Move calico to daemonset (#1605)
Move calico to daemonset (#1605)
* Drop legacy calico logic * add calico as a daemonsetpull/1611/head
Matthew Mosesohn
7 years ago
committed by
GitHub
17 changed files with 262 additions and 200 deletions
-
1.gitlab-ci.yml
-
10roles/kubernetes-apps/network_plugin/calico/tasks/main.yml
-
3roles/kubernetes-apps/network_plugin/meta/main.yml
-
5roles/kubernetes/node/templates/kubelet.docker.service.j2
-
5roles/kubernetes/node/templates/kubelet.host.service.j2
-
5roles/kubernetes/node/templates/kubelet.rkt.service.j2
-
5roles/network_plugin/calico/defaults/main.yml
-
127roles/network_plugin/calico/tasks/main.yml
-
19roles/network_plugin/calico/templates/calico-config.yml.j2
-
13roles/network_plugin/calico/templates/calico-cr.yml.j2
-
13roles/network_plugin/calico/templates/calico-crb.yml.j2
-
8roles/network_plugin/calico/templates/calico-node-sa.yml.j2
-
41roles/network_plugin/calico/templates/calico-node.service.j2
-
19roles/network_plugin/calico/templates/calico-node.service.legacy.j2
-
166roles/network_plugin/calico/templates/calico-node.yml.j2
-
20roles/network_plugin/calico/templates/calico.env.j2
-
2roles/network_plugin/calico/templates/cni-calico.conf.j2
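--- a/roles/kubernetes-apps/network_plugin/calico/tasks/main.yml
+++ b/roles/kubernetes-apps/network_plugin/calico/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Start Calico resources
+kube:
+name: "{{item.item.name}}"
+namespace: "{{ system_namespace }}"
+kubectl: "{{bin_dir}}/kubectl"
+resource: "{{item.item.type}}"
+filename: "{{kube_config_dir}}/{{item.item.file}}"
+state: "{{item.changed | ternary('latest','present') }}"
+with_items: "{{ calico_node_manifests.results }}"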
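Review bot: Jinja spacing is inconsistent within the task — `{{item.item.name}}`, `{{bin_dir}}`, `{{item.item.type}}` and `{{item.changed | …}}` sit next to `{{ system_namespace }}` and `{{ calico_node_manifests.results }}`; the other new templates in this commit use the spaced form, so `name: "{{ item.item.name }}"` and friends would match. The loop also assumes `calico_node_manifests` was registered on every host this task runs on; if the template task in the calico role runs on only a subset of hosts (not visible here), a `when: calico_node_manifests is defined` guard, or the same host restriction, avoids an undefined-variable failure.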
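--- a/roles/network_plugin/calico/templates/calico-config.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-config.yml.j2
@@ -0,0 +1,19 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+name: calico-config
+namespace: {{ system_namespace }}
+data:
+etcd_endpoints: "{{ etcd_access_endpoint }}"
+etcd_ca: "/calico-secrets/ca_cert.crt"
+etcd_cert: "/calico-secrets/cert.crt"
+etcd_key: "/calico-secrets/key.pem"
+{% if calico_network_backend is defined and calico_network_backend == 'none' %}
+cluster_type: "kubespray"
+{%- else %}
+cluster_type: "kubespray,bgp"
+{% endif %}
+calico_backend: "bird"
+{%- if inventory_hostname in groups['k8s-cluster'] and peer_with_router|default(false) %}
+as: "{{ local_as }}"
+{% endif -%}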
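Review bot: The whitespace-control dashes on `{%- else %}` and `{%- if … peer_with_router … %}` strip the newline that ends the preceding key line, and since Ansible's template engine also trims the newline after a block tag, the `calico_network_backend == 'none'` branch renders `cluster_type` and `calico_backend` on one line and the peer_with_router branch renders `as` onto the `calico_backend` line — output that is unlikely to parse as YAML. Dropping the dashes (`{% else %}` and `{% if … %}`) keeps each key on its own line. `calico_backend: "bird"` is hard-coded, while the removed calico.env.j2 passed `calico_network_backend` through as `CALICO_NETWORKING_BACKEND`, so the variable no longer selects the backend; `calico_backend: "{{ calico_network_backend | default('bird') }}"` would preserve that behaviour. `namespace: {{ system_namespace }}` is an unquoted templated scalar here and in the calico-cr, calico-crb, calico-node-sa and calico-node DaemonSet templates; quoting it protects the manifests against an empty or boolean-looking expansion.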
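--- a/roles/network_plugin/calico/templates/calico-cr.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-cr.yml.j2
@@ -0,0 +1,13 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+name: calico-node
+namespace: {{ system_namespace }}
+rules:
+- apiGroups: [""]
+resources:
+- pods
+- nodes
+verbs:
+- get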
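Review bot: `namespace: {{ system_namespace }}` under the ClusterRole metadata should be dropped: ClusterRole is cluster-scoped, so the field carries no meaning there and strict validators reject it (the ClusterRoleBinding added in this commit correctly omits it). The rule set itself — `get` on pods and nodes in the core group — is appropriately minimal for an etcd-backed calico/node, which is the least-privilege shape to keep as the manifest evolves.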
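--- a/roles/network_plugin/calico/templates/calico-crb.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-crb.yml.j2
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+name: calico-node
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: calico-node
+subjects:
+- kind: ServiceAccount
+name: calico-node
+namespace: {{ system_namespace }}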
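--- a/roles/network_plugin/calico/templates/calico-node-sa.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node-sa.yml.j2
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: calico-node
+namespace: {{ system_namespace }}
+labels:
+kubernetes.io/cluster-service: "true"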
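--- a/roles/network_plugin/calico/templates/calico-node.service.j2
+++ b/roles/network_plugin/calico/templates/calico-node.service.j2
@@ -1,41 +0,0 @@
-[Unit]
-Description=calico-node
-After=docker.service
-Requires=docker.service
-
-[Service]
-EnvironmentFile=/etc/calico/calico.env
-ExecStartPre=-{{ docker_bin_dir }}/docker rm -f calico-node
-ExecStart={{ docker_bin_dir }}/docker run --net=host --privileged \
---name=calico-node \
--e HOSTNAME=${CALICO_HOSTNAME} \
--e IP=${CALICO_IP} \
--e IP6=${CALICO_IP6} \
--e CLUSTER_TYPE=${CLUSTER_TYPE} \
--e CALICO_NETWORKING_BACKEND=${CALICO_NETWORKING_BACKEND} \
--e FELIX_DEFAULTENDPOINTTOHOSTACTION={{ calico_endpoint_to_host_action|default('RETURN') }} \
--e AS=${CALICO_AS} \
--e NO_DEFAULT_POOLS=${CALICO_NO_DEFAULT_POOLS} \
--e CALICO_LIBNETWORK_ENABLED=${CALICO_LIBNETWORK_ENABLED} \
--e ETCD_ENDPOINTS=${ETCD_ENDPOINTS} \
--e ETCD_CA_CERT_FILE=${ETCD_CA_CERT_FILE} \
--e ETCD_CERT_FILE=${ETCD_CERT_FILE} \
--e ETCD_KEY_FILE=${ETCD_KEY_FILE} \
-{% if calico_node_ignorelooserpf %}
--e FELIX_IGNORELOOSERPF=true \
-{% endif %}
--v /var/log/calico:/var/log/calico \
--v /run/docker/plugins:/run/docker/plugins \
--v /lib/modules:/lib/modules \
--v /var/run/calico:/var/run/calico \
--v {{ calico_cert_dir }}:{{ calico_cert_dir }}:ro \
---memory={{ calico_node_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ calico_node_cpu_limit|regex_replace('m', '') }} \
-{{ calico_node_image_repo }}:{{ calico_node_image_tag }}
-
-Restart=always
-RestartSec=10s
-
-ExecStop=-{{ docker_bin_dir }}/docker stop calico-node
-
-[Install]
-WantedBy=multi-user.target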
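--- a/roles/network_plugin/calico/templates/calico-node.service.legacy.j2
+++ b/roles/network_plugin/calico/templates/calico-node.service.legacy.j2
@@ -1,19 +0,0 @@
-[Unit]
-Description=Calico per-node agent
-Documentation=https://github.com/projectcalico/calico-docker
-After=docker.service docker.socket
-Wants=docker.socket
-
-[Service]
-User=root
-PermissionsStartOnly=true
-{% if inventory_hostname in groups['k8s-cluster'] and peer_with_router|default(false)%}
-ExecStart={{ bin_dir }}/calicoctl node --ip={{ip | default(ansible_default_ipv4.address) }} --as={{ local_as }} --detach=false --node-image={{ calico_node_image_repo }}:{{ calico_node_image_tag }}
-{% else %}
-ExecStart={{ bin_dir }}/calicoctl node --ip={{ip | default(ansible_default_ipv4.address) }} --detach=false --node-image={{ calico_node_image_repo }}:{{ calico_node_image_tag }}
-{% endif %}
-Restart=always
-RestartSec=10s
-
-[Install]
-WantedBy=multi-user.target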
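--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -0,0 +1,166 @@
+---
+# This manifest installs the calico/node container, as well
+# as the Calico CNI plugins and network config on
+# each master and worker node in a Kubernetes cluster.
+kind: DaemonSet
+apiVersion: extensions/v1beta1
+metadata:
+name: calico-node
+namespace: {{ system_namespace }}
+labels:
+k8s-app: calico-node
+spec:
+selector:
+matchLabels:
+k8s-app: calico-node
+template:
+metadata:
+labels:
+k8s-app: calico-node
+annotations:
+scheduler.alpha.kubernetes.io/critical-pod: ''
+kubespray.etcd-cert/serial: "{{ etcd_node_cert_serial }}"
+spec:
+hostNetwork: true
+{% if rbac_enabled %}
+serviceAccountName: calico-node
+{% endif %}
+tolerations:
+- effect: NoSchedule
+operator: Exists
+containers:
+# Runs calico/node container on each Kubernetes node. This
+# container programs network policy and routes on each
+# host.
+- name: calico-node
+image: {{ calico_node_image_repo }}:{{ calico_node_image_tag }}
+env:
+# The location of the Calico etcd cluster.
+- name: ETCD_ENDPOINTS
+valueFrom:
+configMapKeyRef:
+name: calico-config
+key: etcd_endpoints
+# Choose the backend to use.
+- name: CALICO_NETWORKING_BACKEND
+valueFrom:
+configMapKeyRef:
+name: calico-config
+key: calico_backend
+# Cluster type to identify the deployment type
+- name: CLUSTER_TYPE
+valueFrom:
+configMapKeyRef:
+name: calico-config
+key: cluster_type
+# Disable file logging so `kubectl logs` works.
+- name: CALICO_DISABLE_FILE_LOGGING
+value: "true"
+# Set Felix endpoint to host default action to ACCEPT.
+- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
+value: "{{ calico_endpoint_to_host_action|default('RETURN') }}"
+# should be set in etcd before deployment
+# # Configure the IP Pool from which Pod IPs will be chosen.
+# - name: CALICO_IPV4POOL_CIDR
+# value: "192.168.0.0/16"
+# - name: CALICO_IPV4POOL_IPIP
+# value: "always"
+# Disable IPv6 on Kubernetes.
+- name: FELIX_IPV6SUPPORT
+value: "false"
+# Set Felix logging to "info"
+- name: FELIX_LOGSEVERITYSCREEN
+value: "info"
+# Disable autocreation of pools
+- name: CALICO_NO_DEFAULT_POOLS
+value: "true"
+# Enable libnetwork
+- name: CALICO_LIBNETWORK_ENABLED
+value: "true"
+# Set MTU for tunnel device used if ipip is enabled
+{% if calico_mtu is defined %}
+- name: FELIX_IPINIPMTU
+value: "{{ calico_mtu }}"
+{% endif %}
+# Location of the CA certificate for etcd.
+- name: ETCD_CA_CERT_FILE
+valueFrom:
+configMapKeyRef:
+name: calico-config
+key: etcd_ca
+# Location of the client key for etcd.
+- name: ETCD_KEY_FILE
+valueFrom:
+configMapKeyRef:
+name: calico-config
+key: etcd_key
+# Location of the client certificate for etcd.
+- name: ETCD_CERT_FILE
+valueFrom:
+configMapKeyRef:
+name: calico-config
+key: etcd_cert
+- name: IP
+valueFrom:
+fieldRef:
+fieldPath: status.hostIP
+- name: NODENAME
+valueFrom:
+fieldRef:
+fieldPath: spec.nodeName
+- name: FELIX_HEALTHENABLED
+value: "true"
+securityContext:
+privileged: true
+resources:
+limits:
+cpu: {{ calico_node_cpu_limit }}
+memory: {{ calico_node_memory_limit }}
+requests:
+cpu: {{ calico_node_cpu_requests }}
+memory: {{ calico_node_memory_requests }}
+livenessProbe:
+httpGet:
+path: /liveness
+port: 9099
+periodSeconds: 10
+initialDelaySeconds: 10
+failureThreshold: 6
+readinessProbe:
+httpGet:
+path: /readiness
+port: 9099
+periodSeconds: 10
+volumeMounts:
+- mountPath: /lib/modules
+name: lib-modules
+readOnly: true
+- mountPath: /var/run/calico
+name: var-run-calico
+readOnly: false
+- mountPath: /calico-secrets
+name: etcd-certs
+volumes:
+# Used by calico/node.
+- name: lib-modules
+hostPath:
+path: /lib/modules
+- name: var-run-calico
+hostPath:
+path: /var/run/calico
+# Used to install CNI.
+- name: cni-bin-dir
+hostPath:
+path: /opt/cni/bin
+- name: cni-net-dir
+hostPath:
+path: /etc/cni/net.d
+# Mount in the etcd TLS secrets.
+- name: etcd-certs
+hostPath:
+path: "{{ calico_cert_dir }}"
+updateStrategy:
+rollingUpdate:
+maxUnavailable: 1
+type: RollingUpdate
+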
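Review bot: The `/calico-secrets` mount of the `etcd-certs` hostPath has no `readOnly: true`, whereas the removed unit bind-mounted `{{ calico_cert_dir }}` with `:ro`; the etcd client key and certificate should stay read-only inside the pod, so add `readOnly: true` after `name: etcd-certs` (the container is privileged, so this is defence in depth rather than a hard boundary, but it prevents accidental modification of the host's TLS material). The `cni-bin-dir` and `cni-net-dir` volumes are declared but no container mounts them, and the header comment says the manifest installs the CNI plugins, so either drop the two volumes or correct the comment to describe what this DaemonSet actually runs. The comment above `FELIX_DEFAULTENDPOINTTOHOSTACTION` says ACCEPT while the template defaults the value to `RETURN`. Two settings from the removed templates have no counterpart here: the ConfigMap's `as` key is never consumed (the old unit passed `-e AS=${CALICO_AS}`), and the `FELIX_IGNORELOOSERPF` env guarded by `calico_node_ignorelooserpf` is gone, so if those variables still exist in the role defaults (not visible in this view) matching `env` entries should be added.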
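--- a/roles/network_plugin/calico/templates/calico.env.j2
+++ b/roles/network_plugin/calico/templates/calico.env.j2
@@ -1,20 +0,0 @@
-ETCD_ENDPOINTS="{{ etcd_access_endpoint }}"
-ETCD_CA_CERT_FILE="{{ calico_cert_dir }}/ca_cert.crt"
-ETCD_CERT_FILE="{{ calico_cert_dir }}/cert.crt"
-ETCD_KEY_FILE="{{ calico_cert_dir }}/key.pem"
-CALICO_IP="{{ip | default(ansible_default_ipv4.address) }}"
-CALICO_IP6=""
-{% if calico_network_backend is defined and calico_network_backend == 'none' %}
-CLUSTER_TYPE="kubespray"
-{% else %}
-CLUSTER_TYPE="kubespray,bgp"
-{% endif %}
-{% if calico_network_backend is defined %}
-CALICO_NETWORKING_BACKEND="{{calico_network_backend }}"
-{% endif %}
-{% if inventory_hostname in groups['k8s-cluster'] and peer_with_router|default(false)%}
-CALICO_AS="{{ local_as }}"
-{% endif %}
-CALICO_NO_DEFAULT_POOLS="true"
-CALICO_LIBNETWORK_ENABLED="true"
-CALICO_HOSTNAME="{{ ansible_hostname }}"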