Image local repo jobs and multiple namespace support

This PS introduces support for using a local docker repo to store images if desired, and adds multiple namespace support to the entrypoint lookup functions. Change-Id: Ib51aa30d3cc033795fe13f6c40a57d46171ad586
hossein-alit · Nov 2, 2017 · 4368455 · 4368455
1 parent d4163df
commit 4368455
Show file tree

Hide file tree

Showing 66 changed files with 1,289 additions and 81 deletions.
diff --git a/calico/templates/clusterrole-calico-cni-plugin.yaml b/calico/templates/clusterrole-calico-cni-plugin.yaml
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.clusterrole_calico_cni_plugin }}
 {{- $envAll := . }}
 ---
 kind: ClusterRole
@@ -27,3 +28,4 @@ rules:
  - nodes
  verbs:
  - get
+{{- end }}
diff --git a/calico/templates/clusterrole-calico-policy-controller.yaml b/calico/templates/clusterrole-calico-policy-controller.yaml
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.clusterrole_calico_policy_controller }}
 {{- $envAll := . }}
 ---
 kind: ClusterRole
@@ -31,3 +32,4 @@ rules:
  verbs:
  - watch
  - list
+{{- end }}
diff --git a/calico/templates/clusterrolebinding-calico-cni-plugin.yaml b/calico/templates/clusterrolebinding-calico-cni-plugin.yaml
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.clusterrolebinding_calico_cni_plugin }}
 {{- $envAll := . }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -28,3 +29,4 @@ subjects:
  - kind: ServiceAccount
  name: calico-cni-plugin
  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/calico/templates/clusterrolebinding-calico-policy-controller.yaml b/calico/templates/clusterrolebinding-calico-policy-controller.yaml
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.clusterrolebinding_calico_policy_controller }}
 {{- $envAll := . }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -28,3 +29,4 @@ subjects:
  - kind: ServiceAccount
  name: calico-policy-controller
  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/calico/templates/configmap-bin.yaml b/calico/templates/configmap-bin.yaml
@@ -0,0 +1,27 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: calico-bin
+data:
+ image-repo-sync.sh: |+
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
diff --git a/calico/templates/configmap-calico-config.yaml b/calico/templates/configmap-calico-config.yaml
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.configmap_calico_config }}
 {{- $envAll := . }}
 ---
 # This ConfigMap is used to configure a self-hosted Calico installation.
@@ -50,3 +51,4 @@ data:
  "kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__"
  }
  }
+{{- end }}
diff --git a/calico/templates/daemonset-calico-etcd.yaml b/calico/templates/daemonset-calico-etcd.yaml
@@ -14,7 +14,13 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.daemonset_calico_etcd }}
 {{- $envAll := . }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" (merge .Values.dependencies.etcd .Values.conditional_dependencies.local_image_registry) -}}
+{{- else -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.etcd -}}
+{{- end -}}
 ---
 # This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
 # to force it to run on the master even when the master isn't schedulable, and uses
@@ -49,6 +55,8 @@ spec:
  nodeSelector:
  node-role.kubernetes.io/master: ""
  hostNetwork: true
+ initContainers:
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
  containers:
  - name: calico-etcd
 {{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -68,6 +76,8 @@ spec:
  - name: var-etcd
  mountPath: /var/etcd
  volumes:
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
  - name: var-etcd
  hostPath:
  path: /var/etcd
+{{- end }}
diff --git a/calico/templates/daemonset-calico-node.yaml b/calico/templates/daemonset-calico-node.yaml
@@ -14,8 +14,13 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.daemonset_calico_node }}
 {{- $envAll := . }}
-{{- $dependencies := .Values.dependencies.calico_node }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" (merge .Values.dependencies.calico_node .Values.conditional_dependencies.local_image_registry) -}}
+{{- else -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_node -}}
+{{- end -}}
 ---
 # This manifest installs the calico/node container, as well
 # as the Calico CNI plugins and network config on
@@ -54,7 +59,7 @@ spec:
  operator: Exists
  serviceAccountName: calico-cni-plugin
  initContainers:
-{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
  containers:
  # Runs calico/node container on each Kubernetes node. This
  # container programs network policy and routes on each
@@ -155,6 +160,7 @@ spec:
  - mountPath: /host/etc/cni/net.d
  name: cni-net-dir
  volumes:
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
  # Used by calico/node.
  - name: lib-modules
  hostPath:
@@ -169,4 +175,4 @@ spec:
  - name: cni-net-dir
  hostPath:
  path: /etc/cni/net.d
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
+{{- end }}
diff --git a/calico/templates/deployment-calico-policy-controller.yaml b/calico/templates/deployment-calico-policy-controller.yaml
@@ -14,8 +14,13 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.deployment_calico_policy_controller }}
 {{- $envAll := . }}
-{{- $dependencies := .Values.dependencies.calico_policy_controller }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" (merge .Values.dependencies.calico_policy_controller .Values.conditional_dependencies.local_image_registry) -}}
+{{- else -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_policy_controller -}}
+{{- end -}}
 ---
 # This manifest deploys the Calico policy controller on Kubernetes.
 # See https://github.com/projectcalico/k8s-policy
@@ -55,7 +60,7 @@ spec:
  operator: Exists
  serviceAccountName: calico-policy-controller
  initContainers:
-{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
  containers:
  - name: calico-policy-controller
 {{ tuple $envAll "calico_kube_policy_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -77,3 +82,4 @@ spec:
  value: "true"
  volumes:
 {{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
+{{- end }}
diff --git a/calico/templates/job-image-repo-sync.yaml b/calico/templates/job-image-repo-sync.yaml
@@ -0,0 +1,65 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_image_repo_sync }}
+{{- $envAll := . }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: calico-image-repo-sync
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "calico" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+ initContainers:
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" . }}"
+ command:
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: calico-bin
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+ volumes:
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
+ - name: calico-bin
+ configMap:
+ name: calico-bin
+ defaultMode: 0555
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- end }}
+{{- end }}
diff --git a/calico/templates/rbac-entrypoint.yaml b/calico/templates/rbac-entrypoint.yaml
@@ -14,4 +14,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.rbac_entrypoint }}
 {{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
+{{- end }}
diff --git a/calico/templates/service-calico-etcd.yaml b/calico/templates/service-calico-etcd.yaml
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.service_calico_etcd }}
 {{- $envAll := . }}
 ---
 # This manifest installs the Service which gets traffic to the Calico
@@ -35,3 +36,4 @@ spec:
  clusterIP: 10.96.232.136
  ports:
  - port: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
diff --git a/calico/templates/serviceaccount-calico-cni-plugin.yaml b/calico/templates/serviceaccount-calico-cni-plugin.yaml
@@ -14,9 +14,11 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.serviceaccount_calico_cni_plugin }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: calico-cni-plugin
+{{- end }}
diff --git a/calico/templates/serviceaccount-calico-policy-controller.yaml b/calico/templates/serviceaccount-calico-policy-controller.yaml
@@ -14,9 +14,11 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.serviceaccount_calico_policy_controller }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: calico-policy-controller
+{{- end }}
diff --git a/calico/values.yaml b/calico/values.yaml
@@ -20,18 +20,44 @@
 # calico/cni:v1.10.0
 # calico/kube-policy-controller:v0.7.0
 
+labels:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
 images:
  tags:
  calico_etcd: quay.io/coreos/etcd:v3.1.10
  calico_node: quay.io/calico/node:v2.4.1
  calico_cni: quay.io/calico/cni:v1.10.0
  calico_kube_policy_controller: quay.io/calico/kube-policy-controller:v0.7.0
  dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
+ image_repo_sync: docker.io/docker:17.07.0
  pull_policy: IfNotPresent
- registry:
- prefix: null
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+ - calico_etcd
+ - calico_node
+ - calico_cni
+ - calico_kube_policy_controller
+
+pod:
+ resources:
+ enabled: false
+ jobs:
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
 
 dependencies:
+ etcd:
+ services: null
  calico_node:
  services:
  - service: etcd
@@ -41,8 +67,28 @@ dependencies:
  - service: etcd
  endpoint: internal
 
+conditional_dependencies:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - service: local_image_registry
+ endpoint: node
+
 endpoints:
  cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
  etcd:
  hosts:
  default: calico-etcd
@@ -56,3 +102,19 @@ endpoints:
 
 networking:
  podSubnet: 192.168.0.0/16
+
+manifests:
+ clusterrole_calico_cni_plugin: true
+ clusterrole_calico_policy_controller: true
+ clusterrolebinding_calico_cni_plugin: true
+ clusterrolebinding_calico_policy_controller: true
+ configmap_bin: true
+ configmap_calico_config: true
+ daemonset_calico_etcd: true
+ daemonset_calico_node: true
+ deployment_calico_policy_controller: true
+ job_image_repo_sync: true
+ rbac_entrypoint: true
+ service_calico_etcd: true
+ serviceaccount_calico_cni_plugin: true
+ serviceaccount_calico_policy_controller: true