Merge pull request #180 from manuelbuil/update_calico

Update Calico version
pull/473/head
actions 2021-10-29 06:49:40 +00:00
parent c328ee1dd9
commit df0eb3eea9
19 changed files with 689 additions and 0 deletions



@ -0,0 +1,7 @@
annotations:
catalog.cattle.io/namespace: tigera-operator
apiVersion: v2
appVersion: v3.20.2
description: Installs the Tigera operator for Calico
name: rke2-calico
version: v3.20.201


@ -0,0 +1,10 @@
{{/* generate the image name for a component*/}}
{{- define "tigera-operator.image" -}}
{{- if .Values.global.systemDefaultRegistry -}}
{{- $_ := set .Values.tigeraOperator "registry" .Values.global.systemDefaultRegistry -}}
{{- end -}}
{{- if .Values.tigeraOperator.registry -}}
{{- .Values.tigeraOperator.registry | trimSuffix "/" -}}/
{{- end -}}
{{- .Values.tigeraOperator.image -}}:{{- .Values.tigeraOperator.version -}}
{{- end -}}
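Review bot: The `set .Values.tigeraOperator "registry" .Values.global.systemDefaultRegistry` inside `tigera-operator.image` mutates the shared `.Values` tree as a side effect of a helper that only needs to produce a string, so every template rendered after the first call sees `tigeraOperator.registry` already replaced. The rendered image name is the same here, but the hidden coupling is easy to trip over later; computing the registry into a local keeps the helper pure: `{{- $registry := coalesce .Values.global.systemDefaultRegistry .Values.tigeraOperator.registry -}}` followed by `{{- if $registry -}}{{ $registry | trimSuffix "/" }}/{{- end -}}`. Note also that the image is referenced by mutable tag only; if a reproducible pull is ever wanted, the chart would need a digest value, which is a wider design decision than this helper.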


@ -0,0 +1,13 @@
{{/* if any of .Values.certs.node or .Values.certs.typha is not nil */}}
{{ if without (concat (values .Values.certs.node) (values .Values.certs.typha)) nil }}
apiVersion: v1
kind: Secret
metadata:
name: node-certs
namespace: tigera-operator
type: Opaque
data:
cert.crt: {{ required "must set certs.node.cert" .Values.certs.node.cert | b64enc }}
key.key: {{ required "must set certs.node.key" .Values.certs.node.key | b64enc }}
common-name: {{ required "must set certs.node.commonName" .Values.certs.node.commonName | b64enc }}
{{ end }}
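Review bot: The guard `without (concat (values .Values.certs.node) (values .Values.certs.typha)) nil` renders node-certs whenever any value under `certs.node` or `certs.typha` is set, but the body then `required`s all three `certs.node` fields, so a user who supplies only `certs.typha.*` gets the render error `must set certs.node.cert` instead of a Secret; the typha template in this commit has the mirror-image behaviour. If node and typha certificates are meant to be supplied together, which looks intended, the leading comment should say so rather than "if any": `{{/* node and typha certs must be supplied together: if any value under certs.node or certs.typha is set, all of them are required */}}`. It is also worth a line in that comment that the private key arrives through Helm values and is therefore typically retained in the release record as well as in this Secret, so the values file holding it needs the same protection.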


@ -0,0 +1,23 @@
{{/* if any of .Values.certs.node or .Values.certs.typha is not nil */}}
{{ if without (concat (values .Values.certs.node) (values .Values.certs.typha)) nil }}
kind: ConfigMap
apiVersion: v1
metadata:
name: typha-ca
namespace: tigera-operator
data:
caBundle: |
{{ required "must set certs.typha.caBundle" .Values.certs.typha.caBundle | indent 4}}
---
apiVersion: v1
kind: Secret
metadata:
name: typha-certs
namespace: tigera-operator
type: Opaque
data:
cert.crt: {{ required "must set certs.typha.cert" .Values.certs.typha.cert | b64enc }}
key.key: {{ required "must set certs.typha.key" .Values.certs.typha.key | b64enc }}
common-name: {{ required "must set certs.typha.commonName" .Values.certs.typha.commonName | b64enc }}
{{ end }}


@ -0,0 +1,38 @@
{{ if .Values.installation.enabled }}
{{ $installSpec := omit .Values.installation "enabled" }}
{{ $secrets := list }}
{{ range $name := keys .Values.imagePullSecrets -}}
{{ $item := dict "name" $name }}
{{ $secrets = append $secrets $item }}
{{ end }}
{{ $_ := set $installSpec "imagePullSecrets" $secrets }}
{{ $defaultRegistry := get $installSpec "registry" }}
{{ $finalRegistry := coalesce .Values.global.systemDefaultRegistry $defaultRegistry }}
{{ $_ := set $installSpec "registry" $finalRegistry }}
{{ $defaultipPools := get .Values.installation.calicoNetwork "ipPools" | first }}
{{ $defaultCIDR := get $defaultipPools "cidr" }}
{{ $finalCIDR := coalesce .Values.global.clusterCIDRv4 $defaultCIDR }}
{{ $_ := set $defaultipPools "cidr" $finalCIDR }}
{{- /*
If there is a defined ipv6 CIDR, we must add it as a new IPPool, disable any encapsulation and enable bgp
*/}}
{{ if not (empty .Values.global.clusterCIDRv6) }}
{{ $myIP6Dict := dict "natOutgoing" "Enabled" "cidr" .Values.global.clusterCIDRv6 }}
{{ $allIpPools := get .Values.installation.calicoNetwork "ipPools" }}
{{ range $allIpPools }}
{{ $_ := set . "encapsulation" "None" }}
{{ end }}
{{ $finalIpPoolList := append $allIpPools $myIP6Dict }}
{{ $calicoNetwork := get .Values.installation "calicoNetwork" }}
{{ $_ := set $calicoNetwork "ipPools" $finalIpPoolList }}
{{ $_ := set $calicoNetwork "bgp" "Enabled" }}
{{ end }}
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
name: default
spec:
{{ $installSpec | toYaml | indent 2 }}
{{ end }}
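Review bot: The IPv6 block starting at `{{ if not (empty .Values.global.clusterCIDRv6) }}` reads `ipPools` and `calicoNetwork` out of `.Values.installation` and mutates them with `set`, yet what is emitted is `$installSpec`, built earlier with `omit`; this only works because `omit` appears to return a shallow copy in which `calicoNetwork` is the same map object, and the same aliasing is what makes the `cidr` override via `$defaultipPools` reach the rendered spec. That dependency deserves a comment where `$installSpec` is created, e.g. `{{- /* $installSpec is a shallow copy of .Values.installation: calicoNetwork and ipPools below are the same maps, so set on them is reflected in the rendered spec */ -}}`. Separately, `get .Values.installation.calicoNetwork "ipPools" | first` followed by `get $defaultipPools "cidr"` fails with an opaque nil-map error when a user sets `ipPools: []`; wrapping the `first` result in `required "installation.calicoNetwork.ipPools must contain at least one pool"` would fail with a clear message instead.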


@ -0,0 +1,7 @@
apiVersion: crd.projectcalico.org/v1
kind: FelixConfiguration
metadata:
name: default
spec:
wireguardEnabled: {{ .Values.felixConfiguration.wireguardEnabled }}
featureDetectOverride: {{ .Values.felixConfiguration.featureDetectOverride }}
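Review bot: `featureDetectOverride` is interpolated as a bare scalar, so the default `ChecksumOffloadBroken=true` renders correctly but any override containing `: `, ` #` or a leading YAML indicator either breaks the manifest or changes the field's type; `featureDetectOverride: {{ .Values.felixConfiguration.featureDetectOverride | quote }}` keeps it a string in every case. `wireguardEnabled` is fine as a bare boolean. The same bare interpolation appears in the Deployment's `TIGERA_OPERATOR_INIT_IMAGE_VERSION` env value in this commit, where a string is mandatory.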


@ -0,0 +1,7 @@
apiVersion: crd.projectcalico.org/v1
kind: IPAMConfig
metadata:
name: default
spec:
strictAffinity: {{ .Values.ipamConfig.strictAffinity }}
autoAllocateBlocks: {{ .Values.ipamConfig.autoAllocateBlocks }}


@ -0,0 +1,13 @@
apiVersion: v1
kind: Namespace
metadata:
name: tigera-operator
annotations:
{{- if eq .Values.installation.kubernetesProvider "openshift" }}
openshift.io/node-selector: ""
{{- end }}
labels:
name: tigera-operator
{{- if eq .Values.installation.kubernetesProvider "openshift" }}
openshift.io/run-level: "0"
{{- end }}
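Review bot: The `openshift.io/run-level: "0"` label has a security consequence the template does not mention: as the ClusterRole in this commit notes in its own comments, pods in a run-level 0 namespace bypass SCC admission, which is how the operator obtains host networking and hostPath access without an explicit SCC. A comment above the label records both the reason and the fact that the namespace becomes a privileged boundary: `# run-level 0 exempts this namespace's pods from SCC admission (needed for hostNetwork/hostPath); restrict who may create workloads here`.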


@ -0,0 +1,15 @@
{{- $envAll := . }}
{{- if .Values.imagePullSecrets -}}
{{range $key, $value := .Values.imagePullSecrets -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ $key }}
namespace: tigera-operator
data:
.dockerconfigjson: {{ $value | b64enc }}
type: kubernetes.io/dockerconfigjson
{{- end -}}
{{- end -}}
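Review bot: Each iteration of `range $key, $value := .Values.imagePullSecrets` emits a full `apiVersion`/`kind`/`metadata` document with no `---` between iterations, so with two or more pull secrets the output is one YAML document with duplicate keys, which Helm's decoder should reject (or, with a lenient parser, silently keep only the last Secret). Emitting the separator at the top of each iteration fixes it: `{{range $key, $value := .Values.imagePullSecrets -}}` directly followed by a `---` line; the `-}}` trims on the two `end` lines then need re-checking so the separator is not eaten. `$envAll := .` on the first line is assigned and never used and can be dropped.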


@ -0,0 +1,27 @@
{{- if eq .Values.installation.kubernetesProvider "openshift" }}
apiVersion: v1
kind: ConfigMap
metadata:
name: calico-resources
namespace: tigera-operator
data:
# To create Calico resources before Calico components are started add
# an entry here and the contents of the resource under the entry.
# The resources here should all be projectcalico.org/v3.
# Multiple resources/entries can be added to this ConfigMap.
#
# If you need to remove a resource that was added to this ConfigMap
# you should remove it from here or else it will be re-created.
#
# example-global-network-set.yaml: |
# apiVersion: projectcalico.org/v3
# kind: GlobalNetworkSet
# metadata:
# name: a-name-for-the-set
# labels:
# role: external-database
# spec:
# nets:
# - 198.51.100.0/28
# - 203.0.113.0/24
{{- end}}


@ -0,0 +1,47 @@
{{ if ne .Values.installation.kubernetesProvider "openshift" }}
# This should not be rendered for an OpenShift install.
# OpenShift uses SecurityContextConstraints instead.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: tigera-operator
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- 'hostPath'
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim'
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{ end }}
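Review bot: The PSP permits `hostPath` volumes with no `allowedHostPaths` restriction, so any pod bound to it may mount any host directory, while the only hostPath this commit's Deployment mounts is `/var/lib/calico`, read-only. Limiting the policy to what is actually used keeps hostPath from becoming a host-escalation route if the `use` verb is ever granted more widely: `allowedHostPaths:` / `- pathPrefix: /var/lib/calico` / `  readOnly: true`. Separately, `policy/v1beta1` PodSecurityPolicy is deprecated from Kubernetes 1.21 and removed in 1.25, so the guarantees it enforces here (non-root, all capabilities dropped) should eventually be expressed as a `securityContext` on the Deployment itself.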


@ -0,0 +1,278 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tigera-operator
rules:
- apiGroups:
- ""
resources:
- namespaces
- pods
- podtemplates
- services
- endpoints
- events
- configmaps
- secrets
- serviceaccounts
verbs:
- create
- get
- list
- update
- delete
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
# Need to update node labels when migrating nodes.
- 'get'
- 'patch'
- 'list'
# We need this for Typha autoscaling
- 'watch'
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
- clusterrolebindings
- rolebindings
- roles
verbs:
- create
- get
- list
- update
- delete
- watch
- bind
- escalate
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- statefulsets
verbs:
- create
- get
- list
- patch
- update
- delete
- watch
- apiGroups:
- apps
resourceNames:
- tigera-operator
resources:
- deployments/finalizers
verbs:
- update
- apiGroups:
- operator.tigera.io
resources:
- '*'
verbs:
- create
- get
- list
- update
- patch
- delete
- watch
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- create
- update
- delete
- get
- list
- watch
- apiGroups:
- crd.projectcalico.org
resources:
- felixconfigurations
verbs:
- create
- patch
- list
- get
- watch
- apiGroups:
- crd.projectcalico.org
resources:
- ippools
- kubecontrollersconfigurations
verbs:
- get
- list
- watch
- apiGroups:
- scheduling.k8s.io
resources:
- priorityclasses
verbs:
- create
- get
- list
- update
- delete
- watch
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- create
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- get
- list
- update
- delete
- watch
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
verbs:
- list
- watch
- create
- update
# Needed for operator lock
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- list
- update
- delete
- watch
{{- if eq .Values.installation.kubernetesProvider "openshift" }}
# When running in OpenShift, we need to update networking config.
- apiGroups:
- config.openshift.io
resources:
- networks/status
verbs:
- get
- list
- update
- apiGroups:
- config.openshift.io
resources:
- networks
- infrastructures
verbs:
- get
- list
- patch
- watch
# On OpenShift, we need to modify SCCs.
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
verbs:
- create
- get
- list
- update
- delete
- watch
# The following rule is only for operator certification purposes.
# The operator normally runs in a namespace with openshift.io/run-level=0 which bypasses SCC.
# However in certification tests, the operator is run in a normal namespace so this
# rule is needed for host networking and hostPath volume access.
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
- hostaccess
verbs:
- use
# Need these permissions for the calicoctl init container.
- apiGroups:
- crd.projectcalico.org
resources:
- bgpconfigurations
- bgppeers
- felixconfigurations
- kubecontrollersconfigurations
- globalnetworkpolicies
- globalnetworksets
- hostendpoints
- ippools
- networkpolicies
- networksets
verbs:
- create
- apiGroups:
- crd.projectcalico.org
resources:
- ipamblocks
verbs:
- list
# Need this permission for the calicoctl version mismatch checking
- apiGroups:
- crd.projectcalico.org
resources:
- clusterinformations
verbs:
- get
# For AWS security group setup.
- apiGroups:
- batch
resources:
- jobs
- cronjobs
verbs:
- create
- update
- list
- watch
{{- else }}
# Add the appropriate pod security policy permissions
- apiGroups:
- policy
resources:
- podsecuritypolicies
resourceNames:
- tigera-operator
verbs:
- use
- apiGroups:
- policy
resources:
- podsecuritypolicies
verbs:
- get
- list
- watch
- create
- update
- delete
# Add the permissions to monitor the status of certificatesigningrequests when certificate management is enabled.
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- list
{{- end }}
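Review bot: The `rbac.authorization.k8s.io` rule grants `bind` and `escalate` on clusterroles and roles with no explanatory comment, unlike the node rule just above it; together with cluster-wide create/update/delete on `secrets` and `serviceaccounts` in the first rule, this makes the tigera-operator ServiceAccount effectively cluster-admin-equivalent, which a reader of the chart should be able to see at a glance. Presumably the operator needs them to create roles for the Calico components that exceed its own permissions; a comment such as `# bind/escalate: lets the operator grant roles it does not itself hold; this makes the operator SA cluster-admin-equivalent` documents both the reason and the consequence. Whether `secrets` and `serviceaccounts` could be narrowed to namespaced Roles depends on operator behaviour outside this chart, so at minimum the present scope should be stated in a comment.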


@ -0,0 +1,12 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tigera-operator
subjects:
- kind: ServiceAccount
name: tigera-operator
namespace: tigera-operator
roleRef:
kind: ClusterRole
name: tigera-operator
apiGroup: rbac.authorization.k8s.io


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: tigera-operator
namespace: tigera-operator


@ -0,0 +1,85 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: tigera-operator
namespace: tigera-operator
labels:
k8s-app: tigera-operator
spec:
replicas: 1
selector:
matchLabels:
name: tigera-operator
template:
metadata:
labels:
name: tigera-operator
k8s-app: tigera-operator
spec:
nodeSelector:
kubernetes.io/os: linux
tolerations:
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
serviceAccountName: tigera-operator
hostNetwork: true
# This must be set when hostNetwork is true or else the cluster services won't resolve
dnsPolicy: ClusterFirstWithHostNet
containers:
- name: tigera-operator
image: {{ template "tigera-operator.image" . }}
imagePullPolicy: IfNotPresent
command:
- operator
volumeMounts:
- name: var-lib-calico
readOnly: true
mountPath: /var/lib/calico
env:
- name: WATCH_NAMESPACE
value: ""
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAME
value: "tigera-operator"
- name: TIGERA_OPERATOR_INIT_IMAGE_VERSION
value: {{.Values.tigeraOperator.version}}
envFrom:
- configMapRef:
name: kubernetes-services-endpoint
optional: true
volumes:
- name: var-lib-calico
hostPath:
path: /var/lib/calico
{{- if eq .Values.installation.kubernetesProvider "openshift" }}
- name: calico-resources
configMap:
defaultMode: 0400
name: calico-resources
- name: install-resources-script
configMap:
defaultMode: 0777
name: install-resources-script
initContainers:
- name: create-initial-resources
image: {{.Values.calicoctl.image}}:{{.Values.calicoctl.tag}}
env:
- name: DATASTORE_TYPE
value: kubernetes
command:
- calicoctl
args:
- create
- --skip-exists
- --skip-empty
- -f
- /calico-resources
volumeMounts:
- name: calico-resources
mountPath: /calico-resources
{{- end}}
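Review bot: The OpenShift block declares a volume `install-resources-script` backed by a ConfigMap of that name, but no container mounts it and nothing in this commit creates such a ConfigMap (the only ConfigMap added is `calico-resources`), so unless it is supplied out of band the pod should stay in ContainerCreating on OpenShift. Either drop the volume or add `optional: true` under its `configMap:` next to `defaultMode` and `name`. Separately, `value: {{.Values.tigeraOperator.version}}` is unquoted and env values must be strings, so `| quote` guards against a numeric-looking version; and since the PSP in this commit is deprecated upstream, the container could carry an explicit `securityContext` (non-root, drop all capabilities) matching what the PSP currently enforces.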


@ -0,0 +1,32 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
# {{- $found := dict -}}
# {{- set $found "crd.projectcalico.org/v1/BGPConfiguration" false -}}
# {{- set $found "crd.projectcalico.org/v1/BGPPeer" false -}}
# {{- set $found "crd.projectcalico.org/v1/BlockAffinity" false -}}
# {{- set $found "crd.projectcalico.org/v1/ClusterInformation" false -}}
# {{- set $found "crd.projectcalico.org/v1/FelixConfiguration" false -}}
# {{- set $found "crd.projectcalico.org/v1/GlobalNetworkPolicy" false -}}
# {{- set $found "crd.projectcalico.org/v1/GlobalNetworkSet" false -}}
# {{- set $found "crd.projectcalico.org/v1/HostEndpoint" false -}}
# {{- set $found "crd.projectcalico.org/v1/IPAMBlock" false -}}
# {{- set $found "crd.projectcalico.org/v1/IPAMConfig" false -}}
# {{- set $found "crd.projectcalico.org/v1/IPAMHandle" false -}}
# {{- set $found "crd.projectcalico.org/v1/IPPool" false -}}
# {{- set $found "crd.projectcalico.org/v1/KubeControllersConfiguration" false -}}
# {{- set $found "crd.projectcalico.org/v1/NetworkPolicy" false -}}
# {{- set $found "crd.projectcalico.org/v1/NetworkSet" false -}}
# {{- set $found "operator.tigera.io/v1/APIServer" false -}}
# {{- set $found "operator.tigera.io/v1/ImageSet" false -}}
# {{- set $found "operator.tigera.io/v1/Installation" false -}}
# {{- set $found "operator.tigera.io/v1/TigeraStatus" false -}}
# {{- range .Capabilities.APIVersions -}}
# {{- if hasKey $found (toString .) -}}
# {{- set $found (toString .) true -}}
# {{- end -}}
# {{- end -}}
# {{- range $_, $exists := $found -}}
# {{- if (eq $exists false) -}}
# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
# {{- end -}}
# {{- end -}}
#{{- end -}}
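Review bot: The whole CRD-presence check in this file is commented out, so the chart installs even when none of the Calico or operator CRDs exist and the failure surfaces later when the Installation resource is rejected; if that is deliberate (for example because the CRDs ship in a separate chart applied in the same operation), a leading comment saying so would stop the next reader from re-enabling it blindly. As written the check could not simply be uncommented anyway: the `set $found ...` calls are not assigned, so each would print the dict into the output, and they need the `{{- $_ := set $found ... -}}` form that the rest of the chart uses.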


@ -0,0 +1,59 @@
imagePullSecrets: {}
installation:
controlPlaneTolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
- key: "node-role.kubernetes.io/etcd"
operator: "Exists"
effect: "NoExecute"
enabled: true
kubernetesProvider: ""
calicoNetwork:
bgp: Disabled
ipPools:
- natOutgoing: Enabled
encapsulation: VXLAN
cidr: 10.42.0.0/16
blockSize: 24
imagePath: "rancher"
imagePrefix: "mirrored-calico-"
apiServer:
enabled: true
certs:
node:
key:
cert:
commonName:
typha:
key:
cert:
commonName:
caBundle:
# Configuration for the tigera operator
tigeraOperator:
image: rancher/mirrored-calico-operator
version: v1.20.4
registry: docker.io
calicoctl:
image: rancher/mirrored-calico-ctl
tag: v3.20.2
global:
systemDefaultRegistry: ""
clusterCIDRv4: ""
clusterCIDRv6: ""
# Config required by Windows nodes
ipamConfig:
strictAffinity: true
autoAllocateBlocks: true
felixConfiguration:
wireguardEnabled: false
# Config required to fix RKE2 issue #1541
featureDetectOverride: "ChecksumOffloadBroken=true"
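Review bot: The bare `key:`, `cert:`, `commonName:` and `caBundle:` entries under `certs` are deliberately null so the templates' nil checks treat them as unset, but nothing says so, and `imagePullSecrets: {}` is a map of secret name to dockerconfigjson string that is also undocumented. Comments such as `# leave null to skip creating the node/typha cert Secrets; if any certs.* value is set, all node and typha fields are required` and `# map of secret-name -> dockerconfigjson content (base64-encoded by the chart)` make the contract visible. Because these values carry private keys and registry credentials, the comment should also note that they are retained in the Helm release record, so they are better supplied via `--set-file` or a values file kept out of version control.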


@ -60,6 +60,17 @@ entries:
urls:
- assets/rke2-calico/rke2-calico-v3.1906.tgz
version: v3.1906
- annotations:
catalog.cattle.io/namespace: tigera-operator
apiVersion: v2
appVersion: v3.20.2
created: "2021-10-29T06:49:39.787554662Z"
description: Installs the Tigera operator for Calico
digest: 9a299fa1c36937fd67f36f2ad45f9223ade4bb1b0342b5e78ffcfefed32c45cc
name: rke2-calico
urls:
- assets/rke2-calico/rke2-calico-v3.20.201.tgz
version: v3.20.201
- annotations:
catalog.cattle.io/namespace: tigera-operator
apiVersion: v2