Merge pull request #216 from rbrtbnfgl/update-calico-3.21.4

Update calico chart to version 3.21.4
pull/473/head
actions 2022-02-01 11:47:48 +00:00
parent c758967d79
commit 22fb67dd89
20 changed files with 749 additions and 0 deletions



@ -0,0 +1,7 @@
annotations:
catalog.cattle.io/namespace: tigera-operator
apiVersion: v2
appVersion: v3.21.4
description: Installs the Tigera operator for Calico
name: rke2-calico
version: v3.21.401


@ -0,0 +1,60 @@
# Calico
Calico is a widely adopted, battle-tested open source networking and network security solution for Kubernetes, virtual machines, and bare-metal workloads.
Calico provides two major services for Cloud Native applications:
- Network connectivity between workloads.
- Network security policy enforcement between workloads.
Calicos flexible architecture supports a wide range of deployment options, using modular components and technologies, including:
- Choice of data plane technology, whether it be [eBPF](https://projectcalico.docs.tigera.io/maintenance/ebpf/use-cases-ebpf), standard Linux, [Windows HNS](https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture) or [VPP](https://github.com/projectcalico/vpp-dataplane)
- Enforcement of the full set of Kubernetes network policy features, plus for those needing a richer set of policy features, Calico network policies.
- An optimized Kubernetes Service implementation using eBPF.
- Kubernetes [apiserver integration](./apiserver), for managing Calico configuration and Calico network policies.
- Both non-overlay and [overlay (via IPIP or VXLAN)](https://projectcalico.docs.tigera.io/networking/vxlan-ipip) networking options in either public cloud or on-prem deployments.
- [CNI plugins](./cni-plugin) for Kubernetes to provide highly efficient pod networking and IP Address Management (IPAM).
- A [BGP routing stack](https://projectcalico.docs.tigera.io/networking/bgp) that can advertise routes for workload and service IP addresses to physical network infrastructure.
# Values
The default values.yaml should be suitable for most basic deployments.
```
# Image pull secrets to provision for pulling images from private registries.
# If provided, references to the secrets must also be provided in the installation section.
imagePullSecrets: {}
# Configures general installation parameters for Calico. Schema is based
# on the operator.tigera.io/Installation API documented
# here: https://projectcalico.docs.tigera.io/reference/installation/api#operator.tigera.io/v1.InstallationSpec
installation:
enabled: true
kubernetesProvider: ""
# Configures general installation parameters for Calico. Schema is based
# on the operator.tigera.io/Installation API documented
# here: https://projectcalico.docs.tigera.io/reference/installation/api#operator.tigera.io/v1.APIServerSpec
apiServer:
enabled: true
# Certificates for communications between calico/node and calico/typha.
# If left blank, will be automatically provisioned.
certs:
node:
key:
cert:
commonName:
typha:
key:
cert:
commonName:
caBundle:
# Configuration for the tigera operator images to deploy.
tigeraOperator:
image: tigera/operator
registry: quay.io
calicoctl:
image: docker.io/calico/ctl
```


@ -0,0 +1,10 @@
{{/* generate the image name for a component*/}}
{{- define "tigera-operator.image" -}}
{{- if .Values.global.systemDefaultRegistry -}}
{{- $_ := set .Values.tigeraOperator "registry" .Values.global.systemDefaultRegistry -}}
{{- end -}}
{{- if .Values.tigeraOperator.registry -}}
{{- .Values.tigeraOperator.registry | trimSuffix "/" -}}/
{{- end -}}
{{- .Values.tigeraOperator.image -}}:{{- .Values.tigeraOperator.version -}}
{{- end -}}
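Review bot: The helper rewrites `.Values.tigeraOperator.registry` with `set` as a side effect of rendering an image name, so every template rendered afterwards sees the overridden registry while any rendered before this helper runs does not; a local is clearer and order-independent: `{{- $registry := coalesce .Values.global.systemDefaultRegistry .Values.tigeraOperator.registry -}}` followed by `{{- if $registry -}}{{ $registry | trimSuffix "/" }}/{{- end -}}`. The appended `tigeraOperator.version` is not validated, so an unset version renders an image reference ending in a bare `:`; wrapping it in `required "tigeraOperator.version must be set"` would fail the render early instead of at pull time.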


@ -0,0 +1,13 @@
{{/* if any of .Values.certs.node or .Values.certs.typha is not nil */}}
{{ if without (concat (values .Values.certs.node) (values .Values.certs.typha)) nil }}
apiVersion: v1
kind: Secret
metadata:
name: node-certs
namespace: tigera-operator
type: Opaque
data:
cert.crt: {{ required "must set certs.node.cert" .Values.certs.node.cert | b64enc }}
key.key: {{ required "must set certs.node.key" .Values.certs.node.key | b64enc }}
common-name: {{ required "must set certs.node.commonName" .Values.certs.node.commonName | b64enc }}
{{ end }}
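Review bot: The render condition is an any-of test (`without ... nil` over every node and typha cert field) while the body applies `required` to all three node fields, so supplying only typha certificates fails the render with `must set certs.node.cert` instead of skipping this Secret; the typha-certs template in the next file is guarded by the same condition and additionally requires `certs.typha.caBundle`. If the fields are meant to be all-or-nothing, a comment should say so, e.g. `{{/* Setting any node/typha cert field makes all of them, including typha.caBundle, required */}}`; otherwise each file should test its own section, `{{ if without (values .Values.certs.node) nil }}`. A field set to `""` rather than left null also passes the any-of check and then trips `required`, which is worth stating in the same comment.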


@ -0,0 +1,23 @@
{{/* if any of .Values.certs.node or .Values.certs.typha is not nil */}}
{{ if without (concat (values .Values.certs.node) (values .Values.certs.typha)) nil }}
kind: ConfigMap
apiVersion: v1
metadata:
name: typha-ca
namespace: tigera-operator
data:
caBundle: |
{{ required "must set certs.typha.caBundle" .Values.certs.typha.caBundle | indent 4}}
---
apiVersion: v1
kind: Secret
metadata:
name: typha-certs
namespace: tigera-operator
type: Opaque
data:
cert.crt: {{ required "must set certs.typha.cert" .Values.certs.typha.cert | b64enc }}
key.key: {{ required "must set certs.typha.key" .Values.certs.typha.key | b64enc }}
common-name: {{ required "must set certs.typha.commonName" .Values.certs.typha.commonName | b64enc }}
{{ end }}


@ -0,0 +1,38 @@
{{ if .Values.installation.enabled }}
{{ $installSpec := omit .Values.installation "enabled" }}
{{ $secrets := list }}
{{ range $name := keys .Values.imagePullSecrets -}}
{{ $item := dict "name" $name }}
{{ $secrets = append $secrets $item }}
{{ end }}
{{ $_ := set $installSpec "imagePullSecrets" $secrets }}
{{ $defaultRegistry := get $installSpec "registry" }}
{{ $finalRegistry := coalesce .Values.global.systemDefaultRegistry $defaultRegistry }}
{{ $_ := set $installSpec "registry" $finalRegistry }}
{{ $defaultipPools := get .Values.installation.calicoNetwork "ipPools" | first }}
{{ $defaultCIDR := get $defaultipPools "cidr" }}
{{ $finalCIDR := coalesce .Values.global.clusterCIDRv4 $defaultCIDR }}
{{ $_ := set $defaultipPools "cidr" $finalCIDR }}
{{- /*
If there is a defined ipv6 CIDR, we must add it as a new IPPool, disable any encapsulation and enable bgp
*/}}
{{ if not (empty .Values.global.clusterCIDRv6) }}
{{ $myIP6Dict := dict "natOutgoing" "Enabled" "cidr" .Values.global.clusterCIDRv6 }}
{{ $allIpPools := get .Values.installation.calicoNetwork "ipPools" }}
{{ range $allIpPools }}
{{ $_ := set . "encapsulation" "None" }}
{{ end }}
{{ $finalIpPoolList := append $allIpPools $myIP6Dict }}
{{ $calicoNetwork := get .Values.installation "calicoNetwork" }}
{{ $_ := set $calicoNetwork "ipPools" $finalIpPoolList }}
{{ $_ := set $calicoNetwork "bgp" "Enabled" }}
{{ end }}
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
name: default
spec:
{{ $installSpec | toYaml | indent 2 }}
{{ end }}
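Review bot: `get .Values.installation.calicoNetwork "ipPools" | first` and the following `get $defaultipPools "cidr"` assume the ipPools list has at least one entry; with an empty list `first` yields nil and, as far as I can tell, the `get`/`set` calls on it fail the render with a type error that does not name the offending value. A guard at the top such as `{{ $pools := required "installation.calicoNetwork.ipPools must contain at least one pool" .Values.installation.calicoNetwork.ipPools }}` makes the failure explicit. The IPv6 branch also flips every existing pool to `encapsulation: None` and sets `bgp: Enabled`, silently overriding the VXLAN/IPIP choice a user made in values; a comment near the v6 block, `{{/* clusterCIDRv6 forces BGP, unencapsulated networking for the v4 pools as well */}}`, would save that surprise.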


@ -0,0 +1,7 @@
apiVersion: crd.projectcalico.org/v1
kind: FelixConfiguration
metadata:
name: default
spec:
wireguardEnabled: {{ .Values.felixConfiguration.wireguardEnabled }}
featureDetectOverride: {{ .Values.felixConfiguration.featureDetectOverride }}
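Review bot: `featureDetectOverride` is emitted as a bare plain scalar, so a value containing `: ` or ` #`, or an empty override, renders as a mapping, a comment or `null` rather than a string; piping it through `quote` avoids that: `featureDetectOverride: {{ .Values.felixConfiguration.featureDetectOverride | quote }}`. `wireguardEnabled` is fine unquoted as long as values keeps it a real boolean. The same bare-scalar pattern is used for the IPAMConfig booleans in the next file, where it is acceptable for the same reason.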


@ -0,0 +1,7 @@
apiVersion: crd.projectcalico.org/v1
kind: IPAMConfig
metadata:
name: default
spec:
strictAffinity: {{ .Values.ipamConfig.strictAffinity }}
autoAllocateBlocks: {{ .Values.ipamConfig.autoAllocateBlocks }}


@ -0,0 +1,13 @@
apiVersion: v1
kind: Namespace
metadata:
name: tigera-operator
annotations:
{{- if eq .Values.installation.kubernetesProvider "openshift" }}
openshift.io/node-selector: ""
{{- end }}
labels:
name: tigera-operator
{{- if eq .Values.installation.kubernetesProvider "openshift" }}
openshift.io/run-level: "0"
{{- end }}


@ -0,0 +1,15 @@
{{- $envAll := . }}
{{- if .Values.imagePullSecrets -}}
{{range $key, $value := .Values.imagePullSecrets -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ $key }}
namespace: tigera-operator
data:
.dockerconfigjson: {{ $value | b64enc }}
type: kubernetes.io/dockerconfigjson
{{- end -}}
{{- end -}}
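Review bot: With more than one entry in `imagePullSecrets` this template emits the Secrets back to back with no `---` between them, and the `-}}` on the `range` opener together with `{{- end -}}` trims the newlines around each body, so as far as I can tell the second document starts on the same line as the previous `type:` value and the manifest no longer parses. Prefixing each iteration with a document separator fixes both problems: `{{ range $key, $value := .Values.imagePullSecrets }}` / `---` / `apiVersion: v1`. `$envAll` is assigned and never used. The `.dockerconfigjson` payload is base64-encoded straight from values, so registry credentials end up in plain values files; the README could point users at `--set-file` or an externally managed Secret instead.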


@ -0,0 +1,27 @@
{{- if eq .Values.installation.kubernetesProvider "openshift" }}
apiVersion: v1
kind: ConfigMap
metadata:
name: calico-resources
namespace: tigera-operator
data:
# To create Calico resources before Calico components are started add
# an entry here and the contents of the resource under the entry.
# The resources here should all be projectcalico.org/v3.
# Multiple resources/entries can be added to this ConfigMap.
#
# If you need to remove a resource that was added to this ConfigMap
# you should remove it from here or else it will be re-created.
#
# example-global-network-set.yaml: |
# apiVersion: projectcalico.org/v3
# kind: GlobalNetworkSet
# metadata:
# name: a-name-for-the-set
# labels:
# role: external-database
# spec:
# nets:
# - 198.51.100.0/28
# - 203.0.113.0/24
{{- end}}


@ -0,0 +1,47 @@
{{ if ne .Values.installation.kubernetesProvider "openshift" }}
# This should not be rendered for an OpenShift install.
# OpenShift uses SecurityContextConstraints instead.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: tigera-operator
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- 'hostPath'
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim'
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{ end }}
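Review bot: The PodSecurityPolicy allows the `hostPath` volume type with no `allowedHostPaths`, so any pod admitted under it may mount any host path, while the operator Deployment in this chart only needs `/var/lib/calico` read-only; restricting it with `allowedHostPaths:` / `- pathPrefix: /var/lib/calico` / `  readOnly: true` keeps the grant at least-privilege. `hostPorts` spans 0-65535 although the Deployment declares no ports; if host networking is needed only for API-server reachability the range can be dropped. `policy/v1beta1` PodSecurityPolicy is deprecated and removed in Kubernetes 1.25, so a comment stating the Kubernetes versions this chart targets, and what replaces the PSP beyond that, would help the next maintainer.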


@ -0,0 +1,278 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tigera-operator
rules:
- apiGroups:
- ""
resources:
- namespaces
- pods
- podtemplates
- services
- endpoints
- events
- configmaps
- secrets
- serviceaccounts
verbs:
- create
- get
- list
- update
- delete
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
# Need to update node labels when migrating nodes.
- 'get'
- 'patch'
- 'list'
# We need this for Typha autoscaling
- 'watch'
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
- clusterrolebindings
- rolebindings
- roles
verbs:
- create
- get
- list
- update
- delete
- watch
- bind
- escalate
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- statefulsets
verbs:
- create
- get
- list
- patch
- update
- delete
- watch
- apiGroups:
- apps
resourceNames:
- tigera-operator
resources:
- deployments/finalizers
verbs:
- update
- apiGroups:
- operator.tigera.io
resources:
- '*'
verbs:
- create
- get
- list
- update
- patch
- delete
- watch
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- create
- update
- delete
- get
- list
- watch
- apiGroups:
- crd.projectcalico.org
resources:
- felixconfigurations
verbs:
- create
- patch
- list
- get
- watch
- apiGroups:
- crd.projectcalico.org
resources:
- ippools
- kubecontrollersconfigurations
verbs:
- get
- list
- watch
- apiGroups:
- scheduling.k8s.io
resources:
- priorityclasses
verbs:
- create
- get
- list
- update
- delete
- watch
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- create
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- get
- list
- update
- delete
- watch
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
verbs:
- list
- watch
- create
- update
# Needed for operator lock
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- list
- update
- delete
- watch
{{- if eq .Values.installation.kubernetesProvider "openshift" }}
# When running in OpenShift, we need to update networking config.
- apiGroups:
- config.openshift.io
resources:
- networks/status
verbs:
- get
- list
- update
- apiGroups:
- config.openshift.io
resources:
- networks
- infrastructures
verbs:
- get
- list
- patch
- watch
# On OpenShift, we need to modify SCCs.
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
verbs:
- create
- get
- list
- update
- delete
- watch
# The following rule is only for operator certification purposes.
# The operator normally runs in a namespace with openshift.io/run-level=0 which bypasses SCC.
# However in certification tests, the operator is run in a normal namespace so this
# rule is needed for host networking and hostPath volume access.
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
- hostaccess
verbs:
- use
# Need these permissions for the calicoctl init container.
- apiGroups:
- crd.projectcalico.org
resources:
- bgpconfigurations
- bgppeers
- felixconfigurations
- kubecontrollersconfigurations
- globalnetworkpolicies
- globalnetworksets
- hostendpoints
- ippools
- networkpolicies
- networksets
verbs:
- create
- apiGroups:
- crd.projectcalico.org
resources:
- ipamblocks
verbs:
- list
# Need this permission for the calicoctl version mismatch checking
- apiGroups:
- crd.projectcalico.org
resources:
- clusterinformations
verbs:
- get
# For AWS security group setup.
- apiGroups:
- batch
resources:
- jobs
- cronjobs
verbs:
- create
- update
- list
- watch
{{- else }}
# Add the appropriate pod security policy permissions
- apiGroups:
- policy
resources:
- podsecuritypolicies
resourceNames:
- tigera-operator
verbs:
- use
- apiGroups:
- policy
resources:
- podsecuritypolicies
verbs:
- get
- list
- watch
- create
- update
- delete
# Add the permissions to monitor the status of certificatesigningrequests when certificate management is enabled.
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- list
{{- end }}
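Review bot: The highest-impact rules in this ClusterRole carry no comment while minor ones do: `bind` and `escalate` on roles/clusterroles let the operator grant permissions it does not itself hold, `'*'` on `operator.tigera.io` covers every current and future resource in that group, and `create/get/list/watch` on `secrets` applies in every namespace. A short why-comment on each, e.g. `# bind/escalate: presumably needed because the operator creates the calico-node/typha RBAC, which exceeds its own rights` and `# secrets: cluster-wide because the operator manages certificate Secrets outside its own namespace (confirm)`, gives a reviewer a basis to check them against the operator's actual needs rather than accepting them wholesale. The non-OpenShift branch also grants `create/update/delete` on all `podsecuritypolicies`, which lets the operator widen the PSP it runs under; if only `use` on `tigera-operator` plus read access is needed, the second rule could be narrowed.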


@ -0,0 +1,12 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tigera-operator
subjects:
- kind: ServiceAccount
name: tigera-operator
namespace: tigera-operator
roleRef:
kind: ClusterRole
name: tigera-operator
apiGroup: rbac.authorization.k8s.io


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: tigera-operator
namespace: tigera-operator


@ -0,0 +1,85 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: tigera-operator
namespace: tigera-operator
labels:
k8s-app: tigera-operator
spec:
replicas: 1
selector:
matchLabels:
name: tigera-operator
template:
metadata:
labels:
name: tigera-operator
k8s-app: tigera-operator
spec:
nodeSelector:
kubernetes.io/os: linux
tolerations:
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
serviceAccountName: tigera-operator
hostNetwork: true
# This must be set when hostNetwork is true or else the cluster services won't resolve
dnsPolicy: ClusterFirstWithHostNet
containers:
- name: tigera-operator
image: {{ template "tigera-operator.image" . }}
imagePullPolicy: IfNotPresent
command:
- operator
volumeMounts:
- name: var-lib-calico
readOnly: true
mountPath: /var/lib/calico
env:
- name: WATCH_NAMESPACE
value: ""
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAME
value: "tigera-operator"
- name: TIGERA_OPERATOR_INIT_IMAGE_VERSION
value: {{.Values.tigeraOperator.version}}
envFrom:
- configMapRef:
name: kubernetes-services-endpoint
optional: true
volumes:
- name: var-lib-calico
hostPath:
path: /var/lib/calico
{{- if eq .Values.installation.kubernetesProvider "openshift" }}
- name: calico-resources
configMap:
defaultMode: 0400
name: calico-resources
- name: install-resources-script
configMap:
defaultMode: 0777
name: install-resources-script
initContainers:
- name: create-initial-resources
image: {{.Values.calicoctl.image}}:{{.Values.calicoctl.tag}}
env:
- name: DATASTORE_TYPE
value: kubernetes
command:
- calicoctl
args:
- create
- --skip-exists
- --skip-empty
- -f
- /calico-resources
volumeMounts:
- name: calico-resources
mountPath: /calico-resources
{{- end}}
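Review bot: In the OpenShift branch the `install-resources-script` volume references a ConfigMap that no template in this commit creates and it is not marked `optional: true`, so unless it is provisioned outside the chart the operator pod would stay in ContainerCreating; the volume is also mounted by no container, so it can probably be dropped together with its `defaultMode: 0777` (a ConfigMap projection never needs to be world-writable; `0555` suffices if an executable script is ever mounted). The `create-initial-resources` init container builds its image as `{{.Values.calicoctl.image}}:{{.Values.calicoctl.tag}}`, bypassing the registry rewrite done by `tigera-operator.image`, so `global.systemDefaultRegistry` is not honoured for calicoctl on OpenShift. `TIGERA_OPERATOR_INIT_IMAGE_VERSION` is emitted unquoted; `value: {{ .Values.tigeraOperator.version | quote }}` keeps it a string if a numeric-looking version is ever set. The operator container declares no `securityContext` or `resources`; given `hostNetwork: true`, an explicit `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` would state the intended hardening in the manifest rather than leaving it to the PSP.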


@ -0,0 +1,32 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
# {{- $found := dict -}}
# {{- set $found "crd.projectcalico.org/v1/BGPConfiguration" false -}}
# {{- set $found "crd.projectcalico.org/v1/BGPPeer" false -}}
# {{- set $found "crd.projectcalico.org/v1/BlockAffinity" false -}}
# {{- set $found "crd.projectcalico.org/v1/ClusterInformation" false -}}
# {{- set $found "crd.projectcalico.org/v1/FelixConfiguration" false -}}
# {{- set $found "crd.projectcalico.org/v1/GlobalNetworkPolicy" false -}}
# {{- set $found "crd.projectcalico.org/v1/GlobalNetworkSet" false -}}
# {{- set $found "crd.projectcalico.org/v1/HostEndpoint" false -}}
# {{- set $found "crd.projectcalico.org/v1/IPAMBlock" false -}}
# {{- set $found "crd.projectcalico.org/v1/IPAMConfig" false -}}
# {{- set $found "crd.projectcalico.org/v1/IPAMHandle" false -}}
# {{- set $found "crd.projectcalico.org/v1/IPPool" false -}}
# {{- set $found "crd.projectcalico.org/v1/KubeControllersConfiguration" false -}}
# {{- set $found "crd.projectcalico.org/v1/NetworkPolicy" false -}}
# {{- set $found "crd.projectcalico.org/v1/NetworkSet" false -}}
# {{- set $found "operator.tigera.io/v1/APIServer" false -}}
# {{- set $found "operator.tigera.io/v1/ImageSet" false -}}
# {{- set $found "operator.tigera.io/v1/Installation" false -}}
# {{- set $found "operator.tigera.io/v1/TigeraStatus" false -}}
# {{- range .Capabilities.APIVersions -}}
# {{- if hasKey $found (toString .) -}}
# {{- set $found (toString .) true -}}
# {{- end -}}
# {{- end -}}
# {{- range $_, $exists := $found -}}
# {{- if (eq $exists false) -}}
# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
# {{- end -}}
# {{- end -}}
#{{- end -}}
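Review bot: Every line of this template is commented out with a leading `#`, so the CRD presence check is dead code and the chart installs without verifying that the `crd.projectcalico.org/v1` and `operator.tigera.io/v1` kinds exist, which the `required` call below would otherwise catch at install time. Either delete the file or leave a one-line comment explaining why it is disabled, e.g. `# Disabled: CRDs ship in a separate chart and the lookup-based check does not work under helm template/dry-run` (if that is the reason). Note that even when enabled, `lookup` returns an empty result under `helm template`, which the outer `len (lookup ...)` gate appears to account for, so re-enabling it should be safe for templating.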


@ -0,0 +1,59 @@
imagePullSecrets: {}
installation:
controlPlaneTolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
- key: "node-role.kubernetes.io/etcd"
operator: "Exists"
effect: "NoExecute"
enabled: true
kubernetesProvider: ""
calicoNetwork:
bgp: Disabled
ipPools:
- natOutgoing: Enabled
encapsulation: VXLAN
cidr: 10.42.0.0/16
blockSize: 24
imagePath: "rancher"
imagePrefix: "mirrored-calico-"
apiServer:
enabled: true
certs:
node:
key:
cert:
commonName:
typha:
key:
cert:
commonName:
caBundle:
# Configuration for the tigera operator
tigeraOperator:
image: rancher/mirrored-calico-operator
version: v1.23.5
registry: docker.io
calicoctl:
image: rancher/mirrored-calico-ctl
tag: v3.21.4
global:
systemDefaultRegistry: ""
clusterCIDRv4: ""
clusterCIDRv6: ""
# Config required by Windows nodes
ipamConfig:
strictAffinity: true
autoAllocateBlocks: true
felixConfiguration:
wireguardEnabled: false
# Config required to fix RKE2 issue #1541
featureDetectOverride: "ChecksumOffloadBroken=true"
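Review bot: The `certs` block relies on the keys being left as bare `key:` (null) because the node-certs and typha-certs templates test `without ... nil`, so a user who sets any of them to `""` passes that check and then hits `required`; a comment above the block should say so, e.g. `# Leave these null (not "") to let the operator provision certificates; setting any one makes all of them, including typha.caBundle, required`. The `global` entries are fine as empty strings since the templates use `coalesce`/`empty` on them. `featureDetectOverride` is correctly quoted, and `tigeraOperator.version` and `calicoctl.tag` stay strings because they start with `v`.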


@ -134,6 +134,17 @@ entries:
urls:
- assets/rke2-calico/rke2-calico-v3.1906.tgz
version: v3.1906
- annotations:
catalog.cattle.io/namespace: tigera-operator
apiVersion: v2
appVersion: v3.21.4
created: "2022-02-01T11:47:47.815769104Z"
description: Installs the Tigera operator for Calico
digest: f1a8acb443a337e60c7c895ee20ddc60cf3dc8b6c135d5c211bc34f106f04b36
name: rke2-calico
urls:
- assets/rke2-calico/rke2-calico-v3.21.401.tgz
version: v3.21.401
- annotations:
catalog.cattle.io/namespace: tigera-operator
apiVersion: v2