict). + Zero and negative values will be treated + as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the + toleration matches to. If the operator + is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object type: object type: object - calicoNodeDaemonSet: - description: CalicoNodeDaemonSet configures the calico-node DaemonSet. - If used in conjunction with the deprecated ComponentResources, - then these overrides take precedence. + calicoWindowsUpgradeDaemonSet: + description: CalicoWindowsUpgradeDaemonSet configures the calico-windows-upgrade + DaemonSet. properties: metadata: description: Metadata is a subset of a Kubernetes object's - metadata that is added to the DaemonSet. 
+ metadata that is added to the Deployment. properties: annotations: additionalProperties: @@ -12944,24 +16025,24 @@ spec: type: object type: object spec: - description: Spec is the specification of the calico-node + description: Spec is the specification of the calico-windows-upgrade DaemonSet. properties: minReadySeconds: description: MinReadySeconds is the minimum number of - seconds for which a newly created DaemonSet pod should + seconds for which a newly created Deployment pod should be ready without any of its container crashing, for it to be considered available. If specified, this overrides - any minReadySeconds value that may be set on the calico-node - DaemonSet. If omitted, the calico-node DaemonSet will - use its default value for minReadySeconds. + any minReadySeconds value that may be set on the calico-windows-upgrade + DaemonSet. If omitted, the calico-windows-upgrade DaemonSet + will use its default value for minReadySeconds. format: int32 maximum: 2147483647 minimum: 0 type: integer template: - description: Template describes the calico-node DaemonSet - pod that will be created. + description: Template describes the calico-windows-upgrade + DaemonSet pod that will be created. properties: metadata: description: Metadata is a subset of a Kubernetes 
@@ -12987,17 +16068,19 @@ spec: type: object type: object spec: - description: Spec is the calico-node DaemonSet's PodSpec. + description: Spec is the calico-windows-upgrade DaemonSet's + PodSpec. properties: affinity: description: 'Affinity is a group of affinity - scheduling rules for the calico-node pods. If - specified, this overrides any affinity that - may be set on the calico-node DaemonSet. If - omitted, the calico-node DaemonSet will use - its default value for affinity. WARNING: Please - note that this field will override the default - calico-node DaemonSet affinity.' + scheduling rules for the calico-windows-upgrade + pods. If specified, this overrides any affinity + that may be set on the calico-windows-upgrade + DaemonSet. If omitted, the calico-windows-upgrade + DaemonSet will use its default value for affinity. + WARNING: Please note that this field will override + the default calico-windows-upgrade DaemonSet + affinity.' properties: nodeAffinity: description: Describes node affinity scheduling @@ -13131,6 +16214,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, @@ -13262,10 +16346,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling @@ -13371,6 +16457,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that @@ -13383,10 +16470,7 @@ spec: namespaces list means "this pod's namespace". An empty selector ({}) matches all - namespaces. This field is - beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + namespaces. properties: matchExpressions: description: matchExpressions 
@@ -13454,6 +16538,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace @@ -13464,7 +16549,7 @@ spec: ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -13588,6 +16673,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -13599,9 +16685,6 @@ spec: or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is - only honored when PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -13663,6 +16746,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -13672,7 +16756,7 @@ spec: field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -13798,6 +16882,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that @@ -13810,10 +16895,7 @@ spec: namespaces list means "this pod's namespace". An empty selector ({}) matches all - namespaces. This field is - beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + namespaces. properties: matchExpressions: description: matchExpressions @@ -13881,6 +16963,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace 
@@ -13891,7 +16974,7 @@ spec: ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -14015,6 +17098,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -14026,9 +17110,6 @@ spec: or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is - only honored when PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions 
@@ -14077,144 +17158,78 @@ spec: type: array matchLabels: additionalProperties: - type: string - description: matchLabels is - a map of {key,value} pairs. - A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - a static list of namespace names - that the term applies to. The - term is applied to the union of - the namespaces listed in this - field and the ones selected by - namespaceSelector. null or empty - namespaces list and null namespaceSelector - means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - containers: - description: Containers is a list of calico-node - containers. If specified, this overrides the - specified calico-node DaemonSet containers. - If omitted, the calico-node DaemonSet will use - its default values for its containers. - items: - description: CalicoNodeDaemonSetContainer is - a calico-node DaemonSet container. - properties: - name: - description: Name is an enum which identifies - the calico-node DaemonSet container by - name. - enum: - - calico-node - type: string - resources: - description: Resources allows customization - of limits and requests for compute resources - such as cpu and memory. If specified, - this overrides the named calico-node DaemonSet - container's resources. 
If omitted, the - calico-node DaemonSet will use its default - value for this container's resources. - If used in conjunction with the deprecated - ComponentResources, then this value takes - precedence. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum - amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the - minimum amount of compute resources - required. If Requests is omitted for - a container, it defaults to Limits - if that is explicitly specified, otherwise - to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The + term is applied to the union of + the namespaces listed in this + field and the ones selected by + namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey type: object - type: object - required: - - name - type: object - type: array - initContainers: - description: InitContainers is a list of calico-node - init containers. If specified, this overrides - the specified calico-node DaemonSet init containers. - If omitted, the calico-node DaemonSet will use - its default values for its init containers. + type: array + type: object + type: object + containers: + description: Containers is a list of calico-windows-upgrade + containers. If specified, this overrides the + specified calico-windows-upgrade DaemonSet containers. + If omitted, the calico-windows-upgrade DaemonSet + will use its default values for its containers. items: - description: CalicoNodeDaemonSetInitContainer - is a calico-node DaemonSet init container. + description: CalicoWindowsUpgradeDaemonSetContainer + is a calico-windows-upgrade DaemonSet container. properties: name: description: Name is an enum which identifies - the calico-node DaemonSet init container + the calico-windows-upgrade DaemonSet container by name. enum: - - install-cni - - hostpath-init - - flexvol-driver - - mount-bpffs - - node-certs-key-cert-provisioner - - calico-node-prometheus-server-tls-key-cert-provisioner + - calico-windows-upgrade type: string resources: description: Resources allows customization of limits and requests for compute resources such as cpu and memory. If specified, - this overrides the named calico-node DaemonSet - init container's resources. 
If omitted, - the calico-node DaemonSet will use its - default value for this container's resources. - If used in conjunction with the deprecated - ComponentResources, then this value takes - precedence. + this overrides the named calico-windows-upgrade + DaemonSet container's resources. If omitted, + the calico-windows-upgrade DaemonSet will + use its default value for this container's + resources. properties: limits: additionalProperties: 
@@ -14250,24 +17265,26 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is the calico-node + description: 'NodeSelector is the calico-windows-upgrade pod''s scheduling constraints. If specified, each of the key/value pairs are added to the - calico-node DaemonSet nodeSelector provided - the key does not already exist in the object''s - nodeSelector. If omitted, the calico-node DaemonSet - will use its default value for nodeSelector. + calico-windows-upgrade DaemonSet nodeSelector + provided the key does not already exist in the + object''s nodeSelector. If omitted, the calico-windows-upgrade + DaemonSet will use its default value for nodeSelector. WARNING: Please note that this field will modify - the default calico-node DaemonSet nodeSelector.' + the default calico-windows-upgrade DaemonSet + nodeSelector.' type: object tolerations: - description: 'Tolerations is the calico-node pod''s - tolerations. If specified, this overrides any - tolerations that may be set on the calico-node - DaemonSet. If omitted, the calico-node DaemonSet - will use its default value for tolerations. + description: 'Tolerations is the calico-windows-upgrade + pod''s tolerations. If specified, this overrides + any tolerations that may be set on the calico-windows-upgrade + DaemonSet. If omitted, the calico-windows-upgrade + DaemonSet will use its default value for tolerations. WARNING: Please note that this field will override - the default calico-node DaemonSet tolerations.' + the default calico-windows-upgrade DaemonSet + tolerations.' items: description: The pod this Toleration is attached to tolerates any taint that matches the triple 
@@ -14319,13 +17336,219 @@ spec: type: object type: object type: object - calicoWindowsUpgradeDaemonSet: - description: CalicoWindowsUpgradeDaemonSet configures the calico-windows-upgrade + certificateManagement: + description: CertificateManagement configures pods to submit a + CertificateSigningRequest to the certificates.k8s.io/v1beta1 + API in order to obtain TLS certificates. This feature requires + that you bring your own CSR signing and approval process, otherwise + pods will be stuck during initialization. + properties: + caCert: + description: Certificate of the authority that signs the CertificateSigningRequests + in PEM format. + format: byte + type: string + keyAlgorithm: + description: 'Specify the algorithm used by pods to generate + a key pair that is associated with the X.509 certificate + request. Default: RSAWithSize2048' + enum: + - "" + - RSAWithSize2048 + - RSAWithSize4096 + - RSAWithSize8192 + - ECDSAWithCurve256 + - ECDSAWithCurve384 + - ECDSAWithCurve521 + type: string + signatureAlgorithm: + description: 'Specify the algorithm used for the signature + of the X.509 certificate request. Default: SHA256WithRSA' + enum: + - "" + - SHA256WithRSA + - SHA384WithRSA + - SHA512WithRSA + - ECDSAWithSHA256 + - ECDSAWithSHA384 + - ECDSAWithSHA512 + type: string + signerName: + description: 'When a CSR is issued to the certificates.k8s.io + API, the signerName is added to the request in order to + accommodate for clusters with multiple signers. Must be + formatted as: `/`.' + type: string + required: + - caCert + - signerName + type: object + cni: + description: CNI specifies the CNI that will be used by this installation. + properties: + ipam: + description: IPAM specifies the pod IP address management + that will be used in the Calico or Calico Enterprise installation. + properties: + type: + description: "Specifies the IPAM plugin that will be used + in the Calico or Calico Enterprise installation. 
* For + CNI Plugin Calico, this field defaults to Calico. * + For CNI Plugin GKE, this field defaults to HostLocal. + * For CNI Plugin AzureVNET, this field defaults to AzureVNET. + * For CNI Plugin AmazonVPC, this field defaults to AmazonVPC. + \n The IPAM plugin is installed and configured only + if the CNI plugin is set to Calico, for all other values + of the CNI plugin the plugin binaries and CNI config + is a dependency that is expected to be installed separately. + \n Default: Calico" + enum: + - Calico + - HostLocal + - AmazonVPC + - AzureVNET + type: string + required: + - type + type: object + type: + description: "Specifies the CNI plugin that will be used in + the Calico or Calico Enterprise installation. * For KubernetesProvider + GKE, this field defaults to GKE. * For KubernetesProvider + AKS, this field defaults to AzureVNET. * For KubernetesProvider + EKS, this field defaults to AmazonVPC. * If aws-node daemonset + exists in kube-system when the Installation resource is + created, this field defaults to AmazonVPC. * For all other + cases this field defaults to Calico. \n For the value Calico, + the CNI plugin binaries and CNI config will be installed + as part of deployment, for all other values the CNI plugin + binaries and CNI config is a dependency that is expected + to be installed separately. \n Default: Calico" + enum: + - Calico + - GKE + - AmazonVPC + - AzureVNET + type: string + required: + - type + type: object + componentResources: + description: Deprecated. Please use CalicoNodeDaemonSet, TyphaDeployment, + and KubeControllersDeployment. ComponentResources can be used + to customize the resource requirements for each component. Node, + Typha, and KubeControllers are supported for installations. + items: + description: Deprecated. Please use component resource config + fields in Installation.Spec instead. 
The ComponentResource + struct associates a ResourceRequirements with a component + by name + properties: + componentName: + description: ComponentName is an enum which identifies the + component + enum: + - Node + - Typha + - KubeControllers + type: string + resourceRequirements: + description: ResourceRequirements allows customization of + limits and requests for compute resources such as cpu + and memory. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of + compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is omitted + for a container, it defaults to Limits if that is + explicitly specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + required: + - componentName + - resourceRequirements + type: object + type: array + controlPlaneNodeSelector: + additionalProperties: + type: string + description: ControlPlaneNodeSelector is used to select control + plane nodes on which to run Calico components. This is globally + applied to all resources created by the operator excluding daemonsets. + type: object + controlPlaneReplicas: + description: ControlPlaneReplicas defines how many replicas of + the control plane core components will be deployed. 
This field + applies to all control plane components that support High Availability. + Defaults to 2. + format: int32 + type: integer + controlPlaneTolerations: + description: ControlPlaneTolerations specify tolerations which + are then globally applied to all resources created by the operator. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + csiNodeDriverDaemonSet: + description: CSINodeDriverDaemonSet configures the csi-node-driver DaemonSet. properties: metadata: description: Metadata is a subset of a Kubernetes object's - metadata that is added to the Deployment. 
+ metadata that is added to the DaemonSet. properties: annotations: additionalProperties: @@ -14346,24 +17569,24 @@ spec: type: object type: object spec: - description: Spec is the specification of the calico-windows-upgrade + description: Spec is the specification of the csi-node-driver DaemonSet. properties: minReadySeconds: description: MinReadySeconds is the minimum number of - seconds for which a newly created Deployment pod should + seconds for which a newly created DaemonSet pod should be ready without any of its container crashing, for it to be considered available. If specified, this overrides - any minReadySeconds value that may be set on the calico-windows-upgrade - DaemonSet. If omitted, the calico-windows-upgrade DaemonSet + any minReadySeconds value that may be set on the csi-node-driver + DaemonSet. If omitted, the csi-node-driver DaemonSet will use its default value for minReadySeconds. format: int32 maximum: 2147483647 minimum: 0 type: integer template: - description: Template describes the calico-windows-upgrade - DaemonSet pod that will be created. + description: Template describes the csi-node-driver DaemonSet + pod that will be created. properties: metadata: description: Metadata is a subset of a Kubernetes 
@@ -14389,19 +17612,18 @@ spec: type: object type: object spec: - description: Spec is the calico-windows-upgrade DaemonSet's + description: Spec is the csi-node-driver DaemonSet's PodSpec. properties: affinity: description: 'Affinity is a group of affinity - scheduling rules for the calico-windows-upgrade - pods. If specified, this overrides any affinity - that may be set on the calico-windows-upgrade - DaemonSet. If omitted, the calico-windows-upgrade - DaemonSet will use its default value for affinity. - WARNING: Please note that this field will override - the default calico-windows-upgrade DaemonSet - affinity.' + scheduling rules for the csi-node-driver pods. + If specified, this overrides any affinity that + may be set on the csi-node-driver DaemonSet. + If omitted, the csi-node-driver DaemonSet will + use its default value for affinity. WARNING: + Please note that this field will override the + default csi-node-driver DaemonSet affinity.' properties: nodeAffinity: description: Describes node affinity scheduling @@ -14535,6 +17757,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, @@ -14666,10 +17889,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling @@ -14775,6 +18000,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that @@ -14787,10 +18013,7 @@ spec: namespaces list means "this pod's namespace". An empty selector ({}) matches all - namespaces. This field is - beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + namespaces. properties: matchExpressions: description: matchExpressions 
@@ -14858,6 +18081,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace @@ -14868,7 +18092,7 @@ spec: ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -14992,6 +18216,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -15003,9 +18228,6 @@ spec: or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is - only honored when PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -15067,6 +18289,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -15076,7 +18299,7 @@ spec: field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -15202,6 +18425,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that @@ -15214,10 +18438,7 @@ spec: namespaces list means "this pod's namespace". An empty selector ({}) matches all - namespaces. This field is - beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + namespaces. properties: matchExpressions: description: matchExpressions @@ -15285,6 +18506,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace 
@@ -15295,7 +18517,7 @@ spec: ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -15419,6 +18641,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -15430,9 +18653,6 @@ spec: or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is - only honored when PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -15494,6 +18714,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -15503,7 +18724,7 @@ spec: field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array 
@@ -15527,30 +18748,30 @@ spec: type: object type: object containers: - description: Containers is a list of calico-windows-upgrade + description: Containers is a list of csi-node-driver containers. If specified, this overrides the - specified calico-windows-upgrade DaemonSet containers. - If omitted, the calico-windows-upgrade DaemonSet - will use its default values for its containers. + specified csi-node-driver DaemonSet containers. + If omitted, the csi-node-driver DaemonSet will + use its default values for its containers. items: - description: CalicoWindowsUpgradeDaemonSetContainer - is a calico-windows-upgrade DaemonSet container. + description: CSINodeDriverDaemonSetContainer + is a csi-node-driver DaemonSet container. properties: name: description: Name is an enum which identifies - the calico-windows-upgrade DaemonSet container + the csi-node-driver DaemonSet container by name. enum: - - calico-windows-upgrade + - csi-node-driver type: string resources: description: Resources allows customization of limits and requests for compute resources such as cpu and memory. If specified, - this overrides the named calico-windows-upgrade + this overrides the named csi-node-driver DaemonSet container's resources. If omitted, - the calico-windows-upgrade DaemonSet will - use its default value for this container's + the csi-node-driver DaemonSet will use + its default value for this container's resources. properties: limits: 
@@ -15577,293 +18798,85 @@ spec: a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - required: - - name - type: object - type: array - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is the calico-windows-upgrade - pod''s scheduling constraints. If specified, - each of the key/value pairs are added to the - calico-windows-upgrade DaemonSet nodeSelector - provided the key does not already exist in the - object''s nodeSelector. If omitted, the calico-windows-upgrade - DaemonSet will use its default value for nodeSelector. - WARNING: Please note that this field will modify - the default calico-windows-upgrade DaemonSet - nodeSelector.' - type: object - tolerations: - description: 'Tolerations is the calico-windows-upgrade - pod''s tolerations. If specified, this overrides - any tolerations that may be set on the calico-windows-upgrade - DaemonSet. If omitted, the calico-windows-upgrade - DaemonSet will use its default value for tolerations. - WARNING: Please note that this field will override - the default calico-windows-upgrade DaemonSet - tolerations.' - items: - description: The pod this Toleration is attached - to tolerates any taint that matches the triple - using the matching operator - . - properties: - effect: - description: Effect indicates the taint - effect to match. Empty means match all - taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key that the - toleration applies to. Empty means match - all taint keys. If the key is empty, operator - must be Exists; this combination means - to match all values and all keys. - type: string - operator: - description: Operator represents a key's - relationship to the value. 
Valid operators - are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints - of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration (which - must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. - By default, it is not set, which means - tolerate the taint forever (do not evict). - Zero and negative values will be treated - as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the - toleration matches to. If the operator - is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - type: object - type: object - type: object - type: object - certificateManagement: - description: CertificateManagement configures pods to submit a - CertificateSigningRequest to the certificates.k8s.io/v1beta1 - API in order to obtain TLS certificates. This feature requires - that you bring your own CSR signing and approval process, otherwise - pods will be stuck during initialization. - properties: - caCert: - description: Certificate of the authority that signs the CertificateSigningRequests - in PEM format. - format: byte - type: string - keyAlgorithm: - description: 'Specify the algorithm used by pods to generate - a key pair that is associated with the X.509 certificate - request. Default: RSAWithSize2048' - enum: - - "" - - RSAWithSize2048 - - RSAWithSize4096 - - RSAWithSize8192 - - ECDSAWithCurve256 - - ECDSAWithCurve384 - - ECDSAWithCurve521 - type: string - signatureAlgorithm: - description: 'Specify the algorithm used for the signature - of the X.509 certificate request. 
Default: SHA256WithRSA' - enum: - - "" - - SHA256WithRSA - - SHA384WithRSA - - SHA512WithRSA - - ECDSAWithSHA256 - - ECDSAWithSHA384 - - ECDSAWithSHA512 - type: string - signerName: - description: 'When a CSR is issued to the certificates.k8s.io - API, the signerName is added to the request in order to - accommodate for clusters with multiple signers. Must be - formatted as: `/`.' - type: string - required: - - caCert - - signerName - type: object - cni: - description: CNI specifies the CNI that will be used by this installation. - properties: - ipam: - description: IPAM specifies the pod IP address management - that will be used in the Calico or Calico Enterprise installation. - properties: - type: - description: "Specifies the IPAM plugin that will be used - in the Calico or Calico Enterprise installation. * For - CNI Plugin Calico, this field defaults to Calico. * - For CNI Plugin GKE, this field defaults to HostLocal. - * For CNI Plugin AzureVNET, this field defaults to AzureVNET. - * For CNI Plugin AmazonVPC, this field defaults to AmazonVPC. - \n The IPAM plugin is installed and configured only - if the CNI plugin is set to Calico, for all other values - of the CNI plugin the plugin binaries and CNI config - is a dependency that is expected to be installed separately. - \n Default: Calico" - enum: - - Calico - - HostLocal - - AmazonVPC - - AzureVNET - type: string - required: - - type + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + required: + - name + type: object + type: array + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is the csi-node-driver + pod''s scheduling constraints. If specified, + each of the key/value pairs are added to the + csi-node-driver DaemonSet nodeSelector provided + the key does not already exist in the object''s + nodeSelector. If omitted, the csi-node-driver + DaemonSet will use its default value for nodeSelector. 
+ WARNING: Please note that this field will modify + the default csi-node-driver DaemonSet nodeSelector.' + type: object + tolerations: + description: 'Tolerations is the csi-node-driver + pod''s tolerations. If specified, this overrides + any tolerations that may be set on the csi-node-driver + DaemonSet. If omitted, the csi-node-driver DaemonSet + will use its default value for tolerations. + WARNING: Please note that this field will override + the default csi-node-driver DaemonSet tolerations.' + items: + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match all + taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints + of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. + By default, it is not set, which means + tolerate the taint forever (do not evict). + Zero and negative values will be treated + as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the + toleration matches to. If the operator + is Exists, the value should be empty, + otherwise just a regular string. 
+ type: string + type: object + type: array + type: object + type: object type: object - type: - description: "Specifies the CNI plugin that will be used in - the Calico or Calico Enterprise installation. * For KubernetesProvider - GKE, this field defaults to GKE. * For KubernetesProvider - AKS, this field defaults to AzureVNET. * For KubernetesProvider - EKS, this field defaults to AmazonVPC. * If aws-node daemonset - exists in kube-system when the Installation resource is - created, this field defaults to AmazonVPC. * For all other - cases this field defaults to Calico. \n For the value Calico, - the CNI plugin binaries and CNI config will be installed - as part of deployment, for all other values the CNI plugin - binaries and CNI config is a dependency that is expected - to be installed separately. \n Default: Calico" - enum: - - Calico - - GKE - - AmazonVPC - - AzureVNET - type: string - required: - - type - type: object - componentResources: - description: Deprecated. Please use CalicoNodeDaemonSet, TyphaDeployment, - and KubeControllersDeployment. ComponentResources can be used - to customize the resource requirements for each component. Node, - Typha, and KubeControllers are supported for installations. - items: - description: Deprecated. Please use component resource config - fields in Installation.Spec instead. The ComponentResource - struct associates a ResourceRequirements with a component - by name - properties: - componentName: - description: ComponentName is an enum which identifies the - component - enum: - - Node - - Typha - - KubeControllers - type: string - resourceRequirements: - description: ResourceRequirements allows customization of - limits and requests for compute resources such as cpu - and memory. 
- properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - required: - - componentName - - resourceRequirements - type: object - type: array - controlPlaneNodeSelector: - additionalProperties: - type: string - description: ControlPlaneNodeSelector is used to select control - plane nodes on which to run Calico components. This is globally - applied to all resources created by the operator excluding daemonsets. type: object - controlPlaneReplicas: - description: ControlPlaneReplicas defines how many replicas of - the control plane core components will be deployed. This field - applies to all control plane components that support High Availability. - Defaults to 2. - format: int32 - type: integer - controlPlaneTolerations: - description: ControlPlaneTolerations specify tolerations which - are then globally applied to all resources created by the operator. - items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . 
- properties: - effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). Zero and negative values will - be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array fipsMode: description: 'FIPSMode uses images and features only that are using FIPS 140-2 validated cryptographic modules and standards. @@ -15884,7 +18897,7 @@ spec: used as the image path for each image. If not specified or empty, the default for each image will be used. A special case value, UseDefault, is supported to explicitly specify the default image - path will be used for each image. \n Image format: `/:` + path will be used for each image. \n Image format: `/:` \n This option allows configuring the `` portion of the above format." type: string 
@@ -15894,7 +18907,7 @@ spec: as a prefix on each image. If not specified or empty, no prefix will be used. A special case value, UseDefault, is supported to explicitly specify the default image prefix will be used - for each image. \n Image format: `/:` + for each image. \n Image format: `/:` \n This option allows configuring the `` portion of the above format." type: string @@ -15911,6 +18924,7 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object + x-kubernetes-map-type: atomic type: array kubeletVolumePluginPath: description: 'KubeletVolumePluginPath optionally specifies enablement @@ -15935,6 +18949,38 @@ spec: - DockerEnterprise - RKE2 type: string + logging: + description: Logging Configuration for Components + properties: + cni: + description: Customized logging specification for calico-cni + plugin + properties: + logFileMaxAgeDays: + description: 'Default: 30 (days)' + format: int32 + type: integer + logFileMaxCount: + description: 'Default: 10' + format: int32 + type: integer + logFileMaxSize: + anyOf: + - type: integer + - type: string + description: 'Default: 100Mi' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + logSeverity: + description: 'Default: Info' + enum: + - Error + - Warning + - Debug + - Info + type: string + type: object + type: object nodeMetricsPort: description: NodeMetricsPort specifies which port calico/node serves prometheus metrics on. By default, metrics are not enabled. @@ -15979,8 +19025,7 @@ spec: by the daemonset on any given node can double if the readiness check fails, and so resource intensive daemonsets should take into account that they may cause evictions - during disruption. This is beta field and enabled/disabled - by DaemonSetUpdateSurge feature gate.' + during disruption.' x-kubernetes-int-or-string: true maxUnavailable: anyOf: 
@@ -16020,7 +19065,7 @@ spec: from this registry. If not specified then the default registries will be used. A special case value, UseDefault, is supported to explicitly specify the default registries will be used. \n - Image format: `/:` + Image format: `/:` \n This option allows configuring the `` portion of the above format." type: string @@ -16125,6 +19170,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. @@ -16240,10 +19286,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object type: object typhaDeployment: 
@@ -16288,6 +19336,56 @@ spec: maximum: 2147483647 minimum: 0 type: integer + strategy: + description: The deployment strategy to use to replace + existing pods with new ones. + properties: + rollingUpdate: + description: Rolling update config params. Present + only if DeploymentStrategyType = RollingUpdate. + to be. + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: 'The maximum number of pods that + can be scheduled above the desired number of + pods. Value can be an absolute number (ex: 5) + or a percentage of desired pods (ex: 10%). This + can not be 0 if MaxUnavailable is 0. Absolute + number is calculated from percentage by rounding + up. Defaults to 25%. Example: when this is set + to 30%, the new ReplicaSet can be scaled up + immediately when the rolling update starts, + such that the total number of old and new pods + do not exceed 130% of desired pods. Once old + pods have been killed, new ReplicaSet can be + scaled up further, ensuring that total number + of pods running at any time during the update + is at most 130% of desired pods.' + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: 'The maximum number of pods that + can be unavailable during the update. Value + can be an absolute number (ex: 5) or a percentage + of desired pods (ex: 10%). Absolute number is + calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. Defaults + to 25%. Example: when this is set to 30%, the + old ReplicaSet can be scaled down to 70% of + desired pods immediately when the rolling update + starts. Once new pods are ready, old ReplicaSet + can be scaled down further, followed by scaling + up the new ReplicaSet, ensuring that the total + number of pods available at all times during + the update is at least 70% of desired pods.' 
+ x-kubernetes-int-or-string: true + type: object + type: object template: description: Template describes the typha Deployment pod that will be created. @@ -16461,6 +19559,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, @@ -16592,10 +19691,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling @@ -16701,6 +19802,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that @@ -16713,10 +19815,7 @@ spec: namespaces list means "this pod's namespace". An empty selector ({}) matches all - namespaces. This field is - beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + namespaces. properties: matchExpressions: description: matchExpressions @@ -16784,6 +19883,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace @@ -16794,7 +19894,7 @@ spec: ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -16918,6 +20018,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -16929,9 +20030,6 @@ spec: or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is - only honored when PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions 
@@ -16993,6 +20091,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -17002,7 +20101,7 @@ spec: field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -17128,6 +20227,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that @@ -17140,10 +20240,7 @@ spec: namespaces list means "this pod's namespace". An empty selector ({}) matches all - namespaces. This field is - beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + namespaces. properties: matchExpressions: description: matchExpressions @@ -17211,6 +20308,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace @@ -17221,7 +20319,7 @@ spec: ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -17345,6 +20443,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -17356,9 +20455,6 @@ spec: or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is - only honored when PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -17420,6 +20516,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names 
@@ -17429,7 +20526,7 @@ spec: field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -17584,6 +20681,22 @@ spec: WARNING: Please note that this field will modify the default calico-typha Deployment nodeSelector.' type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully. May be decreased + in delete request. Value must be non-negative + integer. The value zero indicates stop immediately + via the kill signal (no opportunity to shut + down). If this value is nil, the default grace + period will be used instead. The grace period + is the duration in seconds after the processes + running in the pod are sent a termination signal + and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + Defaults to 30 seconds. + format: int64 + type: integer tolerations: description: 'Tolerations is the typha pod''s tolerations. If specified, this overrides any 
@@ -17639,6 +20752,233 @@ spec: type: string type: object type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes + how a group of pods ought to spread across topology + domains. Scheduler will schedule pods in a way + which abides by the constraints. All topologySpreadConstraints + are ANDed. + items: + description: TopologySpreadConstraint specifies + how to spread matching pods among the given + topology. + properties: + labelSelector: + description: LabelSelector is used to find + matching pods. Pods that match this label + selector are counted to determine the + number of pods in their corresponding + topology domain. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of + pod label keys to select the pods over + which spreading will be calculated. The + keys are used to lookup values from the + incoming pod labels, those key-value labels + are ANDed with labelSelector to select + the group of existing pods over which + spreading will be calculated for the incoming + pod. Keys that don't exist in the incoming + pod labels will be ignored. A null or + empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree + to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference + between the number of matching pods in + the target topology and the global minimum. + The global minimum is the minimum number + of matching pods in an eligible domain + or zero if the number of eligible domains + is less than MinDomains. For example, + in a 3-zone cluster, MaxSkew is set to + 1, and pods with the same labelSelector + spread as 2/2/1: In this case, the global + minimum is 1. | zone1 | zone2 | zone3 + | | P P | P P | P | - if MaxSkew + is 1, incoming pod can only be scheduled + to zone3 to become 2/2/2; scheduling it + onto zone1(zone2) would make the ActualSkew(3-1) + on zone1(zone2) violate MaxSkew(1). - + if MaxSkew is 2, incoming pod can be scheduled + onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to + topologies that satisfy it. It''s a required + field. Default value is 1 and 0 is not + allowed.' + format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum + number of eligible domains. 
When the number + of eligible domains with matching topology + keys is less than minDomains, Pod Topology + Spread treats \"global minimum\" as 0, + and then the calculation of Skew is performed. + And when the number of eligible domains + with matching topology keys equals or + greater than minDomains, this value has + no effect on scheduling. As a result, + when the number of eligible domains is + less than minDomains, scheduler won't + schedule more than maxSkew Pods to those + domains. If value is nil, the constraint + behaves as if MinDomains is equal to 1. + Valid values are integers greater than + 0. When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. \n For example, + in a 3-zone cluster, MaxSkew is set to + 2, MinDomains is set to 5 and pods with + the same labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | | P P | P + P | P P | The number of domains is + less than 5(MinDomains), so \"global minimum\" + is treated as 0. In this situation, new + pod with the same labelSelector cannot + be scheduled, because computed skew will + be 3(3 - 0) if new Pod is scheduled to + any of the three zones, it will violate + MaxSkew. \n This is a beta field and requires + the MinDomainsInPodTopologySpread feature + gate to be enabled (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates + how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. + Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included + in the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in + the calculations. \n If this value is + nil, the behavior is equivalent to the + Honor policy. This is a alpha-level feature + enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." 
+ type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates + how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with + tainted nodes for which the incoming pod + has a toleration, are included. - Ignore: + node taints are ignored. All nodes are + included. \n If this value is nil, the + behavior is equivalent to the Ignore policy. + This is a alpha-level feature enabled + by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node + labels. Nodes that have a label with this + key and identical values are considered + to be in the same topology. We consider + each as a "bucket", and try + to put balanced number of pods into each + bucket. We define a domain as a particular + instance of a topology. Also, we define + an eligible domain as a domain whose nodes + meet the requirements of nodeAffinityPolicy + and nodeTaintsPolicy. e.g. If TopologyKey + is "kubernetes.io/hostname", each Node + is a domain of that topology. And, if + TopologyKey is "topology.kubernetes.io/zone", + each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates + how to deal with a pod if it doesn''t + satisfy the spread constraint. - DoNotSchedule + (default) tells the scheduler not to schedule + it. - ScheduleAnyway tells the scheduler + to schedule the pod in any location, but + giving higher precedence to topologies + that would help reduce the skew. A constraint + is considered "Unsatisfiable" for an incoming + pod if and only if every possible node + assignment for that pod would violate + "MaxSkew" on some topology. 
For example, + in a 3-zone cluster, MaxSkew is set to + 1, and pods with the same labelSelector + spread as 3/1/1: | zone1 | zone2 | zone3 + | | P P P | P | P | If WhenUnsatisfiable + is set to DoNotSchedule, incoming pod + can only be scheduled to zone2(zone3) + to become 3/2/1(3/1/2) as ActualSkew(2-1) + on zone2(zone3) satisfies MaxSkew(1). + In other words, the cluster can still + be imbalanced, but scheduler won''t make + it *more* imbalanced. It''s a required + field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object type: object @@ -17664,13 +21004,12 @@ spec: description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: description: lastTransitionTime is the last time the condition 
@@ -17752,17 +21091,9 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] --- # Source: crds/operator.tigera.io_tigerastatuses_crd.yaml - ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -18155,7 +21486,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: tigera-operator - image: quay.io/tigera/operator:v1.29.0 + image: quay.io/tigera/operator:v1.30.4 imagePullPolicy: IfNotPresent command: - operator @@ -18173,7 +21504,7 @@ spec: - name: OPERATOR_NAME value: "tigera-operator" - name: TIGERA_OPERATOR_INIT_IMAGE_VERSION - value: v1.29.0 + value: v1.30.4 envFrom: - configMapRef: name: kubernetes-services-endpoint From 938aa141aa9e3b0c8a702637bd616ce83c43ca41 Mon Sep 17 00:00:00 2001 From: Samuele Chiocca Date: Mon, 28 Aug 2023 11:19:01 +0200 Subject: [PATCH 03/24] feat: add calico dependency on cilium pipelines --- .drone.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.drone.yml b/.drone.yml index 55ad0c6..0e4976c 100644 --- a/.drone.yml +++ b/.drone.yml @@ -381,6 +381,8 @@ trigger: - refs/tags/** depends_on: + - e2e-kubernetes-1.24-calico + - e2e-kubernetes-1.25-calico - e2e-kubernetes-1.26-calico steps: @@ -480,6 +482,8 @@ trigger: - refs/tags/** depends_on: + - e2e-kubernetes-1.24-calico + - e2e-kubernetes-1.25-calico - e2e-kubernetes-1.26-calico steps: @@ -579,6 +583,8 @@ trigger: - refs/tags/** depends_on: + - e2e-kubernetes-1.24-calico + - e2e-kubernetes-1.25-calico - e2e-kubernetes-1.26-calico steps: From 400282ba7db572f74795a7c20ba380851fe15b79 Mon Sep 17 00:00:00 2001 From: Samuele Chiocca Date: Mon, 28 Aug 2023 11:55:03 +0200 Subject: [PATCH 04/24] feat: update pipeline_id for cilium pipelines --- .drone.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.drone.yml b/.drone.yml index 0e4976c..54946c3 100644 --- a/.drone.yml +++ b/.drone.yml 
@@ -61,9 +61,9 @@ steps: - render commands: # we use --ignore-deprecations because we don't want the CI to fail when the API has not been removed yet. - - /pluto detect calico.yml --ignore-deprecations --target-versions=k8s=v1.25.0 - - /pluto detect cilium.yml --ignore-deprecations --target-versions=k8s=v1.25.0 - - /pluto detect tigera-on-prem.yml --ignore-deprecations --target-versions=k8s=v1.25.0 + - /pluto detect calico.yml --ignore-deprecations --target-versions=k8s=v1.26.0 + - /pluto detect cilium.yml --ignore-deprecations --target-versions=k8s=v1.26.0 + - /pluto detect tigera-on-prem.yml --ignore-deprecations --target-versions=k8s=v1.26.0 --- name: e2e-kubernetes-1.24-calico @@ -395,7 +395,7 @@ steps: depends_on: [clone] settings: action: custom-cluster-124 - pipeline_id: cluster-124 + pipeline_id: cluster-124-cilium local_kind_config_path: katalog/tests/calico/resources/kind-config cluster_version: "1.24.0" instance_path: /shared @@ -435,7 +435,7 @@ steps: depends_on: [test] settings: action: destroy - pipeline_id: cluster-124 + pipeline_id: cluster-124-cilium aws_default_region: from_secret: aws_region aws_access_key_id: @@ -496,7 +496,7 @@ steps: depends_on: [clone] settings: action: custom-cluster-125 - pipeline_id: cluster-125 + pipeline_id: cluster-125-cilium local_kind_config_path: katalog/tests/calico/resources/kind-config cluster_version: "1.25.3" instance_path: /shared @@ -537,7 +537,7 @@ steps: depends_on: [test] settings: action: destroy - pipeline_id: cluster-125 + pipeline_id: cluster-125-cilium aws_default_region: from_secret: aws_region aws_access_key_id: @@ -597,7 +597,7 @@ steps: depends_on: [clone] settings: action: custom-cluster-126 - pipeline_id: cluster-126 + pipeline_id: cluster-126-cilium local_kind_config_path: katalog/tests/calico/resources/kind-config cluster_version: "1.26.4" instance_path: /shared 
@@ -637,7 +637,7 @@ steps: depends_on: [test] settings: action: destroy - pipeline_id: cluster-126 + pipeline_id: cluster-126-cilium aws_default_region: from_secret: aws_region aws_access_key_id: From 2ef2ebbd86181d9d693095d7fab6c1d2eca34535 Mon Sep 17 00:00:00 2001 From: FedericoAntoniazzi Date: Wed, 25 Oct 2023 12:15:44 +0200 Subject: [PATCH 05/24] feat(cilium): upgrade preflight checks --- katalog/cilium/tasks/preflight.yaml | 314 ++++++++++++++++++++++++++++ 1 file changed, 314 insertions(+) create mode 100644 katalog/cilium/tasks/preflight.yaml diff --git a/katalog/cilium/tasks/preflight.yaml b/katalog/cilium/tasks/preflight.yaml new file mode 100644 index 0000000..c940110 --- /dev/null +++ b/katalog/cilium/tasks/preflight.yaml 
@@ -0,0 +1,314 @@ +# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. +--- +# Source: cilium/templates/cilium-preflight/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "cilium-pre-flight" + namespace: kube-system +--- +# Source: cilium/templates/cilium-preflight/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cilium-pre-flight + labels: + app.kubernetes.io/part-of: cilium +rules: +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + - services + - pods + - endpoints + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + # This is used when validating policies in preflight. This will need to stay + # until we figure out how to avoid "get" inside the preflight, and then + # should be removed ideally. 
+ - get +- apiGroups: + - cilium.io + resources: + - ciliumloadbalancerippools + - ciliumbgppeeringpolicies + - ciliumclusterwideenvoyconfigs + - ciliumclusterwidenetworkpolicies + - ciliumegressgatewaypolicies + - ciliumendpoints + - ciliumendpointslices + - ciliumenvoyconfigs + - ciliumidentities + - ciliumlocalredirectpolicies + - ciliumnetworkpolicies + - ciliumnodes + - ciliumnodeconfigs + - ciliumcidrgroups + - ciliuml2announcementpolicies + - ciliumpodippools + verbs: + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumidentities + - ciliumendpoints + - ciliumnodes + verbs: + - create +- apiGroups: + - cilium.io + # To synchronize garbage collection of such resources + resources: + - ciliumidentities + verbs: + - update +- apiGroups: + - cilium.io + resources: + - ciliumendpoints + verbs: + - delete + - get +- apiGroups: + - cilium.io + resources: + - ciliumnodes + - ciliumnodes/status + verbs: + - get + - update +- apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies/status + - ciliumendpoints/status + - ciliumendpoints + - ciliuml2announcementpolicies/status + verbs: + - patch +--- +# Source: cilium/templates/cilium-preflight/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cilium-pre-flight + labels: + app.kubernetes.io/part-of: cilium +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium-pre-flight +subjects: +- kind: ServiceAccount + name: "cilium-pre-flight" + namespace: kube-system +--- +# Source: cilium/templates/cilium-preflight/daemonset.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: cilium-pre-flight-check + namespace: kube-system +spec: + selector: + matchLabels: + k8s-app: cilium-pre-flight-check + kubernetes.io/cluster-service: "true" + template: + metadata: + labels: + app.kubernetes.io/part-of: cilium + k8s-app: cilium-pre-flight-check + app.kubernetes.io/name: 
cilium-pre-flight-check + kubernetes.io/cluster-service: "true" + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + initContainers: + - name: clean-cilium-state + image: "registry.sighup.io/fury/cilium/cilium:v1.14.3" + imagePullPolicy: IfNotPresent + command: ["/bin/echo"] + args: + - "hello" + terminationMessagePolicy: FallbackToLogsOnError + containers: + - name: cilium-pre-flight-check + image: "registry.sighup.io/fury/cilium/cilium:v1.14.3" + imagePullPolicy: IfNotPresent + command: ["/bin/sh"] + args: + - -c + - "touch /tmp/ready; sleep 1h" + livenessProbe: + exec: + command: + - cat + - /tmp/ready + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - cat + - /tmp/ready + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - name: cilium-run + mountPath: /var/run/cilium + terminationMessagePolicy: FallbackToLogsOnError + hostNetwork: true + # This is here to seamlessly allow migrate-identity to work with + # etcd-operator setups. The assumption is that other cases would also + # work since the cluster DNS would forward the request on. 
+ # This differs from the cilium-agent daemonset, where this is only + # enabled when etcd.managed=true + dnsPolicy: ClusterFirstWithHostNet + restartPolicy: Always + priorityClassName: system-node-critical + serviceAccount: "cilium-pre-flight" + serviceAccountName: "cilium-pre-flight" + automountServiceAccountToken: true + terminationGracePeriodSeconds: 1 + tolerations: + - effect: NoSchedule + key: node.kubernetes.io/not-ready + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + - effect: NoSchedule + key: node.cloudprovider.kubernetes.io/uninitialized + value: "true" + - key: CriticalAddonsOnly + operator: Exists + volumes: + # To keep state between restarts / upgrades + - name: cilium-run + hostPath: + path: /var/run/cilium + type: DirectoryOrCreate + - name: bpf-maps + hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate +--- +# Source: cilium/templates/cilium-preflight/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cilium-pre-flight-check + namespace: kube-system + labels: + app.kubernetes.io/part-of: cilium + app.kubernetes.io/name: cilium-pre-flight-check +spec: + selector: + matchLabels: + k8s-app: cilium-pre-flight-check-deployment + kubernetes.io/cluster-service: "true" + template: + metadata: + labels: + app.kubernetes.io/part-of: cilium + k8s-app: cilium-pre-flight-check-deployment + kubernetes.io/cluster-service: "true" + app.kubernetes.io/name: cilium-pre-flight-check + spec: + containers: + - name: cnp-validator + image: "registry.sighup.io/fury/cilium/cilium:v1.14.3" + imagePullPolicy: IfNotPresent + command: ["/bin/sh"] + args: + - -ec + - | + cilium preflight validate-cnp; + touch /tmp/ready-validate-cnp; + sleep 1h; + livenessProbe: + exec: + command: + - cat + - /tmp/ready-validate-cnp + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - cat + - /tmp/ready-validate-cnp + initialDelaySeconds: 5 + 
periodSeconds: 5 + env: + terminationMessagePolicy: FallbackToLogsOnError + hostNetwork: true + restartPolicy: Always + priorityClassName: system-cluster-critical + serviceAccount: "cilium-pre-flight" + serviceAccountName: "cilium-pre-flight" + terminationGracePeriodSeconds: 1 + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + nodeSelector: + kubernetes.io/os: linux + tolerations: + - effect: NoSchedule + key: node.kubernetes.io/not-ready + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + - effect: NoSchedule + key: node.cloudprovider.kubernetes.io/uninitialized + value: "true" + - key: CriticalAddonsOnly + operator: Exists +--- +# Source: cilium/templates/cilium-secrets-namespace.yaml +# Only create the namespace if it's different from Ingress secret namespace or Ingress is not enabled. + +# Only create the namespace if it's different from Ingress and Gateway API secret namespaces (if enabled). From 39e83118404ea1e88d9ec5ea169d4a3895431aef Mon Sep 17 00:00:00 2001 From: FedericoAntoniazzi Date: Wed, 25 Oct 2023 12:34:21 +0200 Subject: [PATCH 06/24] docs(cilium): upgrade preflight checks --- docs/releases/v1.15.0.md | 64 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 docs/releases/v1.15.0.md diff --git a/docs/releases/v1.15.0.md b/docs/releases/v1.15.0.md new file mode 100644 index 0000000..dec6a3a --- /dev/null +++ b/docs/releases/v1.15.0.md 
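Review bot: The `cilium-pre-flight-check` DaemonSet declares a `bpf-maps` hostPath volume on `/sys/fs/bpf` with `type: DirectoryOrCreate` that no container mounts (the only `volumeMounts` entry is `cilium-run`), so it should be dropped rather than shipped as an unused host mount. The same pod runs with `hostNetwork: true` and `automountServiceAccountToken: true` while its only workload is `touch /tmp/ready; sleep 1h`, yet the bound `cilium-pre-flight` ClusterRole grants `create` on `ciliumidentities`/`ciliumendpoints`/`ciliumnodes` and `delete` on `ciliumendpoints`; unless the identity-migration path hinted at by the `dnsPolicy` comment is actually exercised, I would set `automountServiceAccountToken: false` on the DaemonSet and keep the token only on the `cnp-validator` Deployment, whose `cilium preflight validate-cnp` does need the API. Neither container sets a `securityContext`; at minimum `capabilities: {drop: [ALL]}` is safe, and `runAsNonRoot: true` is worth trying if the image's default user permits it (not visible here). Minor: `env:` in the Deployment is a bare null key and can be removed.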
@@ -0,0 +1,64 @@ +# Networking Core Module Release 1.15.0 + +Welcome to the latest release of the `Networking` module of [`Kubernetes Fury Distribution`](https://github.com/sighupio/fury-distribution) maintained by team SIGHUP. + +This minor release updates some components and adds support to Kubernetes 1.27. + +## Component Images 🚢 + +| Component | Supported Version | Previous Version | +| ----------------- | -------------------------------------------------------------------------------- | ---------------- | +| `calico` | [`v3.26.1`](https://projectcalico.docs.tigera.io/archive/v3.26/release-notes/) | `v3.25.0` | +| `cilium` | [`v1.13.3`](https://github.com/cilium/cilium/releases/tag/v1.13.1) | `v1.13.1` | +| `ip-masq` | [`v2.8.0`](https://github.com/kubernetes-sigs/ip-masq-agent/releases/tag/v2.5.0) | No update | +| `tigera-operator` | [`v1.30.4`](https://github.com/tigera/operator/releases/tag/v1.30.4) | `v1.29.0` | + +> Please refer the individual release notes to get detailed information on each release. + +## Update Guide 🦮 + +### Process + +If you are using Cilium, read the steps [below](#cilium-upgrade) before proceeding. + +1. Just deploy as usual: + +```bash +kustomize build katalog/calico | kubectl apply -f - +# OR +kustomize build katalog/tigera/on-prem | kubectl apply -f - +# OR +kustomize build katalog/cilium | kubectl apply -f - +``` + +#### Cilium upgrade +Cilium suggested path expect a pre-flight check to be run before any upgrade. + +1. Create the resources for the check +```bash +kubectl create -f katalog/cilium/tasks/preflight.yaml +``` + +2. Ensure that the number of READY pods is the same number of Cilium pods running. +```text +kubectl get daemonset -n kube-system | sed -n '1p;/cilium/p' +NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE +cilium 2 2 2 2 2 1h20m +cilium-pre-flight-check 2 2 2 2 2 7m15s +``` + +3. Once the number of READY pods is equal, make sure the Cilium pre-flight deployment is also marked as READY 1/1. 
+If it shows READY 0/1, consult the [CNP Validation](https://docs.cilium.io/en/stable/operations/upgrade/#cnp-validation) section in the official docs and resolve issues with the deployment before continuing with the upgrade. +```text +kubectl get deployment -n kube-system cilium-pre-flight-check -w +NAME READY UP-TO-DATE AVAILABLE AGE +cilium-pre-flight-check 1/1 1 0 12s +``` + +4. Once the number of READY for the preflight DaemonSet is the same as the number of cilium pods running and the preflight Deployment is marked as READY 1/1 you can delete the cilium-preflight and proceed with the upgrade. +```bash +kubectl delete -f cilium-preflight.yaml +``` + + +If you are upgrading from previous versions, please refer to the [`v1.14.0` release notes](https://github.com/sighupio/fury-kubernetes-networking/releases/tag/v1.14.0). From da06fb8fcb8288a6ced189a427b74a82e28d489c Mon Sep 17 00:00:00 2001 From: FedericoAntoniazzi Date: Fri, 27 Oct 2023 16:58:39 +0200 Subject: [PATCH 07/24] feat(cilium): Upgrade core to v1.14.3 The values.yaml file now keeps track only of overriden parameters --- katalog/cilium/MAINTENANCE.values.yaml | 147 +------------------------ katalog/cilium/core/deploy.yaml | 89 +++++++++------ 2 files changed, 58 insertions(+), 178 deletions(-) diff --git a/katalog/cilium/MAINTENANCE.values.yaml b/katalog/cilium/MAINTENANCE.values.yaml index e112892..82d0ef6 100644 --- a/katalog/cilium/MAINTENANCE.values.yaml +++ b/katalog/cilium/MAINTENANCE.values.yaml @@ -7,7 +7,7 @@ image: override: ~ repository: "registry.sighup.io/fury/cilium/cilium" - tag: "v1.13.3" + tag: "v1.14.3" useDigest: false # -- Affinity for cilium-agent. @@ -19,16 +19,6 @@ affinity: matchLabels: k8s-app: cilium -# -- Agent resource limits & requests -# ref: https://kubernetes.io/docs/user-guide/compute-resources/ -resources: {} - # limits: - # cpu: 4000m - # memory: 4Gi - # requests: - # cpu: 100m - # memory: 512Mi - hubble: # -- Enable Hubble (true by default). enabled: true 
@@ -86,7 +76,7 @@ hubble: image: override: ~ repository: "registry.sighup.io/fury/cilium/hubble-relay" - tag: "v1.13.3" + tag: "v1.14.3" useDigest: false pullPolicy: "IfNotPresent" @@ -129,7 +119,7 @@ hubble: image: override: ~ repository: "registry.sighup.io/fury/cilium/hubble-ui-backend" - tag: "v0.11.0" + tag: "v0.12.1" pullPolicy: "IfNotPresent" resources: {} @@ -145,7 +135,7 @@ hubble: image: override: ~ repository: "registry.sighup.io/fury/cilium/hubble-ui" - tag: "v0.11.0" + tag: "v0.12.1" pullPolicy: "IfNotPresent" # -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. 
@@ -182,34 +172,6 @@ installIptablesRules: true # is running in a managed Kubernetes environment or in a chained CNI setup. installNoConntrackIptablesRules: false -ipam: - # -- Configure IP Address Management mode. - # ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/ - mode: "cluster-pool" - operator: - # -- Deprecated in favor of ipam.operator.clusterPoolIPv4PodCIDRList. - # IPv4 CIDR range to delegate to individual nodes for IPAM. - clusterPoolIPv4PodCIDR: "10.0.0.0/8" - # -- IPv4 CIDR list range to delegate to individual nodes for IPAM. - clusterPoolIPv4PodCIDRList: [] - # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM. - clusterPoolIPv4MaskSize: 24 - # -- Deprecated in favor of ipam.operator.clusterPoolIPv6PodCIDRList. - # IPv6 CIDR range to delegate to individual nodes for IPAM. - clusterPoolIPv6PodCIDR: "fd00::/104" - # -- IPv6 CIDR list range to delegate to individual nodes for IPAM. - clusterPoolIPv6PodCIDRList: [] - # -- IPv6 CIDR mask size to delegate to individual nodes for IPAM. - clusterPoolIPv6MaskSize: 120 - # -- The maximum burst size when rate limiting access to external APIs. - # Also known as the token bucket capacity. - # @default -- `20` - externalAPILimitBurstSize: ~ - # -- The maximum queries per second when rate limiting access to - # external APIs. Also known as the bucket refill rate, which is used to - # refill the bucket up to the burst size capacity. - # @default -- `4.0` - externalAPILimitQPS: ~ # -- Configure the eBPF-based ip-masq-agent ipMasqAgent: @@ -239,13 +201,6 @@ k8s: {} # -- requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR # range via the Kubernetes node resource # requireIPv6PodCIDR: false - -l2NeighDiscovery: - # -- Enable L2 neighbor discovery in the agent - enabled: true - # -- Override the agent's default neighbor resolution refresh period. - refreshPeriod: "30s" - # -- Enable Layer 7 network policy. l7Proxy: true 
@@ -263,49 +218,6 @@ localRedirectPolicy: false logSystemLoad: false -# -- Configure maglev consistent hashing -maglev: {} - # -- tableSize is the size (parameter M) for the backend table of one - # service entry - # tableSize: - - # -- hashSeed is the cluster-wide base64 encoded seed for the hashing -# hashSeed: - -# -- Enables masquerading of IPv4 traffic leaving the node from endpoints. -enableIPv4Masquerade: true - -# -- Enables IPv6 BIG TCP support which increases maximum GSO/GRO limits for nodes and pods -enableIPv6BIGTCP: false - -# -- Enables masquerading of IPv6 traffic leaving the node from endpoints. -enableIPv6Masquerade: true - - -vtep: - # -- Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow - # Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel. - enabled: false - -ipv4NativeRoutingCIDR: "" - -# -- (string) Allows to explicitly specify the IPv6 CIDR for native routing. -# When specified, Cilium assumes networking for this CIDR is preconfigured and -# hands traffic destined for that range to the Linux network stack without -# applying any SNAT. -# Generally speaking, specifying a native routing CIDR implies that Cilium can -# depend on the underlying networking stack to route packets to their -# destination. To offer a concrete example, if Cilium is configured to use -# direct routing and the Kubernetes CIDR is included in the native routing CIDR, -# the user must configure the routes to reach pods, either manually or by -# setting the auto-direct-node-routes flag. -ipv6NativeRoutingCIDR: "" - -# -- cilium-monitor sidecar. -monitor: - # -- Enable the cilium-monitor sidecar. - enabled: false - # -- Configure prometheus metrics on the configured port at /metrics prometheus: enabled: true 
@@ -337,20 +249,6 @@ prometheus: # ref: https://docs.cilium.io/en/stable/operations/metrics/#exported-metrics metrics: ~ - -# -- Enable use of the remote node identity. -# ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity -remoteNodeIdentity: true - - -wellKnownIdentities: - # -- Enable the use of well-known identities. - enabled: false - -etcd: - # -- Enable etcd mode for the agent. - enabled: false - operator: # -- Enable the cilium-operator component (required). enabled: true @@ -362,19 +260,11 @@ operator: image: override: ~ repository: "registry.sighup.io/fury/cilium/operator" - tag: "v1.13.3" + tag: "v1.14.3" useDigest: false pullPolicy: "IfNotPresent" suffix: "" - resources: {} - # limits: - # cpu: 1000m - # memory: 1Gi - # requests: - # cpu: 100m - # memory: 128Mi - # -- Enable prometheus metrics for cilium-operator on the configured port at # /metrics prometheus: 
@@ -394,30 +284,3 @@ preflight: # -- Enable Cilium pre-flight resources (required for upgrade) enabled: false -enableCriticalPriorityClass: true - -# disableEnvoyVersionCheck removes the check for Envoy, which can be useful -# on AArch64 as the images do not currently ship a version of Envoy. -#disableEnvoyVersionCheck: false - -# -- Configure cgroup related configuration -cgroup: - autoMount: - # -- Enable auto mount of cgroup2 filesystem. - # When `autoMount` is enabled, cgroup2 filesystem is mounted at - # `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod. - # If users disable `autoMount`, it's expected that users have mounted - # cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the - # volume will be mounted inside the cilium agent pod at the same path. - enabled: true - # -- Init Container Cgroup Automount resource limits & requests - resources: {} - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`) - hostRoot: /run/cilium/cgroupv2 - diff --git a/katalog/cilium/core/deploy.yaml b/katalog/cilium/core/deploy.yaml index 859265d..275e18b 100644 --- a/katalog/cilium/core/deploy.yaml +++ b/katalog/cilium/core/deploy.yaml @@ -138,13 +138,16 @@ data: # - disabled # - vxlan (default) # - geneve - tunnel: "vxlan" + # Default case + routing-mode: "tunnel" + tunnel-protocol: "vxlan" # Enables L7 proxy for L7 policy enforcement and visibility enable-l7-proxy: "true" enable-ipv4-masquerade: "true" + enable-ipv4-big-tcp: "false" enable-ipv6-big-tcp: "false" enable-ipv6-masquerade: "true" 
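Review bot: The comment kept above the new `routing-mode` / `tunnel-protocol` keys still lists `disabled`, `vxlan (default)` and `geneve` as the options, but those were the values of the removed `tunnel` key; with the 1.14 split, native routing is selected via `routing-mode: "native"` and `disabled` is not a `tunnel-protocol` value. I would rewrite the comment as `# routing-mode: tunnel (default) | native` and `# tunnel-protocol: vxlan (default) | geneve` so nobody tuning this ConfigMap writes `tunnel-protocol: "disabled"`. The `# Default case` line added on the new side explains nothing on its own and can go. The `cilium-config` ConfigMap continues outside this hunk.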
@@ -162,7 +165,11 @@ data: enable-svc-source-range-check: "true" enable-l2-neigh-discovery: "true" arping-refresh-period: "30s" - cni-uninstall: "true" + enable-k8s-networkpolicy: "true" + # Tell the agent to generate and write a CNI configuration file + write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist + cni-exclusive: "true" + cni-log-file: "/var/run/cilium/cilium-cni.log" enable-endpoint-health-checking: "true" enable-health-checking: "true" enable-well-known-identities: "false" @@ -170,9 +177,12 @@ data: synchronize-k8s-nodes: "true" operator-api-serve-addr: "127.0.0.1:9234" ipam: "cluster-pool" + ipam-cilium-node-update-rate: "15s" cluster-pool-ipv4-cidr: "10.0.0.0/8" cluster-pool-ipv4-mask-size: "24" disable-cnp-status-updates: "true" + cnp-node-status-gc-interval: "0s" + egress-gateway-reconciliation-trigger-interval: "1s" enable-vtep: "false" vtep-endpoint: "" vtep-cidr: "" @@ -184,7 +194,10 @@ data: cgroup-root: "/run/cilium/cgroupv2" enable-k8s-terminating-endpoint: "true" enable-sctp: "false" + k8s-client-qps: "5" + k8s-client-burst: "10" remove-cilium-node-taints: "true" + set-cilium-node-taints: "true" set-cilium-is-up-condition: "true" unmanaged-pod-watcher-interval: "15" tofqdns-dns-reject-response-code: "refused" @@ -192,7 +205,6 @@ data: tofqdns-endpoint-max-ip-per-hostname: "50" tofqdns-idle-connection-grace-period: "0s" tofqdns-max-deferred-connection-deletes: "10000" - tofqdns-min-ttl: "3600" tofqdns-proxy-response-max-delay: "100ms" agent-not-ready-taint-key: "node.cilium.io/agent-not-ready" --- @@ -259,6 +271,9 @@ rules: - ciliumnetworkpolicies - ciliumnodes - ciliumnodeconfigs + - ciliumcidrgroups + - ciliuml2announcementpolicies + - ciliumpodippools verbs: - list - watch @@ -299,6 +314,7 @@ rules: - ciliumclusterwidenetworkpolicies/status - ciliumendpoints/status - ciliumendpoints + - ciliuml2announcementpolicies/status verbs: - patch --- 
@@ -474,14 +490,24 @@ rules: - ciliumnetworkpolicies.cilium.io - ciliumnodes.cilium.io - ciliumnodeconfigs.cilium.io + - ciliumcidrgroups.cilium.io + - ciliuml2announcementpolicies.cilium.io + - ciliumpodippools.cilium.io - apiGroups: - cilium.io resources: - ciliumloadbalancerippools + - ciliumpodippools verbs: - get - list - watch +- apiGroups: + - cilium.io + resources: + - ciliumpodippools + verbs: + - create - apiGroups: - cilium.io resources: @@ -594,10 +620,6 @@ spec: port: 9964 protocol: TCP targetPort: envoy-metrics - - name: hubble-metrics - port: 9965 - protocol: TCP - targetPort: hubble-metrics --- # Source: cilium/templates/cilium-operator/service.yaml kind: Service @@ -657,7 +679,7 @@ spec: spec: containers: - name: cilium-agent - image: "registry.sighup.io/fury/cilium/cilium:v1.13.3" + image: "registry.sighup.io/fury/cilium/cilium:v1.14.3" imagePullPolicy: IfNotPresent command: - cilium-agent @@ -714,26 +736,7 @@ spec: fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - - name: CILIUM_CNI_CHAINING_MODE - valueFrom: - configMapKeyRef: - name: cilium-config - key: cni-chaining-mode - optional: true - - name: CILIUM_CUSTOM_CNI_CONF - valueFrom: - configMapKeyRef: - name: cilium-config - key: custom-cni-conf - optional: true lifecycle: - postStart: - exec: - command: - - "/cni-install.sh" - - "--enable-debug=false" - - "--cni-exclusive=true" - - "--log-file=/var/run/cilium/cilium-cni.log" preStop: exec: command: @@ -805,7 +808,7 @@ spec: mountPath: /tmp initContainers: - name: config - image: "registry.sighup.io/fury/cilium/cilium:v1.13.3" + image: "registry.sighup.io/fury/cilium/cilium:v1.14.3" imagePullPolicy: IfNotPresent command: - cilium 
@@ -828,7 +831,7 @@ spec: # Required to mount cgroup2 filesystem on the underlying Kubernetes node. # We use nsenter command with host's cgroup and mount namespaces enabled. - name: mount-cgroup - image: "registry.sighup.io/fury/cilium/cilium:v1.13.3" + image: "registry.sighup.io/fury/cilium/cilium:v1.14.3" imagePullPolicy: IfNotPresent env: - name: CGROUP_ROOT @@ -865,7 +868,7 @@ spec: drop: - ALL - name: apply-sysctl-overwrites - image: "registry.sighup.io/fury/cilium/cilium:v1.13.3" + image: "registry.sighup.io/fury/cilium/cilium:v1.14.3" imagePullPolicy: IfNotPresent env: - name: BIN_PATH @@ -903,7 +906,7 @@ spec: # from a privileged container because the mount propagation bidirectional # only works from privileged containers. - name: mount-bpf-fs - image: "registry.sighup.io/fury/cilium/cilium:v1.13.3" + image: "registry.sighup.io/fury/cilium/cilium:v1.14.3" imagePullPolicy: IfNotPresent args: - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf' @@ -919,7 +922,7 @@ spec: mountPath: /sys/fs/bpf mountPropagation: Bidirectional - name: clean-cilium-state - image: "registry.sighup.io/fury/cilium/cilium:v1.13.3" + image: "registry.sighup.io/fury/cilium/cilium:v1.14.3" imagePullPolicy: IfNotPresent command: - /init-container.sh @@ -964,7 +967,7 @@ spec: memory: 100Mi # wait-for-kube-proxy # Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent - name: install-cni-binaries - image: "registry.sighup.io/fury/cilium/cilium:v1.13.3" + image: "registry.sighup.io/fury/cilium/cilium:v1.14.3" imagePullPolicy: IfNotPresent command: - "/install-plugin.sh" 
@@ -1079,10 +1082,14 @@ spec: matchLabels: io.cilium/app: operator name: cilium-operator + # ensure operator update on single node k8s clusters, by using rolling update with maxUnavailable=100% in case + # of one replica and no user configured Recreate strategy. + # otherwise an update might get stuck due to the default maxUnavailable=50% in combination with the + # podAntiAffinity which prevents deployments of multiple operator replicas on the same node. strategy: rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 + maxSurge: 25% + maxUnavailable: 50% type: RollingUpdate template: metadata: @@ -1095,7 +1102,7 @@ spec: spec: containers: - name: cilium-operator - image: "registry.sighup.io/fury/cilium/operator-generic:v1.13.3" + image: "registry.sighup.io/fury/cilium/operator-generic:v1.14.3" imagePullPolicy: IfNotPresent command: - cilium-operator-generic @@ -1133,6 +1140,16 @@ spec: initialDelaySeconds: 60 periodSeconds: 10 timeoutSeconds: 3 + readinessProbe: + httpGet: + host: "127.0.0.1" + path: /healthz + port: 9234 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 3 + failureThreshold: 5 volumeMounts: - name: cilium-config-path mountPath: /tmp/cilium/config-map From bda1265e9f4b9b4fb9d7e40c4e6636fd742398a3 Mon Sep 17 00:00:00 2001 From: FedericoAntoniazzi Date: Fri, 27 Oct 2023 18:50:55 +0200 Subject: [PATCH 08/24] feat(cilium): upgrade hubble to v1.14.3 --- katalog/cilium/hubble/deploy.yaml | 117 +++++++++++++-------- katalog/cilium/hubble/kustomization.yaml | 3 +- katalog/cilium/hubble/patches/cilium.yaml | 11 +- katalog/cilium/hubble/patches/service.yaml | 15 +++ 4 files changed, 96 insertions(+), 50 deletions(-) create mode 100644 katalog/cilium/hubble/patches/service.yaml diff --git a/katalog/cilium/hubble/deploy.yaml b/katalog/cilium/hubble/deploy.yaml index c9c00b5..c2cb2a7 100644 --- a/katalog/cilium/hubble/deploy.yaml +++ b/katalog/cilium/hubble/deploy.yaml 
@@ -1,7 +1,6 @@ # Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. - --- # Source: cilium/templates/hubble-relay/serviceaccount.yaml apiVersion: v1 @@ -17,6 +16,29 @@ metadata: name: "hubble-ui" namespace: kube-system --- +# Source: cilium/templates/hubble-relay/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: hubble-relay-config + namespace: kube-system +data: + config.yaml: | + cluster-name: default + peer-service: "hubble-peer.kube-system.svc.cluster.local:443" + listen-address: :4245 + gops: true + gops-port: "9893" + metrics-listen-address: ":9966" + dial-timeout: + retry-timeout: + sort-buffer-len-max: + sort-buffer-drain-timeout: + tls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt + tls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key + tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt + disable-server-tls: true +--- apiVersion: cert-manager.io/v1 kind: Issuer metadata: @@ -38,28 +60,6 @@ spec: name: self-signed-cilium kind: Issuer commonName: "cilium-ca" - ---- -# Source: cilium/templates/hubble-relay/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: hubble-relay-config - namespace: kube-system -data: - config.yaml: | - cluster-name: default - peer-service: "hubble-peer.kube-system.svc.cluster.local:443" - listen-address: :4245 - metrics-listen-address: ":9966" - dial-timeout: - retry-timeout: - sort-buffer-len-max: - sort-buffer-drain-timeout: - tls-client-cert-file: /var/lib/hubble-relay/tls/client.crt - tls-client-key-file: /var/lib/hubble-relay/tls/client.key - tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt - disable-server-tls: true --- # Source: cilium/templates/hubble-ui/configmap.yaml apiVersion: v1 
@@ -190,6 +190,28 @@ spec: port: 80 targetPort: 8081 --- +# Source: cilium/templates/hubble/metrics-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: hubble-metrics + namespace: kube-system + labels: + k8s-app: hubble + app.kubernetes.io/name: hubble + app.kubernetes.io/part-of: cilium + annotations: +spec: + clusterIP: None + type: ClusterIP + ports: + - name: hubble-metrics + port: 9965 + protocol: TCP + targetPort: hubble-metrics + selector: + k8s-app: cilium +--- # Source: cilium/templates/hubble/peer-service.yaml apiVersion: v1 kind: Service @@ -237,9 +259,18 @@ spec: app.kubernetes.io/name: hubble-relay app.kubernetes.io/part-of: cilium spec: + securityContext: + fsGroup: 65532 containers: - name: hubble-relay - image: "registry.sighup.io/fury/cilium/hubble-relay:v1.13.3" + securityContext: + capabilities: + drop: + - ALL + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + image: "registry.sighup.io/fury/cilium/hubble-relay:v1.14.3" imagePullPolicy: IfNotPresent command: - hubble-relay @@ -295,12 +326,12 @@ spec: - secret: name: hubble-relay-client-certs items: - - key: ca.crt - path: hubble-server-ca.crt - key: tls.crt path: client.crt - key: tls.key path: client.key + - key: ca.crt + path: hubble-server-ca.crt --- # Source: cilium/templates/hubble-ui/deployment.yaml kind: Deployment @@ -329,17 +360,13 @@ spec: app.kubernetes.io/name: hubble-ui app.kubernetes.io/part-of: cilium spec: - securityContext: - fsGroup: 1001 - runAsGroup: 1001 - runAsUser: 1001 - priorityClassName: + priorityClassName: serviceAccount: "hubble-ui" serviceAccountName: "hubble-ui" automountServiceAccountToken: true containers: - name: frontend - image: "registry.sighup.io/fury/cilium/hubble-ui:v0.11.0" + image: "registry.sighup.io/fury/cilium/hubble-ui:v0.12.1" imagePullPolicy: IfNotPresent ports: - name: http 
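Review bot: The `@@ -329` hunk removes the pod-level `securityContext` (`runAsUser`/`runAsGroup`/`fsGroup` 1001) from the hubble-ui Deployment and, as far as the hunk shows, adds nothing in its place for the `frontend` container, so the UI containers now run as whatever user their images default to, possibly root. That is the opposite direction from the `hubble-relay` hunk just above, which gains `runAsNonRoot: true` and `capabilities.drop: [ALL]`. Unless the upstream 1.14 chart dropped it deliberately, restore the three lines or give each hubble-ui container a securityContext matching the relay's (`runAsNonRoot: true`, drop ALL, a non-zero `runAsUser`). The rest of the hubble-ui pod spec, including the `backend` container, continues outside the hunk.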
@@ -352,7 +379,7 @@ spec: mountPath: /tmp terminationMessagePolicy: FallbackToLogsOnError - name: backend - image: "registry.sighup.io/fury/cilium/hubble-ui-backend:v0.11.0" + image: "registry.sighup.io/fury/cilium/hubble-ui-backend:v0.12.1" imagePullPolicy: IfNotPresent env: - name: EVENTS_SERVER_PORT @@ -374,6 +401,8 @@ spec: - emptyDir: {} name: tmp-dir --- + + # Source: cilium/templates/cilium-secrets-namespace.yaml # Only create the namespace if it's different from Ingress secret namespace or Ingress is not enabled. --- @@ -453,17 +482,17 @@ metadata: spec: selector: matchLabels: - k8s-app: cilium + k8s-app: hubble namespaceSelector: matchNames: - - kube-system + - kube-system endpoints: - - port: hubble-metrics - interval: "10s" - honorLabels: true - path: /metrics - relabelings: - - replacement: ${1} - sourceLabels: - - __meta_kubernetes_pod_node_name - targetLabel: node + - port: hubble-metrics + interval: "10s" + honorLabels: true + path: /metrics + relabelings: + - replacement: ${1} + sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: node diff --git a/katalog/cilium/hubble/kustomization.yaml b/katalog/cilium/hubble/kustomization.yaml index b61247b..dc5f44d 100644 --- a/katalog/cilium/hubble/kustomization.yaml +++ b/katalog/cilium/hubble/kustomization.yaml @@ -1,7 +1,7 @@ # Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. - +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization @@ -14,6 +14,7 @@ resources: patchesStrategicMerge: - patches/cilium.yaml + - patches/service.yaml configMapGenerator: - name: cilium-config diff --git a/katalog/cilium/hubble/patches/cilium.yaml b/katalog/cilium/hubble/patches/cilium.yaml index efc4778..a47ffdd 100644 --- a/katalog/cilium/hubble/patches/cilium.yaml +++ b/katalog/cilium/hubble/patches/cilium.yaml 
@@ -15,10 +15,10 @@ spec: containers: - name: cilium-agent ports: - - name: hubble-metrics - containerPort: 9965 - hostPort: 9965 - protocol: TCP + - name: hubble-metrics + containerPort: 9965 + hostPort: 9965 + protocol: TCP volumeMounts: - name: hubble-tls mountPath: /var/lib/cilium/tls/hubble @@ -26,7 +26,8 @@ spec: volumes: - name: hubble-tls projected: - # note: the leading zero means this number is in octal representation: do not remove it + # Do not remove the leading zero + # It states an octal number defaultMode: 0400 sources: - secret: diff --git a/katalog/cilium/hubble/patches/service.yaml b/katalog/cilium/hubble/patches/service.yaml new file mode 100644 index 0000000..d082d7e --- /dev/null +++ b/katalog/cilium/hubble/patches/service.yaml @@ -0,0 +1,15 @@ +# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. +--- +apiVersion: v1 +kind: Service +metadata: + name: cilium-agent + namespace: kube-system +spec: + ports: + - name: hubble-metrics + port: 9965 + protocol: TCP + targetPort: hubble-metrics From 3cd37426d430f49c770fbb0970a329eabc5da2eb Mon Sep 17 00:00:00 2001 From: FedericoAntoniazzi Date: Mon, 30 Oct 2023 15:29:43 +0100 Subject: [PATCH 09/24] ci(cilium): drop support for kubernetes 1.24 --- .drone.yml | 101 ----------------------------------------------------- 1 file changed, 101 deletions(-) diff --git a/.drone.yml b/.drone.yml index 54946c3..99df932 100644 --- a/.drone.yml +++ b/.drone.yml 
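Review bot: The new strategic-merge patch adds a `hubble-metrics` port to a Service named `cilium-agent`, but nothing in the file says where that Service is defined or who consumes the port; the ServiceMonitor in this same commit now selects `k8s-app: hubble`, the label of the new headless `hubble-metrics` Service, so this extra port is either redundant or never scraped unless `cilium-agent` also carries that label (not visible here). Since the agent pods already expose `hostPort: 9965` (the cilium.yaml hunk above), each additional Service path to an unauthenticated metrics endpoint only widens in-cluster exposure. Add a header comment stating its purpose, e.g. `# Exposes Hubble metrics on the cilium-agent Service for <consumer>; remove once the hubble-metrics Service is sufficient`, or drop the patch if it has no consumer. If the base kustomization does not define a `cilium-agent` Service, kustomize will also fail on this patch.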
@@ -363,107 +363,7 @@ volumes: temp: {} --- -name: e2e-kubernetes-1.24-cilium -kind: pipeline -type: docker -node: - runner: internal - -platform: - os: linux - arch: amd64 - -trigger: - ref: - include: - - refs/heads/master - - refs/tags/** - -depends_on: - - e2e-kubernetes-1.24-calico - - e2e-kubernetes-1.25-calico - - e2e-kubernetes-1.26-calico - -steps: - - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 - pull: always - volumes: - - name: shared - path: /shared - depends_on: [clone] - settings: - action: custom-cluster-124 - pipeline_id: cluster-124-cilium - local_kind_config_path: katalog/tests/calico/resources/kind-config - cluster_version: "1.24.0" - instance_path: /shared - aws_default_region: - from_secret: aws_region - aws_access_key_id: - from_secret: aws_access_key_id - aws_secret_access_key: - from_secret: aws_secret_access_key - terraform_tf_states_bucket_name: - from_secret: terraform_tf_states_bucket_name - vsphere_server: - from_secret: vsphere_server - vsphere_password: - from_secret: vsphere_password - vsphere_user: - from_secret: vsphere_user - dockerhub_username: - from_secret: dockerhub_username - dockerhub_password: - from_secret: dockerhub_password - - - name: test - image: quay.io/sighup/e2e-testing:1.1.0_0.7.0_3.1.1_1.9.4_1.24.1_3.8.7_4.21.1 - pull: always - volumes: - - name: shared - path: /shared - depends_on: [init] - commands: - - export KUBECONFIG=/shared/kube/kubeconfig-124 - - bats -t katalog/tests/cilium/cilium.sh - - - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 - pull: always - depends_on: [test] - settings: - action: destroy - pipeline_id: cluster-124-cilium - aws_default_region: - from_secret: aws_region - aws_access_key_id: - from_secret: aws_access_key_id - aws_secret_access_key: - from_secret: aws_secret_access_key - terraform_tf_states_bucket_name: - from_secret: terraform_tf_states_bucket_name - vsphere_server: - from_secret: vsphere_server - vsphere_password: - from_secret: 
vsphere_password - vsphere_user: - from_secret: vsphere_user - dockerhub_username: - from_secret: dockerhub_username - dockerhub_password: - from_secret: dockerhub_password - when: - status: - - success - - failure - -volumes: - - name: shared - temp: {} - ---- name: e2e-kubernetes-1.25-cilium kind: pipeline type: docker @@ -674,7 +574,6 @@ depends_on: - e2e-kubernetes-1.24-calico - e2e-kubernetes-1.25-calico - e2e-kubernetes-1.26-calico - - e2e-kubernetes-1.24-cilium - e2e-kubernetes-1.25-cilium - e2e-kubernetes-1.26-cilium From da51851a64a19b31069189f127d081eac37431d0 Mon Sep 17 00:00:00 2001 From: FedericoAntoniazzi Date: Mon, 30 Oct 2023 15:29:59 +0100 Subject: [PATCH 10/24] ci(cilium): add support for kubernetes 1.27 --- .drone.yml | 100 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) diff --git a/.drone.yml b/.drone.yml index 99df932..1e940a0 100644 --- a/.drone.yml +++ b/.drone.yml 
@@ -564,7 +564,106 @@ steps: volumes: - name: shared temp: {} +--- +name: e2e-kubernetes-1.27-cilium +kind: pipeline +type: docker + +node: + runner: internal +platform: + os: linux + arch: amd64 + +trigger: + ref: + include: + - refs/heads/master + - refs/tags/** + +depends_on: + - e2e-kubernetes-1.24-calico + - e2e-kubernetes-1.25-calico + - e2e-kubernetes-1.26-calico + +steps: + - name: init + image: quay.io/sighup/e2e-testing-drone-plugin:v1.27.1 + pull: always + volumes: + - name: shared + path: /shared + depends_on: [clone] + settings: + action: custom-cluster-127 + pipeline_id: cluster-127-cilium + local_kind_config_path: katalog/tests/calico/resources/kind-config + cluster_version: "1.27.0" + instance_path: /shared + aws_default_region: + from_secret: aws_region + aws_access_key_id: + from_secret: aws_access_key_id + aws_secret_access_key: + from_secret: aws_secret_access_key + terraform_tf_states_bucket_name: + from_secret: terraform_tf_states_bucket_name + vsphere_server: + from_secret: vsphere_server + vsphere_password: + from_secret: vsphere_password + vsphere_user: + from_secret: vsphere_user + dockerhub_username: + from_secret: dockerhub_username + dockerhub_password: + from_secret: dockerhub_password + + - name: test + image: quay.io/sighup/e2e-testing:1.1.0_0.11.0_3.12.0_1.9.4_1.27.1_3.5.3_4.33.3 + pull: always + volumes: + - name: shared + path: /shared + depends_on: [init] + commands: + - export KUBECONFIG=/shared/kube/kubeconfig-124 + - bats -t katalog/tests/cilium/cilium.sh + + - name: destroy + image: quay.io/sighup/e2e-testing-drone-plugin:v1.27.1 + pull: always + depends_on: [test] + settings: + action: destroy + pipeline_id: cluster-127-cilium + aws_default_region: + from_secret: aws_region + aws_access_key_id: + from_secret: aws_access_key_id + aws_secret_access_key: + from_secret: aws_secret_access_key + terraform_tf_states_bucket_name: + from_secret: terraform_tf_states_bucket_name + vsphere_server: + from_secret: vsphere_server + 
vsphere_password: + from_secret: vsphere_password + vsphere_user: + from_secret: vsphere_user + dockerhub_username: + from_secret: dockerhub_username + dockerhub_password: + from_secret: dockerhub_password + when: + status: + - success + - failure + +volumes: + - name: shared + temp: {} --- name: release kind: pipeline @@ -576,6 +675,7 @@ depends_on: - e2e-kubernetes-1.26-calico - e2e-kubernetes-1.25-cilium - e2e-kubernetes-1.26-cilium + - e2e-kubernetes-1.27-cilium platform: os: linux From 06d2941b5a628b7af25333083ce55b46ee6c8fab Mon Sep 17 00:00:00 2001 From: FedericoAntoniazzi Date: Thu, 2 Nov 2023 15:54:44 +0100 Subject: [PATCH 11/24] docs(compatibility): set v0.15.0 compatible with kubernetes v1.27.x --- docs/COMPATIBILITY_MATRIX.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/docs/COMPATIBILITY_MATRIX.md b/docs/COMPATIBILITY_MATRIX.md index e4758fc..f0727db 100644 --- a/docs/COMPATIBILITY_MATRIX.md +++ b/docs/COMPATIBILITY_MATRIX.md 
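Review bot: The `test` step of the new `e2e-kubernetes-1.27-cilium` pipeline exports `KUBECONFIG=/shared/kube/kubeconfig-124`, carried over from the removed 1.24 pipeline, while its `init` step creates `cluster-127-cilium`; every other pipeline pairs the kubeconfig suffix with its cluster (`kubeconfig-126` for `cluster-126`), so this step will either fail to find the file or, if a stale one exists on the shared volume, run the cilium tests against the wrong cluster. Change it to `export KUBECONFIG=/shared/kube/kubeconfig-127`. Minor: `cluster_version: "1.27.0"` does not match the `v1.27.1` plugin and test-image tags, and the `depends_on` list still names `e2e-kubernetes-1.24-calico`, which a later patch in this series renames away.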
@@ -1,13 +1,14 @@ # Compatibility Matrix -| Module Version / Kubernetes Version | 1.24.X | 1.25.X | 1.26.X | -| ----------------------------------- | ------------------ | ------------------ | ------------------ | -| v1.10.0 | :white_check_mark: | | | -| v1.11.0 | :white_check_mark: | :white_check_mark: | | -| v1.12.0 | :white_check_mark: | :white_check_mark: | | -| v1.12.1 | :white_check_mark: | :white_check_mark: | | -| v1.12.2 | :white_check_mark: | :white_check_mark: | | -| v1.14.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | +| Module Version / Kubernetes Version | 1.24.X | 1.25.X | 1.26.X | 1.27.X | +| ----------------------------------- | ------------------ | ------------------ | ------------------ | ------------------ | +| v1.10.0 | :white_check_mark: | | | | +| v1.11.0 | :white_check_mark: | :white_check_mark: | | | +| v1.12.0 | :white_check_mark: | :white_check_mark: | | | +| v1.12.1 | :white_check_mark: | :white_check_mark: | | | +| v1.12.2 | :white_check_mark: | :white_check_mark: | | | +| v1.14.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | +| v1.15.0 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: Compatible @@ -41,4 +42,4 @@ | v1.8.0 | | | | | | | :x: | :x: | :x: | :x: | | v1.8.1 | | | | | | | :x: | :x: | :x: | :x: | | v1.8.2 | | | | | | | :white_check_mark: | :x: | :x: | :x: | -| v1.9.0 | | | | | | | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | \ No newline at end of file +| v1.9.0 | | | | | | | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | From 67a19f10feca3cf7a1585421ae1c1dca5127c1c6 Mon Sep 17 00:00:00 2001 From: FedericoAntoniazzi Date: Thu, 2 Nov 2023 18:22:03 +0100 Subject: [PATCH 12/24] docs(cilium): update version to v1.14.3 Update docs/releases/v1.15.0.md --- README.md | 8 ++++---- docs/releases/v1.15.0.md | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 0d6948d..3ece547 100644 
--- a/README.md +++ b/README.md @@ -30,7 +30,7 @@ Kubernetes Fury Networking provides the following packages: | Package | Version | Description | | -------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | | [calico](katalog/calico) | `3.26.1` | [Calico][calico-page] CNI Plugin. For cluster with `< 50` nodes. | -| [cilium](katalog/cilium) | `1.13.3` | [Cilium][cilium-page] CNI Plugin. For cluster with `< 200` nodes. | +| [cilium](katalog/cilium) | `1.14.3` | [Cilium][cilium-page] CNI Plugin. For cluster with `< 200` nodes. | | [tigera](katalog/tigera) | `1.30.4` | [Tigera Operator][tigera-page], a Kubernetes Operator for Calico, provides pre-configured installations for on-prem and for EKS in policy-only mode. | | [ip-masq](katalog/ip-masq) | `2.8.0` | The `ip-masq-agent` configures iptables rules to implement IP masquerading functionality | @@ -42,9 +42,9 @@ Click on each package to see its full documentation. | Kubernetes Version | Compatibility | Notes | | ------------------ | :----------------: | --------------- | -| `1.24.x` | :white_check_mark: | No known issues | | `1.25.x` | :white_check_mark: | No known issues | | `1.26.x` | :white_check_mark: | No known issues | +| `1.27.x` | :white_check_mark: | No known issues | Check the [compatibility matrix][compatibility-matrix] for additional information on previous releases of the module. 
@@ -59,14 +59,14 @@ Check the [compatibility matrix][compatibility-matrix] for additional informatio ### Deployment -> ⚠️ please notice that the Calico packages is for cluster with less the 50 nodes. If your cluster has more than 50 nodes, you'll need to switch to [Calico + Typha](https://projectcalico.docs.tigera.io/archive/v3.23/getting-started/kubernetes/self-managed-onprem/onpremises#install-calico-with-kubernetes-api-datastore-more-than-50-nodes) or to the [Tigera Operator](katalog/tigera/README.md). +> ⚠️ Please notice that the Calico packages is for cluster with less the 50 nodes. If your cluster has more than 50 nodes, you'll need to switch to [Calico + Typha](https://projectcalico.docs.tigera.io/archive/v3.23/getting-started/kubernetes/self-managed-onprem/onpremises#install-calico-with-kubernetes-api-datastore-more-than-50-nodes) or to the [Tigera Operator](katalog/tigera/README.md). 1. List the packages you want to deploy and their version in a `Furyfile.yml` ```yaml bases: - name: networking - version: "v1.14.0" + version: "v1.15.0" ``` > See `furyctl` [documentation][furyctl-repo] for additional details about `Furyfile.yml` format. diff --git a/docs/releases/v1.15.0.md b/docs/releases/v1.15.0.md index dec6a3a..7136ce1 100644 --- a/docs/releases/v1.15.0.md +++ b/docs/releases/v1.15.0.md 
@@ -9,7 +9,7 @@ This minor release updates some components and adds support to Kubernetes 1.27. | Component | Supported Version | Previous Version | | ----------------- | -------------------------------------------------------------------------------- | ---------------- | | `calico` | [`v3.26.1`](https://projectcalico.docs.tigera.io/archive/v3.26/release-notes/) | `v3.25.0` | -| `cilium` | [`v1.13.3`](https://github.com/cilium/cilium/releases/tag/v1.13.1) | `v1.13.1` | +| `cilium` | [`v1.14.3`](https://github.com/cilium/cilium/releases/tag/v1.14.3) | `v1.13.1` | | `ip-masq` | [`v2.8.0`](https://github.com/kubernetes-sigs/ip-masq-agent/releases/tag/v2.5.0) | No update | | `tigera-operator` | [`v1.30.4`](https://github.com/tigera/operator/releases/tag/v1.30.4) | `v1.29.0` | @@ -39,7 +39,7 @@ Cilium suggested path expect a pre-flight check to be run before any upgrade. kubectl create -f katalog/cilium/tasks/preflight.yaml ``` -2. Ensure that the number of READY pods is the same number of Cilium pods running. +2. Make sure that the number of READY pods is the same as the number of RUNNING Cilium pods. ```text kubectl get daemonset -n kube-system | sed -n '1p;/cilium/p' NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE From d3fe4f4049b531df4615b172632a0076eae0ec58 Mon Sep 17 00:00:00 2001 From: mimnix <108413495+mimnix@users.noreply.github.com> Date: Tue, 7 Nov 2023 09:09:29 +0100 Subject: [PATCH 13/24] fix(ci): update addlicense go package install --- .drone.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.drone.yml b/.drone.yml index 1e940a0..7aee257 100644 --- a/.drone.yml +++ b/.drone.yml @@ -8,10 +8,10 @@ type: docker steps: - name: check - image: docker.io/library/golang:1.16 + image: docker.io/library/golang:1.21 pull: always commands: - - go get -u github.com/google/addlicense + - go install github.com/google/addlicense@v1.1.1 - addlicense -c "SIGHUP s.r.l" -v -l bsd --check . --- name: policeman 
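Review bot: The `check` step now pulls `docker.io/library/golang:1.21` with `pull: always`, a floating minor tag, so the toolchain the license check runs under changes silently whenever upstream re-tags; pinning the tool to `addlicense@v1.1.1` fixed only half of the reproducibility problem. Pin the image to a patch release or, better, a digest, e.g. `image: docker.io/library/golang:1.21.4`, and keep the `go install …@vX.Y.Z` form. With an explicit version, `go install` should be verified through the Go checksum database by default, so the tool pin is sound as long as `GOFLAGS`/`GONOSUMDB` are not overridden in the image.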
From 226f45f3975013c10e0146c0f7c29693c24a85e2 Mon Sep 17 00:00:00 2001 From: mimnix <108413495+mimnix@users.noreply.github.com> Date: Tue, 7 Nov 2023 12:36:09 +0100 Subject: [PATCH 14/24] feat(calico): upgrade manifests to v3.26.3 --- katalog/calico/MAINTENANCE.md | 4 +--- katalog/calico/deploy.yaml | 10 +++++----- katalog/calico/kustomization.yaml | 8 +++----- 3 files changed, 9 insertions(+), 13 deletions(-) diff --git a/katalog/calico/MAINTENANCE.md b/katalog/calico/MAINTENANCE.md index 3d1f62f..e400ad1 100644 --- a/katalog/calico/MAINTENANCE.md +++ b/katalog/calico/MAINTENANCE.md @@ -20,12 +20,10 @@ Compare the `deploy.yaml` file with the downloaded `calico-${CALICO_VERSION}` fi 3. Update the `kustomization.yaml` file with the right image versions. ```bash -export CALICO_IMAGE_TAG=v3.26.1 +export CALICO_IMAGE_TAG=v3.26.3 kustomize edit set image docker.io/calico/kube-controllers=registry.sighup.io/fury/calico/kube-controllers:${CALICO_IMAGE_TAG} kustomize edit set image docker.io/calico/cni=registry.sighup.io/fury/calico/cni:${CALICO_IMAGE_TAG} kustomize edit set image docker.io/calico/node=registry.sighup.io/fury/calico/node:${CALICO_IMAGE_TAG} -# Not present anymore in 3.23: -# kustomize edit set image docker.io/calico/pod2daemon-flexvol=registry.sighup.io/fury/calico/pod2daemon-flexvol:${CALICO_IMAGE_TAG} ``` > ⚠️ Remember to check if images have been added to or dropped from upstream. diff --git a/katalog/calico/deploy.yaml b/katalog/calico/deploy.yaml index 1b45e7a..9e0e4e5 100644 --- a/katalog/calico/deploy.yaml +++ b/katalog/calico/deploy.yaml @@ -4643,7 +4643,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:v3.26.1 + image: docker.io/calico/cni:v3.26.3 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: 
@@ -4671,7 +4671,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:v3.26.1 + image: docker.io/calico/cni:v3.26.3 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -4714,7 +4714,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:v3.26.1 + image: docker.io/calico/node:v3.26.3 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -4740,7 +4740,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:v3.26.1 + image: docker.io/calico/node:v3.26.3 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -4957,7 +4957,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:v3.26.1 + image: docker.io/calico/kube-controllers:v3.26.3 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. diff --git a/katalog/calico/kustomization.yaml b/katalog/calico/kustomization.yaml index 65c28eb..0cf7f1d 100644 --- a/katalog/calico/kustomization.yaml +++ b/katalog/calico/kustomization.yaml @@ -10,15 +10,13 @@ namespace: kube-system images: - name: docker.io/calico/cni newName: registry.sighup.io/fury/calico/cni - newTag: v3.26.1 + newTag: v3.26.3 - name: docker.io/calico/kube-controllers newName: registry.sighup.io/fury/calico/kube-controllers - newTag: v3.26.1 + newTag: v3.26.3 - name: docker.io/calico/node newName: registry.sighup.io/fury/calico/node - newTag: v3.26.1 -- name: docker.io/calico/pod2daemon-flexvol - newName: registry.sighup.io/fury/calico/pod2daemon-flexvol + newTag: v3.26.3 # Resources needed for Monitoring resources: 
From 51ffc3d8496fe78a4e7b2023861cf45bde3b5595 Mon Sep 17 00:00:00 2001 From: mimnix <108413495+mimnix@users.noreply.github.com> Date: Tue, 7 Nov 2023 14:11:26 +0100 Subject: [PATCH 15/24] docs(calico): maintenance and readme --- katalog/calico/MAINTENANCE.md | 4 ++-- katalog/calico/README.md | 17 +++++++++-------- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/katalog/calico/MAINTENANCE.md b/katalog/calico/MAINTENANCE.md index e400ad1..5c7e953 100644 --- a/katalog/calico/MAINTENANCE.md +++ b/katalog/calico/MAINTENANCE.md @@ -34,12 +34,12 @@ kustomize edit set image docker.io/calico/node=registry.sighup.io/fury/calico/no The resources needed to provide monitoring features are not included in the default upstream manifests. There are some additional steps to perform. -See for details. Note that we are adding an environment variable to the DaemonSet instead of modifing the `default` instance of the `felixconfigurations.crd.projectcalico.org` CRD as the docs say. Modifing the CRD is not possible using Kustomize patches. +See for details. Note that we are adding an environment variable to the DaemonSet instead of modifing the `default` instance of the `felixconfigurations.crd.projectcalico.org` CRD as the docs say. Modifing the CRD is not possible using Kustomize patches. 1. Download the dashboard from upstream: ```bash -export CALICO_VERSION=3.26.1 +export CALICO_VERSION=3.26.3 # ⚠️ Assuming $PWD == root of the project # We take the `felix-dashboard.json` from the downloaded yaml, we are not deploying `typha`, so we don't need its dashboard. curl -L https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests/grafana-dashboards.yaml | yq '.data["felix-dashboard.json"]' | sed 's/calico-demo-prometheus/prometheus/g' | jq > ./monitoring/dashboards/felix-dashboard.json diff --git a/katalog/calico/README.md b/katalog/calico/README.md index ee05d36..1e2bf3e 100644 --- a/katalog/calico/README.md +++ b/katalog/calico/README.md 
@@ -7,6 +7,7 @@ Calico supports a broad range of platforms including Kubernetes, OpenShift, Dock > For more information about Calico refer to [calico documentation][calico-documentation] +## Components and features The deployment of Calico consists of a daemon set running on every node (including the control-plane) and a controller that implements: - *policy controller* watches network policies and programs Calico policies. @@ -20,18 +21,18 @@ The deployment of Calico consists of a daemon set running on every node (includi ## Image repository and tag - calico images: - - `calico/kube-controllers:v3.25.0`. - - `calico/cni:v3.25.0`. - - `calico/node:v3.25.0`. + - `calico/kube-controllers:v3.26.3`. + - `calico/cni:v3.26.3`. + - `calico/node:v3.26.3`. - calico repositories: - - [https://github.com/projectcalico/kube-controllers](https://github.com/projectcalico/kube-controllers). - - [https://github.com/projectcalico/cni-plugin](https://github.com/projectcalico/cni-plugin). - - [https://github.com/projectcalico/node](https://github.com/projectcalico/node). + - [https://github.com/projectcalico/kube-controllers](https://github.com/projectcalico/calico/tree/master/kube-controllers). + - [https://github.com/projectcalico/cni-plugin](https://github.com/projectcalico/calico/tree/master/cni-plugin). + - [https://github.com/projectcalico/node](https://github.com/projectcalico/calico/tree/master/node). ## Requirements -- Tested with Kubernetes >= `1.23.X`. -- Tested with Kustomize >= `v3.3.X`. +- Tested with Kubernetes >= `1.25.X`. +- Tested with Kustomize >= `v3.5.3`. - Prometheus Operator, optional if you want to have metrics. ## Configuration From 6452ce3d5a6ce8ba6c67b9deb0ab4c6d05bfb82f Mon Sep 17 00:00:00 2001 
From: mimnix <108413495+mimnix@users.noreply.github.com> Date: Tue, 7 Nov 2023 14:35:04 +0100 Subject: [PATCH 16/24] feat(calico): upgrade tigera operator to v3.26.3 --- katalog/tigera/operator/tigera-operator.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/katalog/tigera/operator/tigera-operator.yaml b/katalog/tigera/operator/tigera-operator.yaml index 0bbea6f..8b4f010 100644 --- a/katalog/tigera/operator/tigera-operator.yaml +++ b/katalog/tigera/operator/tigera-operator.yaml @@ -21486,7 +21486,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: tigera-operator - image: quay.io/tigera/operator:v1.30.4 + image: quay.io/tigera/operator:v1.30.7 imagePullPolicy: IfNotPresent command: - operator @@ -21504,7 +21504,7 @@ spec: - name: OPERATOR_NAME value: "tigera-operator" - name: TIGERA_OPERATOR_INIT_IMAGE_VERSION - value: v1.30.4 + value: v1.30.7 envFrom: - configMapRef: name: kubernetes-services-endpoint From 275dba231af08addb07a62d39acab18fb98d014a Mon Sep 17 00:00:00 2001 From: mimnix <108413495+mimnix@users.noreply.github.com> Date: Tue, 7 Nov 2023 14:36:40 +0100 Subject: [PATCH 17/24] docs(calico): maintenance tigera operator --- katalog/tigera/MAINTENANCE.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/katalog/tigera/MAINTENANCE.md b/katalog/tigera/MAINTENANCE.md index 577de56..d79bcfe 100644 --- a/katalog/tigera/MAINTENANCE.md +++ b/katalog/tigera/MAINTENANCE.md @@ -11,7 +11,7 @@ To update the YAML file, run the following command: ```bash # assuming katalog/tigera is the root of the repository -export CALICO_VERSION="3.26.1" +export CALICO_VERSION="3.26.3" curl "https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests/tigera-operator.yaml" --output operator/tigera-operator.yaml ``` 
@@ -28,7 +28,7 @@ To download the default configuration from upstream and update the file use the ```bash # assuming katalog/tigera is the root of the repository -export CALICO_VERSION="3.26.1" +export CALICO_VERSION="3.26.3" curl https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests/custom-resources.yaml --output on-prem/custom-resources.yaml ``` @@ -50,7 +50,7 @@ To get the dashboards you can use the following commands: ```bash # ⚠️ Assuming $PWD == root of the project -export CALICO_VERSION=3.26.1 +export CALICO_VERSION="3.26.3" # we split the upstream file and store only the json files curl -L https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests/grafana-dashboards.yaml | yq '.data["felix-dashboard.json"]' | sed 's/calico-demo-prometheus/prometheus/g' | jq > ./on-prem/monitoring/dashboards/felix-dashboard.json curl -L https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests/grafana-dashboards.yaml | yq '.data["typha-dashboard.json"]' | sed 's/calico-demo-prometheus/prometheus/g' | jq > ./on-prem/monitoring/dashboards/typa-dashboard.json From f799876652c8586f4648cf3ecf2c1e4d07042cdb Mon Sep 17 00:00:00 2001 From: mimnix <108413495+mimnix@users.noreply.github.com> Date: Mon, 13 Nov 2023 11:53:13 +0100 Subject: [PATCH 18/24] ci(calico): add pipeline 1.27, drop pipeline 1.24 --- .drone.yml | 59 +++++++++++++++++++++++++++--------------------------- 1 file changed, 29 insertions(+), 30 deletions(-) diff --git a/.drone.yml b/.drone.yml index 6b55827..ac40899 100644 --- a/.drone.yml +++ b/.drone.yml @@ -66,7 +66,7 @@ steps: - /pluto detect tigera-on-prem.yml --ignore-deprecations --target-versions=k8s=v1.26.0 --- -name: e2e-kubernetes-1.24-calico +name: e2e-kubernetes-1.25-calico kind: pipeline type: docker 
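Review bot: The rename of `e2e-kubernetes-1.24-calico` to `…-1.25-calico` starts the move to a 1.25–1.27 test matrix, but the `policeman` context line just above it still runs `/pluto detect tigera-on-prem.yml --ignore-deprecations --target-versions=k8s=v1.26.0`, so deprecated or removed APIs are never checked against 1.27 even though the series adds 1.27 e2e pipelines. Bump it to `--target-versions=k8s=v1.27.0` and reconsider `--ignore-deprecations`, which hides exactly the warnings a version bump is meant to surface (sibling pluto lines, if any, sit above the hunk).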
@@ -88,17 +88,17 @@ depends_on: steps: - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 pull: always volumes: - name: shared path: /shared depends_on: [clone] settings: - action: custom-cluster-124 - pipeline_id: cluster-124 + action: custom-cluster-125 + pipeline_id: cluster-125 local_kind_config_path: katalog/tests/calico/resources/kind-config - cluster_version: "1.24.0" + cluster_version: "1.25.3" instance_path: /shared aws_default_region: from_secret: aws_region @@ -120,23 +120,24 @@ steps: from_secret: dockerhub_password - name: test - image: quay.io/sighup/e2e-testing:1.1.0_0.7.0_3.1.1_1.9.4_1.24.1_3.8.7_4.21.1 + # KUBECTL 1.25.3 - KUSTOMIZE 3.5.3 - HELM 3.1.1 - YQ 4.21.1 - ISTIOCTL 1.9.4 - FURYCTL 0.9.0 - BATS 1.1.0 + image: quay.io/sighup/e2e-testing:1.1.0_0.9.0_3.1.1_1.9.4_1.25.3_3.5.3_4.21.1 pull: always volumes: - name: shared path: /shared depends_on: [init] commands: - - export KUBECONFIG=/shared/kube/kubeconfig-124 + - export KUBECONFIG=/shared/kube/kubeconfig-125 - bats -t katalog/tests/calico/calico.sh - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 pull: always depends_on: [test] settings: action: destroy - pipeline_id: cluster-124 + pipeline_id: cluster-125 aws_default_region: from_secret: aws_region aws_access_key_id: @@ -163,9 +164,8 @@ steps: volumes: - name: shared temp: {} - --- -name: e2e-kubernetes-1.25-calico +name: e2e-kubernetes-1.26-calico kind: pipeline type: docker 
@@ -187,17 +187,17 @@ depends_on: steps: - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.4 pull: always volumes: - name: shared path: /shared depends_on: [clone] settings: - action: custom-cluster-125 - pipeline_id: cluster-125 + action: custom-cluster-126 + pipeline_id: cluster-126 local_kind_config_path: katalog/tests/calico/resources/kind-config - cluster_version: "1.25.3" + cluster_version: "1.26.4" instance_path: /shared aws_default_region: from_secret: aws_region @@ -219,24 +219,23 @@ steps: from_secret: dockerhub_password - name: test - # KUBECTL 1.25.3 - KUSTOMIZE 3.5.3 - HELM 3.1.1 - YQ 4.21.1 - ISTIOCTL 1.9.4 - FURYCTL 0.9.0 - BATS 1.1.0 - image: quay.io/sighup/e2e-testing:1.1.0_0.9.0_3.1.1_1.9.4_1.25.3_3.5.3_4.21.1 + image: quay.io/sighup/e2e-testing:1.1.0_0.11.0_3.1.1_1.9.4_1.26.3_3.5.3_4.33.3 pull: always volumes: - name: shared path: /shared depends_on: [init] commands: - - export KUBECONFIG=/shared/kube/kubeconfig-125 + - export KUBECONFIG=/shared/kube/kubeconfig-126 - bats -t katalog/tests/calico/calico.sh - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.4 pull: always depends_on: [test] settings: action: destroy - pipeline_id: cluster-125 + pipeline_id: cluster-126 aws_default_region: from_secret: aws_region aws_access_key_id: @@ -264,7 +263,7 @@ volumes: - name: shared temp: {} --- -name: e2e-kubernetes-1.26-calico +name: e2e-kubernetes-1.27-calico kind: pipeline type: docker 
@@ -286,17 +285,17 @@ depends_on: steps: - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.4 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.27.1 pull: always volumes: - name: shared path: /shared depends_on: [clone] settings: - action: custom-cluster-126 - pipeline_id: cluster-126 + action: custom-cluster-127 + pipeline_id: cluster-127 local_kind_config_path: katalog/tests/calico/resources/kind-config - cluster_version: "1.26.4" + cluster_version: "1.27.1" instance_path: /shared aws_default_region: from_secret: aws_region @@ -318,23 +317,23 @@ steps: from_secret: dockerhub_password - name: test - image: quay.io/sighup/e2e-testing:1.1.0_0.11.0_3.1.1_1.9.4_1.26.3_3.5.3_4.33.3 + image: quay.io/sighup/e2e-testing:1.1.0_0.11.0_3.12.0_1.9.4_1.27.1_3.5.3_4.33.3 pull: always volumes: - name: shared path: /shared depends_on: [init] commands: - - export KUBECONFIG=/shared/kube/kubeconfig-126 + - export KUBECONFIG=/shared/kube/kubeconfig-127 - bats -t katalog/tests/calico/calico.sh - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.4 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.27.1 pull: always depends_on: [test] settings: action: destroy - pipeline_id: cluster-126 + pipeline_id: cluster-127 aws_default_region: from_secret: aws_region aws_access_key_id: @@ -670,9 +669,9 @@ kind: pipeline type: docker depends_on: - - e2e-kubernetes-1.24-calico - e2e-kubernetes-1.25-calico - e2e-kubernetes-1.26-calico + - e2e-kubernetes-1.27-calico - e2e-kubernetes-1.25-cilium - e2e-kubernetes-1.26-cilium - e2e-kubernetes-1.27-cilium From bd7d3051ed51c347f26a370810059cc000b1fe47 Mon Sep 17 00:00:00 2001 From: mimnix <108413495+mimnix@users.noreply.github.com> Date: Mon, 13 Nov 2023 14:58:58 +0100 Subject: [PATCH 19/24] docs(calico): release and compatibility matrix --- docs/COMPATIBILITY_MATRIX.md | 2 +- docs/releases/v1.15.0.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
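Review bot: The new 1.27 calico `test` image in the `@@ -318` hunk moves helm from 3.1.1 to 3.12.0 (`1.1.0_0.11.0_3.12.0_1.9.4_1.27.1_3.5.3_4.33.3`) while the 1.25 and 1.26 calico pipelines keep 3.1.1, so the three pipelines no longer exercise `katalog/tests/calico/calico.sh` with the same toolchain. If the bats suite does not invoke helm this is harmless, but it is not visible here; either align the helm field across the three tags or record the intended divergence in a comment on the image line, e.g. `# helm 3.12.0 required by k8s 1.27 — older pipelines stay on 3.1.1`, so a later bump does not have to rediscover the reason.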
diff --git a/docs/COMPATIBILITY_MATRIX.md b/docs/COMPATIBILITY_MATRIX.md index f0727db..7184aa8 100644 --- a/docs/COMPATIBILITY_MATRIX.md +++ b/docs/COMPATIBILITY_MATRIX.md @@ -8,7 +8,7 @@ | v1.12.1 | :white_check_mark: | :white_check_mark: | | | | v1.12.2 | :white_check_mark: | :white_check_mark: | | | | v1.14.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | -| v1.15.0 | | | :white_check_mark: | :white_check_mark: | +| v1.15.0 | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: Compatible diff --git a/docs/releases/v1.15.0.md b/docs/releases/v1.15.0.md index 7136ce1..1202a27 100644 --- a/docs/releases/v1.15.0.md +++ b/docs/releases/v1.15.0.md @@ -8,10 +8,10 @@ This minor release updates some components and adds support to Kubernetes 1.27. | Component | Supported Version | Previous Version | | ----------------- | -------------------------------------------------------------------------------- | ---------------- | -| `calico` | [`v3.26.1`](https://projectcalico.docs.tigera.io/archive/v3.26/release-notes/) | `v3.25.0` | +| `calico` | [`v3.26.3`](https://projectcalico.docs.tigera.io/archive/v3.26/release-notes/) | `v3.26.1` | | `cilium` | [`v1.14.3`](https://github.com/cilium/cilium/releases/tag/v1.14.3) | `v1.13.1` | | `ip-masq` | [`v2.8.0`](https://github.com/kubernetes-sigs/ip-masq-agent/releases/tag/v2.5.0) | No update | -| `tigera-operator` | [`v1.30.4`](https://github.com/tigera/operator/releases/tag/v1.30.4) | `v1.29.0` | +| `tigera-operator` | [`v1.30.7`](https://github.com/tigera/operator/releases/tag/v1.30.7) | `v1.30.4` | > Please refer the individual release notes to get detailed information on each release. From 327db81890499d1f57c8e3250b1e07d8c080ec62 Mon Sep 17 00:00:00 2001 
From: mimnix <108413495+mimnix@users.noreply.github.com> Date: Tue, 14 Nov 2023 12:47:32 +0100 Subject: [PATCH 20/24] docs(calico): bump versions in main README.md file --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f14ef5a..a87dd42 100644 --- a/README.md +++ b/README.md @@ -29,9 +29,9 @@ Kubernetes Fury Networking provides the following packages: | Package | Version | Description | | -------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | -| [calico](katalog/calico) | `3.26.1` | [Calico][calico-page] CNI Plugin. For cluster with `< 50` nodes. | +| [calico](katalog/calico) | `3.26.3` | [Calico][calico-page] CNI Plugin. For cluster with `< 50` nodes. | | [cilium](katalog/cilium) | `1.14.3` | [Cilium][cilium-page] CNI Plugin. For cluster with `< 200` nodes. | -| [tigera](katalog/tigera) | `1.30.4` | [Tigera Operator][tigera-page], a Kubernetes Operator for Calico, provides pre-configured installations for on-prem and for EKS in policy-only mode. | +| [tigera](katalog/tigera) | `1.30.7` | [Tigera Operator][tigera-page], a Kubernetes Operator for Calico, provides pre-configured installations for on-prem and for EKS in policy-only mode. | | [ip-masq](katalog/ip-masq) | `2.8.0` | The `ip-masq-agent` configures iptables rules to implement IP masquerading functionality | > The resources in these packages are going to be deployed in `kube-system` namespace. Except for the operator. 
@@ -60,7 +60,7 @@ Check the [compatibility matrix][compatibility-matrix] for additional informatio ### Deployment -> ⚠️ Please notice that the Calico packages is for cluster with less the 50 nodes. If your cluster has more than 50 nodes, you'll need to switch to [Calico + Typha](https://projectcalico.docs.tigera.io/archive/v3.23/getting-started/kubernetes/self-managed-onprem/onpremises#install-calico-with-kubernetes-api-datastore-more-than-50-nodes) or to the [Tigera Operator](katalog/tigera/README.md). +> ⚠️ Please notice that the Calico packages is for cluster with less the 50 nodes. If your cluster has more than 50 nodes, you'll need to switch to [Calico + Typha](https://docs.tigera.io/calico/latest/getting-started/kubernetes/self-managed-onprem/onpremises) or to the [Tigera Operator](katalog/tigera/README.md). 1. List the packages you want to deploy and their version in a `Furyfile.yml` From d0e638e9a0865ad611538ff734a72ba0337c8fbc Mon Sep 17 00:00:00 2001 From: Samuele Chiocca Date: Fri, 24 Nov 2023 14:38:19 +0100 Subject: [PATCH 21/24] fix: drone pipeline dependencies --- .drone.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.drone.yml b/.drone.yml index ac40899..d2c3886 100644 --- a/.drone.yml +++ b/.drone.yml @@ -380,9 +380,9 @@ trigger: - refs/tags/** depends_on: - - e2e-kubernetes-1.24-calico - e2e-kubernetes-1.25-calico - e2e-kubernetes-1.26-calico + - e2e-kubernetes-1.27-calico steps: - name: init @@ -482,9 +482,9 @@ trigger: - refs/tags/** depends_on: - - e2e-kubernetes-1.24-calico - e2e-kubernetes-1.25-calico - e2e-kubernetes-1.26-calico + - e2e-kubernetes-1.27-calico steps: - name: init @@ -582,9 +582,9 @@ trigger: - refs/tags/** depends_on: - - e2e-kubernetes-1.24-calico - e2e-kubernetes-1.25-calico - e2e-kubernetes-1.26-calico + - e2e-kubernetes-1.27-calico steps: - name: init From ab8142ba7084e860fa603a266f0f9010f4592758 Mon Sep 17 00:00:00 2001 
From: Samuele Chiocca Date: Fri, 24 Nov 2023 14:42:28 +0100 Subject: [PATCH 22/24] feat: improve 1.27 pipeline using e2e-testing-drone-plugin image v2.0.0 --- .drone.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.drone.yml b/.drone.yml index d2c3886..d542e9c 100644 --- a/.drone.yml +++ b/.drone.yml @@ -285,7 +285,7 @@ depends_on: steps: - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v1.27.1 + image: quay.io/sighup/e2e-testing-drone-plugin:v2.0.0 pull: always volumes: - name: shared @@ -328,7 +328,7 @@ steps: - bats -t katalog/tests/calico/calico.sh - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v1.27.1 + image: quay.io/sighup/e2e-testing-drone-plugin:v2.0.0 pull: always depends_on: [test] settings: @@ -588,7 +588,7 @@ depends_on: steps: - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v1.27.1 + image: quay.io/sighup/e2e-testing-drone-plugin:v2.0.0 pull: always volumes: - name: shared @@ -631,7 +631,7 @@ steps: - bats -t katalog/tests/cilium/cilium.sh - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v1.27.1 + image: quay.io/sighup/e2e-testing-drone-plugin:v2.0.0 pull: always depends_on: [test] settings: From 29cff88d9713171543598ccb9f3d222b8b3588d5 Mon Sep 17 00:00:00 2001 From: Samuele Chiocca Date: Mon, 27 Nov 2023 10:58:28 +0100 Subject: [PATCH 23/24] fix: wrong kubeconfig on cilium 1.27 step --- .drone.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.drone.yml b/.drone.yml index d542e9c..16e429c 100644 --- a/.drone.yml +++ b/.drone.yml @@ -627,7 +627,7 @@ steps: path: /shared depends_on: [init] commands: - - export KUBECONFIG=/shared/kube/kubeconfig-124 + - export KUBECONFIG=/shared/kube/kubeconfig-127 - bats -t katalog/tests/cilium/cilium.sh - name: destroy From bf1c29a9d4dc58a2112e34b4541e9049f0e44134 Mon Sep 17 00:00:00 2001 
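Review bot: The corrected `export KUBECONFIG=/shared/kube/kubeconfig-127` in the `@@ -627` hunk fixes the path, but nothing in the `test` step checks that the file exists before `bats` runs, which is why the stale `kubeconfig-124` reference went unnoticed: with a missing file kubectl falls back to its default config and the suite fails with a connection error that does not name the real cause. A guard before the export, `test -s /shared/kube/kubeconfig-127`, fails the step immediately and names the missing file; the same line belongs in the other e2e `test` steps. Whether the plugin writes exactly `kubeconfig-127` for this pipeline's `pipeline_id` is not visible in this hunk, so it is worth confirming against the `init` step's settings.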
From: Samuele Chiocca Date: Mon, 27 Nov 2023 11:52:05 +0100 Subject: [PATCH 24/24] fix: bump v1.27 on cilium, change dependency graph --- .drone.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/.drone.yml b/.drone.yml index 16e429c..383256c 100644 --- a/.drone.yml +++ b/.drone.yml @@ -381,8 +381,6 @@ trigger: depends_on: - e2e-kubernetes-1.25-calico - - e2e-kubernetes-1.26-calico - - e2e-kubernetes-1.27-calico steps: - name: init @@ -482,9 +480,7 @@ trigger: - refs/tags/** depends_on: - - e2e-kubernetes-1.25-calico - e2e-kubernetes-1.26-calico - - e2e-kubernetes-1.27-calico steps: - name: init @@ -582,8 +578,6 @@ trigger: - refs/tags/** depends_on: - - e2e-kubernetes-1.25-calico - - e2e-kubernetes-1.26-calico - e2e-kubernetes-1.27-calico steps: @@ -598,7 +592,7 @@ steps: action: custom-cluster-127 pipeline_id: cluster-127-cilium local_kind_config_path: katalog/tests/calico/resources/kind-config - cluster_version: "1.27.0" + cluster_version: "1.27.1" instance_path: /shared aws_default_region: from_secret: aws_region
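Review bot: In the `init` step of the 1.27 cilium pipeline (`@@ -598` hunk) `pipeline_id` is `cluster-127-cilium`, while every calico `init` step in this series uses the bare `cluster-1NN` id that matches the `kubeconfig-1NN` its `test` step exports; the cilium `test` step, outside this hunk, exports `kubeconfig-127`. If the plugin derives the kubeconfig filename from `pipeline_id`, that export will point at a file that is never written, so the pairing should be checked once against the plugin's contract rather than assumed from the calico pipelines. Making the suffix uniform across the cilium pipelines, or dropping it here, would at least make the convention consistent, and a `test -s /shared/kube/kubeconfig-127` in the test step would turn any mismatch into an immediate, named failure. The `cluster_version: "1.27.1"` bump itself is correctly quoted and matches the 1.27 calico pipeline.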