

  1. ---
  2. # This manifest installs the calico/node container, as well
  3. # as the Calico CNI plugins and network config on
  4. # each control plane and worker node in a Kubernetes cluster.
  5. kind: DaemonSet
  6. apiVersion: apps/v1
  7. metadata:
  8. name: calico-node
  9. namespace: kube-system
  10. labels:
  11. k8s-app: calico-node
  12. spec:
  13. selector:
  14. matchLabels:
  15. k8s-app: calico-node
  16. template:
  17. metadata:
  18. labels:
  19. k8s-app: calico-node
  20. annotations:
  21. {% if calico_datastore == "etcd" %}
  22. kubespray.etcd-cert/serial: "{{ etcd_client_cert_serial }}"
  23. {% endif %}
  24. {% if calico_felix_prometheusmetricsenabled %}
  25. prometheus.io/scrape: 'true'
  26. prometheus.io/port: "{{ calico_felix_prometheusmetricsport }}"
  27. {% endif %}
  28. spec:
  29. nodeSelector:
  30. {{ calico_ds_nodeselector }}
  31. priorityClassName: system-node-critical
  32. hostNetwork: true
  33. dnsPolicy: ClusterFirstWithHostNet
  34. serviceAccountName: calico-node
  35. tolerations:
  36. - operator: Exists
  37. # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
  38. # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
  39. terminationGracePeriodSeconds: 0
  40. initContainers:
  41. {% if calico_datastore == "kdd" and not calico_ipam_host_local %}
  42. # This container performs upgrade from host-local IPAM to calico-ipam.
  43. # It can be deleted if this is a fresh installation, or if you have already
  44. # upgraded to use calico-ipam.
  45. - name: upgrade-ipam
  46. image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
  47. imagePullPolicy: {{ k8s_image_pull_policy }}
  48. command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
  49. envFrom:
  50. - configMapRef:
  51. # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
  52. name: kubernetes-services-endpoint
  53. optional: true
  54. env:
  55. - name: KUBERNETES_NODE_NAME
  56. valueFrom:
  57. fieldRef:
  58. fieldPath: spec.nodeName
  59. - name: CALICO_NETWORKING_BACKEND
  60. valueFrom:
  61. configMapKeyRef:
  62. name: calico-config
  63. key: calico_backend
  64. volumeMounts:
  65. - mountPath: /var/lib/cni/networks
  66. name: host-local-net-dir
  67. - mountPath: /host/opt/cni/bin
  68. name: cni-bin-dir
  69. securityContext:
  70. privileged: true
  71. {% endif %}
  72. # This container installs the Calico CNI binaries
  73. # and CNI network config file on each node.
  74. - name: install-cni
  75. image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
  76. imagePullPolicy: {{ k8s_image_pull_policy }}
  77. command: ["/opt/cni/bin/install"]
  78. envFrom:
  79. - configMapRef:
  80. # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
  81. name: kubernetes-services-endpoint
  82. optional: true
  83. env:
  84. # The CNI network config to install on each node.
  85. - name: CNI_NETWORK_CONFIG
  86. valueFrom:
  87. configMapKeyRef:
  88. name: calico-config
  89. key: cni_network_config
  90. # Name of the CNI config file to create.
  91. - name: CNI_CONF_NAME
  92. value: "10-calico.conflist"
  93. # Install CNI binaries
  94. - name: UPDATE_CNI_BINARIES
  95. value: "true"
  96. # Prevents the container from sleeping forever.
  97. - name: SLEEP
  98. value: "false"
  99. {% if calico_datastore == "etcd" %}
  100. - name: ETCD_ENDPOINTS
  101. valueFrom:
  102. configMapKeyRef:
  103. name: calico-config
  104. key: etcd_endpoints
  105. {% endif %}
  106. {% if calico_datastore == "kdd" %}
  107. # Set the hostname based on the k8s node name.
  108. - name: KUBERNETES_NODE_NAME
  109. valueFrom:
  110. fieldRef:
  111. fieldPath: spec.nodeName
  112. {% endif %}
  113. volumeMounts:
  114. - mountPath: /host/etc/cni/net.d
  115. name: cni-net-dir
  116. - mountPath: /host/opt/cni/bin
  117. name: cni-bin-dir
  118. securityContext:
  119. privileged: true
  120. # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
  121. # to communicate with Felix over the Policy Sync API.
  122. - name: flexvol-driver
  123. image: {{ calico_flexvol_image_repo }}:{{ calico_flexvol_image_tag }}
  124. imagePullPolicy: {{ k8s_image_pull_policy }}
  125. volumeMounts:
  126. - name: flexvol-driver-host
  127. mountPath: /host/driver
  128. securityContext:
  129. privileged: true
  130. containers:
  131. # Runs calico/node container on each Kubernetes node. This
  132. # container programs network policy and routes on each
  133. # host.
  134. - name: calico-node
  135. image: {{ calico_node_image_repo }}:{{ calico_node_image_tag }}
  136. imagePullPolicy: {{ k8s_image_pull_policy }}
  137. envFrom:
  138. - configMapRef:
  139. # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
  140. name: kubernetes-services-endpoint
  141. optional: true
  142. env:
  143. # The location of the Calico etcd cluster.
  144. {% if calico_datastore == "etcd" %}
  145. - name: ETCD_ENDPOINTS
  146. valueFrom:
  147. configMapKeyRef:
  148. name: calico-config
  149. key: etcd_endpoints
  150. # Location of the CA certificate for etcd.
  151. - name: ETCD_CA_CERT_FILE
  152. valueFrom:
  153. configMapKeyRef:
  154. name: calico-config
  155. key: etcd_ca
  156. # Location of the client key for etcd.
  157. - name: ETCD_KEY_FILE
  158. valueFrom:
  159. configMapKeyRef:
  160. name: calico-config
  161. key: etcd_key
  162. # Location of the client certificate for etcd.
  163. - name: ETCD_CERT_FILE
  164. valueFrom:
  165. configMapKeyRef:
  166. name: calico-config
  167. key: etcd_cert
  168. {% elif calico_datastore == "kdd" %}
  169. # Use Kubernetes API as the backing datastore.
  170. - name: DATASTORE_TYPE
  171. value: "kubernetes"
  172. {% if typha_enabled %}
  173. # Typha support: controlled by the ConfigMap.
  174. - name: FELIX_TYPHAK8SSERVICENAME
  175. valueFrom:
  176. configMapKeyRef:
  177. name: calico-config
  178. key: typha_service_name
  179. {% if typha_secure %}
  180. - name: FELIX_TYPHACN
  181. value: typha-server
  182. - name: FELIX_TYPHACAFILE
  183. value: /etc/typha-ca/ca.crt
  184. - name: FELIX_TYPHACERTFILE
  185. value: /etc/typha-client/typha-client.crt
  186. - name: FELIX_TYPHAKEYFILE
  187. value: /etc/typha-client/typha-client.key
  188. {% endif %}
  189. {% endif %}
  190. # Wait for the datastore.
  191. - name: WAIT_FOR_DATASTORE
  192. value: "true"
  193. {% endif %}
  194. {% if calico_network_backend == 'vxlan' %}
  195. - name: FELIX_VXLANVNI
  196. value: "{{ calico_vxlan_vni }}"
  197. - name: FELIX_VXLANPORT
  198. value: "{{ calico_vxlan_port }}"
  199. {% endif %}
  200. # Choose the backend to use.
  201. - name: CALICO_NETWORKING_BACKEND
  202. valueFrom:
  203. configMapKeyRef:
  204. name: calico-config
  205. key: calico_backend
  206. # Cluster type to identify the deployment type
  207. - name: CLUSTER_TYPE
  208. valueFrom:
  209. configMapKeyRef:
  210. name: calico-config
  211. key: cluster_type
  212. # Set noderef for node controller.
  213. - name: CALICO_K8S_NODE_REF
  214. valueFrom:
  215. fieldRef:
  216. fieldPath: spec.nodeName
  217. # Disable file logging so `kubectl logs` works.
  218. - name: CALICO_DISABLE_FILE_LOGGING
  219. value: "true"
  220. # Set Felix endpoint to host default action to ACCEPT.
  221. - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
  222. value: "{{ calico_endpoint_to_host_action | default('RETURN') }}"
  223. - name: FELIX_HEALTHHOST
  224. value: "{{ calico_healthhost }}"
  225. {% if kube_proxy_mode == 'ipvs' and kube_apiserver_node_port_range is defined %}
  226. - name: FELIX_KUBENODEPORTRANGES
  227. value: "{{ kube_apiserver_node_port_range.split('-')[0] }}:{{ kube_apiserver_node_port_range.split('-')[1] }}"
  228. {% endif %}
  229. - name: FELIX_IPTABLESBACKEND
  230. value: "{{ calico_iptables_backend }}"
  231. - name: FELIX_IPTABLESLOCKTIMEOUTSECS
  232. value: "{{ calico_iptables_lock_timeout_secs }}"
  233. # should be set in etcd before deployment
  234. # # Configure the IP Pool from which Pod IPs will be chosen.
  235. # - name: CALICO_IPV4POOL_CIDR
  236. # value: "{{ calico_pool_cidr | default(kube_pods_subnet) }}"
  237. - name: CALICO_IPV4POOL_IPIP
  238. value: "{{ calico_ipv4pool_ipip }}"
  239. - name: FELIX_IPV6SUPPORT
  240. value: "{{ enable_dual_stack_networks | default(false) }}"
  241. # Set Felix logging to "info"
  242. - name: FELIX_LOGSEVERITYSCREEN
  243. value: "{{ calico_loglevel }}"
  244. # Set Calico startup logging to "error"
  245. - name: CALICO_STARTUP_LOGLEVEL
  246. value: "{{ calico_node_startup_loglevel }}"
  247. # Enable or disable usage report
  248. - name: FELIX_USAGEREPORTINGENABLED
  249. value: "{{ calico_usage_reporting }}"
  250. # Set MTU for tunnel device used if ipip is enabled
  251. {% if calico_mtu is defined %}
  252. # Set MTU for tunnel device used if ipip is enabled
  253. - name: FELIX_IPINIPMTU
  254. value: "{{ calico_veth_mtu | default(calico_mtu) }}"
  255. # Set MTU for the VXLAN tunnel device.
  256. - name: FELIX_VXLANMTU
  257. value: "{{ calico_veth_mtu | default(calico_mtu) }}"
  258. # Set MTU for the Wireguard tunnel device.
  259. - name: FELIX_WIREGUARDMTU
  260. value: "{{ calico_veth_mtu | default(calico_mtu) }}"
  261. {% endif %}
  262. - name: FELIX_CHAININSERTMODE
  263. value: "{{ calico_felix_chaininsertmode }}"
  264. - name: FELIX_PROMETHEUSMETRICSENABLED
  265. value: "{{ calico_felix_prometheusmetricsenabled }}"
  266. - name: FELIX_PROMETHEUSMETRICSPORT
  267. value: "{{ calico_felix_prometheusmetricsport }}"
  268. - name: FELIX_PROMETHEUSGOMETRICSENABLED
  269. value: "{{ calico_felix_prometheusgometricsenabled }}"
  270. - name: FELIX_PROMETHEUSPROCESSMETRICSENABLED
  271. value: "{{ calico_felix_prometheusprocessmetricsenabled }}"
  272. {% if calico_ip_auto_method is defined %}
  273. - name: IP_AUTODETECTION_METHOD
  274. value: "{{ calico_ip_auto_method }}"
  275. {% else %}
  276. - name: NODEIP
  277. valueFrom:
  278. fieldRef:
  279. fieldPath: status.hostIP
  280. - name: IP_AUTODETECTION_METHOD
  281. value: "can-reach=$(NODEIP)"
  282. {% endif %}
  283. - name: IP
  284. value: "autodetect"
  285. {% if calico_ip6_auto_method is defined and enable_dual_stack_networks %}
  286. - name: IP6_AUTODETECTION_METHOD
  287. value: "{{ calico_ip6_auto_method }}"
  288. {% endif %}
  289. {% if calico_felix_mtu_iface_pattern is defined %}
  290. - name: FELIX_MTUIFACEPATTERN
  291. value: "{{ calico_felix_mtu_iface_pattern }}"
  292. {% endif %}
  293. {% if enable_dual_stack_networks %}
  294. - name: IP6
  295. value: autodetect
  296. {% endif %}
  297. {% if calico_use_default_route_src_ipaddr | default(false) %}
  298. - name: FELIX_DEVICEROUTESOURCEADDRESS
  299. valueFrom:
  300. fieldRef:
  301. fieldPath: status.hostIP
  302. {% endif %}
  303. - name: NODENAME
  304. valueFrom:
  305. fieldRef:
  306. fieldPath: spec.nodeName
  307. - name: FELIX_HEALTHENABLED
  308. value: "true"
  309. - name: FELIX_IGNORELOOSERPF
  310. value: "{{ calico_node_ignorelooserpf }}"
  311. - name: CALICO_MANAGE_CNI
  312. value: "true"
  313. {% if calico_ipam_host_local %}
  314. - name: USE_POD_CIDR
  315. value: "true"
  316. {% endif %}
  317. {% if calico_node_extra_envs is defined %}
  318. {% for key in calico_node_extra_envs %}
  319. - name: {{ key }}
  320. value: "{{ calico_node_extra_envs[key] }}"
  321. {% endfor %}
  322. {% endif %}
  323. securityContext:
  324. privileged: true
  325. resources:
  326. limits:
  327. cpu: {{ calico_node_cpu_limit }}
  328. memory: {{ calico_node_memory_limit }}
  329. requests:
  330. cpu: {{ calico_node_cpu_requests }}
  331. memory: {{ calico_node_memory_requests }}
  332. lifecycle:
  333. preStop:
  334. exec:
  335. command:
  336. - /bin/calico-node
  337. - -shutdown
  338. livenessProbe:
  339. exec:
  340. command:
  341. - /bin/calico-node
  342. - -felix-live
  343. {% if calico_network_backend == "bird" %}
  344. - -bird-live
  345. {% endif %}
  346. periodSeconds: 10
  347. initialDelaySeconds: 10
  348. timeoutSeconds: {{ calico_node_livenessprobe_timeout | default(10) }}
  349. failureThreshold: 6
  350. readinessProbe:
  351. exec:
  352. command:
  353. - /bin/calico-node
  354. {% if calico_network_backend == "bird" %}
  355. - -bird-ready
  356. {% endif %}
  357. - -felix-ready
  358. periodSeconds: 10
  359. timeoutSeconds: {{ calico_node_readinessprobe_timeout | default(10) }}
  360. failureThreshold: 6
  361. volumeMounts:
  362. - mountPath: /lib/modules
  363. name: lib-modules
  364. readOnly: true
  365. - mountPath: /var/run/calico
  366. name: var-run-calico
  367. readOnly: false
  368. - mountPath: /var/lib/calico
  369. name: var-lib-calico
  370. readOnly: false
  371. {% if calico_datastore == "etcd" %}
  372. - mountPath: /calico-secrets
  373. name: etcd-certs
  374. readOnly: true
  375. {% endif %}
  376. - name: xtables-lock
  377. mountPath: /run/xtables.lock
  378. readOnly: false
  379. # For maintaining CNI plugin API credentials.
  380. - mountPath: /host/etc/cni/net.d
  381. name: cni-net-dir
  382. readOnly: false
  383. {% if typha_secure %}
  384. - name: typha-client
  385. mountPath: /etc/typha-client
  386. readOnly: true
  387. - name: typha-cacert
  388. subPath: ca.crt
  389. mountPath: /etc/typha-ca/ca.crt
  390. readOnly: true
  391. {% endif %}
  392. - name: policysync
  393. mountPath: /var/run/nodeagent
  394. {% if calico_bpf_enabled %}
  395. # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
  396. # parent directory.
  397. - name: sysfs
  398. mountPath: /sys/fs/
  399. # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
  400. # If the host is known to mount that filesystem already then Bidirectional can be omitted.
  401. mountPropagation: Bidirectional
  402. {% endif %}
  403. - name: cni-log-dir
  404. mountPath: /var/log/calico/cni
  405. readOnly: true
  406. volumes:
  407. # Used by calico/node.
  408. - name: lib-modules
  409. hostPath:
  410. path: /lib/modules
  411. - name: var-run-calico
  412. hostPath:
  413. path: /var/run/calico
  414. type: DirectoryOrCreate
  415. - name: var-lib-calico
  416. hostPath:
  417. path: /var/lib/calico
  418. type: DirectoryOrCreate
  419. # Used to install CNI.
  420. - name: cni-net-dir
  421. hostPath:
  422. path: /etc/cni/net.d
  423. - name: cni-bin-dir
  424. hostPath:
  425. path: /opt/cni/bin
  426. type: DirectoryOrCreate
  427. {% if calico_datastore == "etcd" %}
  428. # Mount in the etcd TLS secrets.
  429. - name: etcd-certs
  430. hostPath:
  431. path: "{{ calico_cert_dir }}"
  432. {% endif %}
  433. # Mount the global iptables lock file, used by calico/node
  434. - name: xtables-lock
  435. hostPath:
  436. path: /run/xtables.lock
  437. type: FileOrCreate
  438. {% if calico_datastore == "kdd" and not calico_ipam_host_local %}
  439. # Mount in the directory for host-local IPAM allocations. This is
  440. # used when upgrading from host-local to calico-ipam, and can be removed
  441. # if not using the upgrade-ipam init container.
  442. - name: host-local-net-dir
  443. hostPath:
  444. path: /var/lib/cni/networks
  445. {% endif %}
  446. {% if typha_enabled and typha_secure %}
  447. - name: typha-client
  448. secret:
  449. secretName: typha-client
  450. items:
  451. - key: tls.crt
  452. path: typha-client.crt
  453. - key: tls.key
  454. path: typha-client.key
  455. - name: typha-cacert
  456. hostPath:
  457. path: "/etc/kubernetes/ssl/"
  458. {% endif %}
  459. {% if calico_bpf_enabled %}
  460. - name: sysfs
  461. hostPath:
  462. path: /sys/fs/
  463. type: DirectoryOrCreate
  464. {% endif %}
  465. # Used to access CNI logs.
  466. - name: cni-log-dir
  467. hostPath:
  468. path: /var/log/calico/cni
  469. # Used to create per-pod Unix Domain Sockets
  470. - name: policysync
  471. hostPath:
  472. type: DirectoryOrCreate
  473. path: /var/run/nodeagent
  474. # Used to install Flex Volume Driver
  475. - name: flexvol-driver-host
  476. hostPath:
  477. type: DirectoryOrCreate
  478. path: "{{ kubelet_flexvolumes_plugins_dir | default('/usr/libexec/kubernetes/kubelet-plugins/volume/exec') }}/nodeagent~uds"
  479. updateStrategy:
  480. rollingUpdate:
  481. maxUnavailable: {{ serial | default('20%') }}
  482. type: RollingUpdate