diff --git a/.drone.yml b/.drone.yml
deleted file mode 100644
index 7644a6724..000000000
--- a/.drone.yml
+++ /dev/null
@@ -1,1181 +0,0 @@ ---- -kind: pipeline -name: amd64 - -platform: - os: linux - arch: amd64 - -steps: - - name: validate - image: rancher/dapper:v0.6.0 - commands: - - dapper ci - environment: - REGISTRY_ENDPOINT: - from_secret: REGISTRY_ENDPOINT - volumes: - - name: docker - path: /var/run/docker.sock - - - name: mirror-images - image: rancher/dapper:v0.6.0 - commands: - - dapper mirror-images - environment: - REGISTRY_ENDPOINT: - from_secret: REGISTRY_ENDPOINT - REGISTRY_USERNAME: - from_secret: REGISTRY_USERNAME - REGISTRY_PASSWORD: - from_secret: REGISTRY_PASSWORD - volumes: - - name: docker - path: /var/run/docker.sock - depends_on: - - validate - when: - ref: - include: - - "refs/heads/release-v*" - event: - - push - instance: - - drone-publish.rancher.io - - - name: upload - pull: default - image: plugins/gcs - settings: - acl: - - allUsers:READER - cache_control: "public,no-cache,proxy-revalidate" - source: data - target: releases.rancher.com/kontainer-driver-metadata/${DRONE_BRANCH} - token: - from_secret: google_auth_key - when: - event: - - push - depends_on: - - validate - - mirror-images - - - name: dispatch - image: curlimages/curl:7.81.0 - user: root - environment: - PAT_USERNAME: - from_secret: pat_username - PAT_TOKEN: - from_secret: github_token - commands: - - apk -U --no-cache add bash - - scripts/dispatch - when: - event: - - push - depends_on: - - upload - -volumes: -- name: docker - host: - path: /var/run/docker.sock - ---- - -kind: pipeline -name: provisioning-tests-rke2-1-27 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "rke2" - V2PROV_TEST_RUN_REGEX: "^Test_Provisioning_.*$" - KDM_TEST_K8S_MINOR: "27" - -steps: - - name: provisioning-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - 
commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-tests-rke2-1-26 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "rke2" - V2PROV_TEST_RUN_REGEX: "^Test_Provisioning_.*$" - KDM_TEST_K8S_MINOR: "26" - -steps: - - name: provisioning-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-tests-rke2-1-25 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "rke2" - V2PROV_TEST_RUN_REGEX: "^Test_Provisioning_.*$" - KDM_TEST_K8S_MINOR: "25" - -steps: - - name: provisioning-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - 
path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-tests-rke2-1-24 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "rke2" - V2PROV_TEST_RUN_REGEX: "^Test_Provisioning_.*$" - KDM_TEST_K8S_MINOR: "24" - -steps: - - name: provisioning-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-tests-rke2-1-23 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "rke2" - V2PROV_TEST_RUN_REGEX: "^Test_Provisioning_.*$" - KDM_TEST_K8S_MINOR: "23" - -steps: - - name: provisioning-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-tests-k3s-1-27 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "k3s" - V2PROV_TEST_RUN_REGEX: "^Test_Provisioning_.*$" - 
KDM_TEST_K8S_MINOR: "27" - -steps: - - name: provisioning-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-tests-k3s-1-26 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "k3s" - V2PROV_TEST_RUN_REGEX: "^Test_Provisioning_.*$" - KDM_TEST_K8S_MINOR: "26" - -steps: - - name: provisioning-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-tests-k3s-1-25 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "k3s" - V2PROV_TEST_RUN_REGEX: "^Test_Provisioning_.*$" - KDM_TEST_K8S_MINOR: "25" - -steps: - - name: provisioning-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: 
provisioning-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-tests-k3s-1-24 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "k3s" - V2PROV_TEST_RUN_REGEX: "^Test_Provisioning_.*$" - KDM_TEST_K8S_MINOR: "24" - -steps: - - name: provisioning-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-tests-k3s-1-23 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "k3s" - V2PROV_TEST_RUN_REGEX: "^Test_Provisioning_.*$" - KDM_TEST_K8S_MINOR: "23" - -steps: - - name: provisioning-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - 
"refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-operations-tests-rke2-1-27 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "rke2" - V2PROV_TEST_RUN_REGEX: "^Test_Operation_SetA_.*$" - KDM_TEST_K8S_MINOR: "27" - -steps: - - name: provisioning-operations-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-operations-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-operations-tests-rke2-1-26 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "rke2" - V2PROV_TEST_RUN_REGEX: "^Test_Operation_SetA_.*$" - KDM_TEST_K8S_MINOR: "26" - -steps: - - name: provisioning-operations-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-operations-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: 
provisioning-operations-tests-rke2-1-25 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "rke2" - V2PROV_TEST_RUN_REGEX: "^Test_Operation_SetA_.*$" - KDM_TEST_K8S_MINOR: "25" - -steps: - - name: provisioning-operations-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-operations-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-operations-tests-rke2-1-24 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "rke2" - V2PROV_TEST_RUN_REGEX: "^Test_Operation_SetA_.*$" - KDM_TEST_K8S_MINOR: "24" - -steps: - - name: provisioning-operations-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-operations-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-operations-tests-rke2-1-23 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "rke2" - V2PROV_TEST_RUN_REGEX: "^Test_Operation_SetA_.*$" - KDM_TEST_K8S_MINOR: 
"23" - -steps: - - name: provisioning-operations-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-operations-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-operations-tests-k3s-1-27 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "k3s" - V2PROV_TEST_RUN_REGEX: "^Test_Operation_SetA_.*$" - KDM_TEST_K8S_MINOR: "27" - -steps: - - name: provisioning-operations-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-operations-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-operations-tests-k3s-1-26 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "k3s" - V2PROV_TEST_RUN_REGEX: "^Test_Operation_SetA_.*$" - KDM_TEST_K8S_MINOR: "26" - -steps: - - name: provisioning-operations-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: 
/var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-operations-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-operations-tests-k3s-1-25 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "k3s" - V2PROV_TEST_RUN_REGEX: "^Test_Operation_SetA_.*$" - KDM_TEST_K8S_MINOR: "25" - -steps: - - name: provisioning-operations-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-operations-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-operations-tests-k3s-1-24 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "k3s" - V2PROV_TEST_RUN_REGEX: "^Test_Operation_SetA_.*$" - KDM_TEST_K8S_MINOR: "24" - -steps: - - name: provisioning-operations-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-operations-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - 
privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: provisioning-operations-tests-k3s-1-23 - -platform: - os: linux - arch: amd64 - -environment: - V2PROV_TEST_DIST: "k3s" - V2PROV_TEST_RUN_REGEX: "^Test_Operation_SetA_.*$" - KDM_TEST_K8S_MINOR: "23" - -steps: - - name: provisioning-operations-tests-pr - image: rancher/dapper:v0.6.0 - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - pull_request - - name: provisioning-operations-tests-push - image: rancher/dapper:v0.6.0 - failure: ignore - commands: - - dapper provisioning-tests - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock - when: - instance: - - drone-publish.rancher.io - ref: - include: - - "refs/heads/dev-v2.*" - event: - - push - -volumes: - - name: docker - host: - path: /var/run/docker.sock - -trigger: - event: - exclude: - - promote - ---- - -kind: pipeline -name: fossa - -steps: -- name: fossa - image: rancher/drone-fossa:latest - failure: ignore - settings: - api_key: - from_secret: FOSSA_API_KEY - when: - instance: - - drone-publish.rancher.io - diff --git a/.github/runs-on.yml b/.github/runs-on.yml new file mode 100644 index 000000000..adec41405 --- /dev/null +++ b/.github/runs-on.yml @@ -0,0 +1 @@ +_extends: .github-private \ No newline at end of file diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml new file mode 100644 index 000000000..18bc91ad1 --- /dev/null +++ b/.github/workflows/fossa.yaml 
@@ -0,0 +1,28 @@ +name: Fossa Scan + +on: + push: + branches: + - 'dev-v*' + - 'release-v*' + +jobs: + fossa: + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + timeout-minutes: 20 + steps: + - name: Checkout Repo + uses: actions/checkout@v4 + - name: Read FOSSA token + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/org/rancher/fossa/push token | FOSSA_API_KEY_PUSH_ONLY + - name: FOSSA scan + uses: fossas/fossa-action@main + with: + api-key: ${{ env.FOSSA_API_KEY_PUSH_ONLY }} + run-tests: false \ No newline at end of file diff --git a/.github/workflows/provisioning-tests.yaml b/.github/workflows/provisioning-tests.yaml new file mode 100644 index 000000000..372fcdf05 --- /dev/null +++ b/.github/workflows/provisioning-tests.yaml 
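Review bot: `rancher-eio/read-vault-secrets@main` and `fossas/fossa-action@main` reference a mutable branch, so whatever is on `main` at run time executes with this job's `id-token: write` and the FOSSA push token, and a force-push or compromise of either upstream repository changes what runs here without any change in this one. Pin both to a full commit SHA and keep the version readable in a trailing comment, e.g. `uses: fossas/fossa-action@<full-commit-sha>  # vX.Y.Z`, then let Dependabot or Renovate move the pin. The same `@main` reference to `rancher-eio/read-vault-secrets` appears three times in the `.github/workflows/workflow.yaml` hunk below and should be pinned the same way. `actions/checkout@v4` is a major tag, less exposed but pinnable identically.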
@@ -0,0 +1,78 @@ +name: Provisioning tests + +on: + push: + branches: + - 'dev-v*' + - 'release-v*' + pull_request: + branches: + - 'dev-v*' + - 'release-v*' + +jobs: + provisioning-test: + permissions: + contents: read + runs-on: runs-on,runner=4cpu-linux-x64,image=legacy-cgroups-for-x64,run-id=${{ github.run_id }} + container: + image: rancher/dapper:v0.6.0 + options: --privileged + timeout-minutes: 90 + strategy: + matrix: + dist: [rke2, k3s] + k8s-minor: [23, 24, 25, 26, 27] + fail-fast: false + steps: + - name: Force Install GIT latest + run: | + apk add git --update-cache + git --version + git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: "0" + - name: Provisioning test + run: | + dapper provisioning-tests + env: + V2PROV_TEST_DIST: ${{ matrix.dist }} + V2PROV_TEST_RUN_REGEX: "^Test_Provisioning_.*$" + KDM_TEST_K8S_MINOR: ${{ matrix.k8s-minor }} + PREV_COMMIT_PR_SHA: ${{ github.event.pull_request.base.sha }} + PREV_COMMIT_PUSH_SHA: ${{ github.event.before }} + + provisioning-operations-test: + permissions: + contents: read + runs-on: runs-on,runner=4cpu-linux-x64,image=legacy-cgroups-for-x64,run-id=${{ github.run_id }} + container: + image: rancher/dapper:v0.6.0 + options: --privileged + timeout-minutes: 90 + strategy: + fail-fast: false + matrix: + dist: [rke2, k3s] + k8s-minor: [23, 24, 25, 26, 27] + steps: + - name: Force Install GIT latest + run: | + apk add git --update-cache + git --version + git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: "0" + - name: Provisioning Operations tests + run: | + dapper provisioning-tests + env: + V2PROV_TEST_DIST: ${{ matrix.dist }} + V2PROV_TEST_RUN_REGEX: "^Test_Operation_SetA_.*$" + KDM_TEST_K8S_MINOR: ${{ matrix.k8s-minor }} + PREV_COMMIT_PR_SHA: ${{ github.event.pull_request.base.sha }} + PREV_COMMIT_PUSH_SHA: ${{ github.event.before }} \ No 
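Review bot: Both jobs trigger on `pull_request` and run the checked-out PR code inside a `--privileged` `rancher/dapper` container, and nothing in the hunk limits that to same-repository PRs; the jobs are correctly secret-free (`contents: read`, no vault step), and that invariant is worth recording so a later edit does not add a secret to them, e.g. `# Runs untrusted PR code in a privileged container: keep this job free of secrets and write permissions.` above `provisioning-test`. Since `runs-on,runner=4cpu-linux-x64,...` is a self-hosted-style runner, it is also worth confirming it is ephemeral per job. The two jobs are otherwise identical apart from the step name and `V2PROV_TEST_RUN_REGEX`; adding `test-regex: ["^Test_Provisioning_.*$", "^Test_Operation_SetA_.*$"]` to the matrix and setting `V2PROV_TEST_RUN_REGEX: ${{ matrix.test-regex }}` would let one job replace both and stop the copies drifting. The missing trailing newline flagged by `\ No newline at end of file` is worth fixing while here.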
newline at end of file diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml new file mode 100644 index 000000000..9c66789f5 --- /dev/null +++ b/.github/workflows/workflow.yaml 
@@ -0,0 +1,106 @@ +name: Main workflow + +on: + push: + branches: + - 'dev-v*' + - 'release-v*' + pull_request: + branches: + - 'dev-v*' + - 'release-v*' + +jobs: + validate: + permissions: + contents: read + id-token: write + runs-on: ubuntu-latest + timeout-minutes: 20 + container: + image: rancher/dapper:v0.6.0 + steps: + - name: Force Install GIT latest + run: | + apk add git --update-cache + git --version + git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: Checkout code + uses: actions/checkout@v4 + - name: Validate + run: dapper ci + + mirror-images: + permissions: + contents: read + id-token: write + runs-on: ubuntu-latest + needs: validate + container: + image: rancher/dapper:v0.6.0 + if: github.event_name == 'push' && startsWith(github.ref_name, 'release-v') + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Retrieve Registy secrets from vault + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/${{ github.repository }}/registry-endpoint/credentials token | REGISTRY_ENDPOINT ; + secret/data/github/repo/${{ github.repository }}/registry-username/credentials token | REGISTRY_USERNAME ; + secret/data/github/repo/${{ github.repository }}/registry-password/credentials token | REGISTRY_PASSWORD + - name: Validate + run: dapper mirror-images + + upload: + permissions: + contents: read + id-token: write + runs-on: ubuntu-latest + timeout-minutes: 10 + needs: validate + if: github.event_name == 'push' + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Retrieve Google auth from vault + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/${{ github.repository }}/google-auth/rancher/credentials token | GOOGLE_AUTH ; + - name: Authenticate with Google Cloud + uses: 'google-github-actions/auth@v2' + with: + credentials_json: '${{ env.GOOGLE_AUTH }}' + - name: Upload to Google Cloud Storage + uses: 
google-github-actions/upload-cloud-storage@v2 + with: + path: data/ + destination: releases.rancher.com/kontainer-driver-metadata/${{ github.ref_name }} + parent: false + predefinedAcl: publicRead + process_gcloudignore: false + headers: |- + cache-control: public,no-cache,proxy-revalidate + + dispatch: + permissions: + contents: read + id-token: write + runs-on: ubuntu-latest + timeout-minutes: 10 + needs: upload + if: github.event_name == 'push' && (github.ref_name == 'release-v2.7' || github.ref_name == 'dev-v2.7') + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Retrieve token from vault + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/${{ github.repository }}/github-token/credentials token | PAT_TOKEN + - name: Run dispatch + run: | + gh workflow run "Go Generate" --repo rancher/rke --ref release/v1.4 -F source_author=${{ github.actor }} + env: + GH_TOKEN: ${{ env.PAT_TOKEN }} diff --git a/Dockerfile.dapper b/Dockerfile.dapper index d9ecd62bd..e6c1975b9 100644 --- a/Dockerfile.dapper +++ b/Dockerfile.dapper 
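Review bot: The `validate` job requests `id-token: write` but none of its steps uses OIDC (no vault or cloud-auth step), so that permission should be dropped there; `mirror-images`, `upload` and `dispatch` do need it for `read-vault-secrets`. In `dispatch`, `${{ github.actor }}` is expanded directly into the `run:` shell line; expression values should reach the shell through the environment rather than template interpolation, e.g. `SOURCE_AUTHOR: ${{ github.actor }}` under `env:` and `-F source_author="$SOURCE_AUTHOR"` in the command, so the workflow stays safe if the value is later swapped for a less constrained context. `mirror-images` is the only job without `timeout-minutes`, and the step name `Retrieve Registy secrets from vault` has a typo.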
@@ -71,14 +71,15 @@ RUN if [[ "${ARCH}" == "amd64" ]]; then \ curl -sL https://github.com/regclient/regclient/releases/download/v0.4.8/regsync-linux-amd64 -o /bin/regsync && chmod +x /bin/regsync; \ fi -ENV DAPPER_ENV REPO TAG CI DRONE_BUILD_NUMBER DRONE_BUILD_EVENT DRONE_TAG DRONE_COMMIT_BEFORE \ +ENV DAPPER_ENV REPO TAG CI \ + PREV_COMMIT_PR_SHA PREV_COMMIT_PUSH_SHA GITHUB_EVENT_NAME GITHUB_RUN_NUMBER GITHUB_REF_TYPE GITHUB_REF_NAME \ REGISTRY_ENDPOINT REGISTRY_USERNAME REGISTRY_PASSWORD \ V2PROV_TEST_DIST V2PROV_TEST_RUN_REGEX KDM_TEST_K8S_MINOR DEBUG ENV DAPPER_SOURCE /go/src/github.com/rancher/kontainer-driver-metadata ENV DAPPER_DOCKER_SOCKET true ARG CI -ARG DRONE_BUILD_NUMBER -ENV DAPPER_RUN_ARGS "--privileged --label CI=${CI} --label DRONE_BUILD_NUMBER=${DRONE_BUILD_NUMBER}" +ARG GITHUB_RUN_NUMBER +ENV DAPPER_RUN_ARGS "--privileged --label CI=${CI} --label DRONE_BUILD_NUMBER=${GITHUB_RUN_NUMBER}" ENV HOME ${DAPPER_SOURCE} ENV GOPATH /go VOLUME /var/lib/rancher diff --git a/channels-rke2.yaml b/channels-rke2.yaml index f078e0c46..8645f93c2 100644 --- a/channels-rke2.yaml +++ b/channels-rke2.yaml 
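Review bot: The Docker label on the new `DAPPER_RUN_ARGS` line is still named `DRONE_BUILD_NUMBER` while its value now comes from `GITHUB_RUN_NUMBER`, which will mislead anyone filtering containers by label once the Drone pipeline is gone. If no cleanup tooling depends on the old label name, rename it, `ENV DAPPER_RUN_ARGS "--privileged --label CI=${CI} --label GITHUB_RUN_NUMBER=${GITHUB_RUN_NUMBER}"`; if something does filter on it, a comment saying so belongs next to the line. `DAPPER_ENV` now forwards `PREV_COMMIT_PR_SHA` and `PREV_COMMIT_PUSH_SHA`, but the scripts that consume them are not in this diff, so I cannot confirm they cope with one of the two being empty on each event type.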
@@ -1922,3 +1922,36 @@ releases: repo: rancher-rke2-charts version: 1.15.500 featureVersions: *featureVersions-v1 + - version: v1.27.15+rke2r1 + minChannelServerVersion: v2.7.11-alpha1 + maxChannelServerVersion: v2.8.99 + serverArgs: &serverArgs-v1-27-15-rke2r1 + <<: *serverArgs-v1-27-13-rke2r1 + supervisor-metrics: + type: boolean + write-kubeconfig-group: + type: string + agentArgs: &agentArgs-v1-27-15-rke2r1 + <<: *agentArgs-v1-25-15-rke2r2 + enable-pprof: + type: boolean + bind-address: + type: string + charts: &charts-v1-27-15-rke2r1 + <<: *charts-v1-27-14-rke2r1 + rke2-canal: + repo: rancher-rke2-charts + version: v3.28.0-build2024062503 + rke2-ingress-nginx: + repo: rancher-rke2-charts + version: 4.10.101 + rke2-multus: + repo: rancher-rke2-charts + version: v4.0.205 + rke2-flannel: + repo: rancher-rke2-charts + version: v0.25.400 + harvester-cloud-provider: + repo: rancher-rke2-charts + version: 0.2.400 + featureVersions: *featureVersions-v1 diff --git a/channels.yaml b/channels.yaml index 4d6aff978..7ccc8367e 100644 --- a/channels.yaml +++ b/channels.yaml @@ -573,3 +573,19 @@ releases: serverArgs: *serverArgs-v8 agentArgs: *agentArgs-v5 featureVersions: *featureVersions-v1 + - version: v1.27.15+k3s2 + minChannelServerVersion: v2.7.11-alpha1 + maxChannelServerVersion: v2.7.99 + serverArgs: &serverArgs-v9 + <<: *serverArgs-v8 + supervisor-metrics: + type: boolean + write-kubeconfig-group: + type: string + agentArgs: &agentArgs-v6 + <<: *agentArgs-v5 + enable-pprof: + type: boolean + bind-address: + type: string + featureVersions: *featureVersions-v1 diff --git a/data/data.json b/data/data.json index c999b4c38..63fecc437 100644 --- a/data/data.json +++ b/data/data.json 
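Review bot: `agentArgs: &agentArgs-v1-27-15-rke2r1` merges from `*agentArgs-v1-25-15-rke2r2`, two minor versions back, while `serverArgs` and `charts` in the same entry merge from `v1.27.13` and `v1.27.14` anchors; if a newer v1.27 agentArgs anchor exists in the part of the file not shown, this entry silently drops whatever it added. Worth confirming against the `v1.27.14+rke2r1` entry, and if the older base is intended, a comment on that line saying so would stop the next reader from asking.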
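Review bot: The new `v1.27.15+k3s2` entry in `channels.yaml` caps at `maxChannelServerVersion: v2.7.99`, whereas the `v1.27.15+rke2r1` entry added to `channels-rke2.yaml` in the same commit uses `v2.8.99`; if both distributions are meant to be offered to the same Rancher versions, one of the two values is wrong. I cannot tell from the hunk which is intended, so please confirm, and if the asymmetry is deliberate a short comment next to the value would document it.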
@@ -13103,6 +13103,47 @@ "aciOvsContainer": "noiro/openvswitch:6.0.4.1.81c2369", "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.1.81c2369" }, + "v1.27.15-rancher1-1": { + "etcd": "rancher/mirrored-coreos-etcd:v3.5.10", + "alpine": "rancher/rke-tools:v0.1.100", + "nginxProxy": "rancher/rke-tools:v0.1.100", + "certDownloader": "rancher/rke-tools:v0.1.100", + "kubernetesServicesSidecar": "rancher/rke-tools:v0.1.100", + "kubedns": "rancher/mirrored-k8s-dns-kube-dns:1.22.28", + "dnsmasq": "rancher/mirrored-k8s-dns-dnsmasq-nanny:1.22.28", + "kubednsSidecar": "rancher/mirrored-k8s-dns-sidecar:1.22.28", + "kubednsAutoscaler": "rancher/mirrored-cluster-proportional-autoscaler:v1.8.9", + "coredns": "rancher/mirrored-coredns-coredns:1.10.1", + "corednsAutoscaler": "rancher/mirrored-cluster-proportional-autoscaler:v1.8.9", + "nodelocal": "rancher/mirrored-k8s-dns-node-cache:1.22.28", + "kubernetes": "rancher/hyperkube:v1.27.15-rancher1", + "flannel": "rancher/mirrored-flannel-flannel:v0.21.4", + "flannelCni": "rancher/flannel-cni:v0.3.0-rancher8", + "calicoNode": "rancher/mirrored-calico-node:v3.26.3", + "calicoCni": "rancher/calico-cni:v3.26.3-rancher1", + "calicoControllers": "rancher/mirrored-calico-kube-controllers:v3.26.3", + "calicoCtl": "rancher/mirrored-calico-ctl:v3.26.3", + "calicoFlexVol": "rancher/mirrored-calico-pod2daemon-flexvol:v3.26.3", + "canalNode": "rancher/mirrored-calico-node:v3.26.3", + "canalCni": "rancher/calico-cni:v3.26.3-rancher1", + "canalControllers": "rancher/mirrored-calico-kube-controllers:v3.26.3", + "canalFlannel": "rancher/mirrored-flannel-flannel:v0.21.4", + "canalFlexVol": "rancher/mirrored-calico-pod2daemon-flexvol:v3.26.3", + "weaveNode": "weaveworks/weave-kube:2.8.1", + "weaveCni": "weaveworks/weave-npc:2.8.1", + "podInfraContainer": "rancher/mirrored-pause:3.7", + "ingress": "rancher/nginx-ingress-controller:nginx-1.9.4-rancher1", + "ingressBackend": 
"rancher/mirrored-nginx-ingress-controller-defaultbackend:1.5-rancher1", + "ingressWebhook": "rancher/mirrored-ingress-nginx-kube-webhook-certgen:v20231011-8b53cabe0", + "metricsServer": "rancher/mirrored-metrics-server:v0.6.3", + "windowsPodInfraContainer": "rancher/mirrored-pause:3.7", + "aciCniDeployContainer": "noiro/cnideploy:6.0.4.2.81c2369", + "aciHostContainer": "noiro/aci-containers-host:6.0.4.2.81c2369", + "aciOpflexContainer": "noiro/opflex:6.0.4.2.81c2369", + "aciMcastContainer": "noiro/opflex:6.0.4.2.81c2369", + "aciOvsContainer": "noiro/openvswitch:6.0.4.2.81c2369", + "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.2.81c2369" + }, "v1.27.6-rancher1-1": { "etcd": "rancher/mirrored-coreos-etcd:v3.5.7", "alpine": "rancher/rke-tools:v0.1.96", @@ -13365,7 +13406,8 @@ "\u003e=1.26.8-rancher1-1 \u003c1.26.11-rancher2-2": "aci-v6.0.3.1", "\u003e=1.27.0-rancher1-1 \u003c1.27.8-rancher2-1": "aci-v5.2.7.1", "\u003e=1.27.10-rancher1-2 \u003c1.27.11-rancher1-1": "aci-v6.0.3.3", - "\u003e=1.27.11-rancher1-1": "aci-v6.0.4.1", + "\u003e=1.27.11-rancher1-1 \u003c1.27.15-rancher1-1": "aci-v6.0.4.1", + "\u003e=1.27.15-rancher1-1": "aci-v6.0.4.2", "\u003e=1.27.8-rancher2-1 \u003c1.27.8-rancher2-2": "aci-v6.0.3.1", "\u003e=1.27.8-rancher2-2 \u003c1.27.10-rancher1-2": "aci-v6.0.3.2" }, 
@@ -13523,6 +13565,7 @@ "aci-v6.0.3.2": "\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: acicontainersoperators.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AciContainersOperator\n listKind: AciContainersOperatorList\n plural: acicontainersoperators\n singular: acicontainersoperator\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: acicontainersoperator owns the lifecycle of ACI objects in the cluster\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AciContainersOperatorSpec defines the desired spec for ACI Objects\n properties:\n flavor:\n type: string\n config:\n type: string\n type: object\n status:\n description: AciContainersOperatorStatus defines the successful completion of AciContainersOperator\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: Namespace\nmetadata:\n name: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodepodifs.aci.aw\nspec:\n group: aci.aw\n names:\n kind: NodePodIF\n listKind: NodePodIFList\n plural: nodepodifs\n singular: nodepodif\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n podifs:\n type: array\n items:\n type: object\n properties:\n containerID:\n type: string\n epg:\n type: string\n ifname:\n type: string\n ipaddr:\n type: string\n macaddr:\n type: string\n podname:\n type: string\n podns:\n type: string\n vtep:\n type: string\n required:\n - spec\n type: object\n---\n{{- if eq .UseAciCniPriorityClass 
\"true\"}}\napiVersion: scheduling.k8s.io/v1beta1\nkind: PriorityClass\nmetadata:\n name: acicni-priority\nvalue: 1000000000\nglobalDefault: false\ndescription: \"This priority class is used for ACI-CNI resources\"\n---\n{{- end }}\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatglobalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatGlobalInfo\n listKind: SnatGlobalInfoList\n plural: snatglobalinfos\n singular: snatglobalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n description: SnatGlobalInfo is the Schema for the snatglobalinfos API\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n globalInfos:\n additionalProperties:\n items:\n properties:\n macAddress:\n type: string\n portRanges:\n items:\n properties:\n end:\n maximum: 65535\n minimum: 1\n type: integer\n start:\n maximum: 65535\n minimum: 1\n type: integer\n type: object\n type: array\n snatIp:\n type: string\n snatIpUid:\n type: string\n snatPolicyName:\n type: string\n required:\n - macAddress\n - portRanges\n - snatIp\n - snatIpUid\n - snatPolicyName\n type: object\n type: array\n type: object\n required:\n - globalInfos\n type: object\n status:\n description: SnatGlobalInfoStatus defines the observed state of SnatGlobalInfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatlocalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatLocalInfo\n listKind: SnatLocalInfoList\n plural: snatlocalinfos\n singular: snatlocalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: SnatLocalInfoSpec defines the desired state of SnatLocalInfo\n properties:\n localInfos:\n items:\n 
properties:\n podName:\n type: string\n podNamespace:\n type: string\n podUid:\n type: string\n snatPolicies:\n items:\n properties:\n destIp:\n items:\n type: string\n type: array\n name:\n type: string\n snatIp:\n type: string\n required:\n - destIp\n - name\n - snatIp\n type: object\n type: array\n required:\n - podName\n - podNamespace\n - podUid\n - snatPolicies\n type: object\n type: array\n required:\n - localInfos\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatpolicies.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatPolicy\n listKind: SnatPolicyList\n plural: snatpolicies\n singular: snatpolicy\n scope: Cluster\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n selector:\n type: object\n properties:\n labels:\n type: object\n description: 'Selection of Pods'\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n type: object\n snatIp:\n type: array\n items:\n type: string\n destIp:\n type: array\n items:\n type: string\n type: object\n status:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodeinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: NodeInfo\n listKind: NodeInfoList\n plural: nodeinfos\n singular: nodeinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n macaddress:\n type: string\n snatpolicynames:\n additionalProperties:\n type: boolean\n type: object\n type: object\n status:\n description: NodeinfoStatus defines the observed state of 
Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: rdconfigs.aci.snat\nspec:\n group: aci.snat\n names:\n kind: RdConfig\n listKind: RdConfigList\n plural: rdconfigs\n singular: rdconfig\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n discoveredsubnets:\n items:\n type: string\n type: array\n usersubnets:\n items:\n type: string\n type: array\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.aci.netpol\nspec:\n group: aci.netpol\n names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: Network Policy describes traffic flow at IP address or port level\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n 
description: Set of egress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs default to false.\n type: boolean\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n to:\n description: Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n toFqDn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - enableLogging\n - toFqDn\n type: object\n type: array\n ingress:\n description: Set of ingress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.\n type: boolean\n from:\n description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. 
If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n type: object\n type: array\n policyTypes:\n items:\n description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8\n type: string\n type: array\n priority:\n description: Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.\n type: integer\n type:\n description: type of the policy.\n type: string\n required:\n - type\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: dnsnetworkpolicies.aci.dnsnetpol\nspec:\n group: aci.dnsnetpol\n names:\n kind: DnsNetworkPolicy\n listKind: DnsNetworkPolicyList\n plural: dnsnetworkpolicies\n singular: dnsnetworkpolicy\n scope: Namespaced\n versions:\n - name: v1beta\n schema:\n openAPIV3Schema:\n description: dns network Policy\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n properties:\n toFqdn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - toFqdn\n type: object\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: qospolicies.aci.qos\nspec:\n group: aci.qos\n names:\n kind: QosPolicy\n listKind: QosPolicyList\n plural: qospolicies\n singular: qospolicy\n scope: Namespaced\n preserveUnknownFields: false\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n podSelector:\n description: 'Selection of Pods'\n type: object\n properties:\n matchLabels:\n type: object\n description:\n ingress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n egress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n dscpmark:\n type: integer\n default: 0\n minimum: 0\n maximum: 63\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: netflowpolicies.aci.netflow\nspec:\n group: aci.netflow\n names:\n kind: NetflowPolicy\n listKind: NetflowPolicyList\n plural: netflowpolicies\n singular: 
netflowpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n flowSamplingPolicy:\n type: object\n properties:\n destIp:\n type: string\n destPort:\n type: integer\n minimum: 0\n maximum: 65535\n default: 2055\n flowType:\n type: string\n enum:\n - netflow\n - ipfix\n default: netflow\n activeFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 3600\n default: 60\n idleFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 600\n default: 15\n samplingRate:\n type: integer\n minimum: 0\n maximum: 1000\n default: 0\n required:\n - destIp\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: erspanpolicies.aci.erspan\nspec:\n group: aci.erspan\n names:\n kind: ErspanPolicy\n listKind: ErspanPolicyList\n plural: erspanpolicies\n singular: erspanpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n selector:\n type: object\n description: 'Selection of Pods'\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n source:\n type: object\n properties:\n adminState:\n description: Administrative state.\n default: start\n type: string\n enum:\n - start\n - stop\n direction:\n description: Direction of the packets to monitor.\n default: both\n type: string\n enum:\n - in\n - out\n - both\n destination:\n type: object\n properties:\n destIP:\n description: Destination IP of the ERSPAN packet.\n type: string\n flowID:\n description: Unique flow ID of the ERSPAN packet.\n default: 1\n 
type: integer\n minimum: 1\n maximum: 1023\n required:\n - destIP\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: enabledroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: EnableDropLog\n listKind: EnableDropLogList\n plural: enabledroplogs\n singular: enabledroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of EnableDropLog\n type: object\n properties:\n disableDefaultDropLog:\n description: Disables the default droplog enabled by acc-provision.\n default: false\n type: boolean\n nodeSelector:\n type: object\n description: Drop logging is enabled on nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: prunedroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: PruneDropLog\n listKind: PruneDropLogList\n plural: prunedroplogs\n singular: prunedroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of PruneDropLog\n type: object\n properties:\n nodeSelector:\n type: object\n description: Drop logging filters are applied to nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n dropLogFilters:\n type: object\n properties:\n srcIP:\n type: string\n destIP:\n type: string\n srcMAC:\n type: string\n destMAC:\n type: string\n srcPort:\n type: integer\n 
destPort:\n type: integer\n ipProto:\n type: integer\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: accprovisioninputs.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AccProvisionInput\n listKind: AccProvisionInputList\n plural: accprovisioninputs\n singular: accprovisioninput\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: accprovisioninput defines the input configuration for ACI CNI\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AccProvisionInputSpec defines the desired spec for accprovisioninput object\n properties:\n acc_provision_input:\n type: object\n properties:\n operator_managed_config:\n type: object\n properties:\n enable_updates:\n type: boolean\n aci_config:\n type: object\n properties:\n sync_login:\n type: object\n properties:\n certfile:\n type: string\n keyfile:\n type: string\n client_ssl:\n type: boolean\n net_config:\n type: object\n properties:\n interface_mtu:\n type: integer\n service_monitor_interval:\n type: integer\n pbr_tracking_non_snat:\n type: boolean\n pod_subnet_chunk_size:\n type: integer\n disable_wait_for_network:\n type: boolean\n duration_wait_for_network:\n type: integer\n registry:\n type: object\n properties:\n image_prefix:\n type: string\n image_pull_secret:\n type: string\n aci_containers_operator_version:\n type: string\n aci_containers_controller_version:\n type: string\n aci_containers_host_version:\n type: string\n acc_provision_operator_version:\n type: string\n aci_cni_operator_version:\n type: string\n cnideploy_version:\n type: string\n opflex_agent_version:\n type: string\n openvswitch_version:\n type: string\n gbp_version:\n type: string\n logging:\n type: object\n properties:\n controller_log_level:\n type: string\n hostagent_log_level:\n type: string\n opflexagent_log_level:\n type: 
string\n istio_config:\n type: object\n properties:\n install_istio:\n type: boolean\n install_profile:\n type: string\n multus:\n type: object\n properties:\n disable:\n type: boolean\n drop_log_config:\n type: object\n properties:\n enable:\n type: boolean\n nodepodif_config:\n type: object\n properties:\n enable:\n type: boolean\n sriov_config:\n type: object\n properties:\n enable:\n type: boolean\n kube_config:\n type: object\n properties:\n ovs_memory_limit:\n type: string\n use_privileged_containers:\n type: boolean\n image_pull_policy:\n type: string\n reboot_opflex_with_ovs:\n type: string\n snat_operator:\n type: object\n properties:\n port_range:\n type: object\n properties:\n start:\n type: integer\n end:\n type: integer\n ports_per_node:\n type: integer\n contract_scope:\n type: string\n disable_periodic_snat_global_info_sync:\n type: boolean\n type: object\n status:\n description: AccProvisionInputStatus defines the successful completion of AccProvisionInput\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: aci-containers-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n controller-config: |-\n {\n \"log-level\": \"{{.ControllerLogLevel}}\",\n \"apic-hosts\": {{.ApicHosts}},\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if .OpflexDeviceReconnectWaitTimeout }}\n \"opflex-device-reconnect-wait-timeout\": {{.OpflexDeviceReconnectWaitTimeout}},\n{{- end}}\n \"apic-refreshtime\": \"{{.ApicRefreshTime}}\",\n \"apic-subscription-delay\": {{.ApicSubscriptionDelay}},\n \"apic_refreshticker_adjust\": \"{{.ApicRefreshTickerAdjust}}\",\n \"apic-username\": \"{{.ApicUserName}}\",\n \"apic-private-key-path\": \"/usr/local/etc/aci-cert/user.key\",\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if 
ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-policy-tenant\": \"{{.Tenant}}\",\n{{- if ne .CApic \"false\"}}\n \"lb-type\": \"None\",\n{{- end}}\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .NoWaitForServiceEpReadiness \"false\"}}\n \"no-wait-for-service-ep-readiness\": {{.NoWaitForServiceEpReadiness}},\n{{- end}}\n{{- if ne .ServiceGraphEndpointAddDelay \"0\"}}\n \"service-graph-endpoint-add-delay\" : {\n \"delay\": {{.ServiceGraphEndpointAddDelay}},\n \"services\": [{{- range $index, $item :=.ServiceGraphEndpointAddServices }}{{- if $index}},{{end}}{ {{- range $k, $v := $item }}\"{{ $k }}\": \"{{ $v }}\"{{if eq $k \"name\"}},{{end}}{{- end}}}{{end}}]\n },\n{{- end}}\n{{- if ne .AddExternalSubnetsToRdconfig \"false\"}}\n \"add-external-subnets-to-rdconfig\": {{.AddExternalSubnetsToRdconfig}},\n{{- end}}\n{{- if ne .DisablePeriodicSnatGlobalInfoSync \"false\"}}\n \"disable-periodic-snat-global-info-sync\": {{.DisablePeriodicSnatGlobalInfoSync}},\n{{- end}}\n{{- if .NodeSnatRedirectExclude }}\n \"node-snat-redirect-exclude\": [{{ range $index,$item := .NodeSnatRedirectExclude}}{{- if $index}}, {{end }}{\"group\": \"{{ index $item \"group\" }}\", \"labels\": {{ index $item \"labels\" }}}{{ end }}],\n{{- end }}\n \"opflex-device-delete-timeout\": {{.OpflexDeviceDeleteTimeout}},\n \"sleep-time-snat-global-info-sync\": {{.SleepTimeSnatGlobalInfoSync}},\n \"install-istio\": {{.InstallIstio}},\n \"istio-profile\": \"{{.IstioProfile}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-podbd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-pod-bd\",\n \"aci-nodebd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-node-bd\",\n{{- end}}\n 
\"aci-service-phys-dom\": \"{{.SystemIdentifier}}-pdom\",\n \"aci-service-encap\": \"vlan-{{.ServiceVlan}}\",\n \"aci-service-monitor-interval\": {{.ServiceMonitorInterval}},\n \"aci-pbr-tracking-non-snat\": {{.PBRTrackingNonSnat}},\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"aci-l3out\": \"{{.L3Out}}\",\n \"aci-ext-networks\": {{.L3OutExternalNetworks}},\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .AddExternalContractToDefaultEpg \"false\"}}\n \"add-external-contract-to-default-epg\": {{.AddExternalContractToDefaultEpg}},\n{{- end}} \n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}\"\n{{- end}}\n },\n \"max-nodes-svc-graph\": {{.MaxNodesSvcGraph}},\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n 
\"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"service-ip-pool\": [{{- range $index, $item := .ServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"extern-static\": [{{- range $index, $item := .StaticExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"extern-dynamic\": [{{- range $index, $item := .DynamicExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"snat-contract-scope\": \"{{.SnatContractScope}}\",\n \"static-service-ip-pool\": [{{- range $index, $item := .StaticServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End }}\" }{{end}}],\n \"pod-ip-pool\": [{{- range $index, $item := .PodIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"pod-subnet-chunk-size\": {{.PodSubnetChunkSize}},\n \"node-service-ip-pool\": [\n {\n \"end\": \"{{.NodeServiceIPEnd}}\",\n \"start\": \"{{.NodeServiceIPStart}}\"\n }\n ],\n \"node-service-subnets\": [\n \"{{.ServiceGraphSubnet}}\"\n ],\n \"enable_endpointslice\": {{.EnableEndpointSlice}}\n }\n host-agent-config: |-\n {\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .EpRegistry \"\"}}\n \"ep-registry\": \"{{.EpRegistry}}\",\n{{- else}}\n \"ep-registry\": null,\n{{- end}}\n{{- if ne .AciMultipod 
\"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if ne .DhcpRenewMaxRetryCount \"0\" }}\n \"dhcp-renew-max-retry-count\": {{.DhcpRenewMaxRetryCount}},\n{{- end}}\n{{- if ne .DhcpDelay \"0\" }}\n \"dhcp-delay\": {{.DhcpDelay}},\n{{- end}}\n{{- if ne .EnableOpflexAgentReconnect \"false\"}}\n \"enable-opflex-agent-reconnect\": {{.EnableOpflexAgentReconnect}},\n{{- end}}\n{{- if ne .OpflexMode \"\"}}\n \"opflex-mode\": \"{{.OpflexMode}}\",\n{{- else}}\n \"opflex-mode\": null,\n{{- end}}\n \"log-level\": \"{{.HostAgentLogLevel}}\",\n \"aci-snat-namespace\": \"{{.SnatNamespace}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"service-vlan\": {{.ServiceVlan}},\n \"kubeapi-vlan\": {{.KubeAPIVlan}},\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"node-subnet\": [{{- range $index, $item := .NodeSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"encap-type\": \"{{.EncapType}}\",\n \"aci-infra-vlan\": {{.InfraVlan}},\n{{- if .MTU}}\n{{- if ne .MTU 0}}\n \"interface-mtu\": {{.MTU}},\n{{- end}}\n{{- end}}\n{{- if .MTUHeadRoom}}\n{{- if ne .MTUHeadRoom \"0\"}}\n \"interface-mtu-headroom\": {{.MTUHeadRoom}},\n{{- end}}\n{{- end}}\n \"cni-netconfig\": [{{- range $index, $item := .PodNetwork }}{{- if $index}},{{end}}{ \"gateway\": \"{{ $item.Gateway }}\", \"subnet\": \"{{ $item.Subnet }}\", \"routes\": [{ 
\"dst\": \"0.0.0.0/0\", \"gw\": \"{{ $item.Gateway }}\" }]}{{end}}],\n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-default\"\n{{- end}}\n },\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"enable-drop-log\": 
{{.DropLogEnable}},\n \"enable_endpointslice\": {{.EnableEndpointSlice}},\n \"enable-nodepodif\": {{.NodePodIfEnable}},\n \"enable-ovs-hw-offload\": {{.SriovEnable}}\n }\n opflex-agent-config: |-\n {\n \"log\": {\n \"level\": \"{{.OpflexAgentLogLevel}}\"\n },\n \"opflex\": {\n{{- if eq .OpflexClientSSL \"false\"}}\n \"ssl\": { \"mode\": \"disabled\"},\n{{- end}}\n{{- if eq .OpflexAgentStatistics \"false\"}}\n \"statistics\" : { \"mode\" : \"off\" },\n{{- end}}\n{{- if ne .OpflexAgentPolicyRetryDelayTimer \"10\" }}\n \"timers\" : { \"policy-retry-delay\": {{.OpflexAgentPolicyRetryDelayTimer}} },\n{{- end}}\n \"notif\" : { \"enabled\" : \"false\" },\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOpflexAsyncjsonEnabled}} }\n },\n \"ovs\": {\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOvsAsyncjsonEnabled}} }\n }\n }\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: snat-operator-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n \"start\": \"{{.SnatPortRangeStart}}\"\n \"end\": \"{{.SnatPortRangeEnd}}\"\n \"ports-per-node\": \"{{.SnatPortsPerNode}}\"\n---\napiVersion: v1\nkind: Secret\nmetadata:\n name: aci-user-cert\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n user.key: {{.ApicUserKey}}\n user.crt: {{.ApicUserCrt}}\n---\n{{- if eq .CApic \"true\"}}\napiVersion: v1\nkind: Secret\nmetadata:\n name: kafka-client-certificates\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n ca.crt: {{.KafkaClientCrt}}\n kafka-client.crt: {{.KafkaClientCrt}}\n kafka-client.key: {{.KafkaClientKey}}\n---\n{{- end}}\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-host-agent\n 
namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\n{{- if eq .UseClusterRole \"true\"}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - events\n - replicationcontrollers\n - serviceaccounts\n verbs:\n - list\n - watch\n - get\n - patch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - \"rbac.authorization.k8s.io\"\n resources:\n - clusterroles\n - clusterrolebindings\n verbs:\n - '*'\n{{- if ne .InstallIstio \"false\"}}\n- apiGroups:\n - \"install.istio.io\"\n resources:\n - istiocontrolplanes\n - istiooperators\n verbs:\n - '*'\n- apiGroups:\n - \"aci.istio\"\n resources:\n - aciistiooperators\n - aciistiooperator\n verbs:\n - '*'\n{{- end}}\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n - daemonsets\n - statefulsets\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - services/status\n verbs:\n - update\n- apiGroups:\n - \"monitoring.coreos.com\"\n resources:\n - servicemonitors\n verbs:\n - get\n - create\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies/finalizers\n - snatpolicies/status\n - nodeinfos\n verbs:\n - update\n - create\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatglobalinfos\n - snatpolicies\n - nodeinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.qos\"\n 
resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.netflow\"\n resources:\n - netflowpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.erspan\"\n resources:\n - erspanpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - '*'\n- apiGroups:\n - apps.openshift.io\n resources:\n - deploymentconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.dnsnetpol\"\n resources:\n - dnsnetworkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n---\n{{- end}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-host-agent\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - replicationcontrollers\n verbs:\n - list\n - watch\n - get\n{{- if ne .DropLogEnable \"false\"}}\n - update\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n{{- end}}\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies\n - snatglobalinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n 
- delete\n - patch\n- apiGroups:\n - \"aci.droplog\"\n resources:\n - enabledroplogs\n - prunedroplogs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - nodeinfos\n - snatlocalinfos\n verbs:\n - create\n - update\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - \"*\"\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-controller\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-controller\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-controller\n namespace: aci-containers-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-host-agent\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-host-agent\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-host-agent\n namespace: aci-containers-system\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-host\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-host\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-host\n network-plugin: aci-containers\n annotations:\n prometheus.io/scrape: \"true\"\n prometheus.io/port: \"9612\"\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n 
imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n tolerations:\n - operator: Exists\n initContainers:\n - name: cnideploy\n image: {{.AciCniDeployContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersHostPriorityClass}} \n priorityClassName: aci-containers-host\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-host\n image: {{.AciHostContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersHostMemoryLimit ) ( .AciContainersHostMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersHostMemoryLimit }}\n memory: \"{{ .AciContainersHostMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersHostMemoryRequest }}\n memory: \"{{ .AciContainersHostMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n - NET_ADMIN\n - SYS_PTRACE\n - NET_RAW\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: TENANT\n value: \"{{.Tenant}}\"\n{{- if ne .MultusDisable \"true\"}}\n - name: MULTUS\n value: true\n{{- end}}\n{{- if eq .DisableWaitForNetwork \"true\"}}\n - name: DISABLE_WAIT_FOR_NETWORK\n value: true\n{{- else}}\n - name: DURATION_WAIT_FOR_NETWORK\n value: \"{{.DurationWaitForNetwork}}\"\n{{- end}}\n volumeMounts:\n - name: cni-bin\n mountPath: 
/mnt/cni-bin\n - name: cni-conf\n mountPath: /mnt/cni-conf\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: host-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n{{- if eq .AciMultipod \"true\" }}\n - name: dhclient\n mountPath: /var/lib/dhclient\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - mountPath: /run/netns\n name: host-run-netns\n readOnly: true\n mountPropagation: HostToContainer\n{{- end}}\n{{- if ne .MultusDisable \"true\"}}\n - name: multus-cni-conf\n mountPath: /mnt/multus-cni-conf\n{{- end}}\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8090\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n - name: opflex-agent\n env:\n - name: REBOOT_WITH_OVS\n value: \"true\"\n{{- if ne .OpflexOpensslCompat \"false\"}}\n - name: OPENSSL_CONF\n value: \"/etc/pki/tls/openssl11.cnf\" \n{{- end}}\n image: {{.AciOpflexContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .OpflexAgentMemoryLimit ) ( .OpflexAgentMemoryRequest )}}\n resources:\n limits:\n{{- if .OpflexAgentMemoryLimit }}\n memory: \"{{ .OpflexAgentMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .OpflexAgentMemoryRequest }}\n memory: \"{{ .OpflexAgentMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}} \n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: 
hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: opflex-config-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/conf.d\n{{- if eq .RunOpflexServerContainer \"true\"}}\n - name: opflex-server\n image: {{.AciOpflexContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-opflexserver.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n ports:\n - containerPort: {{.OpflexServerPort}}\n - name: metrics\n containerPort: 9632\n terminationMessagePath: /dev/termination-log\n terminationMessagePolicy: File\n volumeMounts:\n - name: opflex-server-config-volume\n mountPath: /usr/local/etc/opflex-server\n - name: hostvar\n mountPath: /usr/local/var\n{{- end}}\n{{- if ne .OpflexMode \"overlay\"}}\n - name: mcast-daemon\n image: {{.AciMcastContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-mcastdaemon.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .McastDaemonMemoryLimit ) ( .McastDaemonMemoryRequest )}}\n resources:\n limits:\n{{- if .McastDaemonMemoryLimit }}\n memory: \"{{ .McastDaemonMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .McastDaemonMemoryRequest }}\n memory: \"{{ .McastDaemonMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n{{- if eq .UsePrivilegedContainer \"true\"}}\n securityContext:\n privileged: true\n{{- end}}\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n{{- end}}\n restartPolicy: Always\n volumes:\n - name: cni-bin\n hostPath:\n path: /opt\n - name: cni-conf\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: host-config-volume\n configMap:\n name: 
aci-containers-config\n items:\n - key: host-agent-config\n path: host-agent.conf\n - name: opflex-hostconfig-volume\n emptyDir:\n medium: Memory\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .AciMultipod \"true\" }}\n{{- if eq .AciMultipodUbuntu \"true\" }}\n - name: dhclient\n hostPath:\n path: /var/lib/dhcp\n{{- else}}\n - name: dhclient\n hostPath:\n path: /var/lib/dhclient\n{{- end}}\n{{- end}}\n - name: opflex-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: opflex-agent-config\n path: local.conf\n{{- if eq .UseOpflexServerVolume \"true\"}}\n - name: opflex-server-config-volume\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - name: host-run-netns\n hostPath:\n path: /run/netns\n{{- end}}\n{{- if ne .MultusDisable \"true\" }}\n - name: multus-cni-conf\n hostPath:\n path: /var/run/multus/\n{{- end}}\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-openvswitch\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{end}}\n tolerations:\n - operator: Exists \n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersOpenvswitchPriorityClass}} \n priorityClassName: aci-containers-openvswitch\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- 
end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-openvswitch\n image: {{.AciOpenvSwitchContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n resources:\n limits:\n memory: \"{{.OVSMemoryLimit}}\"\n requests:\n memory: \"{{.OVSMemoryRequest}}\"\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n - SYS_MODULE\n - SYS_NICE\n - IPC_LOCK\n env:\n - name: OVS_RUNDIR\n value: /usr/local/var/run/openvswitch\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: hostetc\n mountPath: /usr/local/etc\n - name: hostmodules\n mountPath: /lib/modules\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n livenessProbe:\n exec:\n command:\n - /usr/local/bin/liveness-ovs.sh\n restartPolicy: Always\n volumes:\n - name: hostetc\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: hostmodules\n hostPath:\n path: /lib/modules\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nspec:\n replicas: 1\n strategy:\n type: Recreate\n selector:\n matchLabels:\n name: aci-containers-controller\n network-plugin: aci-containers\n template:\n metadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n 
labels:\n name: aci-containers-controller\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n serviceAccountName: aci-containers-controller\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n{{- if .Tolerations }}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n operator: Exists\n tolerationSeconds: {{ .TolerationSeconds }}\n - effect: NoSchedule\n key: node.kubernetes.io/not-ready\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n{{- end }}\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersControllerPriorityClass}} \n priorityClassName: aci-containers-controller\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-node-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-controller\n image: {{.AciControllerContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersControllerMemoryLimit ) ( .AciContainersControllerMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersControllerMemoryLimit }}\n memory: \"{{ .AciContainersControllerMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersControllerMemoryRequest }}\n memory: \"{{ .AciContainersControllerMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n env:\n - name: WATCH_NAMESPACE\n value: \"\"\n - name: ACI_SNAT_NAMESPACE\n value: \"aci-containers-system\"\n - name: ACI_SNAGLOBALINFO_NAME\n value: \"snatglobalinfo\"\n - name: ACI_RDCONFIG_NAME\n value: \"routingdomain-config\"\n - name: SYSTEM_NAMESPACE\n value: \"aci-containers-system\"\n volumeMounts:\n - name: controller-config-volume\n mountPath: 
/usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n - name: aci-user-cert-volume\n mountPath: /usr/local/etc/aci-cert/\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8091\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n volumes:\n{{- if eq .CApic \"true\"}}\n - name: kafka-certs\n secret:\n secretName: kafka-client-certificates\n{{- end}}\n - name: aci-user-cert-volume\n secret:\n secretName: aci-user-cert\n - name: controller-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: controller-config\n path: controller.conf\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .CApic \"true\"}}\n---\napiVersion: aci.aw/v1\nkind: PodIF\nmetadata:\n name: inet-route\n namespace: kube-system\nstatus:\n epg: aci-containers-inet-out\n ipaddr: 0.0.0.0/0\n{{- end}}\n---\napiVersion: v1\nkind: LimitRange\nmetadata:\n name: memory-limit-range\n namespace: aci-containers-system\nspec:\n limits:\n - default:\n memory: {{ .AciContainersMemoryLimit }}\n defaultRequest:\n memory: {{ .AciContainersMemoryRequest }}\n type: Container\n", "aci-v6.0.3.3": "\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: acicontainersoperators.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AciContainersOperator\n listKind: AciContainersOperatorList\n plural: acicontainersoperators\n singular: acicontainersoperator\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: acicontainersoperator owns the lifecycle of ACI objects in the 
cluster\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AciContainersOperatorSpec defines the desired spec for ACI Objects\n properties:\n flavor:\n type: string\n config:\n type: string\n type: object\n status:\n description: AciContainersOperatorStatus defines the successful completion of AciContainersOperator\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: Namespace\nmetadata:\n name: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodepodifs.aci.aw\nspec:\n group: aci.aw\n names:\n kind: NodePodIF\n listKind: NodePodIFList\n plural: nodepodifs\n singular: nodepodif\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n podifs:\n type: array\n items:\n type: object\n properties:\n containerID:\n type: string\n epg:\n type: string\n ifname:\n type: string\n ipaddr:\n type: string\n macaddr:\n type: string\n podname:\n type: string\n podns:\n type: string\n vtep:\n type: string\n required:\n - spec\n type: object\n---\n{{- if eq .UseAciCniPriorityClass \"true\"}}\napiVersion: scheduling.k8s.io/v1beta1\nkind: PriorityClass\nmetadata:\n name: acicni-priority\nvalue: 1000000000\nglobalDefault: false\ndescription: \"This priority class is used for ACI-CNI resources\"\n---\n{{- end }}\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatglobalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatGlobalInfo\n listKind: SnatGlobalInfoList\n plural: snatglobalinfos\n singular: snatglobalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n 
storage: true\n schema:\n openAPIV3Schema:\n description: SnatGlobalInfo is the Schema for the snatglobalinfos API\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n globalInfos:\n additionalProperties:\n items:\n properties:\n macAddress:\n type: string\n portRanges:\n items:\n properties:\n end:\n maximum: 65535\n minimum: 1\n type: integer\n start:\n maximum: 65535\n minimum: 1\n type: integer\n type: object\n type: array\n snatIp:\n type: string\n snatIpUid:\n type: string\n snatPolicyName:\n type: string\n required:\n - macAddress\n - portRanges\n - snatIp\n - snatIpUid\n - snatPolicyName\n type: object\n type: array\n type: object\n required:\n - globalInfos\n type: object\n status:\n description: SnatGlobalInfoStatus defines the observed state of SnatGlobalInfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatlocalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatLocalInfo\n listKind: SnatLocalInfoList\n plural: snatlocalinfos\n singular: snatlocalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: SnatLocalInfoSpec defines the desired state of SnatLocalInfo\n properties:\n localInfos:\n items:\n properties:\n podName:\n type: string\n podNamespace:\n type: string\n podUid:\n type: string\n snatPolicies:\n items:\n properties:\n destIp:\n items:\n type: string\n type: array\n name:\n type: string\n snatIp:\n type: string\n required:\n - destIp\n - name\n - snatIp\n type: object\n type: array\n required:\n - podName\n - podNamespace\n - podUid\n - snatPolicies\n type: object\n type: array\n required:\n - localInfos\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: 
snatpolicies.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatPolicy\n listKind: SnatPolicyList\n plural: snatpolicies\n singular: snatpolicy\n scope: Cluster\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n selector:\n type: object\n properties:\n labels:\n type: object\n description: 'Selection of Pods'\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n type: object\n snatIp:\n type: array\n items:\n type: string\n destIp:\n type: array\n items:\n type: string\n type: object\n status:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodeinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: NodeInfo\n listKind: NodeInfoList\n plural: nodeinfos\n singular: nodeinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n macaddress:\n type: string\n snatpolicynames:\n additionalProperties:\n type: boolean\n type: object\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: rdconfigs.aci.snat\nspec:\n group: aci.snat\n names:\n kind: RdConfig\n listKind: RdConfigList\n plural: rdconfigs\n singular: rdconfig\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n discoveredsubnets:\n items:\n type: string\n type: array\n 
usersubnets:\n items:\n type: string\n type: array\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.aci.netpol\nspec:\n group: aci.netpol\n names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: Network Policy describes traffic flow at IP address or port level\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs default to false.\n type: boolean\n ports:\n description: Set of port and protocol allowed/denied by the rule. 
If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n to:\n description: Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except PodSelector or ExternalEntitySelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n toFqDn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - enableLogging\n - toFqDn\n type: object\n type: array\n ingress:\n description: Set of ingress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.\n type: boolean\n from:\n description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. 
It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n type: object\n type: array\n policyTypes:\n items:\n description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8\n type: string\n type: array\n priority:\n description: Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.\n type: integer\n type:\n description: type of the policy.\n type: string\n required:\n - type\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: dnsnetworkpolicies.aci.dnsnetpol\nspec:\n group: aci.dnsnetpol\n names:\n kind: DnsNetworkPolicy\n listKind: DnsNetworkPolicyList\n plural: dnsnetworkpolicies\n singular: dnsnetworkpolicy\n scope: Namespaced\n versions:\n - name: v1beta\n schema:\n openAPIV3Schema:\n description: dns network Policy\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow 
ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n properties:\n toFqdn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - toFqdn\n type: object\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: qospolicies.aci.qos\nspec:\n group: aci.qos\n names:\n kind: QosPolicy\n listKind: QosPolicyList\n plural: qospolicies\n singular: qospolicy\n scope: Namespaced\n preserveUnknownFields: false\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n podSelector:\n description: 'Selection of Pods'\n type: object\n properties:\n matchLabels:\n type: object\n description:\n ingress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n egress:\n type: object\n properties:\n 
policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n dscpmark:\n type: integer\n default: 0\n minimum: 0\n maximum: 63\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: netflowpolicies.aci.netflow\nspec:\n group: aci.netflow\n names:\n kind: NetflowPolicy\n listKind: NetflowPolicyList\n plural: netflowpolicies\n singular: netflowpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n flowSamplingPolicy:\n type: object\n properties:\n destIp:\n type: string\n destPort:\n type: integer\n minimum: 0\n maximum: 65535\n default: 2055\n flowType:\n type: string\n enum:\n - netflow\n - ipfix\n default: netflow\n activeFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 3600\n default: 60\n idleFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 600\n default: 15\n samplingRate:\n type: integer\n minimum: 0\n maximum: 1000\n default: 0\n required:\n - destIp\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: erspanpolicies.aci.erspan\nspec:\n group: aci.erspan\n names:\n kind: ErspanPolicy\n listKind: ErspanPolicyList\n plural: erspanpolicies\n singular: erspanpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n selector:\n type: object\n description: 'Selection of Pods'\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n source:\n type: object\n properties:\n adminState:\n description: 
Administrative state.\n default: start\n type: string\n enum:\n - start\n - stop\n direction:\n description: Direction of the packets to monitor.\n default: both\n type: string\n enum:\n - in\n - out\n - both\n destination:\n type: object\n properties:\n destIP:\n description: Destination IP of the ERSPAN packet.\n type: string\n flowID:\n description: Unique flow ID of the ERSPAN packet.\n default: 1\n type: integer\n minimum: 1\n maximum: 1023\n required:\n - destIP\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: enabledroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: EnableDropLog\n listKind: EnableDropLogList\n plural: enabledroplogs\n singular: enabledroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of EnableDropLog\n type: object\n properties:\n disableDefaultDropLog:\n description: Disables the default droplog enabled by acc-provision.\n default: false\n type: boolean\n nodeSelector:\n type: object\n description: Drop logging is enabled on nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: prunedroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: PruneDropLog\n listKind: PruneDropLogList\n plural: prunedroplogs\n singular: prunedroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of PruneDropLog\n 
type: object\n properties:\n nodeSelector:\n type: object\n description: Drop logging filters are applied to nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n dropLogFilters:\n type: object\n properties:\n srcIP:\n type: string\n destIP:\n type: string\n srcMAC:\n type: string\n destMAC:\n type: string\n srcPort:\n type: integer\n destPort:\n type: integer\n ipProto:\n type: integer\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: accprovisioninputs.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AccProvisionInput\n listKind: AccProvisionInputList\n plural: accprovisioninputs\n singular: accprovisioninput\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: accprovisioninput defines the input configuration for ACI CNI\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AccProvisionInputSpec defines the desired spec for accprovisioninput object\n properties:\n acc_provision_input:\n type: object\n properties:\n operator_managed_config:\n type: object\n properties:\n enable_updates:\n type: boolean\n aci_config:\n type: object\n properties:\n sync_login:\n type: object\n properties:\n certfile:\n type: string\n keyfile:\n type: string\n client_ssl:\n type: boolean\n net_config:\n type: object\n properties:\n interface_mtu:\n type: integer\n service_monitor_interval:\n type: integer\n pbr_tracking_non_snat:\n type: boolean\n pod_subnet_chunk_size:\n type: integer\n disable_wait_for_network:\n type: boolean\n duration_wait_for_network:\n type: integer\n registry:\n type: object\n properties:\n image_prefix:\n type: string\n image_pull_secret:\n type: string\n aci_containers_operator_version:\n type: string\n aci_containers_controller_version:\n type: string\n 
aci_containers_host_version:\n type: string\n acc_provision_operator_version:\n type: string\n aci_cni_operator_version:\n type: string\n cnideploy_version:\n type: string\n opflex_agent_version:\n type: string\n openvswitch_version:\n type: string\n gbp_version:\n type: string\n logging:\n type: object\n properties:\n controller_log_level:\n type: string\n hostagent_log_level:\n type: string\n opflexagent_log_level:\n type: string\n istio_config:\n type: object\n properties:\n install_istio:\n type: boolean\n install_profile:\n type: string\n multus:\n type: object\n properties:\n disable:\n type: boolean\n drop_log_config:\n type: object\n properties:\n enable:\n type: boolean\n nodepodif_config:\n type: object\n properties:\n enable:\n type: boolean\n sriov_config:\n type: object\n properties:\n enable:\n type: boolean\n kube_config:\n type: object\n properties:\n ovs_memory_limit:\n type: string\n use_privileged_containers:\n type: boolean\n image_pull_policy:\n type: string\n reboot_opflex_with_ovs:\n type: string\n snat_operator:\n type: object\n properties:\n port_range:\n type: object\n properties:\n start:\n type: integer\n end:\n type: integer\n ports_per_node:\n type: integer\n contract_scope:\n type: string\n disable_periodic_snat_global_info_sync:\n type: boolean\n type: object\n status:\n description: AccProvisionInputStatus defines the successful completion of AccProvisionInput\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: aci-containers-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n controller-config: |-\n {\n \"log-level\": \"{{.ControllerLogLevel}}\",\n \"apic-hosts\": {{.ApicHosts}},\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if .OpflexDeviceReconnectWaitTimeout }}\n 
\"opflex-device-reconnect-wait-timeout\": {{.OpflexDeviceReconnectWaitTimeout}},\n{{- end}}\n \"apic-refreshtime\": \"{{.ApicRefreshTime}}\",\n \"apic-subscription-delay\": {{.ApicSubscriptionDelay}},\n \"apic_refreshticker_adjust\": \"{{.ApicRefreshTickerAdjust}}\",\n \"apic-username\": \"{{.ApicUserName}}\",\n \"apic-private-key-path\": \"/usr/local/etc/aci-cert/user.key\",\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-policy-tenant\": \"{{.Tenant}}\",\n{{- if ne .CApic \"false\"}}\n \"lb-type\": \"None\",\n{{- end}}\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .NoWaitForServiceEpReadiness \"false\"}}\n \"no-wait-for-service-ep-readiness\": {{.NoWaitForServiceEpReadiness}},\n{{- end}}\n{{- if ne .ServiceGraphEndpointAddDelay \"0\"}}\n \"service-graph-endpoint-add-delay\" : {\n \"delay\": {{.ServiceGraphEndpointAddDelay}},\n \"services\": [{{- range $index, $item :=.ServiceGraphEndpointAddServices }}{{- if $index}},{{end}}{ {{- range $k, $v := $item }}\"{{ $k }}\": \"{{ $v }}\"{{if eq $k \"name\"}},{{end}}{{- end}}}{{end}}]\n },\n{{- end}}\n{{- if ne .AddExternalSubnetsToRdconfig \"false\"}}\n \"add-external-subnets-to-rdconfig\": {{.AddExternalSubnetsToRdconfig}},\n{{- end}}\n{{- if ne .DisablePeriodicSnatGlobalInfoSync \"false\"}}\n \"disable-periodic-snat-global-info-sync\": {{.DisablePeriodicSnatGlobalInfoSync}},\n{{- end}}\n{{- if .NodeSnatRedirectExclude }}\n \"node-snat-redirect-exclude\": [{{ range $index,$item := .NodeSnatRedirectExclude}}{{- if $index}}, {{end }}{\"group\": \"{{ index $item \"group\" }}\", \"labels\": {{ index $item \"labels\" }}}{{ end 
}}],\n{{- end }}\n \"opflex-device-delete-timeout\": {{.OpflexDeviceDeleteTimeout}},\n \"sleep-time-snat-global-info-sync\": {{.SleepTimeSnatGlobalInfoSync}},\n \"install-istio\": {{.InstallIstio}},\n \"istio-profile\": \"{{.IstioProfile}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-podbd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-pod-bd\",\n \"aci-nodebd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-node-bd\",\n{{- end}}\n \"aci-service-phys-dom\": \"{{.SystemIdentifier}}-pdom\",\n \"aci-service-encap\": \"vlan-{{.ServiceVlan}}\",\n \"aci-service-monitor-interval\": {{.ServiceMonitorInterval}},\n \"aci-pbr-tracking-non-snat\": {{.PBRTrackingNonSnat}},\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"aci-l3out\": \"{{.L3Out}}\",\n \"aci-ext-networks\": {{.L3OutExternalNetworks}},\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .AddExternalContractToDefaultEpg \"false\"}}\n \"add-external-contract-to-default-epg\": {{.AddExternalContractToDefaultEpg}},\n{{- end}} \n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}\"\n{{- end}}\n },\n \"max-nodes-svc-graph\": {{.MaxNodesSvcGraph}},\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": 
{\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"service-ip-pool\": [{{- range $index, $item := .ServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"extern-static\": [{{- range $index, $item := .StaticExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"extern-dynamic\": [{{- range $index, $item := .DynamicExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"snat-contract-scope\": \"{{.SnatContractScope}}\",\n \"static-service-ip-pool\": [{{- range $index, $item := .StaticServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End }}\" }{{end}}],\n \"pod-ip-pool\": [{{- range $index, $item := .PodIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"pod-subnet-chunk-size\": {{.PodSubnetChunkSize}},\n 
\"node-service-ip-pool\": [\n {\n \"end\": \"{{.NodeServiceIPEnd}}\",\n \"start\": \"{{.NodeServiceIPStart}}\"\n }\n ],\n \"node-service-subnets\": [\n \"{{.ServiceGraphSubnet}}\"\n ],\n \"enable_endpointslice\": {{.EnableEndpointSlice}}\n }\n host-agent-config: |-\n {\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .EpRegistry \"\"}}\n \"ep-registry\": \"{{.EpRegistry}}\",\n{{- else}}\n \"ep-registry\": null,\n{{- end}}\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if ne .DhcpRenewMaxRetryCount \"0\" }}\n \"dhcp-renew-max-retry-count\": {{.DhcpRenewMaxRetryCount}},\n{{- end}}\n{{- if ne .DhcpDelay \"0\" }}\n \"dhcp-delay\": {{.DhcpDelay}},\n{{- end}}\n{{- if ne .EnableOpflexAgentReconnect \"false\"}}\n \"enable-opflex-agent-reconnect\": {{.EnableOpflexAgentReconnect}},\n{{- end}}\n{{- if ne .OpflexMode \"\"}}\n \"opflex-mode\": \"{{.OpflexMode}}\",\n{{- else}}\n \"opflex-mode\": null,\n{{- end}}\n \"log-level\": \"{{.HostAgentLogLevel}}\",\n \"aci-snat-namespace\": \"{{.SnatNamespace}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"service-vlan\": {{.ServiceVlan}},\n \"kubeapi-vlan\": {{.KubeAPIVlan}},\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"node-subnet\": [{{- range $index, $item := .NodeSubnet }}{{- if 
$index}},{{end}}{{$item}}{{end}}],\n \"encap-type\": \"{{.EncapType}}\",\n \"aci-infra-vlan\": {{.InfraVlan}},\n{{- if .MTU}}\n{{- if ne .MTU 0}}\n \"interface-mtu\": {{.MTU}},\n{{- end}}\n{{- end}}\n{{- if .MTUHeadRoom}}\n{{- if ne .MTUHeadRoom \"0\"}}\n \"interface-mtu-headroom\": {{.MTUHeadRoom}},\n{{- end}}\n{{- end}}\n \"cni-netconfig\": [{{- range $index, $item := .PodNetwork }}{{- if $index}},{{end}}{ \"gateway\": \"{{ $item.Gateway }}\", \"subnet\": \"{{ $item.Subnet }}\", \"routes\": [{ \"dst\": \"0.0.0.0/0\", \"gw\": \"{{ $item.Gateway }}\" }]}{{end}}],\n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-default\"\n{{- end}}\n },\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- 
end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"enable-drop-log\": {{.DropLogEnable}},\n \"enable_endpointslice\": {{.EnableEndpointSlice}},\n \"enable-nodepodif\": {{.NodePodIfEnable}},\n \"enable-ovs-hw-offload\": {{.SriovEnable}}\n }\n opflex-agent-config: |-\n {\n \"log\": {\n \"level\": \"{{.OpflexAgentLogLevel}}\"\n },\n \"opflex\": {\n{{- if eq .OpflexClientSSL \"false\"}}\n \"ssl\": { \"mode\": \"disabled\"},\n{{- end}}\n{{- if eq .OpflexAgentStatistics \"false\"}}\n \"statistics\" : { \"mode\" : \"off\" },\n{{- end}}\n{{- if ne .OpflexAgentPolicyRetryDelayTimer \"10\" }}\n \"timers\" : { \"policy-retry-delay\": {{.OpflexAgentPolicyRetryDelayTimer}} },\n{{- end}}\n \"notif\" : { \"enabled\" : \"false\" },\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOpflexAsyncjsonEnabled}} }\n },\n \"ovs\": {\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOvsAsyncjsonEnabled}} }\n }\n }\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: snat-operator-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n \"start\": \"{{.SnatPortRangeStart}}\"\n \"end\": \"{{.SnatPortRangeEnd}}\"\n \"ports-per-node\": \"{{.SnatPortsPerNode}}\"\n---\napiVersion: v1\nkind: Secret\nmetadata:\n name: aci-user-cert\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n user.key: {{.ApicUserKey}}\n user.crt: {{.ApicUserCrt}}\n---\n{{- if eq .CApic \"true\"}}\napiVersion: v1\nkind: Secret\nmetadata:\n name: 
kafka-client-certificates\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n ca.crt: {{.KafkaClientCrt}}\n kafka-client.crt: {{.KafkaClientCrt}}\n kafka-client.key: {{.KafkaClientKey}}\n---\n{{- end}}\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-host-agent\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\n{{- if eq .UseClusterRole \"true\"}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - events\n - replicationcontrollers\n - serviceaccounts\n verbs:\n - list\n - watch\n - get\n - patch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - \"rbac.authorization.k8s.io\"\n resources:\n - clusterroles\n - clusterrolebindings\n verbs:\n - '*'\n{{- if ne .InstallIstio \"false\"}}\n- apiGroups:\n - \"install.istio.io\"\n resources:\n - istiocontrolplanes\n - istiooperators\n verbs:\n - '*'\n- apiGroups:\n - \"aci.istio\"\n resources:\n - aciistiooperators\n - aciistiooperator\n verbs:\n - '*'\n{{- end}}\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n - daemonsets\n - statefulsets\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - services/status\n 
verbs:\n - update\n- apiGroups:\n - \"monitoring.coreos.com\"\n resources:\n - servicemonitors\n verbs:\n - get\n - create\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies/finalizers\n - snatpolicies/status\n - nodeinfos\n verbs:\n - update\n - create\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatglobalinfos\n - snatpolicies\n - nodeinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.netflow\"\n resources:\n - netflowpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.erspan\"\n resources:\n - erspanpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - '*'\n- apiGroups:\n - apps.openshift.io\n resources:\n - deploymentconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.dnsnetpol\"\n resources:\n - dnsnetworkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n---\n{{- end}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-host-agent\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - replicationcontrollers\n verbs:\n - list\n - watch\n - get\n{{- if ne .DropLogEnable \"false\"}}\n - update\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n{{- end}}\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - 
customresourcedefinitions\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies\n - snatglobalinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.droplog\"\n resources:\n - enabledroplogs\n - prunedroplogs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - nodeinfos\n - snatlocalinfos\n verbs:\n - create\n - update\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - \"*\"\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-controller\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-controller\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-controller\n namespace: aci-containers-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-host-agent\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-host-agent\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-host-agent\n namespace: aci-containers-system\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-host\n namespace: aci-containers-system\n labels:\n 
aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-host\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-host\n network-plugin: aci-containers\n annotations:\n prometheus.io/scrape: \"true\"\n prometheus.io/port: \"9612\"\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n tolerations:\n - operator: Exists\n initContainers:\n - name: cnideploy\n image: {{.AciCniDeployContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersHostPriorityClass}} \n priorityClassName: aci-containers-host\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-host\n image: {{.AciHostContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersHostMemoryLimit ) ( .AciContainersHostMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersHostMemoryLimit }}\n memory: \"{{ .AciContainersHostMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersHostMemoryRequest }}\n memory: \"{{ .AciContainersHostMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n 
capabilities:\n add:\n - SYS_ADMIN\n - NET_ADMIN\n - SYS_PTRACE\n - NET_RAW\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: TENANT\n value: \"{{.Tenant}}\"\n{{- if ne .MultusDisable \"true\"}}\n - name: MULTUS\n value: true\n{{- end}}\n{{- if eq .DisableWaitForNetwork \"true\"}}\n - name: DISABLE_WAIT_FOR_NETWORK\n value: true\n{{- else}}\n - name: DURATION_WAIT_FOR_NETWORK\n value: \"{{.DurationWaitForNetwork}}\"\n{{- end}}\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n - name: cni-conf\n mountPath: /mnt/cni-conf\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: host-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n{{- if eq .AciMultipod \"true\" }}\n - name: dhclient\n mountPath: /var/lib/dhclient\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - mountPath: /run/netns\n name: host-run-netns\n readOnly: true\n mountPropagation: HostToContainer\n{{- end}}\n{{- if ne .MultusDisable \"true\"}}\n - name: multus-cni-conf\n mountPath: /mnt/multus-cni-conf\n{{- end}}\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8090\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n - name: opflex-agent\n env:\n - name: REBOOT_WITH_OVS\n value: \"true\"\n{{- if ne .OpflexOpensslCompat \"false\"}}\n - name: OPENSSL_CONF\n value: \"/etc/pki/tls/openssl11.cnf\" \n{{- end}}\n image: {{.AciOpflexContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .OpflexAgentMemoryLimit ) ( .OpflexAgentMemoryRequest )}}\n resources:\n 
limits:\n{{- if .OpflexAgentMemoryLimit }}\n memory: \"{{ .OpflexAgentMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .OpflexAgentMemoryRequest }}\n memory: \"{{ .OpflexAgentMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}} \n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: opflex-config-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/conf.d\n{{- if eq .RunOpflexServerContainer \"true\"}}\n - name: opflex-server\n image: {{.AciOpflexContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-opflexserver.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n ports:\n - containerPort: {{.OpflexServerPort}}\n - name: metrics\n containerPort: 9632\n terminationMessagePath: /dev/termination-log\n terminationMessagePolicy: File\n volumeMounts:\n - name: opflex-server-config-volume\n mountPath: /usr/local/etc/opflex-server\n - name: hostvar\n mountPath: /usr/local/var\n{{- end}}\n{{- if ne .OpflexMode \"overlay\"}}\n - name: mcast-daemon\n image: {{.AciMcastContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-mcastdaemon.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .McastDaemonMemoryLimit ) ( .McastDaemonMemoryRequest )}}\n resources:\n limits:\n{{- if .McastDaemonMemoryLimit }}\n memory: \"{{ .McastDaemonMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .McastDaemonMemoryRequest }}\n memory: \"{{ .McastDaemonMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- 
end}}\n{{- end}}\n{{- if eq .UsePrivilegedContainer \"true\"}}\n securityContext:\n privileged: true\n{{- end}}\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n{{- end}}\n restartPolicy: Always\n volumes:\n - name: cni-bin\n hostPath:\n path: /opt\n - name: cni-conf\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: host-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: host-agent-config\n path: host-agent.conf\n - name: opflex-hostconfig-volume\n emptyDir:\n medium: Memory\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .AciMultipod \"true\" }}\n{{- if eq .AciMultipodUbuntu \"true\" }}\n - name: dhclient\n hostPath:\n path: /var/lib/dhcp\n{{- else}}\n - name: dhclient\n hostPath:\n path: /var/lib/dhclient\n{{- end}}\n{{- end}}\n - name: opflex-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: opflex-agent-config\n path: local.conf\n{{- if eq .UseOpflexServerVolume \"true\"}}\n - name: opflex-server-config-volume\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - name: host-run-netns\n hostPath:\n path: /run/netns\n{{- end}}\n{{- if ne .MultusDisable \"true\" }}\n - name: multus-cni-conf\n hostPath:\n path: /var/run/multus/\n{{- end}}\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-openvswitch\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n spec:\n 
hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{end}}\n tolerations:\n - operator: Exists \n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersOpenvswitchPriorityClass}} \n priorityClassName: aci-containers-openvswitch\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-openvswitch\n image: {{.AciOpenvSwitchContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n resources:\n limits:\n memory: \"{{.OVSMemoryLimit}}\"\n requests:\n memory: \"{{.OVSMemoryRequest}}\"\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n - SYS_MODULE\n - SYS_NICE\n - IPC_LOCK\n env:\n - name: OVS_RUNDIR\n value: /usr/local/var/run/openvswitch\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: hostetc\n mountPath: /usr/local/etc\n - name: hostmodules\n mountPath: /lib/modules\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n livenessProbe:\n exec:\n command:\n - /usr/local/bin/liveness-ovs.sh\n restartPolicy: Always\n volumes:\n - name: hostetc\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: hostmodules\n hostPath:\n path: /lib/modules\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: 
varlibdocker\n hostPath:\n path: /var/lib/docker\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nspec:\n replicas: 1\n strategy:\n type: Recreate\n selector:\n matchLabels:\n name: aci-containers-controller\n network-plugin: aci-containers\n template:\n metadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n name: aci-containers-controller\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n serviceAccountName: aci-containers-controller\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n{{- if .Tolerations }}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n operator: Exists\n tolerationSeconds: {{ .TolerationSeconds }}\n - effect: NoSchedule\n key: node.kubernetes.io/not-ready\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n{{- end }}\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersControllerPriorityClass}} \n priorityClassName: aci-containers-controller\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-node-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-controller\n image: {{.AciControllerContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersControllerMemoryLimit ) ( .AciContainersControllerMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersControllerMemoryLimit }}\n memory: \"{{ .AciContainersControllerMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if 
.AciContainersControllerMemoryRequest }}\n memory: \"{{ .AciContainersControllerMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n env:\n - name: WATCH_NAMESPACE\n value: \"\"\n - name: ACI_SNAT_NAMESPACE\n value: \"aci-containers-system\"\n - name: ACI_SNAGLOBALINFO_NAME\n value: \"snatglobalinfo\"\n - name: ACI_RDCONFIG_NAME\n value: \"routingdomain-config\"\n - name: SYSTEM_NAMESPACE\n value: \"aci-containers-system\"\n volumeMounts:\n - name: controller-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n - name: aci-user-cert-volume\n mountPath: /usr/local/etc/aci-cert/\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8091\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n volumes:\n{{- if eq .CApic \"true\"}}\n - name: kafka-certs\n secret:\n secretName: kafka-client-certificates\n{{- end}}\n - name: aci-user-cert-volume\n secret:\n secretName: aci-user-cert\n - name: controller-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: controller-config\n path: controller.conf\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .CApic \"true\"}}\n---\napiVersion: aci.aw/v1\nkind: PodIF\nmetadata:\n name: inet-route\n namespace: kube-system\nstatus:\n epg: aci-containers-inet-out\n ipaddr: 0.0.0.0/0\n{{- end}}\n---\napiVersion: v1\nkind: LimitRange\nmetadata:\n name: memory-limit-range\n namespace: aci-containers-system\nspec:\n limits:\n - default:\n memory: {{ .AciContainersMemoryLimit }}\n defaultRequest:\n memory: {{ .AciContainersMemoryRequest }}\n type: 
Container\n", "aci-v6.0.4.1": "\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: acicontainersoperators.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AciContainersOperator\n listKind: AciContainersOperatorList\n plural: acicontainersoperators\n singular: acicontainersoperator\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: acicontainersoperator owns the lifecycle of ACI objects in the cluster\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AciContainersOperatorSpec defines the desired spec for ACI Objects\n properties:\n flavor:\n type: string\n config:\n type: string\n type: object\n status:\n description: AciContainersOperatorStatus defines the successful completion of AciContainersOperator\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: Namespace\nmetadata:\n name: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodepodifs.aci.aw\nspec:\n group: aci.aw\n names:\n kind: NodePodIF\n listKind: NodePodIFList\n plural: nodepodifs\n singular: nodepodif\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n podifs:\n type: array\n items:\n type: object\n properties:\n containerID:\n type: string\n epg:\n type: string\n ifname:\n type: string\n ipaddr:\n type: string\n macaddr:\n type: string\n podname:\n type: string\n podns:\n type: string\n vtep:\n type: string\n required:\n - spec\n type: object\n---\n{{- if eq .UseAciCniPriorityClass 
\"true\"}}\napiVersion: scheduling.k8s.io/v1beta1\nkind: PriorityClass\nmetadata:\n name: acicni-priority\nvalue: 1000000000\nglobalDefault: false\ndescription: \"This priority class is used for ACI-CNI resources\"\n---\n{{- end }}\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatglobalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatGlobalInfo\n listKind: SnatGlobalInfoList\n plural: snatglobalinfos\n singular: snatglobalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n description: SnatGlobalInfo is the Schema for the snatglobalinfos API\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n globalInfos:\n additionalProperties:\n items:\n properties:\n macAddress:\n type: string\n portRanges:\n items:\n properties:\n end:\n maximum: 65535\n minimum: 1\n type: integer\n start:\n maximum: 65535\n minimum: 1\n type: integer\n type: object\n type: array\n snatIp:\n type: string\n snatIpUid:\n type: string\n snatPolicyName:\n type: string\n required:\n - macAddress\n - portRanges\n - snatIp\n - snatIpUid\n - snatPolicyName\n type: object\n type: array\n type: object\n required:\n - globalInfos\n type: object\n status:\n description: SnatGlobalInfoStatus defines the observed state of SnatGlobalInfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatlocalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatLocalInfo\n listKind: SnatLocalInfoList\n plural: snatlocalinfos\n singular: snatlocalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: SnatLocalInfoSpec defines the desired state of SnatLocalInfo\n properties:\n localInfos:\n items:\n 
properties:\n podName:\n type: string\n podNamespace:\n type: string\n podUid:\n type: string\n snatPolicies:\n items:\n properties:\n destIp:\n items:\n type: string\n type: array\n name:\n type: string\n snatIp:\n type: string\n required:\n - destIp\n - name\n - snatIp\n type: object\n type: array\n required:\n - podName\n - podNamespace\n - podUid\n - snatPolicies\n type: object\n type: array\n required:\n - localInfos\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatpolicies.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatPolicy\n listKind: SnatPolicyList\n plural: snatpolicies\n singular: snatpolicy\n scope: Cluster\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n selector:\n type: object\n properties:\n labels:\n type: object\n description: 'Selection of Pods'\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n type: object\n snatIp:\n type: array\n items:\n type: string\n destIp:\n type: array\n items:\n type: string\n type: object\n status:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodeinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: NodeInfo\n listKind: NodeInfoList\n plural: nodeinfos\n singular: nodeinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n macaddress:\n type: string\n snatpolicynames:\n additionalProperties:\n type: boolean\n type: object\n type: object\n status:\n description: NodeinfoStatus defines the observed state of 
Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: rdconfigs.aci.snat\nspec:\n group: aci.snat\n names:\n kind: RdConfig\n listKind: RdConfigList\n plural: rdconfigs\n singular: rdconfig\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n discoveredsubnets:\n items:\n type: string\n type: array\n usersubnets:\n items:\n type: string\n type: array\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.aci.netpol\nspec:\n group: aci.netpol\n names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: Network Policy describes traffic flow at IP address or port level\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n 
description: Set of egress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs default to false.\n type: boolean\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n to:\n description: Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n toFqDn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - enableLogging\n - toFqDn\n type: object\n type: array\n ingress:\n description: Set of ingress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.\n type: boolean\n from:\n description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. 
If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n type: object\n type: array\n policyTypes:\n items:\n description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8\n type: string\n type: array\n priority:\n description: Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.\n type: integer\n type:\n description: type of the policy.\n type: string\n required:\n - type\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: dnsnetworkpolicies.aci.dnsnetpol\nspec:\n group: aci.dnsnetpol\n names:\n kind: DnsNetworkPolicy\n listKind: DnsNetworkPolicyList\n plural: dnsnetworkpolicies\n singular: dnsnetworkpolicy\n scope: Namespaced\n versions:\n - name: v1beta\n schema:\n openAPIV3Schema:\n description: dns network Policy\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n properties:\n toFqdn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - toFqdn\n type: object\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: qospolicies.aci.qos\nspec:\n group: aci.qos\n names:\n kind: QosPolicy\n listKind: QosPolicyList\n plural: qospolicies\n singular: qospolicy\n scope: Namespaced\n preserveUnknownFields: false\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n podSelector:\n description: 'Selection of Pods'\n type: object\n properties:\n matchLabels:\n type: object\n description:\n ingress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n egress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n dscpmark:\n type: integer\n default: 0\n minimum: 0\n maximum: 63\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: netflowpolicies.aci.netflow\nspec:\n group: aci.netflow\n names:\n kind: NetflowPolicy\n listKind: NetflowPolicyList\n plural: netflowpolicies\n singular: 
netflowpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n flowSamplingPolicy:\n type: object\n properties:\n destIp:\n type: string\n destPort:\n type: integer\n minimum: 0\n maximum: 65535\n default: 2055\n flowType:\n type: string\n enum:\n - netflow\n - ipfix\n default: netflow\n activeFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 3600\n default: 60\n idleFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 600\n default: 15\n samplingRate:\n type: integer\n minimum: 0\n maximum: 1000\n default: 0\n required:\n - destIp\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: erspanpolicies.aci.erspan\nspec:\n group: aci.erspan\n names:\n kind: ErspanPolicy\n listKind: ErspanPolicyList\n plural: erspanpolicies\n singular: erspanpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n selector:\n type: object\n description: 'Selection of Pods'\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n source:\n type: object\n properties:\n adminState:\n description: Administrative state.\n default: start\n type: string\n enum:\n - start\n - stop\n direction:\n description: Direction of the packets to monitor.\n default: both\n type: string\n enum:\n - in\n - out\n - both\n destination:\n type: object\n properties:\n destIP:\n description: Destination IP of the ERSPAN packet.\n type: string\n flowID:\n description: Unique flow ID of the ERSPAN packet.\n default: 1\n 
type: integer\n minimum: 1\n maximum: 1023\n required:\n - destIP\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: enabledroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: EnableDropLog\n listKind: EnableDropLogList\n plural: enabledroplogs\n singular: enabledroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of EnableDropLog\n type: object\n properties:\n disableDefaultDropLog:\n description: Disables the default droplog enabled by acc-provision.\n default: false\n type: boolean\n nodeSelector:\n type: object\n description: Drop logging is enabled on nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: prunedroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: PruneDropLog\n listKind: PruneDropLogList\n plural: prunedroplogs\n singular: prunedroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of PruneDropLog\n type: object\n properties:\n nodeSelector:\n type: object\n description: Drop logging filters are applied to nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n dropLogFilters:\n type: object\n properties:\n srcIP:\n type: string\n destIP:\n type: string\n srcMAC:\n type: string\n destMAC:\n type: string\n srcPort:\n type: integer\n 
destPort:\n type: integer\n ipProto:\n type: integer\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: accprovisioninputs.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AccProvisionInput\n listKind: AccProvisionInputList\n plural: accprovisioninputs\n singular: accprovisioninput\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: accprovisioninput defines the input configuration for ACI CNI\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AccProvisionInputSpec defines the desired spec for accprovisioninput object\n properties:\n acc_provision_input:\n type: object\n properties:\n operator_managed_config:\n type: object\n properties:\n enable_updates:\n type: boolean\n aci_config:\n type: object\n properties:\n sync_login:\n type: object\n properties:\n certfile:\n type: string\n keyfile:\n type: string\n client_ssl:\n type: boolean\n net_config:\n type: object\n properties:\n interface_mtu:\n type: integer\n service_monitor_interval:\n type: integer\n pbr_tracking_non_snat:\n type: boolean\n pod_subnet_chunk_size:\n type: integer\n disable_wait_for_network:\n type: boolean\n duration_wait_for_network:\n type: integer\n registry:\n type: object\n properties:\n image_prefix:\n type: string\n image_pull_secret:\n type: string\n aci_containers_operator_version:\n type: string\n aci_containers_controller_version:\n type: string\n aci_containers_host_version:\n type: string\n acc_provision_operator_version:\n type: string\n aci_cni_operator_version:\n type: string\n cnideploy_version:\n type: string\n opflex_agent_version:\n type: string\n openvswitch_version:\n type: string\n gbp_version:\n type: string\n logging:\n type: object\n properties:\n controller_log_level:\n type: string\n hostagent_log_level:\n type: string\n opflexagent_log_level:\n type: 
string\n istio_config:\n type: object\n properties:\n install_istio:\n type: boolean\n install_profile:\n type: string\n multus:\n type: object\n properties:\n disable:\n type: boolean\n drop_log_config:\n type: object\n properties:\n enable:\n type: boolean\n nodepodif_config:\n type: object\n properties:\n enable:\n type: boolean\n sriov_config:\n type: object\n properties:\n enable:\n type: boolean\n kube_config:\n type: object\n properties:\n ovs_memory_limit:\n type: string\n use_privileged_containers:\n type: boolean\n image_pull_policy:\n type: string\n reboot_opflex_with_ovs:\n type: string\n snat_operator:\n type: object\n properties:\n port_range:\n type: object\n properties:\n start:\n type: integer\n end:\n type: integer\n ports_per_node:\n type: integer\n contract_scope:\n type: string\n disable_periodic_snat_global_info_sync:\n type: boolean\n type: object\n status:\n description: AccProvisionInputStatus defines the successful completion of AccProvisionInput\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: aci-containers-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n controller-config: |-\n {\n \"log-level\": \"{{.ControllerLogLevel}}\",\n \"apic-hosts\": {{.ApicHosts}},\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if .OpflexDeviceReconnectWaitTimeout }}\n \"opflex-device-reconnect-wait-timeout\": {{.OpflexDeviceReconnectWaitTimeout}},\n{{- end}}\n \"apic-refreshtime\": \"{{.ApicRefreshTime}}\",\n \"apic-subscription-delay\": {{.ApicSubscriptionDelay}},\n \"apic_refreshticker_adjust\": \"{{.ApicRefreshTickerAdjust}}\",\n \"apic-username\": \"{{.ApicUserName}}\",\n \"apic-private-key-path\": \"/usr/local/etc/aci-cert/user.key\",\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if 
ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-policy-tenant\": \"{{.Tenant}}\",\n{{- if ne .CApic \"false\"}}\n \"lb-type\": \"None\",\n{{- end}}\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .DisableHppRendering \"false\"}}\n \"disable-hpp-rendering\": {{.DisableHppRendering}},\n{{- end}}\n{{- if ne .NoWaitForServiceEpReadiness \"false\"}}\n \"no-wait-for-service-ep-readiness\": {{.NoWaitForServiceEpReadiness}},\n{{- end}}\n{{- if ne .ServiceGraphEndpointAddDelay \"0\"}}\n \"service-graph-endpoint-add-delay\" : {\n \"delay\": {{.ServiceGraphEndpointAddDelay}},\n \"services\": [{{- range $index, $item :=.ServiceGraphEndpointAddServices }}{{- if $index}},{{end}}{ {{- range $k, $v := $item }}\"{{ $k }}\": \"{{ $v }}\"{{if eq $k \"name\"}},{{end}}{{- end}}}{{end}}]\n },\n{{- end}}\n{{- if ne .AddExternalSubnetsToRdconfig \"false\"}}\n \"add-external-subnets-to-rdconfig\": {{.AddExternalSubnetsToRdconfig}},\n{{- end}}\n{{- if ne .DisablePeriodicSnatGlobalInfoSync \"false\"}}\n \"disable-periodic-snat-global-info-sync\": {{.DisablePeriodicSnatGlobalInfoSync}},\n{{- end}}\n{{- if .NodeSnatRedirectExclude }}\n \"node-snat-redirect-exclude\": [{{ range $index,$item := .NodeSnatRedirectExclude}}{{- if $index}}, {{end }}{\"group\": \"{{ index $item \"group\" }}\", \"labels\": {{ index $item \"labels\" }}}{{ end }}],\n{{- end }}\n{{- if .ApicConnectionRetryLimit}}\n \"apic-connection-retry-limit\": {{.ApicConnectionRetryLimit}},\n{{- end}}\n \"opflex-device-delete-timeout\": {{.OpflexDeviceDeleteTimeout}},\n \"sleep-time-snat-global-info-sync\": {{.SleepTimeSnatGlobalInfoSync}},\n \"install-istio\": {{.InstallIstio}},\n \"istio-profile\": 
\"{{.IstioProfile}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-podbd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-pod-bd\",\n \"aci-nodebd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-node-bd\",\n{{- end}}\n \"aci-service-phys-dom\": \"{{.SystemIdentifier}}-pdom\",\n \"aci-service-encap\": \"vlan-{{.ServiceVlan}}\",\n \"aci-service-monitor-interval\": {{.ServiceMonitorInterval}},\n \"aci-pbr-tracking-non-snat\": {{.PBRTrackingNonSnat}},\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"aci-l3out\": \"{{.L3Out}}\",\n \"aci-ext-networks\": {{.L3OutExternalNetworks}},\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .AddExternalContractToDefaultEpg \"false\"}}\n \"add-external-contract-to-default-epg\": {{.AddExternalContractToDefaultEpg}},\n{{- end}} \n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}\"\n{{- end}}\n },\n \"max-nodes-svc-graph\": {{.MaxNodesSvcGraph}},\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n 
\"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"service-ip-pool\": [{{- range $index, $item := .ServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"extern-static\": [{{- range $index, $item := .StaticExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"extern-dynamic\": [{{- range $index, $item := .DynamicExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"snat-contract-scope\": \"{{.SnatContractScope}}\",\n \"static-service-ip-pool\": [{{- range $index, $item := .StaticServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End }}\" }{{end}}],\n{{- if ne .TaintNotReadyNode \"false\"}}\n \"taint-not-ready\": {{.TaintNotReadyNode}},\n{{- end}}\n \"pod-ip-pool\": [{{- range $index, $item := .PodIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"pod-subnet-chunk-size\": {{.PodSubnetChunkSize}},\n \"node-service-ip-pool\": 
[\n {\n \"end\": \"{{.NodeServiceIPEnd}}\",\n \"start\": \"{{.NodeServiceIPStart}}\"\n }\n ],\n \"node-service-subnets\": [\n \"{{.ServiceGraphSubnet}}\"\n ],\n \"enable_endpointslice\": {{.EnableEndpointSlice}}\n }\n host-agent-config: |-\n {\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .EpRegistry \"\"}}\n \"ep-registry\": \"{{.EpRegistry}}\",\n{{- else}}\n \"ep-registry\": null,\n{{- end}}\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if ne .DhcpRenewMaxRetryCount \"0\" }}\n \"dhcp-renew-max-retry-count\": {{.DhcpRenewMaxRetryCount}},\n{{- end}}\n{{- if ne .DhcpDelay \"0\" }}\n \"dhcp-delay\": {{.DhcpDelay}},\n{{- end}}\n{{- if ne .EnableOpflexAgentReconnect \"false\"}}\n \"enable-opflex-agent-reconnect\": {{.EnableOpflexAgentReconnect}},\n{{- end}}\n{{- if ne .OpflexMode \"\"}}\n \"opflex-mode\": \"{{.OpflexMode}}\",\n{{- else}}\n \"opflex-mode\": null,\n{{- end}}\n \"log-level\": \"{{.HostAgentLogLevel}}\",\n \"aci-snat-namespace\": \"{{.SnatNamespace}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"service-vlan\": {{.ServiceVlan}},\n \"kubeapi-vlan\": {{.KubeAPIVlan}},\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .DisableHppRendering \"false\"}}\n \"disable-hpp-rendering\": {{.DisableHppRendering}},\n{{- end}}\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n 
\"node-subnet\": [{{- range $index, $item := .NodeSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"encap-type\": \"{{.EncapType}}\",\n \"aci-infra-vlan\": {{.InfraVlan}},\n{{- if .MTU}}\n{{- if ne .MTU 0}}\n \"interface-mtu\": {{.MTU}},\n{{- end}}\n{{- end}}\n{{- if .MTUHeadRoom}}\n{{- if ne .MTUHeadRoom \"0\"}}\n \"interface-mtu-headroom\": {{.MTUHeadRoom}},\n{{- end}}\n{{- end}}\n \"cni-netconfig\": [{{- range $index, $item := .PodNetwork }}{{- if $index}},{{end}}{ \"gateway\": \"{{ $item.Gateway }}\", \"subnet\": \"{{ $item.Subnet }}\", \"routes\": [{ \"dst\": \"0.0.0.0/0\", \"gw\": \"{{ $item.Gateway }}\" }]}{{end}}],\n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-default\"\n{{- end}}\n },\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": 
\"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"enable-drop-log\": {{.DropLogEnable}},\n{{- if ne .DropLogDisableEvents \"false\"}}\n \"packet-event-notification-socket\": \"\",\n{{- end}}\n \"enable_endpointslice\": {{.EnableEndpointSlice}},\n \"enable-nodepodif\": {{.NodePodIfEnable}},\n{{- if ne .TaintNotReadyNode \"false\"}}\n \"taint-not-ready\": {{.TaintNotReadyNode}},\n{{- end}} \n \"enable-ovs-hw-offload\": {{.SriovEnable}}\n }\n opflex-agent-config: |-\n {\n \"log\": {\n \"level\": \"{{.OpflexAgentLogLevel}}\"\n },\n \"opflex\": {\n{{- if eq .OpflexClientSSL \"false\"}}\n \"ssl\": { \"mode\": \"disabled\"},\n{{- end}}\n{{- if eq .OpflexAgentStatistics \"false\"}}\n \"statistics\" : { \"mode\" : \"off\" },\n{{- end}}\n{{- if ne .OpflexAgentPolicyRetryDelayTimer \"10\" }}\n \"timers\" : { \"policy-retry-delay\": {{.OpflexAgentPolicyRetryDelayTimer}} },\n{{- end}}\n \"notif\" : { \"enabled\" : \"false\" },\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOpflexAsyncjsonEnabled}} }\n },\n \"ovs\": {\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOvsAsyncjsonEnabled}} }\n }\n }\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: snat-operator-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n \"start\": \"{{.SnatPortRangeStart}}\"\n \"end\": \"{{.SnatPortRangeEnd}}\"\n \"ports-per-node\": 
\"{{.SnatPortsPerNode}}\"\n---\napiVersion: v1\nkind: Secret\nmetadata:\n name: aci-user-cert\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n user.key: {{.ApicUserKey}}\n user.crt: {{.ApicUserCrt}}\n---\n{{- if eq .CApic \"true\"}}\napiVersion: v1\nkind: Secret\nmetadata:\n name: kafka-client-certificates\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n ca.crt: {{.KafkaClientCrt}}\n kafka-client.crt: {{.KafkaClientCrt}}\n kafka-client.key: {{.KafkaClientKey}}\n---\n{{- end}}\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-host-agent\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\n{{- if eq .UseClusterRole \"true\"}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - events\n - replicationcontrollers\n - serviceaccounts\n verbs:\n - list\n - watch\n - get\n - patch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - \"rbac.authorization.k8s.io\"\n resources:\n - clusterroles\n - clusterrolebindings\n verbs:\n - '*'\n{{- if ne .InstallIstio \"false\"}}\n- apiGroups:\n - \"install.istio.io\"\n resources:\n - istiocontrolplanes\n - istiooperators\n verbs:\n - '*'\n- apiGroups:\n - \"aci.istio\"\n resources:\n - aciistiooperators\n - 
aciistiooperator\n verbs:\n - '*'\n{{- end}}\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n - daemonsets\n - statefulsets\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - services/status\n verbs:\n - update\n- apiGroups:\n - \"monitoring.coreos.com\"\n resources:\n - servicemonitors\n verbs:\n - get\n - create\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies/finalizers\n - snatpolicies/status\n - nodeinfos\n verbs:\n - update\n - create\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatglobalinfos\n - snatpolicies\n - nodeinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.netflow\"\n resources:\n - netflowpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.erspan\"\n resources:\n - erspanpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - '*'\n- apiGroups:\n - apps.openshift.io\n resources:\n - deploymentconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.dnsnetpol\"\n resources:\n - dnsnetworkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n---\n{{- end}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-host-agent\nrules:\n- apiGroups:\n - \"\"\n 
resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - replicationcontrollers\n verbs:\n - list\n - watch\n - get\n{{- if ne .DropLogEnable \"false\"}}\n - update\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n{{- end}}\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies\n - snatglobalinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.droplog\"\n resources:\n - enabledroplogs\n - prunedroplogs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - nodeinfos\n - snatlocalinfos\n verbs:\n - create\n - update\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - \"*\"\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-controller\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-controller\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-controller\n namespace: aci-containers-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-host-agent\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n 
apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-host-agent\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-host-agent\n namespace: aci-containers-system\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-host\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-host\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-host\n network-plugin: aci-containers\n annotations:\n prometheus.io/scrape: \"true\"\n prometheus.io/port: \"9612\"\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n tolerations:\n - operator: Exists\n initContainers:\n - name: cnideploy\n image: {{.AciCniDeployContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersHostPriorityClass}} \n priorityClassName: aci-containers-host\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-host\n image: {{.AciHostContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersHostMemoryLimit ) ( .AciContainersHostMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersHostMemoryLimit }}\n memory: \"{{ .AciContainersHostMemoryLimit }}\"\n{{- else}}\n memory: \"{{ 
.AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersHostMemoryRequest }}\n memory: \"{{ .AciContainersHostMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n - NET_ADMIN\n - SYS_PTRACE\n - NET_RAW\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: TENANT\n value: \"{{.Tenant}}\"\n{{- if ne .MultusDisable \"true\"}}\n - name: MULTUS\n value: true\n{{- end}}\n{{- if eq .DisableWaitForNetwork \"true\"}}\n - name: DISABLE_WAIT_FOR_NETWORK\n value: true\n{{- else}}\n - name: DURATION_WAIT_FOR_NETWORK\n value: \"{{.DurationWaitForNetwork}}\"\n{{- end}}\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n - name: cni-conf\n mountPath: /mnt/cni-conf\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: host-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n{{- if eq .AciMultipod \"true\" }}\n - name: dhclient\n mountPath: /var/lib/dhclient\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - mountPath: /run/netns\n name: host-run-netns\n readOnly: true\n mountPropagation: HostToContainer\n{{- end}}\n{{- if ne .MultusDisable \"true\"}}\n - name: multus-cni-conf\n mountPath: /mnt/multus-cni-conf\n{{- end}}\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8090\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n - name: opflex-agent\n env:\n - 
name: REBOOT_WITH_OVS\n value: \"true\"\n{{- if ne .OpflexOpensslCompat \"false\"}}\n - name: OPENSSL_CONF\n value: \"/etc/pki/tls/openssl11.cnf\" \n{{- end}}\n image: {{.AciOpflexContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .OpflexAgentMemoryLimit ) ( .OpflexAgentMemoryRequest )}}\n resources:\n limits:\n{{- if .OpflexAgentMemoryLimit }}\n memory: \"{{ .OpflexAgentMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .OpflexAgentMemoryRequest }}\n memory: \"{{ .OpflexAgentMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}} \n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: opflex-config-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/conf.d\n{{- if eq .RunOpflexServerContainer \"true\"}}\n - name: opflex-server\n image: {{.AciOpflexContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-opflexserver.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n ports:\n - containerPort: {{.OpflexServerPort}}\n - name: metrics\n containerPort: 9632\n terminationMessagePath: /dev/termination-log\n terminationMessagePolicy: File\n volumeMounts:\n - name: opflex-server-config-volume\n mountPath: /usr/local/etc/opflex-server\n - name: hostvar\n mountPath: /usr/local/var\n{{- end}}\n{{- if ne .OpflexMode \"overlay\"}}\n - name: mcast-daemon\n image: {{.AciMcastContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-mcastdaemon.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .McastDaemonMemoryLimit ) ( .McastDaemonMemoryRequest )}}\n resources:\n 
limits:\n{{- if .McastDaemonMemoryLimit }}\n memory: \"{{ .McastDaemonMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .McastDaemonMemoryRequest }}\n memory: \"{{ .McastDaemonMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n{{- if eq .UsePrivilegedContainer \"true\"}}\n securityContext:\n privileged: true\n{{- end}}\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n{{- end}}\n restartPolicy: Always\n volumes:\n - name: cni-bin\n hostPath:\n path: /opt\n - name: cni-conf\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: host-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: host-agent-config\n path: host-agent.conf\n - name: opflex-hostconfig-volume\n emptyDir:\n medium: Memory\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .AciMultipod \"true\" }}\n{{- if eq .AciMultipodUbuntu \"true\" }}\n - name: dhclient\n hostPath:\n path: /var/lib/dhcp\n{{- else}}\n - name: dhclient\n hostPath:\n path: /var/lib/dhclient\n{{- end}}\n{{- end}}\n - name: opflex-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: opflex-agent-config\n path: local.conf\n{{- if eq .UseOpflexServerVolume \"true\"}}\n - name: opflex-server-config-volume\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - name: host-run-netns\n hostPath:\n path: /run/netns\n{{- end}}\n{{- if ne .MultusDisable \"true\" }}\n - name: multus-cni-conf\n hostPath:\n path: /var/run/multus/\n{{- end}}\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-openvswitch\n namespace: aci-containers-system\n labels:\n 
aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{end}}\n tolerations:\n - operator: Exists \n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersOpenvswitchPriorityClass}} \n priorityClassName: aci-containers-openvswitch\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-openvswitch\n image: {{.AciOpenvSwitchContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n resources:\n limits:\n memory: \"{{.OVSMemoryLimit}}\"\n requests:\n memory: \"{{.OVSMemoryRequest}}\"\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n - SYS_MODULE\n - SYS_NICE\n - IPC_LOCK\n env:\n - name: OVS_RUNDIR\n value: /usr/local/var/run/openvswitch\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: hostetc\n mountPath: /usr/local/etc\n - name: hostmodules\n mountPath: /lib/modules\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n livenessProbe:\n exec:\n command:\n - /usr/local/bin/liveness-ovs.sh\n restartPolicy: Always\n 
volumes:\n - name: hostetc\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: hostmodules\n hostPath:\n path: /lib/modules\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nspec:\n replicas: 1\n strategy:\n type: Recreate\n selector:\n matchLabels:\n name: aci-containers-controller\n network-plugin: aci-containers\n template:\n metadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n name: aci-containers-controller\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n serviceAccountName: aci-containers-controller\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n{{- if .Tolerations }}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n operator: Exists\n tolerationSeconds: {{ .TolerationSeconds }}\n - effect: NoSchedule\n key: node.kubernetes.io/not-ready\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n{{- end }}\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersControllerPriorityClass}} \n priorityClassName: aci-containers-controller\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-node-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-controller\n image: {{.AciControllerContainer}}\n imagePullPolicy: 
{{.ImagePullPolicy}}\n{{- if or ( .AciContainersControllerMemoryLimit ) ( .AciContainersControllerMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersControllerMemoryLimit }}\n memory: \"{{ .AciContainersControllerMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersControllerMemoryRequest }}\n memory: \"{{ .AciContainersControllerMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n env:\n - name: WATCH_NAMESPACE\n value: \"\"\n - name: ACI_SNAT_NAMESPACE\n value: \"aci-containers-system\"\n - name: ACI_SNAGLOBALINFO_NAME\n value: \"snatglobalinfo\"\n - name: ACI_RDCONFIG_NAME\n value: \"routingdomain-config\"\n - name: SYSTEM_NAMESPACE\n value: \"aci-containers-system\"\n volumeMounts:\n - name: controller-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n - name: aci-user-cert-volume\n mountPath: /usr/local/etc/aci-cert/\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8091\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n volumes:\n{{- if eq .CApic \"true\"}}\n - name: kafka-certs\n secret:\n secretName: kafka-client-certificates\n{{- end}}\n - name: aci-user-cert-volume\n secret:\n secretName: aci-user-cert\n - name: controller-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: controller-config\n path: controller.conf\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .CApic \"true\"}}\n---\napiVersion: aci.aw/v1\nkind: PodIF\nmetadata:\n name: inet-route\n namespace: 
kube-system\nstatus:\n epg: aci-containers-inet-out\n ipaddr: 0.0.0.0/0\n{{- end}}\n---\napiVersion: v1\nkind: LimitRange\nmetadata:\n name: memory-limit-range\n namespace: aci-containers-system\nspec:\n limits:\n - default:\n memory: {{ .AciContainersMemoryLimit }}\n defaultRequest:\n memory: {{ .AciContainersMemoryRequest }}\n type: Container\n", + "aci-v6.0.4.2": "\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: acicontainersoperators.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AciContainersOperator\n listKind: AciContainersOperatorList\n plural: acicontainersoperators\n singular: acicontainersoperator\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: acicontainersoperator owns the lifecycle of ACI objects in the cluster\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AciContainersOperatorSpec defines the desired spec for ACI Objects\n properties:\n flavor:\n type: string\n config:\n type: string\n type: object\n status:\n description: AciContainersOperatorStatus defines the successful completion of AciContainersOperator\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: Namespace\nmetadata:\n name: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodepodifs.aci.aw\nspec:\n group: aci.aw\n names:\n kind: NodePodIF\n listKind: NodePodIFList\n plural: nodepodifs\n singular: nodepodif\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n podifs:\n 
type: array\n items:\n type: object\n properties:\n containerID:\n type: string\n epg:\n type: string\n ifname:\n type: string\n ipaddr:\n type: string\n macaddr:\n type: string\n podname:\n type: string\n podns:\n type: string\n vtep:\n type: string\n required:\n - spec\n type: object\n---\n{{- if eq .UseAciCniPriorityClass \"true\"}}\napiVersion: scheduling.k8s.io/v1beta1\nkind: PriorityClass\nmetadata:\n name: acicni-priority\nvalue: 1000000000\nglobalDefault: false\ndescription: \"This priority class is used for ACI-CNI resources\"\n---\n{{- end }}\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatglobalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatGlobalInfo\n listKind: SnatGlobalInfoList\n plural: snatglobalinfos\n singular: snatglobalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n description: SnatGlobalInfo is the Schema for the snatglobalinfos API\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n globalInfos:\n additionalProperties:\n items:\n properties:\n macAddress:\n type: string\n portRanges:\n items:\n properties:\n end:\n maximum: 65535\n minimum: 1\n type: integer\n start:\n maximum: 65535\n minimum: 1\n type: integer\n type: object\n type: array\n snatIp:\n type: string\n snatIpUid:\n type: string\n snatPolicyName:\n type: string\n required:\n - macAddress\n - portRanges\n - snatIp\n - snatIpUid\n - snatPolicyName\n type: object\n type: array\n type: object\n required:\n - globalInfos\n type: object\n status:\n description: SnatGlobalInfoStatus defines the observed state of SnatGlobalInfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatlocalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatLocalInfo\n listKind: SnatLocalInfoList\n plural: snatlocalinfos\n singular: 
snatlocalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: SnatLocalInfoSpec defines the desired state of SnatLocalInfo\n properties:\n localInfos:\n items:\n properties:\n podName:\n type: string\n podNamespace:\n type: string\n podUid:\n type: string\n snatPolicies:\n items:\n properties:\n destIp:\n items:\n type: string\n type: array\n name:\n type: string\n snatIp:\n type: string\n required:\n - destIp\n - name\n - snatIp\n type: object\n type: array\n required:\n - podName\n - podNamespace\n - podUid\n - snatPolicies\n type: object\n type: array\n required:\n - localInfos\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatpolicies.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatPolicy\n listKind: SnatPolicyList\n plural: snatpolicies\n singular: snatpolicy\n scope: Cluster\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n selector:\n type: object\n properties:\n labels:\n type: object\n description: 'Selection of Pods'\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n type: object\n snatIp:\n type: array\n items:\n type: string\n destIp:\n type: array\n items:\n type: string\n type: object\n status:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodeinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: NodeInfo\n listKind: NodeInfoList\n plural: nodeinfos\n singular: nodeinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: 
true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n macaddress:\n type: string\n snatpolicynames:\n additionalProperties:\n type: boolean\n type: object\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: rdconfigs.aci.snat\nspec:\n group: aci.snat\n names:\n kind: RdConfig\n listKind: RdConfigList\n plural: rdconfigs\n singular: rdconfig\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n discoveredsubnets:\n items:\n type: string\n type: array\n usersubnets:\n items:\n type: string\n type: array\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.aci.netpol\nspec:\n group: aci.netpol\n names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: Network Policy describes traffic flow at IP address or port level\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same 
namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs default to false.\n type: boolean\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n to:\n description: Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n toFqDn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - enableLogging\n - toFqDn\n type: object\n type: array\n ingress:\n description: Set of ingress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.\n type: boolean\n from:\n description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. 
If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n type: object\n type: array\n policyTypes:\n items:\n description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8\n type: string\n type: array\n priority:\n description: Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.\n type: integer\n type:\n description: type of the policy.\n type: string\n required:\n - type\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: dnsnetworkpolicies.aci.dnsnetpol\nspec:\n group: aci.dnsnetpol\n names:\n kind: DnsNetworkPolicy\n listKind: DnsNetworkPolicyList\n plural: dnsnetworkpolicies\n singular: dnsnetworkpolicy\n scope: Namespaced\n versions:\n - name: v1beta\n schema:\n openAPIV3Schema:\n description: dns network Policy\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n properties:\n toFqdn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - toFqdn\n type: object\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: qospolicies.aci.qos\nspec:\n group: aci.qos\n names:\n kind: QosPolicy\n listKind: QosPolicyList\n plural: qospolicies\n singular: qospolicy\n scope: Namespaced\n preserveUnknownFields: false\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n podSelector:\n description: 'Selection of Pods'\n type: object\n properties:\n matchLabels:\n type: object\n description:\n ingress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n egress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n dscpmark:\n type: integer\n default: 0\n minimum: 0\n maximum: 63\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: netflowpolicies.aci.netflow\nspec:\n group: aci.netflow\n names:\n kind: NetflowPolicy\n listKind: NetflowPolicyList\n plural: netflowpolicies\n singular: 
netflowpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n flowSamplingPolicy:\n type: object\n properties:\n destIp:\n type: string\n destPort:\n type: integer\n minimum: 0\n maximum: 65535\n default: 2055\n flowType:\n type: string\n enum:\n - netflow\n - ipfix\n default: netflow\n activeFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 3600\n default: 60\n idleFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 600\n default: 15\n samplingRate:\n type: integer\n minimum: 0\n maximum: 1000\n default: 0\n required:\n - destIp\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: erspanpolicies.aci.erspan\nspec:\n group: aci.erspan\n names:\n kind: ErspanPolicy\n listKind: ErspanPolicyList\n plural: erspanpolicies\n singular: erspanpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n selector:\n type: object\n description: 'Selection of Pods'\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n source:\n type: object\n properties:\n adminState:\n description: Administrative state.\n default: start\n type: string\n enum:\n - start\n - stop\n direction:\n description: Direction of the packets to monitor.\n default: both\n type: string\n enum:\n - in\n - out\n - both\n destination:\n type: object\n properties:\n destIP:\n description: Destination IP of the ERSPAN packet.\n type: string\n flowID:\n description: Unique flow ID of the ERSPAN packet.\n default: 1\n 
type: integer\n minimum: 1\n maximum: 1023\n required:\n - destIP\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: enabledroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: EnableDropLog\n listKind: EnableDropLogList\n plural: enabledroplogs\n singular: enabledroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of EnableDropLog\n type: object\n properties:\n disableDefaultDropLog:\n description: Disables the default droplog enabled by acc-provision.\n default: false\n type: boolean\n nodeSelector:\n type: object\n description: Drop logging is enabled on nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: prunedroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: PruneDropLog\n listKind: PruneDropLogList\n plural: prunedroplogs\n singular: prunedroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of PruneDropLog\n type: object\n properties:\n nodeSelector:\n type: object\n description: Drop logging filters are applied to nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n dropLogFilters:\n type: object\n properties:\n srcIP:\n type: string\n destIP:\n type: string\n srcMAC:\n type: string\n destMAC:\n type: string\n srcPort:\n type: integer\n 
destPort:\n type: integer\n ipProto:\n type: integer\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: accprovisioninputs.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AccProvisionInput\n listKind: AccProvisionInputList\n plural: accprovisioninputs\n singular: accprovisioninput\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: accprovisioninput defines the input configuration for ACI CNI\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AccProvisionInputSpec defines the desired spec for accprovisioninput object\n properties:\n acc_provision_input:\n type: object\n properties:\n operator_managed_config:\n type: object\n properties:\n enable_updates:\n type: boolean\n aci_config:\n type: object\n properties:\n sync_login:\n type: object\n properties:\n certfile:\n type: string\n keyfile:\n type: string\n client_ssl:\n type: boolean\n net_config:\n type: object\n properties:\n interface_mtu:\n type: integer\n service_monitor_interval:\n type: integer\n pbr_tracking_non_snat:\n type: boolean\n pod_subnet_chunk_size:\n type: integer\n disable_wait_for_network:\n type: boolean\n duration_wait_for_network:\n type: integer\n registry:\n type: object\n properties:\n image_prefix:\n type: string\n image_pull_secret:\n type: string\n aci_containers_operator_version:\n type: string\n aci_containers_controller_version:\n type: string\n aci_containers_host_version:\n type: string\n acc_provision_operator_version:\n type: string\n aci_cni_operator_version:\n type: string\n cnideploy_version:\n type: string\n opflex_agent_version:\n type: string\n openvswitch_version:\n type: string\n gbp_version:\n type: string\n logging:\n type: object\n properties:\n controller_log_level:\n type: string\n hostagent_log_level:\n type: string\n opflexagent_log_level:\n type: 
string\n istio_config:\n type: object\n properties:\n install_profile:\n type: string\n multus:\n type: object\n properties:\n disable:\n type: boolean\n drop_log_config:\n type: object\n properties:\n enable:\n type: boolean\n nodepodif_config:\n type: object\n properties:\n enable:\n type: boolean\n sriov_config:\n type: object\n properties:\n enable:\n type: boolean\n kube_config:\n type: object\n properties:\n ovs_memory_limit:\n type: string\n use_privileged_containers:\n type: boolean\n image_pull_policy:\n type: string\n reboot_opflex_with_ovs:\n type: string\n snat_operator:\n type: object\n properties:\n port_range:\n type: object\n properties:\n start:\n type: integer\n end:\n type: integer\n ports_per_node:\n type: integer\n contract_scope:\n type: string\n disable_periodic_snat_global_info_sync:\n type: boolean\n type: object\n status:\n description: AccProvisionInputStatus defines the successful completion of AccProvisionInput\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: aci-containers-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n controller-config: |-\n {\n \"log-level\": \"{{.ControllerLogLevel}}\",\n \"apic-hosts\": {{.ApicHosts}},\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if .OpflexDeviceReconnectWaitTimeout }}\n \"opflex-device-reconnect-wait-timeout\": {{.OpflexDeviceReconnectWaitTimeout}},\n{{- end}}\n \"apic-refreshtime\": \"{{.ApicRefreshTime}}\",\n \"apic-subscription-delay\": {{.ApicSubscriptionDelay}},\n \"apic_refreshticker_adjust\": \"{{.ApicRefreshTickerAdjust}}\",\n \"apic-username\": \"{{.ApicUserName}}\",\n \"apic-private-key-path\": \"/usr/local/etc/aci-cert/user.key\",\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n 
\"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-policy-tenant\": \"{{.Tenant}}\",\n{{- if ne .CApic \"false\"}}\n \"lb-type\": \"None\",\n{{- end}}\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .DisableHppRendering \"false\"}}\n \"disable-hpp-rendering\": {{.DisableHppRendering}},\n{{- end}}\n{{- if ne .NoWaitForServiceEpReadiness \"false\"}}\n \"no-wait-for-service-ep-readiness\": {{.NoWaitForServiceEpReadiness}},\n{{- end}}\n{{- if ne .ServiceGraphEndpointAddDelay \"0\"}}\n \"service-graph-endpoint-add-delay\" : {\n \"delay\": {{.ServiceGraphEndpointAddDelay}},\n \"services\": [{{- range $index, $item :=.ServiceGraphEndpointAddServices }}{{- if $index}},{{end}}{ {{- range $k, $v := $item }}\"{{ $k }}\": \"{{ $v }}\"{{if eq $k \"name\"}},{{end}}{{- end}}}{{end}}]\n },\n{{- end}}\n{{- if ne .AddExternalSubnetsToRdconfig \"false\"}}\n \"add-external-subnets-to-rdconfig\": {{.AddExternalSubnetsToRdconfig}},\n{{- end}}\n{{- if ne .DisablePeriodicSnatGlobalInfoSync \"false\"}}\n \"disable-periodic-snat-global-info-sync\": {{.DisablePeriodicSnatGlobalInfoSync}},\n{{- end}}\n{{- if .NodeSnatRedirectExclude }}\n \"node-snat-redirect-exclude\": [{{ range $index,$item := .NodeSnatRedirectExclude}}{{- if $index}}, {{end }}{\"group\": \"{{ index $item \"group\" }}\", \"labels\": {{ index $item \"labels\" }}}{{ end }}],\n{{- end }}\n{{- if .ApicConnectionRetryLimit}}\n \"apic-connection-retry-limit\": {{.ApicConnectionRetryLimit}},\n{{- end}}\n \"opflex-device-delete-timeout\": {{.OpflexDeviceDeleteTimeout}},\n \"sleep-time-snat-global-info-sync\": {{.SleepTimeSnatGlobalInfoSync}},\n{{- /* Commenting code to disable the install_istio flag as the functionality\n is disabled to remove 
dependency from istio.io/istio package.\n Vulnerabilties were detected by quay.io security scan of aci-containers-controller\n and aci-containers-operator images for istio.io/istio package \n \"install-istio\": {{.InstallIstio}},\n \"istio-profile\": \"{{.IstioProfile}}\",\n*/}}\n{{- if ne .CApic \"true\"}}\n \"aci-podbd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-pod-bd\",\n \"aci-nodebd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-node-bd\",\n{{- end}}\n \"aci-service-phys-dom\": \"{{.SystemIdentifier}}-pdom\",\n \"aci-service-encap\": \"vlan-{{.ServiceVlan}}\",\n \"aci-service-monitor-interval\": {{.ServiceMonitorInterval}},\n \"aci-pbr-tracking-non-snat\": {{.PBRTrackingNonSnat}},\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"aci-l3out\": \"{{.L3Out}}\",\n \"aci-ext-networks\": {{.L3OutExternalNetworks}},\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .AddExternalContractToDefaultEpg \"false\"}}\n \"add-external-contract-to-default-epg\": {{.AddExternalContractToDefaultEpg}},\n{{- end}} \n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}\"\n{{- end}}\n },\n \"max-nodes-svc-graph\": {{.MaxNodesSvcGraph}},\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": 
\"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"service-ip-pool\": [{{- range $index, $item := .ServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"extern-static\": [{{- range $index, $item := .StaticExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"extern-dynamic\": [{{- range $index, $item := .DynamicExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"snat-contract-scope\": \"{{.SnatContractScope}}\",\n \"static-service-ip-pool\": [{{- range $index, $item := .StaticServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End }}\" }{{end}}],\n{{- if and (ne .TaintNotReadyNode \"false\") (ne .TaintNotReadyNode \"False\") }}\n \"taint-not-ready\": true,\n{{- end}}\n \"pod-ip-pool\": [{{- range $index, $item := 
.PodIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"pod-subnet-chunk-size\": {{.PodSubnetChunkSize}},\n \"node-service-ip-pool\": [\n {\n \"end\": \"{{.NodeServiceIPEnd}}\",\n \"start\": \"{{.NodeServiceIPStart}}\"\n }\n ],\n \"node-service-subnets\": [\n \"{{.ServiceGraphSubnet}}\"\n ],\n \"enable_endpointslice\": {{.EnableEndpointSlice}}\n }\n host-agent-config: |-\n {\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .EpRegistry \"\"}}\n \"ep-registry\": \"{{.EpRegistry}}\",\n{{- else}}\n \"ep-registry\": null,\n{{- end}}\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if ne .DhcpRenewMaxRetryCount \"0\" }}\n \"dhcp-renew-max-retry-count\": {{.DhcpRenewMaxRetryCount}},\n{{- end}}\n{{- if ne .DhcpDelay \"0\" }}\n \"dhcp-delay\": {{.DhcpDelay}},\n{{- end}}\n{{- if ne .EnableOpflexAgentReconnect \"false\"}}\n \"enable-opflex-agent-reconnect\": {{.EnableOpflexAgentReconnect}},\n{{- end}}\n{{- if ne .OpflexMode \"\"}}\n \"opflex-mode\": \"{{.OpflexMode}}\",\n{{- else}}\n \"opflex-mode\": null,\n{{- end}}\n \"log-level\": \"{{.HostAgentLogLevel}}\",\n \"aci-snat-namespace\": \"{{.SnatNamespace}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"service-vlan\": {{.ServiceVlan}},\n \"kubeapi-vlan\": {{.KubeAPIVlan}},\n{{- if ne .HppOptimization 
\"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .DisableHppRendering \"false\"}}\n \"disable-hpp-rendering\": {{.DisableHppRendering}},\n{{- end}}\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"node-subnet\": [{{- range $index, $item := .NodeSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"encap-type\": \"{{.EncapType}}\",\n \"aci-infra-vlan\": {{.InfraVlan}},\n{{- if .MTU}}\n{{- if ne .MTU 0}}\n \"interface-mtu\": {{.MTU}},\n{{- end}}\n{{- end}}\n{{- if .MTUHeadRoom}}\n{{- if ne .MTUHeadRoom \"0\"}}\n \"interface-mtu-headroom\": {{.MTUHeadRoom}},\n{{- end}}\n{{- end}}\n \"cni-netconfig\": [{{- range $index, $item := .PodNetwork }}{{- if $index}},{{end}}{ \"gateway\": \"{{ $item.Gateway }}\", \"subnet\": \"{{ $item.Subnet }}\", \"routes\": [{ \"dst\": \"0.0.0.0/0\", \"gw\": \"{{ $item.Gateway }}\" }]}{{end}}],\n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-default\"\n{{- end}}\n },\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": 
\"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"enable-drop-log\": {{.DropLogEnable}},\n{{- if and (ne .DropLogDisableEvents \"false\") (ne .DropLogDisableEvents \"False\")}}\n \"packet-event-notification-socket\": \"\",\n{{- end}}\n \"enable_endpointslice\": {{.EnableEndpointSlice}},\n \"enable-nodepodif\": {{.NodePodIfEnable}},\n{{- if and (ne .TaintNotReadyNode \"false\") (ne .TaintNotReadyNode \"False\") }}\n \"taint-not-ready\": true,\n{{- end}} \n \"enable-ovs-hw-offload\": {{.SriovEnable}}\n }\n opflex-agent-config: |-\n {\n \"log\": {\n \"level\": \"{{.OpflexAgentLogLevel}}\"\n },\n \"opflex\": {\n{{- if eq .OpflexClientSSL \"false\"}}\n \"ssl\": { \"mode\": \"disabled\"},\n{{- end}}\n{{- if eq .OpflexAgentStatistics \"false\"}}\n \"statistics\" : { \"mode\" : \"off\" },\n{{- end}}\n \"timers\" : {\n{{- if .OpflexAgentPolicyRetryDelayTimer}}\n \"policy-retry-delay\": {{.OpflexAgentPolicyRetryDelayTimer}},\n{{- end}}\n \"switch-sync-delay\": {{.OpflexSwitchSyncDelay}},\n \"switch-sync-dynamic\": {{.OpflexSwitchSyncDynamic}}\n },\n \"startup\": {\n \"enabled\": \"{{.OpflexStartupEnabled}}\",\n \"policy-file\": \"/usr/local/var/lib/opflex-agent-ovs/startup/pol.json\",\n \"policy-duration\": 
{{.OpflexStartupPolicyDuration}},\n \"resolve-aft-conn\": \"{{.OpflexStartupResolveAftConn}}\"\n },\n \"notif\" : { \"enabled\" : \"false\" },\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOpflexAsyncjsonEnabled}} }\n },\n \"ovs\": {\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOvsAsyncjsonEnabled}} }\n }\n }\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: snat-operator-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n \"start\": \"{{.SnatPortRangeStart}}\"\n \"end\": \"{{.SnatPortRangeEnd}}\"\n \"ports-per-node\": \"{{.SnatPortsPerNode}}\"\n---\napiVersion: v1\nkind: Secret\nmetadata:\n name: aci-user-cert\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n user.key: {{.ApicUserKey}}\n user.crt: {{.ApicUserCrt}}\n---\n{{- if eq .CApic \"true\"}}\napiVersion: v1\nkind: Secret\nmetadata:\n name: kafka-client-certificates\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n ca.crt: {{.KafkaClientCrt}}\n kafka-client.crt: {{.KafkaClientCrt}}\n kafka-client.key: {{.KafkaClientKey}}\n---\n{{- end}}\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-host-agent\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\n{{- if eq .UseClusterRole \"true\"}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - events\n - replicationcontrollers\n - serviceaccounts\n verbs:\n - list\n - 
watch\n - get\n - patch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - \"rbac.authorization.k8s.io\"\n resources:\n - clusterroles\n - clusterrolebindings\n verbs:\n - '*'\n{{- /* Commenting code to disable the install_istio flag as the functionality\n is disabled to remove dependency from istio.io/istio package.\n Vulnerabilties were detected by quay.io security scan of aci-containers-controller\n and aci-containers-operator images for istio.io/istio package\n{{- if ne .InstallIstio \"false\"}}\n- apiGroups:\n - \"install.istio.io\"\n resources:\n - istiocontrolplanes\n - istiooperators\n verbs:\n - '*'\n- apiGroups:\n - \"aci.istio\"\n resources:\n - aciistiooperators\n - aciistiooperator\n verbs:\n - '*'\n{{- end}}\n*/}}\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n - daemonsets\n - statefulsets\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - services/status\n verbs:\n - update\n- apiGroups:\n - \"monitoring.coreos.com\"\n resources:\n - servicemonitors\n verbs:\n - get\n - create\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies/finalizers\n - snatpolicies/status\n - nodeinfos\n verbs:\n - update\n - create\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatglobalinfos\n - snatpolicies\n - nodeinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.netflow\"\n resources:\n - netflowpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- 
apiGroups:\n - \"aci.erspan\"\n resources:\n - erspanpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - '*'\n- apiGroups:\n - apps.openshift.io\n resources:\n - deploymentconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.dnsnetpol\"\n resources:\n - dnsnetworkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n---\n{{- end}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-host-agent\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - replicationcontrollers\n verbs:\n - list\n - watch\n - get\n{{- if ne .DropLogEnable \"false\"}}\n - update\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n{{- end}}\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies\n - snatglobalinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.droplog\"\n resources:\n - enabledroplogs\n - prunedroplogs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - nodeinfos\n - snatlocalinfos\n 
verbs:\n - create\n - update\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - \"*\"\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-controller\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-controller\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-controller\n namespace: aci-containers-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-host-agent\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-host-agent\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-host-agent\n namespace: aci-containers-system\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-host\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-host\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-host\n network-plugin: aci-containers\n annotations:\n prometheus.io/scrape: \"true\"\n prometheus.io/port: \"9612\"\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n tolerations:\n - operator: Exists\n initContainers:\n - name: cnideploy\n image: {{.AciCniDeployContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n 
securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersHostPriorityClass}} \n priorityClassName: aci-containers-host\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-host\n image: {{.AciHostContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersHostMemoryLimit ) ( .AciContainersHostMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersHostMemoryLimit }}\n memory: \"{{ .AciContainersHostMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersHostMemoryRequest }}\n memory: \"{{ .AciContainersHostMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n - NET_ADMIN\n - SYS_PTRACE\n - NET_RAW\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: TENANT\n value: \"{{.Tenant}}\"\n{{- if ne .MultusDisable \"true\"}}\n - name: MULTUS\n value: true\n{{- end}}\n{{- if eq .DisableWaitForNetwork \"true\"}}\n - name: DISABLE_WAIT_FOR_NETWORK\n value: true\n{{- else}}\n - name: DURATION_WAIT_FOR_NETWORK\n value: \"{{.DurationWaitForNetwork}}\"\n{{- end}}\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n - name: cni-conf\n mountPath: /mnt/cni-conf\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: 
opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: host-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n{{- if eq .AciMultipod \"true\" }}\n - name: dhclient\n mountPath: /var/lib/dhclient\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - mountPath: /run/netns\n name: host-run-netns\n readOnly: true\n mountPropagation: HostToContainer\n{{- end}}\n{{- if ne .MultusDisable \"true\"}}\n - name: multus-cni-conf\n mountPath: /mnt/multus-cni-conf\n{{- end}}\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8090\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n - name: opflex-agent\n env:\n - name: REBOOT_WITH_OVS\n value: \"true\"\n{{- if ne .OpflexOpensslCompat \"false\"}}\n - name: OPENSSL_CONF\n value: \"/etc/pki/tls/openssl11.cnf\" \n{{- end}}\n image: {{.AciOpflexContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .OpflexAgentMemoryLimit ) ( .OpflexAgentMemoryRequest )}}\n resources:\n limits:\n{{- if .OpflexAgentMemoryLimit }}\n memory: \"{{ .OpflexAgentMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .OpflexAgentMemoryRequest }}\n memory: \"{{ .OpflexAgentMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}} \n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: opflex-config-volume\n 
mountPath: /usr/local/etc/opflex-agent-ovs/conf.d\n{{- if eq .RunOpflexServerContainer \"true\"}}\n - name: opflex-server\n image: {{.AciOpflexContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-opflexserver.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n ports:\n - containerPort: {{.OpflexServerPort}}\n - name: metrics\n containerPort: 9632\n terminationMessagePath: /dev/termination-log\n terminationMessagePolicy: File\n volumeMounts:\n - name: opflex-server-config-volume\n mountPath: /usr/local/etc/opflex-server\n - name: hostvar\n mountPath: /usr/local/var\n{{- end}}\n{{- if ne .OpflexMode \"overlay\"}}\n - name: mcast-daemon\n image: {{.AciMcastContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-mcastdaemon.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .McastDaemonMemoryLimit ) ( .McastDaemonMemoryRequest )}}\n resources:\n limits:\n{{- if .McastDaemonMemoryLimit }}\n memory: \"{{ .McastDaemonMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .McastDaemonMemoryRequest }}\n memory: \"{{ .McastDaemonMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n{{- if eq .UsePrivilegedContainer \"true\"}}\n securityContext:\n privileged: true\n{{- end}}\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n{{- end}}\n restartPolicy: Always\n volumes:\n - name: cni-bin\n hostPath:\n path: /opt\n - name: cni-conf\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: host-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: host-agent-config\n path: host-agent.conf\n - name: opflex-hostconfig-volume\n emptyDir:\n medium: Memory\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: 
varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .AciMultipod \"true\" }}\n{{- if eq .AciMultipodUbuntu \"true\" }}\n - name: dhclient\n hostPath:\n path: /var/lib/dhcp\n{{- else}}\n - name: dhclient\n hostPath:\n path: /var/lib/dhclient\n{{- end}}\n{{- end}}\n - name: opflex-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: opflex-agent-config\n path: local.conf\n{{- if eq .UseOpflexServerVolume \"true\"}}\n - name: opflex-server-config-volume\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - name: host-run-netns\n hostPath:\n path: /run/netns\n{{- end}}\n{{- if ne .MultusDisable \"true\" }}\n - name: multus-cni-conf\n hostPath:\n path: /var/run/multus/\n{{- end}}\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-openvswitch\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{end}}\n tolerations:\n - operator: Exists \n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersOpenvswitchPriorityClass}} \n priorityClassName: aci-containers-openvswitch\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-openvswitch\n image: {{.AciOpenvSwitchContainer}}\n 
imagePullPolicy: {{.ImagePullPolicy}}\n resources:\n limits:\n memory: \"{{.OVSMemoryLimit}}\"\n requests:\n memory: \"{{.OVSMemoryRequest}}\"\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n - SYS_MODULE\n - SYS_NICE\n - IPC_LOCK\n env:\n - name: OVS_RUNDIR\n value: /usr/local/var/run/openvswitch\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: hostetc\n mountPath: /usr/local/etc\n - name: hostmodules\n mountPath: /lib/modules\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n livenessProbe:\n exec:\n command:\n - /usr/local/bin/liveness-ovs.sh\n restartPolicy: Always\n volumes:\n - name: hostetc\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: hostmodules\n hostPath:\n path: /lib/modules\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nspec:\n replicas: 1\n strategy:\n type: Recreate\n selector:\n matchLabels:\n name: aci-containers-controller\n network-plugin: aci-containers\n template:\n metadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n name: aci-containers-controller\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n serviceAccountName: aci-containers-controller\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n 
- name: {{.ImagePullSecret}}\n{{- end}}\n{{- if .Tolerations }}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n key: node.kubernetes.io/unreachable\n operator: Exists\n tolerationSeconds: {{ .TolerationSeconds }}\n - effect: NoExecute\n key: node.kubernetes.io/not-ready\n operator: Exists\n tolerationSeconds: {{ .TolerationSeconds }}\n - effect: NoSchedule\n key: node.kubernetes.io/not-ready\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/controlplane\n value: \"true\"\n operator: Equal\n - effect: NoExecute\n key: node-role.kubernetes.io/etcd\n value: \"true\"\n operator: Equal\n{{- end }}\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersControllerPriorityClass}} \n priorityClassName: aci-containers-controller\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-node-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-controller\n image: {{.AciControllerContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersControllerMemoryLimit ) ( .AciContainersControllerMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersControllerMemoryLimit }}\n memory: \"{{ .AciContainersControllerMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersControllerMemoryRequest }}\n memory: \"{{ .AciContainersControllerMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n env:\n - name: WATCH_NAMESPACE\n value: \"\"\n - name: ACI_SNAT_NAMESPACE\n value: \"aci-containers-system\"\n - name: ACI_SNAGLOBALINFO_NAME\n value: \"snatglobalinfo\"\n - name: ACI_RDCONFIG_NAME\n value: 
\"routingdomain-config\"\n - name: SYSTEM_NAMESPACE\n value: \"aci-containers-system\"\n volumeMounts:\n - name: controller-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n - name: aci-user-cert-volume\n mountPath: /usr/local/etc/aci-cert/\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8091\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n volumes:\n{{- if eq .CApic \"true\"}}\n - name: kafka-certs\n secret:\n secretName: kafka-client-certificates\n{{- end}}\n - name: aci-user-cert-volume\n secret:\n secretName: aci-user-cert\n - name: controller-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: controller-config\n path: controller.conf\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .CApic \"true\"}}\n---\napiVersion: aci.aw/v1\nkind: PodIF\nmetadata:\n name: inet-route\n namespace: kube-system\nstatus:\n epg: aci-containers-inet-out\n ipaddr: 0.0.0.0/0\n{{- end}}\n---\napiVersion: v1\nkind: LimitRange\nmetadata:\n name: memory-limit-range\n namespace: aci-containers-system\nspec:\n limits:\n - default:\n memory: {{ .AciContainersMemoryLimit }}\n defaultRequest:\n memory: {{ .AciContainersMemoryRequest }}\n type: Container\n", "calico-v1.13": "\n{{if eq .RBACConfig \"rbac\"}}\n## start rbac here\n\n# Include a clusterrole for the calico-node DaemonSet,\n# and bind it to the calico-node serviceaccount.\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1beta1\nmetadata:\n name: calico-node\nrules:\n # The CNI plugin needs to get pods, nodes, and namespaces.\n - apiGroups: [\"\"]\n 
resources:\n - pods\n - nodes\n - namespaces\n verbs:\n - get\n - apiGroups: [\"\"]\n resources:\n - endpoints\n - services\n verbs:\n # Used to discover service IPs for advertisement.\n - watch\n - list\n # Used to discover Typhas.\n - get\n - apiGroups: [\"\"]\n resources:\n - nodes/status\n verbs:\n # Needed for clearing NodeNetworkUnavailable flag.\n - patch\n # Calico stores some configuration information in node annotations.\n - update\n # Watch for changes to Kubernetes NetworkPolicies.\n - apiGroups: [\"networking.k8s.io\"]\n resources:\n - networkpolicies\n verbs:\n - watch\n - list\n # Used by Calico for policy information.\n - apiGroups: [\"\"]\n resources:\n - pods\n - namespaces\n - serviceaccounts\n verbs:\n - list\n - watch\n # The CNI plugin patches pods/status.\n - apiGroups: [\"\"]\n resources:\n - pods/status\n verbs:\n - patch\n # Calico monitors various CRDs for config.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - globalfelixconfigs\n - felixconfigurations\n - bgppeers\n - globalbgpconfigs\n - bgpconfigurations\n - ippools\n - globalnetworkpolicies\n - globalnetworksets\n - networkpolicies\n - clusterinformations\n - hostendpoints\n verbs:\n - get\n - list\n - watch\n # Calico must create and update some CRDs on startup.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ippools\n - felixconfigurations\n - clusterinformations\n verbs:\n - create\n - update\n # Calico stores some configuration information on the node.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n - get\n - list\n - watch\n # These permissions are only requried for upgrade from v2.6, and can\n # be removed after upgrade or on fresh installations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - bgpconfigurations\n - bgppeers\n verbs:\n - create\n - update\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n name: calico-node\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n 
name: calico-node\nsubjects:\n- kind: ServiceAccount\n name: calico-node\n namespace: kube-system\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n{{end}}\n## end rbac here\n\n---\n# This ConfigMap is used to configure a self-hosted Calico installation.\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: calico-config\n namespace: kube-system\ndata:\n # To enable Typha, set this to \"calico-typha\" *and* set a non-zero value for Typha replicas\n # below. We recommend using Typha if you have more than 50 nodes. Above 100 nodes it is\n # essential.\n typha_service_name: \"none\"\n # Configure the Calico backend to use.\n calico_backend: \"bird\"\n\n # Configure the MTU to use\n{{- if .MTU }}\n{{- if ne .MTU 0 }}\n veth_mtu: \"{{.MTU}}\"\n{{- end}}\n{{- else }}\n veth_mtu: \"1440\"\n{{- end}}\n\n # The CNI network configuration to install on each node. The special\n # values in this config will be automatically populated.\n cni_network_config: |-\n {\n \"name\": \"k8s-pod-network\",\n \"cniVersion\": \"0.3.0\",\n \"plugins\": [\n {\n \"type\": \"calico\",\n \"log_level\": \"WARNING\",\n \"datastore_type\": \"kubernetes\",\n \"nodename\": \"__KUBERNETES_NODE_NAME__\",\n \"mtu\": __CNI_MTU__,\n \"ipam\": {\n \"type\": \"host-local\",\n \"subnet\": \"usePodCidr\"\n },\n \"policy\": {\n \"type\": \"k8s\"\n },\n \"kubernetes\": {\n \"kubeconfig\": \"{{.KubeCfg}}\"\n }\n },\n {\n \"type\": \"portmap\",\n \"snat\": true,\n \"capabilities\": {\"portMappings\": true}\n }\n ]\n }\n---\n\n# This manifest installs the calico/node container, as well\n# as the Calico CNI plugins and network config on\n# each master and worker node in a Kubernetes cluster.\nkind: DaemonSet\napiVersion: extensions/v1beta1\nmetadata:\n name: calico-node\n namespace: kube-system\n labels:\n k8s-app: calico-node\nspec:\n selector:\n matchLabels:\n k8s-app: calico-node\n updateStrategy:\n{{if .UpdateStrategy}}\n{{ toYaml .UpdateStrategy | indent 4}}\n{{else}}\n type: 
RollingUpdate\n rollingUpdate:\n maxUnavailable: 1\n{{end}}\n template:\n metadata:\n labels:\n k8s-app: calico-node\n annotations:\n # This, along with the CriticalAddonsOnly toleration below,\n # marks the pod as a critical add-on, ensuring it gets\n # priority scheduling and that its resources are reserved\n # if it ever gets evicted.\n scheduler.alpha.kubernetes.io/critical-pod: ''\n spec:\n affinity:\n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: beta.kubernetes.io/os\n operator: NotIn\n values:\n - windows\n hostNetwork: true\n{{if .NodeSelector}}\n nodeSelector:\n {{ range $k, $v := .NodeSelector }}\n {{ $k }}: \"{{ $v }}\"\n {{ end }}\n{{end}}\n tolerations:\n # Make sure calico-node gets scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n # Mark the pod as a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n operator: Exists\n serviceAccountName: calico-node\n # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a \"force\n # deletion\": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.\n terminationGracePeriodSeconds: 0\n initContainers:\n # This container installs the Calico CNI binaries\n # and CNI network config file on each node.\n - name: install-cni\n image: {{.CNIImage}}\n command: [\"/install-cni.sh\"]\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: \"10-calico.conflist\"\n # The CNI network config to install on each node.\n - name: CNI_NETWORK_CONFIG\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: cni_network_config\n # Set the hostname based on the k8s node name.\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # CNI MTU Config variable\n - name: CNI_MTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # Prevents the container from sleeping 
forever.\n - name: SLEEP\n value: \"false\"\n volumeMounts:\n - mountPath: /host/opt/cni/bin\n name: cni-bin-dir\n - mountPath: /host/etc/cni/net.d\n name: cni-net-dir\n containers:\n # Runs calico/node container on each Kubernetes node. This\n # container programs network policy and routes on each\n # host.\n - name: calico-node\n image: {{.NodeImage}}\n env:\n # Use Kubernetes API as the backing datastore.\n - name: DATASTORE_TYPE\n value: \"kubernetes\"\n # Typha support: controlled by the ConfigMap.\n - name: FELIX_TYPHAK8SSERVICENAME\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: typha_service_name\n # Wait for the datastore.\n - name: WAIT_FOR_DATASTORE\n value: \"true\"\n # Set based on the k8s node name.\n - name: NODENAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # Choose the backend to use.\n - name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: calico_backend\n # Cluster type to identify the deployment type\n - name: CLUSTER_TYPE\n value: \"k8s,bgp\"\n # Auto-detect the BGP IP address.\n - name: IP\n value: \"autodetect\"\n # Enable IPIP\n - name: CALICO_IPV4POOL_IPIP\n value: \"Always\"\n # Set MTU for tunnel device used if ipip is enabled\n - name: FELIX_IPINIPMTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # The default IPv4 pool to create on startup if none exists. Pod IPs will be\n # chosen from this range. Changing this value after installation will have\n # no effect. 
This should fall within --cluster-cidr.\n - name: CALICO_IPV4POOL_CIDR\n value: \"{{.ClusterCIDR}}\"\n # Disable file logging so kubectl logs works.\n - name: CALICO_DISABLE_FILE_LOGGING\n value: \"true\"\n # Set Felix endpoint to host default action to ACCEPT.\n - name: FELIX_DEFAULTENDPOINTTOHOSTACTION\n value: \"ACCEPT\"\n # Disable IPv6 on Kubernetes.\n - name: FELIX_IPV6SUPPORT\n value: \"false\"\n # Disable felix logging to file\n - name: FELIX_LOGFILEPATH\n value: \"none\"\n # Disable felix logging for syslog\n - name: FELIX_LOGSEVERITYSYS\n value: \"\"\n # Enable felix logging to stdout\n - name: FELIX_LOGSEVERITYSCREEN\n value: \"Warning\"\n - name: FELIX_HEALTHENABLED\n value: \"true\"\n securityContext:\n privileged: true\n resources:\n requests:\n cpu: 250m\n livenessProbe:\n httpGet:\n path: /liveness\n port: 9099\n host: localhost\n periodSeconds: 10\n initialDelaySeconds: 10\n failureThreshold: 6\n readinessProbe:\n exec:\n command:\n - /bin/calico-node\n - -bird-ready\n - -felix-ready\n periodSeconds: 10\n volumeMounts:\n - mountPath: /lib/modules\n name: lib-modules\n readOnly: true\n - mountPath: /run/xtables.lock\n name: xtables-lock\n readOnly: false\n - mountPath: /var/run/calico\n name: var-run-calico\n readOnly: false\n - mountPath: /var/lib/calico\n name: var-lib-calico\n readOnly: false\n volumes:\n # Used by calico/node.\n - name: lib-modules\n hostPath:\n path: /lib/modules\n - name: var-run-calico\n hostPath:\n path: /var/run/calico\n - name: var-lib-calico\n hostPath:\n path: /var/lib/calico\n - name: xtables-lock\n hostPath:\n path: /run/xtables.lock\n type: FileOrCreate\n # Used to install CNI.\n - name: cni-bin-dir\n hostPath:\n path: /opt/cni/bin\n - name: cni-net-dir\n hostPath:\n path: /etc/cni/net.d\n\n# Create all the CustomResourceDefinitions needed for\n# Calico policy and networking mode.\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: 
felixconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: FelixConfiguration\n plural: felixconfigurations\n singular: felixconfiguration\n\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgppeers.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPPeer\n plural: bgppeers\n singular: bgppeer\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgpconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPConfiguration\n plural: bgpconfigurations\n singular: bgpconfiguration\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ippools.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPPool\n plural: ippools\n singular: ippool\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: hostendpoints.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: HostEndpoint\n plural: hostendpoints\n singular: hostendpoint\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: clusterinformations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: ClusterInformation\n plural: clusterinformations\n singular: clusterinformation\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworkpolicies.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: GlobalNetworkPolicy\n plural: globalnetworkpolicies\n singular: globalnetworkpolicy\n\n---\n\napiVersion: 
apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworksets.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: GlobalNetworkSet\n plural: globalnetworksets\n singular: globalnetworkset\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.crd.projectcalico.org\nspec:\n scope: Namespaced\n group: crd.projectcalico.org\n version: v1\n names:\n kind: NetworkPolicy\n plural: networkpolicies\n singular: networkpolicy\n\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: calico-node\n namespace: kube-system\n\n\n{{if ne .CloudProvider \"none\"}}\n---\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: {{.CloudProvider}}-ippool\n namespace: kube-system\ndata:\n {{.CloudProvider}}-ippool: |-\n apiVersion: projectcalico.org/v3\n kind: IPPool\n metadata:\n name: ippool-ipip-1\n spec:\n cidr: {{.ClusterCIDR}}\n ipipMode: Always\n natOutgoing: true\n---\napiVersion: v1\nkind: Pod\nmetadata:\n name: calicoctl\n namespace: kube-system\nspec:\n hostNetwork: true\n restartPolicy: OnFailure\n tolerations:\n - effect: NoExecute\n operator: Exists\n - effect: NoSchedule\n operator: Exists\n containers:\n - name: calicoctl\n image: {{.Calicoctl}}\n command: [\"/bin/sh\", \"-c\", \"calicoctl apply -f {{.CloudProvider}}-ippool.yaml\"]\n env:\n - name: DATASTORE_TYPE\n value: kubernetes\n volumeMounts:\n - name: ippool-config\n mountPath: /root/\n volumes:\n - name: ippool-config\n configMap:\n name: {{.CloudProvider}}-ippool\n items:\n - key: {{.CloudProvider}}-ippool\n path: {{.CloudProvider}}-ippool.yaml\n # Mount in the etcd TLS secrets.\n{{end}}\n", "calico-v1.15": "\n{{if eq .RBACConfig \"rbac\"}}\n---\n# Source: calico/templates/rbac.yaml\n# Include a clusterrole for the kube-controllers component,\n# and bind it to the calico-kube-controllers serviceaccount.\nkind: ClusterRole\napiVersion: 
rbac.authorization.k8s.io/v1beta1\nmetadata:\n name: calico-kube-controllers\nrules:\n # Nodes are watched to monitor for deletions.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n - watch\n - list\n - get\n # Pods are queried to check for existence.\n - apiGroups: [\"\"]\n resources:\n - pods\n verbs:\n - get\n # IPAM resources are manipulated when nodes are deleted.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ippools\n verbs:\n - list\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n - ipamblocks\n - ipamhandles\n verbs:\n - get\n - list\n - create\n - update\n - delete\n # Needs access to update clusterinformations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - clusterinformations\n verbs:\n - get\n - create\n - update\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1beta1\nmetadata:\n name: calico-kube-controllers\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: calico-kube-controllers\nsubjects:\n- kind: ServiceAccount\n name: calico-kube-controllers\n namespace: kube-system\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n---\n# Include a clusterrole for the calico-node DaemonSet,\n# and bind it to the calico-node serviceaccount.\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1beta1\nmetadata:\n name: calico-node\nrules:\n # The CNI plugin needs to get pods, nodes, and namespaces.\n - apiGroups: [\"\"]\n resources:\n - pods\n - nodes\n - namespaces\n verbs:\n - get\n - apiGroups: [\"\"]\n resources:\n - endpoints\n - services\n verbs:\n # Used to discover service IPs for advertisement.\n - watch\n - list\n # Used to discover Typhas.\n - get\n - apiGroups: [\"\"]\n resources:\n - nodes/status\n verbs:\n # Needed for clearing NodeNetworkUnavailable flag.\n - patch\n # Calico stores some configuration information in node annotations.\n - update\n # Watch for changes to Kubernetes NetworkPolicies.\n - apiGroups: 
[\"networking.k8s.io\"]\n resources:\n - networkpolicies\n verbs:\n - watch\n - list\n # Used by Calico for policy information.\n - apiGroups: [\"\"]\n resources:\n - pods\n - namespaces\n - serviceaccounts\n verbs:\n - list\n - watch\n # The CNI plugin patches pods/status.\n - apiGroups: [\"\"]\n resources:\n - pods/status\n verbs:\n - patch\n # Calico monitors various CRDs for config.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - globalfelixconfigs\n - felixconfigurations\n - bgppeers\n - globalbgpconfigs\n - bgpconfigurations\n - ippools\n - ipamblocks\n - globalnetworkpolicies\n - globalnetworksets\n - networkpolicies\n - networksets\n - clusterinformations\n - hostendpoints\n verbs:\n - get\n - list\n - watch\n # Calico must create and update some CRDs on startup.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ippools\n - felixconfigurations\n - clusterinformations\n verbs:\n - create\n - update\n # Calico stores some configuration information on the node.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n - get\n - list\n - watch\n # These permissions are only requried for upgrade from v2.6, and can\n # be removed after upgrade or on fresh installations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - bgpconfigurations\n - bgppeers\n verbs:\n - create\n - update\n # These permissions are required for Calico CNI to perform IPAM allocations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n - ipamblocks\n - ipamhandles\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ipamconfigs\n verbs:\n - get\n # Block affinities must also be watchable by confd for route aggregation.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n verbs:\n - watch\n # The Calico IPAM migration needs to get daemonsets. 
These permissions can be\n # removed if not upgrading from an installation using host-local IPAM.\n - apiGroups: [\"apps\"]\n resources:\n - daemonsets\n verbs:\n - get\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n name: calico-node\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: calico-node\nsubjects:\n- kind: ServiceAccount\n name: calico-node\n namespace: kube-system\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n{{end}}\n---\n# Source: calico/templates/calico-config.yaml\n# This ConfigMap is used to configure a self-hosted Calico installation.\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: calico-config\n namespace: kube-system\ndata:\n # Typha is disabled.\n typha_service_name: \"none\"\n # Configure the backend to use.\n calico_backend: \"bird\"\n\n # Configure the MTU to use\n{{- if .MTU }}\n{{- if ne .MTU 0 }}\n veth_mtu: \"{{.MTU}}\"\n{{- end}}\n{{- else }}\n veth_mtu: \"1440\"\n{{- end}}\n\n # The CNI network configuration to install on each node. 
The special\n # values in this config will be automatically populated.\n cni_network_config: |-\n {\n \"name\": \"k8s-pod-network\",\n \"cniVersion\": \"0.3.0\",\n \"plugins\": [\n {\n \"type\": \"calico\",\n \"log_level\": \"info\",\n \"datastore_type\": \"kubernetes\",\n \"nodename\": \"__KUBERNETES_NODE_NAME__\",\n \"mtu\": __CNI_MTU__,\n \"ipam\": {\n \"type\": \"calico-ipam\"\n },\n \"policy\": {\n \"type\": \"k8s\"\n },\n \"kubernetes\": {\n \"kubeconfig\": \"{{.KubeCfg}}\"\n }\n },\n {\n \"type\": \"portmap\",\n \"snat\": true,\n \"capabilities\": {\"portMappings\": true}\n }\n ]\n }\n---\n# Source: calico/templates/kdd-crds.yaml\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: felixconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: FelixConfiguration\n plural: felixconfigurations\n singular: felixconfiguration\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamblocks.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPAMBlock\n plural: ipamblocks\n singular: ipamblock\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: blockaffinities.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BlockAffinity\n plural: blockaffinities\n singular: blockaffinity\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamhandles.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPAMHandle\n plural: ipamhandles\n singular: ipamhandle\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamconfigs.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: 
IPAMConfig\n plural: ipamconfigs\n singular: ipamconfig\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgppeers.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPPeer\n plural: bgppeers\n singular: bgppeer\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgpconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPConfiguration\n plural: bgpconfigurations\n singular: bgpconfiguration\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ippools.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPPool\n plural: ippools\n singular: ippool\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: hostendpoints.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: HostEndpoint\n plural: hostendpoints\n singular: hostendpoint\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: clusterinformations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: ClusterInformation\n plural: clusterinformations\n singular: clusterinformation\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworkpolicies.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: GlobalNetworkPolicy\n plural: globalnetworkpolicies\n singular: globalnetworkpolicy\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworksets.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: 
GlobalNetworkSet\n plural: globalnetworksets\n singular: globalnetworkset\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.crd.projectcalico.org\nspec:\n scope: Namespaced\n group: crd.projectcalico.org\n version: v1\n names:\n kind: NetworkPolicy\n plural: networkpolicies\n singular: networkpolicy\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: networksets.crd.projectcalico.org\nspec:\n scope: Namespaced\n group: crd.projectcalico.org\n version: v1\n names:\n kind: NetworkSet\n plural: networksets\n singular: networkset\n---\n# Source: calico/templates/calico-node.yaml\n# This manifest installs the calico-node container, as well\n# as the CNI plugins and network config on\n# each master and worker node in a Kubernetes cluster.\nkind: DaemonSet\napiVersion: extensions/v1beta1\nmetadata:\n name: calico-node\n namespace: kube-system\n labels:\n k8s-app: calico-node\nspec:\n selector:\n matchLabels:\n k8s-app: calico-node\n updateStrategy:\n{{if .UpdateStrategy}}\n{{ toYaml .UpdateStrategy | indent 4}}\n{{else}}\n type: RollingUpdate\n rollingUpdate:\n maxUnavailable: 1\n{{end}}\n template:\n metadata:\n labels:\n k8s-app: calico-node\n annotations:\n # This, along with the CriticalAddonsOnly toleration below,\n # marks the pod as a critical add-on, ensuring it gets\n # priority scheduling and that its resources are reserved\n # if it ever gets evicted.\n scheduler.alpha.kubernetes.io/critical-pod: ''\n spec:\n nodeSelector:\n beta.kubernetes.io/os: linux\n {{ range $k, $v := .NodeSelector }}\n {{ $k }}: \"{{ $v }}\"\n {{ end }}\n hostNetwork: true\n tolerations:\n # Make sure calico-node gets scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n # Mark the pod as a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n operator: Exists\n{{if eq .RBACConfig \"rbac\"}}\n serviceAccountName: 
calico-node\n{{end}}\n # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a \"force\n # deletion\": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.\n terminationGracePeriodSeconds: 0\n initContainers:\n # This container performs upgrade from host-local IPAM to calico-ipam.\n # It can be deleted if this is a fresh installation, or if you have already\n # upgraded to use calico-ipam.\n - name: upgrade-ipam\n image: {{.CNIImage}}\n command: [\"/opt/cni/bin/calico-ipam\", \"-upgrade\"]\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: calico_backend\n volumeMounts:\n - mountPath: /var/lib/cni/networks\n name: host-local-net-dir\n - mountPath: /host/opt/cni/bin\n name: cni-bin-dir\n # This container installs the CNI binaries\n # and CNI network config file on each node.\n - name: install-cni\n image: {{.CNIImage}}\n command: [\"/install-cni.sh\"]\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: \"10-calico.conflist\"\n # The CNI network config to install on each node.\n - name: CNI_NETWORK_CONFIG\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: cni_network_config\n # Set the hostname based on the k8s node name.\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # CNI MTU Config variable\n - name: CNI_MTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # Prevents the container from sleeping forever.\n - name: SLEEP\n value: \"false\"\n volumeMounts:\n - mountPath: /host/opt/cni/bin\n name: cni-bin-dir\n - mountPath: /host/etc/cni/net.d\n name: cni-net-dir\n containers:\n # Runs calico-node container on each Kubernetes node. 
This\n # container programs network policy and routes on each\n # host.\n - name: calico-node\n image: {{.NodeImage}}\n env:\n # Use Kubernetes API as the backing datastore.\n - name: DATASTORE_TYPE\n value: \"kubernetes\"\n # Wait for the datastore.\n - name: WAIT_FOR_DATASTORE\n value: \"true\"\n # Set based on the k8s node name.\n - name: NODENAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # Choose the backend to use.\n - name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: calico_backend\n # Cluster type to identify the deployment type\n - name: CLUSTER_TYPE\n value: \"k8s,bgp\"\n # Auto-detect the BGP IP address.\n - name: IP\n value: \"autodetect\"\n # Enable IPIP\n - name: CALICO_IPV4POOL_IPIP\n value: \"Always\"\n # Set MTU for tunnel device used if ipip is enabled\n - name: FELIX_IPINIPMTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # The default IPv4 pool to create on startup if none exists. Pod IPs will be\n # chosen from this range. Changing this value after installation will have\n # no effect. 
This should fall within --cluster-cidr.\n - name: CALICO_IPV4POOL_CIDR\n value: \"{{.ClusterCIDR}}\"\n # Disable file logging so kubectl logs works.\n - name: CALICO_DISABLE_FILE_LOGGING\n value: \"true\"\n # Set Felix endpoint to host default action to ACCEPT.\n - name: FELIX_DEFAULTENDPOINTTOHOSTACTION\n value: \"ACCEPT\"\n # Disable IPv6 on Kubernetes.\n - name: FELIX_IPV6SUPPORT\n value: \"false\"\n # Set Felix logging to \"info\"\n - name: FELIX_LOGSEVERITYSCREEN\n value: \"info\"\n - name: FELIX_HEALTHENABLED\n value: \"true\"\n securityContext:\n privileged: true\n resources:\n requests:\n cpu: 250m\n livenessProbe:\n httpGet:\n path: /liveness\n port: 9099\n host: localhost\n periodSeconds: 10\n initialDelaySeconds: 10\n failureThreshold: 6\n readinessProbe:\n exec:\n command:\n - /bin/calico-node\n - -bird-ready\n - -felix-ready\n periodSeconds: 10\n volumeMounts:\n - mountPath: /lib/modules\n name: lib-modules\n readOnly: true\n - mountPath: /run/xtables.lock\n name: xtables-lock\n readOnly: false\n - mountPath: /var/run/calico\n name: var-run-calico\n readOnly: false\n - mountPath: /var/lib/calico\n name: var-lib-calico\n readOnly: false\n volumes:\n # Used by calico-node.\n - name: lib-modules\n hostPath:\n path: /lib/modules\n - name: var-run-calico\n hostPath:\n path: /var/run/calico\n - name: var-lib-calico\n hostPath:\n path: /var/lib/calico\n - name: xtables-lock\n hostPath:\n path: /run/xtables.lock\n type: FileOrCreate\n # Used to install CNI.\n - name: cni-bin-dir\n hostPath:\n path: /opt/cni/bin\n - name: cni-net-dir\n hostPath:\n path: /etc/cni/net.d\n # Mount in the directory for host-local IPAM allocations. 
This is\n # used when upgrading from host-local to calico-ipam, and can be removed\n # if not using the upgrade-ipam init container.\n - name: host-local-net-dir\n hostPath:\n path: /var/lib/cni/networks\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: calico-node\n namespace: kube-system\n---\n# Source: calico/templates/calico-kube-controllers.yaml\n# See https://github.com/projectcalico/kube-controllers\napiVersion: extensions/v1beta1\nkind: Deployment\nmetadata:\n name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\n annotations:\n scheduler.alpha.kubernetes.io/critical-pod: ''\nspec:\n # The controller can only have a single active instance.\n replicas: 1\n strategy:\n type: Recreate\n template:\n metadata:\n name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\n spec:\n nodeSelector:\n beta.kubernetes.io/os: linux\n tolerations:\n # Make sure calico-node gets scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n # Mark the pod as a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n operator: Exists\n{{if eq .RBACConfig \"rbac\"}}\n serviceAccountName: calico-kube-controllers\n{{end}}\n containers:\n - name: calico-kube-controllers\n image: {{.ControllersImage}}\n env:\n # Choose which controllers to run.\n - name: ENABLED_CONTROLLERS\n value: node\n - name: DATASTORE_TYPE\n value: kubernetes\n readinessProbe:\n exec:\n command:\n - /usr/bin/check-status\n - -r\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: calico-kube-controllers\n namespace: kube-system\n", "calico-v1.15-privileged": "\n# CalicoTemplateV115Privileged\n{{if eq .RBACConfig \"rbac\"}}\n# Source: calico/templates/rbac.yaml\n# Include a clusterrole for the kube-controllers component,\n# and bind it to the calico-kube-controllers serviceaccount.\nkind: ClusterRole\napiVersion: 
rbac.authorization.k8s.io/v1\nmetadata:\n name: calico-kube-controllers\nrules:\n # Nodes are watched to monitor for deletions.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n - watch\n - list\n - get\n # Pods are queried to check for existence.\n - apiGroups: [\"\"]\n resources:\n - pods\n verbs:\n - get\n # IPAM resources are manipulated when nodes are deleted.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ippools\n verbs:\n - list\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n - ipamblocks\n - ipamhandles\n verbs:\n - get\n - list\n - create\n - update\n - delete\n # Needs access to update clusterinformations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - clusterinformations\n verbs:\n - get\n - create\n - update\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: calico-kube-controllers\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: calico-kube-controllers\nsubjects:\n- kind: ServiceAccount\n name: calico-kube-controllers\n namespace: kube-system\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n---\n# Include a clusterrole for the calico-node DaemonSet,\n# and bind it to the calico-node serviceaccount.\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: calico-node\nrules:\n # The CNI plugin needs to get pods, nodes, and namespaces.\n - apiGroups: [\"\"]\n resources:\n - pods\n - nodes\n - namespaces\n verbs:\n - get\n - apiGroups: [\"\"]\n resources:\n - endpoints\n - services\n verbs:\n # Used to discover service IPs for advertisement.\n - watch\n - list\n # Used to discover Typhas.\n - get\n # Pod CIDR auto-detection on kubeadm needs access to config maps.\n - apiGroups: [\"\"]\n resources:\n - configmaps\n verbs:\n - get\n - apiGroups: [\"\"]\n resources:\n - nodes/status\n verbs:\n # Needed for clearing NodeNetworkUnavailable flag.\n - patch\n # Calico stores some 
configuration information in node annotations.\n - update\n # Watch for changes to Kubernetes NetworkPolicies.\n - apiGroups: [\"networking.k8s.io\"]\n resources:\n - networkpolicies\n verbs:\n - watch\n - list\n # Used by Calico for policy information.\n - apiGroups: [\"\"]\n resources:\n - pods\n - namespaces\n - serviceaccounts\n verbs:\n - list\n - watch\n # The CNI plugin patches pods/status.\n - apiGroups: [\"\"]\n resources:\n - pods/status\n verbs:\n - patch\n # Calico monitors various CRDs for config.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - globalfelixconfigs\n - felixconfigurations\n - bgppeers\n - globalbgpconfigs\n - bgpconfigurations\n - ippools\n - ipamblocks\n - globalnetworkpolicies\n - globalnetworksets\n - networkpolicies\n - networksets\n - clusterinformations\n - hostendpoints\n - blockaffinities\n verbs:\n - get\n - list\n - watch\n # Calico must create and update some CRDs on startup.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ippools\n - felixconfigurations\n - clusterinformations\n verbs:\n - create\n - update\n # Calico stores some configuration information on the node.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n - get\n - list\n - watch\n # These permissions are only requried for upgrade from v2.6, and can\n # be removed after upgrade or on fresh installations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - bgpconfigurations\n - bgppeers\n verbs:\n - create\n - update\n # These permissions are required for Calico CNI to perform IPAM allocations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n - ipamblocks\n - ipamhandles\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ipamconfigs\n verbs:\n - get\n # Block affinities must also be watchable by confd for route aggregation.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n verbs:\n - watch\n # The Calico 
IPAM migration needs to get daemonsets. These permissions can be\n # removed if not upgrading from an installation using host-local IPAM.\n - apiGroups: [\"apps\"]\n resources:\n - daemonsets\n verbs:\n - get\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: calico-node\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: calico-node\nsubjects:\n- kind: ServiceAccount\n name: calico-node\n namespace: kube-system\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n{{end}}\n---\n# Source: calico/templates/calico-config.yaml\n# This ConfigMap is used to configure a self-hosted Calico installation.\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: calico-config\n namespace: kube-system\ndata:\n # Typha is disabled.\n typha_service_name: \"none\"\n # Configure the backend to use.\n calico_backend: \"bird\"\n\n # Configure the MTU to use\n{{- if .MTU }}\n{{- if ne .MTU 0 }}\n veth_mtu: \"{{.MTU}}\"\n{{- end}}\n{{- else }}\n veth_mtu: \"1440\"\n{{- end}}\n\n # The CNI network configuration to install on each node. 
The special\n # values in this config will be automatically populated.\n cni_network_config: |-\n {\n \"name\": \"k8s-pod-network\",\n \"cniVersion\": \"0.3.1\",\n \"plugins\": [\n {\n \"type\": \"calico\",\n \"log_level\": \"info\",\n \"datastore_type\": \"kubernetes\",\n \"nodename\": \"__KUBERNETES_NODE_NAME__\",\n \"mtu\": __CNI_MTU__,\n \"ipam\": {\n \"type\": \"calico-ipam\"\n },\n \"policy\": {\n \"type\": \"k8s\"\n },\n \"kubernetes\": {\n \"kubeconfig\": \"{{.KubeCfg}}\"\n }\n },\n {\n \"type\": \"portmap\",\n \"snat\": true,\n \"capabilities\": {\"portMappings\": true}\n },\n {\n \"type\": \"bandwidth\",\n \"capabilities\": {\"bandwidth\": true}\n }\n ]\n }\n---\n# Source: calico/templates/kdd-crds.yaml\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: felixconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: FelixConfiguration\n plural: felixconfigurations\n singular: felixconfiguration\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamblocks.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPAMBlock\n plural: ipamblocks\n singular: ipamblock\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: blockaffinities.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BlockAffinity\n plural: blockaffinities\n singular: blockaffinity\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamhandles.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPAMHandle\n plural: ipamhandles\n singular: ipamhandle\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamconfigs.crd.projectcalico.org\nspec:\n 
scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPAMConfig\n plural: ipamconfigs\n singular: ipamconfig\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgppeers.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPPeer\n plural: bgppeers\n singular: bgppeer\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgpconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPConfiguration\n plural: bgpconfigurations\n singular: bgpconfiguration\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ippools.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPPool\n plural: ippools\n singular: ippool\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: hostendpoints.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: HostEndpoint\n plural: hostendpoints\n singular: hostendpoint\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: clusterinformations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: ClusterInformation\n plural: clusterinformations\n singular: clusterinformation\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworkpolicies.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: GlobalNetworkPolicy\n plural: globalnetworkpolicies\n singular: globalnetworkpolicy\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworksets.crd.projectcalico.org\nspec:\n 
scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: GlobalNetworkSet\n plural: globalnetworksets\n singular: globalnetworkset\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.crd.projectcalico.org\nspec:\n scope: Namespaced\n group: crd.projectcalico.org\n version: v1\n names:\n kind: NetworkPolicy\n plural: networkpolicies\n singular: networkpolicy\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: networksets.crd.projectcalico.org\nspec:\n scope: Namespaced\n group: crd.projectcalico.org\n version: v1\n names:\n kind: NetworkSet\n plural: networksets\n singular: networkset\n---\n# Source: calico/templates/calico-node.yaml\n# This manifest installs the calico-node container, as well\n# as the CNI plugins and network config on\n# each master and worker node in a Kubernetes cluster.\nkind: DaemonSet\napiVersion: apps/v1\nmetadata:\n name: calico-node\n namespace: kube-system\n labels:\n k8s-app: calico-node\nspec:\n selector:\n matchLabels:\n k8s-app: calico-node\n updateStrategy:\n{{if .UpdateStrategy}}\n{{ toYaml .UpdateStrategy | indent 4}}\n{{else}}\n type: RollingUpdate\n rollingUpdate:\n maxUnavailable: 1\n{{end}}\n template:\n metadata:\n labels:\n k8s-app: calico-node\n annotations:\n # This, along with the CriticalAddonsOnly toleration below,\n # marks the pod as a critical add-on, ensuring it gets\n # priority scheduling and that its resources are reserved\n # if it ever gets evicted.\n scheduler.alpha.kubernetes.io/critical-pod: ''\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n {{ range $k, $v := .NodeSelector }}\n {{ $k }}: \"{{ $v }}\"\n {{ end }}\n hostNetwork: true\n tolerations:\n # Make sure calico-node gets scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n # Mark the pod as a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n operator: 
Exists\n{{if eq .RBACConfig \"rbac\"}}\n serviceAccountName: calico-node\n{{end}}\n # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a \"force\n # deletion\": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.\n terminationGracePeriodSeconds: 0\n # Rancher specific change\n priorityClassName: {{ .CalicoNodePriorityClassName | default \"system-node-critical\" }}\n initContainers:\n # This container performs upgrade from host-local IPAM to calico-ipam.\n # It can be deleted if this is a fresh installation, or if you have already\n # upgraded to use calico-ipam.\n - name: upgrade-ipam\n image: {{.CNIImage}}\n command: [\"/opt/cni/bin/calico-ipam\", \"-upgrade\"]\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: calico_backend\n volumeMounts:\n - mountPath: /var/lib/cni/networks\n name: host-local-net-dir\n - mountPath: /host/opt/cni/bin\n name: cni-bin-dir\n securityContext:\n privileged: true\n # This container installs the CNI binaries\n # and CNI network config file on each node.\n - name: install-cni\n image: {{.CNIImage}}\n command: [\"/install-cni.sh\"]\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: \"10-calico.conflist\"\n # The CNI network config to install on each node.\n - name: CNI_NETWORK_CONFIG\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: cni_network_config\n # Set the hostname based on the k8s node name.\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # CNI MTU Config variable\n - name: CNI_MTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # Prevents the container from sleeping forever.\n - name: SLEEP\n value: \"false\"\n volumeMounts:\n - mountPath: /host/opt/cni/bin\n name: cni-bin-dir\n - mountPath: /host/etc/cni/net.d\n name: cni-net-dir\n 
securityContext:\n privileged: true\n # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes\n # to communicate with Felix over the Policy Sync API.\n - name: flexvol-driver\n image: {{.FlexVolImg}}\n volumeMounts:\n - name: flexvol-driver-host\n mountPath: /host/driver\n securityContext:\n privileged: true\n containers:\n # Runs calico-node container on each Kubernetes node. This\n # container programs network policy and routes on each\n # host.\n - name: calico-node\n image: {{.NodeImage}}\n env:\n # Use Kubernetes API as the backing datastore.\n - name: DATASTORE_TYPE\n value: \"kubernetes\"\n # Wait for the datastore.\n - name: WAIT_FOR_DATASTORE\n value: \"true\"\n # Set based on the k8s node name.\n - name: NODENAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # Choose the backend to use.\n - name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: calico_backend\n # Cluster type to identify the deployment type\n - name: CLUSTER_TYPE\n value: \"k8s,bgp\"\n # Auto-detect the BGP IP address.\n - name: IP\n value: \"autodetect\"\n # Enable IPIP\n - name: CALICO_IPV4POOL_IPIP\n value: \"Always\"\n # Set MTU for tunnel device used if ipip is enabled\n - name: FELIX_IPINIPMTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # The default IPv4 pool to create on startup if none exists. Pod IPs will be\n # chosen from this range. Changing this value after installation will have\n # no effect. 
This should fall within --cluster-cidr.\n - name: CALICO_IPV4POOL_CIDR\n value: \"{{.ClusterCIDR}}\"\n # Disable file logging so kubectl logs works.\n - name: CALICO_DISABLE_FILE_LOGGING\n value: \"true\"\n # Set Felix endpoint to host default action to ACCEPT.\n - name: FELIX_DEFAULTENDPOINTTOHOSTACTION\n value: \"ACCEPT\"\n # Disable IPv6 on Kubernetes.\n - name: FELIX_IPV6SUPPORT\n value: \"false\"\n # Set Felix logging to \"info\"\n - name: FELIX_LOGSEVERITYSCREEN\n value: \"info\"\n - name: FELIX_HEALTHENABLED\n value: \"true\"\n securityContext:\n privileged: true\n resources:\n requests:\n cpu: 250m\n livenessProbe:\n exec:\n command:\n - /bin/calico-node\n - -felix-live\n - -bird-live\n periodSeconds: 10\n initialDelaySeconds: 10\n failureThreshold: 6\n readinessProbe:\n exec:\n command:\n - /bin/calico-node\n - -felix-ready\n - -bird-ready\n periodSeconds: 10\n volumeMounts:\n - mountPath: /lib/modules\n name: lib-modules\n readOnly: true\n - mountPath: /run/xtables.lock\n name: xtables-lock\n readOnly: false\n - mountPath: /var/run/calico\n name: var-run-calico\n readOnly: false\n - mountPath: /var/lib/calico\n name: var-lib-calico\n readOnly: false\n - name: policysync\n mountPath: /var/run/nodeagent\n volumes:\n # Used by calico-node.\n - name: lib-modules\n hostPath:\n path: /lib/modules\n - name: var-run-calico\n hostPath:\n path: /var/run/calico\n - name: var-lib-calico\n hostPath:\n path: /var/lib/calico\n - name: xtables-lock\n hostPath:\n path: /run/xtables.lock\n type: FileOrCreate\n # Used to install CNI.\n - name: cni-bin-dir\n hostPath:\n path: /opt/cni/bin\n - name: cni-net-dir\n hostPath:\n path: /etc/cni/net.d\n # Mount in the directory for host-local IPAM allocations. 
This is\n # used when upgrading from host-local to calico-ipam, and can be removed\n # if not using the upgrade-ipam init container.\n - name: host-local-net-dir\n hostPath:\n path: /var/lib/cni/networks\n # Used to create per-pod Unix Domain Sockets\n - name: policysync\n hostPath:\n type: DirectoryOrCreate\n path: /var/run/nodeagent\n # Used to install Flex Volume Driver\n - name: flexvol-driver-host\n hostPath:\n type: DirectoryOrCreate\n{{- if .FlexVolPluginDir }}\n path: {{.FlexVolPluginDir}}\n{{- else }}\n path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds\n{{- end }}\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: calico-kube-controllers\n namespace: kube-system\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: calico-node\n namespace: kube-system\n---\n# Source: calico/templates/calico-kube-controllers.yaml\n# See https://github.com/projectcalico/kube-controllers\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n # The controllers can only have a single active instance.\n replicas: 1\n selector:\n matchLabels:\n k8s-app: calico-kube-controllers\n strategy:\n type: Recreate\n template:\n metadata:\n name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\n annotations:\n scheduler.alpha.kubernetes.io/critical-pod: ''\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n tolerations:\n # Make sure calico-node gets scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n # Mark the pod as a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n operator: Exists\n{{if eq .RBACConfig \"rbac\"}}\n serviceAccountName: calico-kube-controllers\n{{end}}\n priorityClassName: system-cluster-critical\n containers:\n - name: calico-kube-controllers\n image: {{.ControllersImage}}\n env:\n # Choose which controllers 
to run.\n - name: ENABLED_CONTROLLERS\n value: node\n - name: DATASTORE_TYPE\n value: kubernetes\n readinessProbe:\n exec:\n command:\n - /usr/bin/check-status\n - -r\n",
@@ -14193,7 +14236,7 @@
 },
 "RKEDefaultK8sVersions": {
 "0.3": "v1.16.3-rancher1-1",
- "default": "v1.27.14-rancher1-1"
+ "default": "v1.27.15-rancher1-1"
 },
 "K8sVersionDockerInfo": {
 "1.10": [
@@ -26065,6 +26108,201 @@ } }, "version": "v1.27.14+k3s1" + }, + { + "agentArgs": { + "bind-address": { + "type": "string" + }, + "default-runtime": { + "type": "string" + }, + "disable-apiserver-lb": { + "type": "boolean" + }, + "disable-default-registry-endpoint": { + "type": "boolean" + }, + "docker": { + "default": false, + "type": "boolean" + }, + "enable-pprof": { + "type": "boolean" + }, + "flannel-conf": { + "type": "string" + }, + "flannel-iface": { + "type": "string" + }, + "kube-proxy-arg": { + "type": "array" + }, + "kubelet-arg": { + "type": "array" + }, + "pause-image": { + "type": "string" + }, + "protect-kernel-defaults": { + "default": false, + "type": "boolean" + }, + "resolv-conf": { + "type": "string" + }, + "selinux": { + "default": false, + "type": "boolean" + }, + "snapshotter": { + "type": "string" + }, + "system-default-registry": { + "type": "string" + }, + "vpn-auth": { + "type": "string" + }, + "vpn-auth-file": { + "type": "string" + } + }, + "featureVersions": { + "encryption-key-rotation": "2.0.0" + }, + "maxChannelServerVersion": "v2.7.99", + "minChannelServerVersion": "v2.7.11-alpha1", + "serverArgs": { + "cluster-cidr": { + "type": "string" + }, + "cluster-dns": { + "type": "string" + }, + "cluster-domain": { + "type": "string" + }, + "datastore-cafile": { + "type": "string" + }, + "datastore-certfile": { + "type": "string" + }, + "datastore-endpoint": { + "type": "string" + }, + "datastore-keyfile": { + "type": "string" + }, + "default-local-storage-path": { + "type": "string" + }, + "disable": { + "options": [ + "coredns", + "servicelb", + "traefik", + "local-storage", + "metrics-server" + ], + "type": "array" + }, + "disable-apiserver": { + "default": false, + "type": "boolean" + }, + "disable-cloud-controller": { + "default": false, + "type": "boolean" + }, + "disable-controller-manager": { + "default": false, + "type": "boolean" + }, + "disable-etcd": { + "default": false, + "type": "boolean" + }, + "disable-kube-proxy": { + 
"default": false, + "type": "boolean" + }, + "disable-network-policy": { + "default": false, + "type": "boolean" + }, + "disable-scheduler": { + "default": false, + "type": "boolean" + }, + "egress-selector-mode": { + "type": "string" + }, + "embedded-registry": { + "type": "boolean" + }, + "etcd-arg": { + "type": "array" + }, + "etcd-expose-metrics": { + "default": false, + "type": "boolean" + }, + "flannel-backend": { + "options": [ + "none", + "vxlan", + "ipsec", + "host-gw", + "wireguard", + "wireguard-native" + ], + "type": "enum" + }, + "helm-job-image": { + "type": "string" + }, + "kine-tls": { + "type": "boolean" + }, + "kube-apiserver-arg": { + "type": "array" + }, + "kube-cloud-controller-manager-arg": { + "type": "array" + }, + "kube-controller-manager-arg": { + "type": "array" + }, + "kube-scheduler-arg": { + "type": "array" + }, + "secrets-encryption": { + "default": false, + "type": "boolean" + }, + "service-cidr": { + "type": "string" + }, + "service-node-port-range": { + "type": "string" + }, + "supervisor-metrics": { + "type": "boolean" + }, + "tls-san": { + "type": "array" + }, + "tls-san-security": { + "type": "boolean" + }, + "write-kubeconfig-group": { + "type": "string" + } + }, + "version": "v1.27.15+k3s2" } ] }, 
@@ -44383,6 +44621,303 @@ } }, "version": "v1.27.14+rke2r1" + }, + { + "agentArgs": { + "audit-policy-file": { + "type": "string" + }, + "bind-address": { + "type": "string" + }, + "cloud-controller-manager-extra-env": { + "type": "array" + }, + "cloud-controller-manager-extra-mount": { + "type": "array" + }, + "cloud-provider-config": { + "type": "string" + }, + "cloud-provider-name": { + "default": null, + "nullable": true, + "options": [ + "aws", + "azure", + "gcp", + "rancher-vsphere", + "harvester", + "external" + ], + "type": "enum" + }, + "control-plane-resource-limits": { + "type": "string" + }, + "control-plane-resource-requests": { + "type": "string" + }, + "enable-pprof": { + "type": "boolean" + }, + "etcd-extra-env": { + "type": "array" + }, + "etcd-extra-mount": { + "type": "array" + }, + "kube-apiserver-extra-env": { + "type": "array" + }, + "kube-apiserver-extra-mount": { + "type": "array" + }, + "kube-controller-manager-extra-env": { + "type": "array" + }, + "kube-controller-manager-extra-mount": { + "type": "array" + }, + "kube-proxy-arg": { + "type": "array" + }, + "kube-proxy-extra-env": { + "type": "array" + }, + "kube-proxy-extra-mount": { + "type": "array" + }, + "kube-scheduler-extra-env": { + "type": "array" + }, + "kube-scheduler-extra-mount": { + "type": "array" + }, + "kubelet-arg": { + "type": "array" + }, + "profile": { + "nullable": true, + "options": [ + "cis", + "cis-1.23" + ], + "type": "enum" + }, + "protect-kernel-defaults": { + "default": false, + "type": "boolean" + }, + "resolv-conf": { + "type": "string" + }, + "selinux": { + "type": "bool" + }, + "system-default-registry": { + "type": "string" + } + }, + "charts": { + "harvester-cloud-provider": { + "repo": "rancher-rke2-charts", + "version": "0.2.400" + }, + "harvester-csi-driver": { + "repo": "rancher-rke2-charts", + "version": "0.1.1700" + }, + "rancher-vsphere-cpi": { + "repo": "rancher-rke2-charts", + "version": "1.7.001" + }, + "rancher-vsphere-csi": { + "repo": 
"rancher-rke2-charts", + "version": "3.1.2-rancher400" + }, + "rke2-calico": { + "repo": "rancher-rke2-charts", + "version": "v3.27.300" + }, + "rke2-calico-crd": { + "repo": "rancher-rke2-charts", + "version": "v3.27.002" + }, + "rke2-canal": { + "repo": "rancher-rke2-charts", + "version": "v3.28.0-build2024062503" + }, + "rke2-cilium": { + "repo": "rancher-rke2-charts", + "version": "1.15.500" + }, + "rke2-coredns": { + "repo": "rancher-rke2-charts", + "version": "1.29.002" + }, + "rke2-flannel": { + "repo": "rancher-rke2-charts", + "version": "v0.25.400" + }, + "rke2-ingress-nginx": { + "repo": "rancher-rke2-charts", + "version": "4.10.101" + }, + "rke2-metrics-server": { + "repo": "rancher-rke2-charts", + "version": "3.12.002" + }, + "rke2-multus": { + "repo": "rancher-rke2-charts", + "version": "v4.0.205" + }, + "rke2-snapshot-controller": { + "repo": "rancher-rke2-charts", + "version": "1.7.202" + }, + "rke2-snapshot-controller-crd": { + "repo": "rancher-rke2-charts", + "version": "1.7.202" + }, + "rke2-snapshot-validation-webhook": { + "repo": "rancher-rke2-charts", + "version": "1.7.302" + } + }, + "featureVersions": { + "encryption-key-rotation": "2.0.0" + }, + "maxChannelServerVersion": "v2.8.99", + "minChannelServerVersion": "v2.7.11-alpha1", + "serverArgs": { + "audit-policy-file": { + "type": "string" + }, + "cluster-cidr": { + "type": "string" + }, + "cluster-dns": { + "type": "string" + }, + "cluster-domain": { + "type": "string" + }, + "cni": { + "default": "calico", + "options": [ + "canal", + "cilium", + "calico", + "flannel", + "multus,canal", + "multus,cilium", + "multus,calico" + ], + "type": "array" + }, + "container-runtime-endpoint": { + "type": "string" + }, + "datastore-cafile": { + "type": "string" + }, + "datastore-certfile": { + "type": "string" + }, + "datastore-endpoint": { + "type": "string" + }, + "datastore-keyfile": { + "type": "string" + }, + "disable": { + "options": [ + "rke2-coredns", + "rke2-ingress-nginx", + 
"rke2-metrics-server"
+ ],
+ "type": "array"
+ },
+ "disable-cloud-controller": {
+ "type": "bool"
+ },
+ "disable-kube-proxy": {
+ "default": false,
+ "type": "boolean"
+ },
+ "disable-scheduler": {
+ "type": "bool"
+ },
+ "egress-selector-mode": {
+ "type": "string"
+ },
+ "etcd-arg": {
+ "type": "array"
+ },
+ "etcd-expose-metrics": {
+ "default": false,
+ "type": "boolean"
+ },
+ "etcd-image": {
+ "type": "string"
+ },
+ "kube-apiserver-arg": {
+ "type": "array"
+ },
+ "kube-apiserver-image": {
+ "type": "string"
+ },
+ "kube-cloud-controller-manager-arg": {
+ "type": "array"
+ },
+ "kube-controller-manager-arg": {
+ "type": "array"
+ },
+ "kube-controller-manager-image": {
+ "type": "string"
+ },
+ "kube-proxy-arg": {
+ "type": "array"
+ },
+ "kube-scheduler-arg": {
+ "type": "array"
+ },
+ "kube-scheduler-image": {
+ "type": "string"
+ },
+ "kubelet-path": {
+ "type": "string"
+ },
+ "pause-image": {
+ "type": "string"
+ },
+ "runtime-image": {
+ "type": "string"
+ },
+ "service-cidr": {
+ "type": "string"
+ },
+ "service-node-port-range": {
+ "type": "string"
+ },
+ "snapshotter": {
+ "type": "string"
+ },
+ "supervisor-metrics": {
+ "type": "boolean"
+ },
+ "tls-san": {
+ "type": "array"
+ },
+ "tls-san-security": {
+ "type": "boolean"
+ },
+ "write-kubeconfig-group": {
+ "type": "string"
+ }
+ },
+ "version": "v1.27.15+rke2r1"
 }
 ]
 }
diff --git a/pkg/rke/k8s_rke_system_images.go b/pkg/rke/k8s_rke_system_images.go
index fb2c6f876..ee6460bdf 100644
--- a/pkg/rke/k8s_rke_system_images.go
+++ b/pkg/rke/k8s_rke_system_images.go
@@ -10310,6 +10310,48 @@ func loadK8sRKESystemImages() map[string]v3.RKESystemImages {
 WindowsPodInfraContainer: "rancher/mirrored-pause:3.7",
 Nodelocal: "rancher/mirrored-k8s-dns-node-cache:1.22.28",
 },
+ // Out of band post v2.7.14
+ "v1.27.15-rancher1-1": {
+ Etcd: "rancher/mirrored-coreos-etcd:v3.5.10",
+ Kubernetes: "rancher/hyperkube:v1.27.15-rancher1",
+ Alpine: "rancher/rke-tools:v0.1.100",
+ NginxProxy: "rancher/rke-tools:v0.1.100",
+ CertDownloader: "rancher/rke-tools:v0.1.100",
+ KubernetesServicesSidecar: "rancher/rke-tools:v0.1.100",
+ KubeDNS: "rancher/mirrored-k8s-dns-kube-dns:1.22.28",
+ DNSmasq: "rancher/mirrored-k8s-dns-dnsmasq-nanny:1.22.28",
+ KubeDNSSidecar: "rancher/mirrored-k8s-dns-sidecar:1.22.28",
+ KubeDNSAutoscaler: "rancher/mirrored-cluster-proportional-autoscaler:v1.8.9",
+ Flannel: "rancher/mirrored-flannel-flannel:v0.21.4",
+ FlannelCNI: "rancher/flannel-cni:v0.3.0-rancher8",
+ CalicoNode: "rancher/mirrored-calico-node:v3.26.3",
+ CalicoCNI: "rancher/calico-cni:v3.26.3-rancher1",
+ CalicoControllers: "rancher/mirrored-calico-kube-controllers:v3.26.3",
+ CalicoCtl: "rancher/mirrored-calico-ctl:v3.26.3",
+ CalicoFlexVol: "rancher/mirrored-calico-pod2daemon-flexvol:v3.26.3",
+ CanalNode: "rancher/mirrored-calico-node:v3.26.3",
+ CanalCNI: "rancher/calico-cni:v3.26.3-rancher1",
+ CanalControllers: "rancher/mirrored-calico-kube-controllers:v3.26.3",
+ CanalFlannel: "rancher/mirrored-flannel-flannel:v0.21.4",
+ CanalFlexVol: "rancher/mirrored-calico-pod2daemon-flexvol:v3.26.3",
+ WeaveNode: "weaveworks/weave-kube:2.8.1",
+ WeaveCNI: "weaveworks/weave-npc:2.8.1",
+ AciCniDeployContainer: "noiro/cnideploy:6.0.4.2.81c2369",
+ AciHostContainer: "noiro/aci-containers-host:6.0.4.2.81c2369",
+ AciOpflexContainer: "noiro/opflex:6.0.4.2.81c2369",
+ AciMcastContainer: "noiro/opflex:6.0.4.2.81c2369",
+ AciOpenvSwitchContainer: "noiro/openvswitch:6.0.4.2.81c2369",
+ AciControllerContainer: "noiro/aci-containers-controller:6.0.4.2.81c2369",
+ PodInfraContainer: "rancher/mirrored-pause:3.7",
+ Ingress: "rancher/nginx-ingress-controller:nginx-1.9.4-rancher1",
+ IngressBackend: "rancher/mirrored-nginx-ingress-controller-defaultbackend:1.5-rancher1",
+ IngressWebhook: "rancher/mirrored-ingress-nginx-kube-webhook-certgen:v20231011-8b53cabe0",
+ MetricsServer: "rancher/mirrored-metrics-server:v0.6.3",
+ CoreDNS: "rancher/mirrored-coredns-coredns:1.10.1",
+ CoreDNSAutoscaler: "rancher/mirrored-cluster-proportional-autoscaler:v1.8.9",
+ WindowsPodInfraContainer: "rancher/mirrored-pause:3.7",
+ Nodelocal: "rancher/mirrored-k8s-dns-node-cache:1.22.28",
+ },
 // k8s version from 2.1.x release with old rke-tools to allow upgrade from 2.1.x clusters
 // without all clusters being restarted
 "v1.11.9-rancher1-3": {
diff --git a/pkg/rke/k8s_version_info.go b/pkg/rke/k8s_version_info.go
index b1c0f7f82..a284f6ad6 100644
--- a/pkg/rke/k8s_version_info.go
+++ b/pkg/rke/k8s_version_info.go
@@ -61,7 +61,7 @@ func loadRKEDefaultK8sVersions() map[string]string {
 return map[string]string{
 "0.3": "v1.16.3-rancher1-1",
 // rke will use default if its version is absent
- "default": "v1.27.14-rancher1-1",
+ "default": "v1.27.15-rancher1-1",
 }
 }
diff --git a/pkg/rke/templates/aci-v6.0.4.2.go b/pkg/rke/templates/aci-v6.0.4.2.go
new file mode 100644
index 000000000..942b20dbd
--- /dev/null
+++ b/pkg/rke/templates/aci-v6.0.4.2.go
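Review bot: The new `v1.27.15-rancher1-1` entry references the `weaveworks/*` and `noiro/*` images by mutable tag straight from their upstream repositories, while every other image in the entry resolves through a `rancher/` mirrored image; an upstream tag can be re-pushed, so the image set recorded for this Kubernetes version is not reproducible and cannot be audited against a fixed artifact. This looks like an existing pattern rather than something introduced here, but the new ACI `6.0.4.2.81c2369` and Weave `2.8.1` tags would be natural candidates to pull through the mirror or, at minimum, to pin by digest. `AciMcastContainer` and `AciOpflexContainer` both name `noiro/opflex:6.0.4.2.81c2369`; if that is intended, a short comment such as `// AciMcastContainer intentionally reuses the opflex image` would stop a future reader from treating it as a copy-paste slip. The map literal continues outside the hunk on both sides.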
@@ -0,0 +1,2661 @@ +package templates + +const AciTemplateV6042 = ` +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: acicontainersoperators.aci.ctrl +spec: + group: aci.ctrl + names: + kind: AciContainersOperator + listKind: AciContainersOperatorList + plural: acicontainersoperators + singular: acicontainersoperator + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + description: acicontainersoperator owns the lifecycle of ACI objects in the cluster + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + description: AciContainersOperatorSpec defines the desired spec for ACI Objects + properties: + flavor: + type: string + config: + type: string + type: object + status: + description: AciContainersOperatorStatus defines the successful completion of AciContainersOperator + properties: + status: + type: boolean + type: object + required: + - spec + type: object +--- +apiVersion: v1 +kind: Namespace +metadata: + name: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" + network-plugin: aci-containers +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: nodepodifs.aci.aw +spec: + group: aci.aw + names: + kind: NodePodIF + listKind: NodePodIFList + plural: nodepodifs + singular: nodepodif + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + properties: + podifs: + type: array + items: + type: object + properties: + containerID: + type: string + epg: + type: string + ifname: + type: string + ipaddr: + type: string + macaddr: + type: string + podname: + type: string + podns: + type: string + vtep: + type: string + required: + - spec + type: object +--- +{{- if eq 
.UseAciCniPriorityClass "true"}} +apiVersion: scheduling.k8s.io/v1beta1 +kind: PriorityClass +metadata: + name: acicni-priority +value: 1000000000 +globalDefault: false +description: "This priority class is used for ACI-CNI resources" +--- +{{- end }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: snatglobalinfos.aci.snat +spec: + group: aci.snat + names: + kind: SnatGlobalInfo + listKind: SnatGlobalInfoList + plural: snatglobalinfos + singular: snatglobalinfo + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + description: SnatGlobalInfo is the Schema for the snatglobalinfos API + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + globalInfos: + additionalProperties: + items: + properties: + macAddress: + type: string + portRanges: + items: + properties: + end: + maximum: 65535 + minimum: 1 + type: integer + start: + maximum: 65535 + minimum: 1 + type: integer + type: object + type: array + snatIp: + type: string + snatIpUid: + type: string + snatPolicyName: + type: string + required: + - macAddress + - portRanges + - snatIp + - snatIpUid + - snatPolicyName + type: object + type: array + type: object + required: + - globalInfos + type: object + status: + description: SnatGlobalInfoStatus defines the observed state of SnatGlobalInfo + type: object + type: object +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: snatlocalinfos.aci.snat +spec: + group: aci.snat + names: + kind: SnatLocalInfo + listKind: SnatLocalInfoList + plural: snatlocalinfos + singular: snatlocalinfo + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + description: SnatLocalInfoSpec defines the desired state of SnatLocalInfo + properties: + 
localInfos: + items: + properties: + podName: + type: string + podNamespace: + type: string + podUid: + type: string + snatPolicies: + items: + properties: + destIp: + items: + type: string + type: array + name: + type: string + snatIp: + type: string + required: + - destIp + - name + - snatIp + type: object + type: array + required: + - podName + - podNamespace + - podUid + - snatPolicies + type: object + type: array + required: + - localInfos + type: object + type: object +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: snatpolicies.aci.snat +spec: + group: aci.snat + names: + kind: SnatPolicy + listKind: SnatPolicyList + plural: snatpolicies + singular: snatpolicy + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + properties: + selector: + type: object + properties: + labels: + type: object + description: 'Selection of Pods' + properties: + additionalProperties: + type: string + namespace: + type: string + type: object + snatIp: + type: array + items: + type: string + destIp: + type: array + items: + type: string + type: object + status: + type: object + properties: + additionalProperties: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: nodeinfos.aci.snat +spec: + group: aci.snat + names: + kind: NodeInfo + listKind: NodeInfoList + plural: nodeinfos + singular: nodeinfo + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + macaddress: + type: string + snatpolicynames: + additionalProperties: + type: boolean + type: object + type: object + status: + description: NodeinfoStatus defines 
the observed state of Nodeinfo + type: object + type: object +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: rdconfigs.aci.snat +spec: + group: aci.snat + names: + kind: RdConfig + listKind: RdConfigList + plural: rdconfigs + singular: rdconfig + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + discoveredsubnets: + items: + type: string + type: array + usersubnets: + items: + type: string + type: array + type: object + status: + description: NodeinfoStatus defines the observed state of Nodeinfo + type: object + type: object +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.aci.netpol +spec: + group: aci.netpol + names: + kind: NetworkPolicy + listKind: NetworkPolicyList + plural: networkpolicies + singular: networkpolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Network Policy describes traffic flow at IP address or port level + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + podSelector: + description: allow ingress from the same namespace + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: 
object + egress: + description: Set of egress rules evaluated based on the order in which they are set. + items: + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs default to false. + type: boolean + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations. + items: + properties: + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" + type: string + except: + description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range + items: + type: string + type: array + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + podSelector: + description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + type: array + toFqDn: + properties: + matchNames: + items: + type: string + type: array + required: + - matchNames + type: object + required: + - enableLogging + - toFqDn + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order in which they are set. + items: + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + properties: + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" + type: string + except: + description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range + items: + type: string + type: array + required: + - cidr + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + podSelector: + description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + properties: + key: + type: string + operator: + description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + type: array + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + type: object + type: array + policyTypes: + items: + description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8 + type: string + type: array + priority: + description: Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies. + type: integer + type: + description: type of the policy. 
+ type: string + required: + - type + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: dnsnetworkpolicies.aci.dnsnetpol +spec: + group: aci.dnsnetpol + names: + kind: DnsNetworkPolicy + listKind: DnsNetworkPolicyList + plural: dnsnetworkpolicies + singular: dnsnetworkpolicy + scope: Namespaced + versions: + - name: v1beta + schema: + openAPIV3Schema: + description: dns network Policy + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + podSelector: + description: allow ingress from the same namespace + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + egress: + description: Set of egress rules evaluated based on the order in which they are set. 
+ properties: + toFqdn: + properties: + matchNames: + items: + type: string + type: array + required: + - matchNames + type: object + required: + - toFqdn + type: object + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: qospolicies.aci.qos +spec: + group: aci.qos + names: + kind: QosPolicy + listKind: QosPolicyList + plural: qospolicies + singular: qospolicy + scope: Namespaced + preserveUnknownFields: false + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + spec: + type: object + properties: + podSelector: + description: 'Selection of Pods' + type: object + properties: + matchLabels: + type: object + description: + ingress: + type: object + properties: + policing_rate: + type: integer + minimum: 0 + policing_burst: + type: integer + minimum: 0 + egress: + type: object + properties: + policing_rate: + type: integer + minimum: 0 + policing_burst: + type: integer + minimum: 0 + dscpmark: + type: integer + default: 0 + minimum: 0 + maximum: 63 +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: netflowpolicies.aci.netflow +spec: + group: aci.netflow + names: + kind: NetflowPolicy + listKind: NetflowPolicyList + plural: netflowpolicies + singular: netflowpolicy + scope: Cluster + preserveUnknownFields: false + versions: + - name: v1alpha + served: true + storage: true + schema: + # openAPIV3Schema is the schema for validating custom objects. 
+ openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + spec: + type: object + properties: + flowSamplingPolicy: + type: object + properties: + destIp: + type: string + destPort: + type: integer + minimum: 0 + maximum: 65535 + default: 2055 + flowType: + type: string + enum: + - netflow + - ipfix + default: netflow + activeFlowTimeOut: + type: integer + minimum: 0 + maximum: 3600 + default: 60 + idleFlowTimeOut: + type: integer + minimum: 0 + maximum: 600 + default: 15 + samplingRate: + type: integer + minimum: 0 + maximum: 1000 + default: 0 + required: + - destIp + type: object +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: erspanpolicies.aci.erspan +spec: + group: aci.erspan + names: + kind: ErspanPolicy + listKind: ErspanPolicyList + plural: erspanpolicies + singular: erspanpolicy + scope: Cluster + preserveUnknownFields: false + versions: + - name: v1alpha + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + spec: + type: object + properties: + selector: + type: object + description: 'Selection of Pods' + properties: + labels: + type: object + properties: + additionalProperties: + type: string + namespace: + type: string + source: + type: object + properties: + adminState: + description: Administrative state. + default: start + type: string + enum: + - start + - stop + direction: + description: Direction of the packets to monitor. + default: both + type: string + enum: + - in + - out + - both + destination: + type: object + properties: + destIP: + description: Destination IP of the ERSPAN packet. + type: string + flowID: + description: Unique flow ID of the ERSPAN packet. 
+ default: 1 + type: integer + minimum: 1 + maximum: 1023 + required: + - destIP + type: object +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: enabledroplogs.aci.droplog +spec: + group: aci.droplog + names: + kind: EnableDropLog + listKind: EnableDropLogList + plural: enabledroplogs + singular: enabledroplog + scope: Cluster + versions: + - name: v1alpha1 + served: true + storage: true + schema: + # openAPIV3Schema is the schema for validating custom objects. + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + spec: + description: Defines the desired state of EnableDropLog + type: object + properties: + disableDefaultDropLog: + description: Disables the default droplog enabled by acc-provision. + default: false + type: boolean + nodeSelector: + type: object + description: Drop logging is enabled on nodes selected based on labels + properties: + labels: + type: object + properties: + additionalProperties: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: prunedroplogs.aci.droplog +spec: + group: aci.droplog + names: + kind: PruneDropLog + listKind: PruneDropLogList + plural: prunedroplogs + singular: prunedroplog + scope: Cluster + versions: + - name: v1alpha1 + served: true + storage: true + schema: + # openAPIV3Schema is the schema for validating custom objects. 
+ openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + spec: + description: Defines the desired state of PruneDropLog + type: object + properties: + nodeSelector: + type: object + description: Drop logging filters are applied to nodes selected based on labels + properties: + labels: + type: object + properties: + additionalProperties: + type: string + dropLogFilters: + type: object + properties: + srcIP: + type: string + destIP: + type: string + srcMAC: + type: string + destMAC: + type: string + srcPort: + type: integer + destPort: + type: integer + ipProto: + type: integer +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: accprovisioninputs.aci.ctrl +spec: + group: aci.ctrl + names: + kind: AccProvisionInput + listKind: AccProvisionInputList + plural: accprovisioninputs + singular: accprovisioninput + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + description: accprovisioninput defines the input configuration for ACI CNI + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + description: AccProvisionInputSpec defines the desired spec for accprovisioninput object + properties: + acc_provision_input: + type: object + properties: + operator_managed_config: + type: object + properties: + enable_updates: + type: boolean + aci_config: + type: object + properties: + sync_login: + type: object + properties: + certfile: + type: string + keyfile: + type: string + client_ssl: + type: boolean + net_config: + type: object + properties: + interface_mtu: + type: integer + service_monitor_interval: + type: integer + pbr_tracking_non_snat: + type: boolean + pod_subnet_chunk_size: + type: integer + disable_wait_for_network: + type: boolean + duration_wait_for_network: + type: integer + registry: + type: object + properties: + image_prefix: + type: string 
+ image_pull_secret: + type: string + aci_containers_operator_version: + type: string + aci_containers_controller_version: + type: string + aci_containers_host_version: + type: string + acc_provision_operator_version: + type: string + aci_cni_operator_version: + type: string + cnideploy_version: + type: string + opflex_agent_version: + type: string + openvswitch_version: + type: string + gbp_version: + type: string + logging: + type: object + properties: + controller_log_level: + type: string + hostagent_log_level: + type: string + opflexagent_log_level: + type: string + istio_config: + type: object + properties: + install_profile: + type: string + multus: + type: object + properties: + disable: + type: boolean + drop_log_config: + type: object + properties: + enable: + type: boolean + nodepodif_config: + type: object + properties: + enable: + type: boolean + sriov_config: + type: object + properties: + enable: + type: boolean + kube_config: + type: object + properties: + ovs_memory_limit: + type: string + use_privileged_containers: + type: boolean + image_pull_policy: + type: string + reboot_opflex_with_ovs: + type: string + snat_operator: + type: object + properties: + port_range: + type: object + properties: + start: + type: integer + end: + type: integer + ports_per_node: + type: integer + contract_scope: + type: string + disable_periodic_snat_global_info_sync: + type: boolean + type: object + status: + description: AccProvisionInputStatus defines the successful completion of AccProvisionInput + properties: + status: + type: boolean + type: object + required: + - spec + type: object +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: aci-containers-config + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" + network-plugin: aci-containers +data: + controller-config: |- + { + "log-level": "{{.ControllerLogLevel}}", + "apic-hosts": {{.ApicHosts}}, +{{- if ne .AciMultipod "false" }} + "aci-multipod": {{.AciMultipod}}, 
+{{- end}} +{{- if .OpflexDeviceReconnectWaitTimeout }} + "opflex-device-reconnect-wait-timeout": {{.OpflexDeviceReconnectWaitTimeout}}, +{{- end}} + "apic-refreshtime": "{{.ApicRefreshTime}}", + "apic-subscription-delay": {{.ApicSubscriptionDelay}}, + "apic_refreshticker_adjust": "{{.ApicRefreshTickerAdjust}}", + "apic-username": "{{.ApicUserName}}", + "apic-private-key-path": "/usr/local/etc/aci-cert/user.key", + "aci-prefix": "{{.SystemIdentifier}}", + "aci-vmm-type": "Kubernetes", +{{- if ne .VmmDomain ""}} + "aci-vmm-domain": "{{.VmmDomain}}", +{{- else}} + "aci-vmm-domain": "{{.SystemIdentifier}}", +{{- end}} +{{- if ne .VmmController ""}} + "aci-vmm-controller": "{{.VmmController}}", +{{- else}} + "aci-vmm-controller": "{{.SystemIdentifier}}", +{{- end}} + "aci-policy-tenant": "{{.Tenant}}", +{{- if ne .CApic "false"}} + "lb-type": "None", +{{- end}} +{{- if ne .HppOptimization "false"}} + "hpp-optimization": {{.HppOptimization}}, +{{- end}} +{{- if ne .DisableHppRendering "false"}} + "disable-hpp-rendering": {{.DisableHppRendering}}, +{{- end}} +{{- if ne .NoWaitForServiceEpReadiness "false"}} + "no-wait-for-service-ep-readiness": {{.NoWaitForServiceEpReadiness}}, +{{- end}} +{{- if ne .ServiceGraphEndpointAddDelay "0"}} + "service-graph-endpoint-add-delay" : { + "delay": {{.ServiceGraphEndpointAddDelay}}, + "services": [{{- range $index, $item :=.ServiceGraphEndpointAddServices }}{{- if $index}},{{end}}{ {{- range $k, $v := $item }}"{{ $k }}": "{{ $v }}"{{if eq $k "name"}},{{end}}{{- end}}}{{end}}] + }, +{{- end}} +{{- if ne .AddExternalSubnetsToRdconfig "false"}} + "add-external-subnets-to-rdconfig": {{.AddExternalSubnetsToRdconfig}}, +{{- end}} +{{- if ne .DisablePeriodicSnatGlobalInfoSync "false"}} + "disable-periodic-snat-global-info-sync": {{.DisablePeriodicSnatGlobalInfoSync}}, +{{- end}} +{{- if .NodeSnatRedirectExclude }} + "node-snat-redirect-exclude": [{{ range $index,$item := .NodeSnatRedirectExclude}}{{- if $index}}, {{end }}{"group": "{{ index 
$item "group" }}", "labels": {{ index $item "labels" }}}{{ end }}], +{{- end }} +{{- if .ApicConnectionRetryLimit}} + "apic-connection-retry-limit": {{.ApicConnectionRetryLimit}}, +{{- end}} + "opflex-device-delete-timeout": {{.OpflexDeviceDeleteTimeout}}, + "sleep-time-snat-global-info-sync": {{.SleepTimeSnatGlobalInfoSync}}, +{{- /* Commenting code to disable the install_istio flag as the functionality + is disabled to remove dependency from istio.io/istio package. + Vulnerabilties were detected by quay.io security scan of aci-containers-controller + and aci-containers-operator images for istio.io/istio package + "install-istio": {{.InstallIstio}}, + "istio-profile": "{{.IstioProfile}}", +*/}} +{{- if ne .CApic "true"}} + "aci-podbd-dn": "uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-pod-bd", + "aci-nodebd-dn": "uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-node-bd", +{{- end}} + "aci-service-phys-dom": "{{.SystemIdentifier}}-pdom", + "aci-service-encap": "vlan-{{.ServiceVlan}}", + "aci-service-monitor-interval": {{.ServiceMonitorInterval}}, + "aci-pbr-tracking-non-snat": {{.PBRTrackingNonSnat}}, + "aci-vrf-tenant": "{{.VRFTenant}}", + "aci-l3out": "{{.L3Out}}", + "aci-ext-networks": {{.L3OutExternalNetworks}}, +{{- if ne .CApic "true"}} + "aci-vrf": "{{.VRFName}}", +{{- else}} + "aci-vrf": "{{.OverlayVRFName}}", +{{- end}} + "app-profile": "aci-containers-{{.SystemIdentifier}}", +{{- if ne .AddExternalContractToDefaultEpg "false"}} + "add-external-contract-to-default-epg": {{.AddExternalContractToDefaultEpg}}, +{{- end}} + "default-endpoint-group": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-default" +{{- else}} + "name": "aci-containers-{{.SystemIdentifier}}" +{{- end}} + }, + "max-nodes-svc-graph": {{.MaxNodesSvcGraph}}, + "namespace-default-endpoint-group": { + "aci-containers-system": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + 
"name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + }, + "istio-operator": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-istio" +{{- else}} + "name": "aci-containers-istio" +{{- end}} + }, + "istio-system": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-istio" +{{- else}} + "name": "aci-containers-istio" +{{- end}} + }, + "kube-system": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + }, + "cattle-system": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + }, + "cattle-prometheus": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + }, + "cattle-logging": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + } }, + "service-ip-pool": [{{- range $index, $item := .ServiceIPPool }}{{- if $index}},{{end}}{ "start": "{{ $item.Start }}", "end": "{{ $item.End}}" }{{end}}], + "extern-static": [{{- range $index, $item := .StaticExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}], + "extern-dynamic": [{{- range $index, $item := .DynamicExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}], + "snat-contract-scope": "{{.SnatContractScope}}", + "static-service-ip-pool": [{{- range $index, $item := .StaticServiceIPPool }}{{- if $index}},{{end}}{ "start": "{{ $item.Start }}", "end": "{{ 
$item.End }}" }{{end}}], +{{- if and (ne .TaintNotReadyNode "false") (ne .TaintNotReadyNode "False") }} + "taint-not-ready": true, +{{- end}} + "pod-ip-pool": [{{- range $index, $item := .PodIPPool }}{{- if $index}},{{end}}{ "start": "{{ $item.Start }}", "end": "{{ $item.End}}" }{{end}}], + "pod-subnet": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}], + "pod-subnet-chunk-size": {{.PodSubnetChunkSize}}, + "node-service-ip-pool": [ + { + "end": "{{.NodeServiceIPEnd}}", + "start": "{{.NodeServiceIPStart}}" + } + ], + "node-service-subnets": [ + "{{.ServiceGraphSubnet}}" + ], + "enable_endpointslice": {{.EnableEndpointSlice}} + } + host-agent-config: |- + { + "app-profile": "aci-containers-{{.SystemIdentifier}}", +{{- if ne .EpRegistry ""}} + "ep-registry": "{{.EpRegistry}}", +{{- else}} + "ep-registry": null, +{{- end}} +{{- if ne .AciMultipod "false" }} + "aci-multipod": {{.AciMultipod}}, +{{- end}} +{{- if ne .DhcpRenewMaxRetryCount "0" }} + "dhcp-renew-max-retry-count": {{.DhcpRenewMaxRetryCount}}, +{{- end}} +{{- if ne .DhcpDelay "0" }} + "dhcp-delay": {{.DhcpDelay}}, +{{- end}} +{{- if ne .EnableOpflexAgentReconnect "false"}} + "enable-opflex-agent-reconnect": {{.EnableOpflexAgentReconnect}}, +{{- end}} +{{- if ne .OpflexMode ""}} + "opflex-mode": "{{.OpflexMode}}", +{{- else}} + "opflex-mode": null, +{{- end}} + "log-level": "{{.HostAgentLogLevel}}", + "aci-snat-namespace": "{{.SnatNamespace}}", + "aci-vmm-type": "Kubernetes", +{{- if ne .VmmDomain ""}} + "aci-vmm-domain": "{{.VmmDomain}}", +{{- else}} + "aci-vmm-domain": "{{.SystemIdentifier}}", +{{- end}} +{{- if ne .VmmController ""}} + "aci-vmm-controller": "{{.VmmController}}", +{{- else}} + "aci-vmm-controller": "{{.SystemIdentifier}}", +{{- end}} + "aci-prefix": "{{.SystemIdentifier}}", +{{- if ne .CApic "true"}} + "aci-vrf": "{{.VRFName}}", +{{- else}} + "aci-vrf": "{{.OverlayVRFName}}", +{{- end}} + "aci-vrf-tenant": "{{.VRFTenant}}", + "service-vlan": 
{{.ServiceVlan}}, + "kubeapi-vlan": {{.KubeAPIVlan}}, +{{- if ne .HppOptimization "false"}} + "hpp-optimization": {{.HppOptimization}}, +{{- end}} +{{- if ne .DisableHppRendering "false"}} + "disable-hpp-rendering": {{.DisableHppRendering}}, +{{- end}} + "pod-subnet": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}], + "node-subnet": [{{- range $index, $item := .NodeSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}], + "encap-type": "{{.EncapType}}", + "aci-infra-vlan": {{.InfraVlan}}, +{{- if .MTU}} +{{- if ne .MTU 0}} + "interface-mtu": {{.MTU}}, +{{- end}} +{{- end}} +{{- if .MTUHeadRoom}} +{{- if ne .MTUHeadRoom "0"}} + "interface-mtu-headroom": {{.MTUHeadRoom}}, +{{- end}} +{{- end}} + "cni-netconfig": [{{- range $index, $item := .PodNetwork }}{{- if $index}},{{end}}{ "gateway": "{{ $item.Gateway }}", "subnet": "{{ $item.Subnet }}", "routes": [{ "dst": "0.0.0.0/0", "gw": "{{ $item.Gateway }}" }]}{{end}}], + "default-endpoint-group": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-default" +{{- else}} + "name": "aci-containers-default" +{{- end}} + }, + "namespace-default-endpoint-group": { + "aci-containers-system": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + }, + "istio-operator": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-istio" +{{- else}} + "name": "aci-containers-istio" +{{- end}} + }, + "istio-system": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-istio" +{{- else}} + "name": "aci-containers-istio" +{{- end}} + }, + "kube-system": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": 
"aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + }, + "cattle-system": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + }, + "cattle-prometheus": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + }, + "cattle-logging": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + } }, + "enable-drop-log": {{.DropLogEnable}}, +{{- if and (ne .DropLogDisableEvents "false") (ne .DropLogDisableEvents "False")}} + "packet-event-notification-socket": "", +{{- end}} + "enable_endpointslice": {{.EnableEndpointSlice}}, + "enable-nodepodif": {{.NodePodIfEnable}}, +{{- if and (ne .TaintNotReadyNode "false") (ne .TaintNotReadyNode "False") }} + "taint-not-ready": true, +{{- end}} + "enable-ovs-hw-offload": {{.SriovEnable}} + } + opflex-agent-config: |- + { + "log": { + "level": "{{.OpflexAgentLogLevel}}" + }, + "opflex": { +{{- if eq .OpflexClientSSL "false"}} + "ssl": { "mode": "disabled"}, +{{- end}} +{{- if eq .OpflexAgentStatistics "false"}} + "statistics" : { "mode" : "off" }, +{{- end}} + "timers" : { +{{- if .OpflexAgentPolicyRetryDelayTimer}} + "policy-retry-delay": {{.OpflexAgentPolicyRetryDelayTimer}}, +{{- end}} + "switch-sync-delay": {{.OpflexSwitchSyncDelay}}, + "switch-sync-dynamic": {{.OpflexSwitchSyncDynamic}} + }, + "startup": { + "enabled": "{{.OpflexStartupEnabled}}", + "policy-file": "/usr/local/var/lib/opflex-agent-ovs/startup/pol.json", + "policy-duration": {{.OpflexStartupPolicyDuration}}, + "resolve-aft-conn": "{{.OpflexStartupResolveAftConn}}" + }, + "notif" : { "enabled" : 
"false" }, + "asyncjson": { "enabled" : {{.OpflexAgentOpflexAsyncjsonEnabled}} } + }, + "ovs": { + "asyncjson": { "enabled" : {{.OpflexAgentOvsAsyncjsonEnabled}} } + } + } +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: snat-operator-config + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" + network-plugin: aci-containers +data: + "start": "{{.SnatPortRangeStart}}" + "end": "{{.SnatPortRangeEnd}}" + "ports-per-node": "{{.SnatPortsPerNode}}" +--- +apiVersion: v1 +kind: Secret +metadata: + name: aci-user-cert + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" +data: + user.key: {{.ApicUserKey}} + user.crt: {{.ApicUserCrt}} +--- +{{- if eq .CApic "true"}} +apiVersion: v1 +kind: Secret +metadata: + name: kafka-client-certificates + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" +data: + ca.crt: {{.KafkaClientCrt}} + kafka-client.crt: {{.KafkaClientCrt}} + kafka-client.key: {{.KafkaClientKey}} +--- +{{- end}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aci-containers-controller + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aci-containers-host-agent + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" +--- +{{- if eq .UseClusterRole "true"}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + aci-containers-config-version: "{{.Token}}" + network-plugin: aci-containers + name: aci-containers-controller +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + - pods + - endpoints + - services + - events + - replicationcontrollers + - serviceaccounts + verbs: + - list + - watch + - get + - patch + - create + - update + - delete +- apiGroups: + - "" + resources: + - configmaps + verbs: + - list + - watch + - get + - create + - update + - delete +- 
apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - "rbac.authorization.k8s.io" + resources: + - clusterroles + - clusterrolebindings + verbs: + - '*' +{{- /* Commenting code to disable the install_istio flag as the functionality + is disabled to remove dependency from istio.io/istio package. + Vulnerabilties were detected by quay.io security scan of aci-containers-controller + and aci-containers-operator images for istio.io/istio package +{{- if ne .InstallIstio "false"}} +- apiGroups: + - "install.istio.io" + resources: + - istiocontrolplanes + - istiooperators + verbs: + - '*' +- apiGroups: + - "aci.istio" + resources: + - aciistiooperators + - aciistiooperator + verbs: + - '*' +{{- end}} +*/}} +- apiGroups: + - "networking.k8s.io" + resources: + - networkpolicies + verbs: + - list + - watch + - get +- apiGroups: + - "apps" + resources: + - deployments + - replicasets + - daemonsets + - statefulsets + verbs: + - '*' +- apiGroups: + - "" + resources: + - nodes + - services/status + verbs: + - update +- apiGroups: + - "monitoring.coreos.com" + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - "aci.snat" + resources: + - snatpolicies/finalizers + - snatpolicies/status + - nodeinfos + verbs: + - update + - create + - list + - watch + - get + - delete +- apiGroups: + - "aci.snat" + resources: + - snatglobalinfos + - snatpolicies + - nodeinfos + - rdconfigs + verbs: + - list + - watch + - get + - create + - update + - delete +- apiGroups: + - "aci.qos" + resources: + - qospolicies + verbs: + - list + - watch + - get + - create + - update + - delete + - patch +- apiGroups: + - "aci.netflow" + resources: + - netflowpolicies + verbs: + - list + - watch + - get + - update +- apiGroups: + - "aci.erspan" + resources: + - erspanpolicies + verbs: + - list + - watch + - get + - update +- apiGroups: + - "aci.aw" + resources: + - nodepodifs + verbs: + - '*' +- apiGroups: + - 
apps.openshift.io + resources: + - deploymentconfigs + verbs: + - list + - watch + - get +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "aci.netpol" + resources: + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - delete +- apiGroups: + - "aci.dnsnetpol" + resources: + - dnsnetworkpolicies + verbs: + - get + - list + - watch + - create + - update + - delete +--- +{{- end}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + aci-containers-config-version: "{{.Token}}" + network-plugin: aci-containers + name: aci-containers-host-agent +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + - pods + - endpoints + - services + - replicationcontrollers + verbs: + - list + - watch + - get +{{- if ne .DropLogEnable "false"}} + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end}} +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - list + - watch + - get +- apiGroups: + - "networking.k8s.io" + resources: + - networkpolicies + verbs: + - list + - watch + - get +- apiGroups: + - "apps" + resources: + - deployments + - replicasets + verbs: + - list + - watch + - get +- apiGroups: + - "aci.snat" + resources: + - snatpolicies + - snatglobalinfos + - rdconfigs + verbs: + - list + - watch + - get +- apiGroups: + - "aci.qos" + resources: + - qospolicies + verbs: + - list + - watch + - get + - create + - update + - delete + - patch +- apiGroups: + - "aci.droplog" + resources: + - enabledroplogs + - prunedroplogs + verbs: + - list + - watch + - get +- apiGroups: + - "aci.snat" + resources: + - nodeinfos + - snatlocalinfos + verbs: + - create + - update + - list + - watch + - get + - delete +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "aci.netpol" + resources: + - 
networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - "aci.aw" + resources: + - nodepodifs + verbs: + - "*" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: aci-containers-controller + labels: + aci-containers-config-version: "{{.Token}}" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: aci-containers-controller +subjects: +- kind: ServiceAccount + name: aci-containers-controller + namespace: aci-containers-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: aci-containers-host-agent + labels: + aci-containers-config-version: "{{.Token}}" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: aci-containers-host-agent +subjects: +- kind: ServiceAccount + name: aci-containers-host-agent + namespace: aci-containers-system +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: aci-containers-host + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" + network-plugin: aci-containers +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + name: aci-containers-host + network-plugin: aci-containers + template: + metadata: + labels: + name: aci-containers-host + network-plugin: aci-containers + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9612" + spec: + hostNetwork: true + hostPID: true + hostIPC: true + serviceAccountName: aci-containers-host-agent +{{- if ne .ImagePullSecret ""}} + imagePullSecrets: + - name: {{.ImagePullSecret}} +{{- end}} + tolerations: + - operator: Exists + initContainers: + - name: cnideploy + image: {{.AciCniDeployContainer}} + imagePullPolicy: {{.ImagePullPolicy}} + securityContext: +{{- if eq .UsePrivilegedContainer "true"}} + privileged: true +{{- end}} + capabilities: + add: + - SYS_ADMIN + volumeMounts: + - name: cni-bin + mountPath: /mnt/cni-bin +{{- if ne .UseSystemNodePriorityClass "false"}} + 
priorityClassName: system-node-critical +{{- else if .UseAciContainersHostPriorityClass}} + priorityClassName: aci-containers-host +{{- else}} +{{- if ne .NoPriorityClass "true"}} + priorityClassName: system-cluster-critical +{{- end}} +{{- if eq .UseAciCniPriorityClass "true"}} + priorityClassName: acicni-priority +{{- end}} +{{- end}} + containers: + - name: aci-containers-host + image: {{.AciHostContainer}} + imagePullPolicy: {{.ImagePullPolicy}} +{{- if or ( .AciContainersHostMemoryLimit ) ( .AciContainersHostMemoryRequest )}} + resources: + limits: +{{- if .AciContainersHostMemoryLimit }} + memory: "{{ .AciContainersHostMemoryLimit }}" +{{- else}} + memory: "{{ .AciContainersMemoryLimit }}" +{{- end}} + requests: +{{- if .AciContainersHostMemoryRequest }} + memory: "{{ .AciContainersHostMemoryRequest }}" +{{- else}} + memory: "{{ .AciContainersMemoryRequest }}" +{{- end}} +{{- end}} + securityContext: +{{- if eq .UsePrivilegedContainer "true"}} + privileged: true +{{- end}} + capabilities: + add: + - SYS_ADMIN + - NET_ADMIN + - SYS_PTRACE + - NET_RAW + env: + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: TENANT + value: "{{.Tenant}}" +{{- if ne .MultusDisable "true"}} + - name: MULTUS + value: true +{{- end}} +{{- if eq .DisableWaitForNetwork "true"}} + - name: DISABLE_WAIT_FOR_NETWORK + value: true +{{- else}} + - name: DURATION_WAIT_FOR_NETWORK + value: "{{.DurationWaitForNetwork}}" +{{- end}} + volumeMounts: + - name: cni-bin + mountPath: /mnt/cni-bin + - name: cni-conf + mountPath: /mnt/cni-conf + - name: hostvar + mountPath: /usr/local/var + - name: hostrun + mountPath: /run + - name: hostrun + mountPath: /usr/local/run + - name: opflex-hostconfig-volume + mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d + - name: host-config-volume + mountPath: /usr/local/etc/aci-containers/ + - name: varlogpods + mountPath: /var/log/pods + readOnly: true + - name: varlogcontainers + mountPath: /var/log/containers + 
readOnly: true + - name: varlibdocker + mountPath: /var/lib/docker + readOnly: true +{{- if eq .AciMultipod "true" }} + - name: dhclient + mountPath: /var/lib/dhclient +{{- end}} +{{- if eq .UseHostNetnsVolume "true"}} + - mountPath: /run/netns + name: host-run-netns + readOnly: true + mountPropagation: HostToContainer +{{- end}} +{{- if ne .MultusDisable "true"}} + - name: multus-cni-conf + mountPath: /mnt/multus-cni-conf +{{- end}} + livenessProbe: + failureThreshold: 10 + httpGet: + path: /status + port: 8090 + scheme: HTTP + initialDelaySeconds: 120 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 30 + - name: opflex-agent + env: + - name: REBOOT_WITH_OVS + value: "true" +{{- if ne .OpflexOpensslCompat "false"}} + - name: OPENSSL_CONF + value: "/etc/pki/tls/openssl11.cnf" +{{- end}} + image: {{.AciOpflexContainer}} + imagePullPolicy: {{.ImagePullPolicy}} +{{- if or ( .OpflexAgentMemoryLimit ) ( .OpflexAgentMemoryRequest )}} + resources: + limits: +{{- if .OpflexAgentMemoryLimit }} + memory: "{{ .OpflexAgentMemoryLimit }}" +{{- else}} + memory: "{{ .AciContainersMemoryLimit }}" +{{- end}} + requests: +{{- if .OpflexAgentMemoryRequest }} + memory: "{{ .OpflexAgentMemoryRequest }}" +{{- else}} + memory: "{{ .AciContainersMemoryRequest }}" +{{- end}} +{{- end}} + securityContext: +{{- if eq .UsePrivilegedContainer "true"}} + privileged: true +{{- end}} + capabilities: + add: + - NET_ADMIN + volumeMounts: + - name: hostvar + mountPath: /usr/local/var + - name: hostrun + mountPath: /run + - name: hostrun + mountPath: /usr/local/run + - name: opflex-hostconfig-volume + mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d + - name: opflex-config-volume + mountPath: /usr/local/etc/opflex-agent-ovs/conf.d +{{- if eq .RunOpflexServerContainer "true"}} + - name: opflex-server + image: {{.AciOpflexContainer}} + command: ["/bin/sh"] + args: ["/usr/local/bin/launch-opflexserver.sh"] + imagePullPolicy: {{.ImagePullPolicy}} + securityContext: + capabilities: + add: 
+ - NET_ADMIN + ports: + - containerPort: {{.OpflexServerPort}} + - name: metrics + containerPort: 9632 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - name: opflex-server-config-volume + mountPath: /usr/local/etc/opflex-server + - name: hostvar + mountPath: /usr/local/var +{{- end}} +{{- if ne .OpflexMode "overlay"}} + - name: mcast-daemon + image: {{.AciMcastContainer}} + command: ["/bin/sh"] + args: ["/usr/local/bin/launch-mcastdaemon.sh"] + imagePullPolicy: {{.ImagePullPolicy}} +{{- if or ( .McastDaemonMemoryLimit ) ( .McastDaemonMemoryRequest )}} + resources: + limits: +{{- if .McastDaemonMemoryLimit }} + memory: "{{ .McastDaemonMemoryLimit }}" +{{- else}} + memory: "{{ .AciContainersMemoryLimit }}" +{{- end}} + requests: +{{- if .McastDaemonMemoryRequest }} + memory: "{{ .McastDaemonMemoryRequest }}" +{{- else}} + memory: "{{ .AciContainersMemoryRequest }}" +{{- end}} +{{- end}} +{{- if eq .UsePrivilegedContainer "true"}} + securityContext: + privileged: true +{{- end}} + volumeMounts: + - name: hostvar + mountPath: /usr/local/var + - name: hostrun + mountPath: /run + - name: hostrun + mountPath: /usr/local/run +{{- end}} + restartPolicy: Always + volumes: + - name: cni-bin + hostPath: + path: /opt + - name: cni-conf + hostPath: + path: /etc + - name: hostvar + hostPath: + path: /var + - name: hostrun + hostPath: + path: /run + - name: host-config-volume + configMap: + name: aci-containers-config + items: + - key: host-agent-config + path: host-agent.conf + - name: opflex-hostconfig-volume + emptyDir: + medium: Memory + - name: varlogpods + hostPath: + path: /var/log/pods + - name: varlogcontainers + hostPath: + path: /var/log/containers + - name: varlibdocker + hostPath: + path: /var/lib/docker +{{- if eq .AciMultipod "true" }} +{{- if eq .AciMultipodUbuntu "true" }} + - name: dhclient + hostPath: + path: /var/lib/dhcp +{{- else}} + - name: dhclient + hostPath: + path: /var/lib/dhclient +{{- end}} +{{- 
end}} + - name: opflex-config-volume + configMap: + name: aci-containers-config + items: + - key: opflex-agent-config + path: local.conf +{{- if eq .UseOpflexServerVolume "true"}} + - name: opflex-server-config-volume +{{- end}} +{{- if eq .UseHostNetnsVolume "true"}} + - name: host-run-netns + hostPath: + path: /run/netns +{{- end}} +{{- if ne .MultusDisable "true" }} + - name: multus-cni-conf + hostPath: + path: /var/run/multus/ +{{- end}} +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: aci-containers-openvswitch + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" + network-plugin: aci-containers +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + name: aci-containers-openvswitch + network-plugin: aci-containers + template: + metadata: + labels: + name: aci-containers-openvswitch + network-plugin: aci-containers + spec: + hostNetwork: true + hostPID: true + hostIPC: true + serviceAccountName: aci-containers-host-agent +{{- if ne .ImagePullSecret ""}} + imagePullSecrets: + - name: {{.ImagePullSecret}} +{{end}} + tolerations: + - operator: Exists +{{- if ne .UseSystemNodePriorityClass "false"}} + priorityClassName: system-node-critical +{{- else if .UseAciContainersOpenvswitchPriorityClass}} + priorityClassName: aci-containers-openvswitch +{{- else}} +{{- if ne .NoPriorityClass "true"}} + priorityClassName: system-cluster-critical +{{- end}} +{{- if eq .UseAciCniPriorityClass "true"}} + priorityClassName: acicni-priority +{{- end}} +{{- end}} + containers: + - name: aci-containers-openvswitch + image: {{.AciOpenvSwitchContainer}} + imagePullPolicy: {{.ImagePullPolicy}} + resources: + limits: + memory: "{{.OVSMemoryLimit}}" + requests: + memory: "{{.OVSMemoryRequest}}" + securityContext: +{{- if eq .UsePrivilegedContainer "true"}} + privileged: true +{{- end}} + capabilities: + add: + - NET_ADMIN + - SYS_MODULE + - SYS_NICE + - IPC_LOCK + env: + - name: OVS_RUNDIR + value: 
/usr/local/var/run/openvswitch + volumeMounts: + - name: hostvar + mountPath: /usr/local/var + - name: hostrun + mountPath: /run + - name: hostrun + mountPath: /usr/local/run + - name: hostetc + mountPath: /usr/local/etc + - name: hostmodules + mountPath: /lib/modules + - name: varlogpods + mountPath: /var/log/pods + readOnly: true + - name: varlogcontainers + mountPath: /var/log/containers + readOnly: true + - name: varlibdocker + mountPath: /var/lib/docker + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/liveness-ovs.sh + restartPolicy: Always + volumes: + - name: hostetc + hostPath: + path: /etc + - name: hostvar + hostPath: + path: /var + - name: hostrun + hostPath: + path: /run + - name: hostmodules + hostPath: + path: /lib/modules + - name: varlogpods + hostPath: + path: /var/log/pods + - name: varlogcontainers + hostPath: + path: /var/log/containers + - name: varlibdocker + hostPath: + path: /var/lib/docker +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: aci-containers-controller + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" + network-plugin: aci-containers + name: aci-containers-controller +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + name: aci-containers-controller + network-plugin: aci-containers + template: + metadata: + name: aci-containers-controller + namespace: aci-containers-system + labels: + name: aci-containers-controller + network-plugin: aci-containers + spec: + hostNetwork: true + serviceAccountName: aci-containers-controller +{{- if ne .ImagePullSecret ""}} + imagePullSecrets: + - name: {{.ImagePullSecret}} +{{- end}} +{{- if .Tolerations }} + tolerations: +{{ toYaml .Tolerations | indent 6}} +{{- else }} + tolerations: + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: {{ .TolerationSeconds }} + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + 
tolerationSeconds: {{ .TolerationSeconds }} + - effect: NoSchedule + key: node.kubernetes.io/not-ready + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/controlplane + value: "true" + operator: Equal + - effect: NoExecute + key: node-role.kubernetes.io/etcd + value: "true" + operator: Equal +{{- end }} +{{- if ne .UseSystemNodePriorityClass "false"}} + priorityClassName: system-node-critical +{{- else if .UseAciContainersControllerPriorityClass}} + priorityClassName: aci-containers-controller +{{- else}} +{{- if ne .NoPriorityClass "true"}} + priorityClassName: system-node-critical +{{- end}} +{{- if eq .UseAciCniPriorityClass "true"}} + priorityClassName: acicni-priority +{{- end}} +{{- end}} + containers: + - name: aci-containers-controller + image: {{.AciControllerContainer}} + imagePullPolicy: {{.ImagePullPolicy}} +{{- if or ( .AciContainersControllerMemoryLimit ) ( .AciContainersControllerMemoryRequest )}} + resources: + limits: +{{- if .AciContainersControllerMemoryLimit }} + memory: "{{ .AciContainersControllerMemoryLimit }}" +{{- else}} + memory: "{{ .AciContainersMemoryLimit }}" +{{- end}} + requests: +{{- if .AciContainersControllerMemoryRequest }} + memory: "{{ .AciContainersControllerMemoryRequest }}" +{{- else}} + memory: "{{ .AciContainersMemoryRequest }}" +{{- end}} +{{- end}} + env: + - name: WATCH_NAMESPACE + value: "" + - name: ACI_SNAT_NAMESPACE + value: "aci-containers-system" + - name: ACI_SNAGLOBALINFO_NAME + value: "snatglobalinfo" + - name: ACI_RDCONFIG_NAME + value: "routingdomain-config" + - name: SYSTEM_NAMESPACE + value: "aci-containers-system" + volumeMounts: + - name: controller-config-volume + mountPath: /usr/local/etc/aci-containers/ + - name: varlogpods + mountPath: /var/log/pods + readOnly: true + - name: varlogcontainers + mountPath: /var/log/containers + readOnly: true + - name: varlibdocker + mountPath: /var/lib/docker + 
readOnly: true + - name: aci-user-cert-volume + mountPath: /usr/local/etc/aci-cert/ + livenessProbe: + failureThreshold: 10 + httpGet: + path: /status + port: 8091 + scheme: HTTP + initialDelaySeconds: 120 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 30 + volumes: +{{- if eq .CApic "true"}} + - name: kafka-certs + secret: + secretName: kafka-client-certificates +{{- end}} + - name: aci-user-cert-volume + secret: + secretName: aci-user-cert + - name: controller-config-volume + configMap: + name: aci-containers-config + items: + - key: controller-config + path: controller.conf + - name: varlogpods + hostPath: + path: /var/log/pods + - name: varlogcontainers + hostPath: + path: /var/log/containers + - name: varlibdocker + hostPath: + path: /var/lib/docker +{{- if eq .CApic "true"}} +--- +apiVersion: aci.aw/v1 +kind: PodIF +metadata: + name: inet-route + namespace: kube-system +status: + epg: aci-containers-inet-out + ipaddr: 0.0.0.0/0 +{{- end}} +--- +apiVersion: v1 +kind: LimitRange +metadata: + name: memory-limit-range + namespace: aci-containers-system +spec: + limits: + - default: + memory: {{ .AciContainersMemoryLimit }} + defaultRequest: + memory: {{ .AciContainersMemoryRequest }} + type: Container +` diff --git a/pkg/rke/templates/templates.go b/pkg/rke/templates/templates.go index 432f30b99..20baeeb81 100644 --- a/pkg/rke/templates/templates.go +++ b/pkg/rke/templates/templates.go @@ -95,6 +95,7 @@ const ( aciv6032 = "aci-v6.0.3.2" aciv6033 = "aci-v6.0.3.3" aciv6041 = "aci-v6.0.4.1" + aciv6042 = "aci-v6.0.4.2" nginxIngressv18 = "nginxingress-v1.8" nginxIngressV115 = "nginxingress-v1.15" 
@@ -267,7 +268,8 @@ func LoadK8sVersionedTemplates() map[string]map[string]string {
 ">=1.27.8-rancher2-1 <1.27.8-rancher2-2": aciv6031,
 ">=1.27.8-rancher2-2 <1.27.10-rancher1-2": aciv6032,
 ">=1.27.10-rancher1-2 <1.27.11-rancher1-1": aciv6033,
- ">=1.27.11-rancher1-1": aciv6041,
+ ">=1.27.11-rancher1-1 <1.27.15-rancher1-1": aciv6041,
+ ">=1.27.15-rancher1-1": aciv6042,
 },
 kdm.NginxIngress: {
 ">=1.8.0-rancher0 <1.13.10-rancher1-3": nginxIngressv18,
@@ -404,6 +406,7 @@ func getTemplates() map[string]string {
 aciv6032: AciTemplateV6032,
 aciv6033: AciTemplateV6033,
 aciv6041: AciTemplateV6041,
+ aciv6042: AciTemplateV6042,
 nginxIngressv18: NginxIngressTemplate,
 nginxIngressV115: NginxIngressTemplateV0251Rancher1,
diff --git a/regsync.yaml b/regsync.yaml
index f8ecd53fa..e8c1f3b9e 100644
--- a/regsync.yaml
+++ b/regsync.yaml
@@ -51,6 +51,7 @@ sync:
 - v3.27.0-build20240206
 - v3.27.2-build20240308
 - v3.27.3-build20240423
+ - v3.28.0-build20240625
 - source: docker.io/rancher/hardened-cluster-autoscaler
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-cluster-autoscaler'
 type: repository
@@ -73,6 +74,7 @@ sync:
 - v1.2.0-build20231009
 - v1.4.0-build20240122
 - v1.4.1-build20240325
+ - v1.4.1-build20240430
 - source: docker.io/rancher/hardened-coredns
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-coredns'
 type: repository
@@ -101,6 +103,7 @@ sync:
 type: repository
 tags:
 allow:
+ - v3.5.13-k3s1-build20240531
 - v3.5.4-k3s1-build20220504
 - v3.5.4-k3s1-build20221011
 - v3.5.7-k3s1-build20230406
@@ -123,6 +126,7 @@ sync:
 - v0.24.2-build20240122
 - v0.24.3-build20240307
 - v0.25.1-build20240423
+ - v0.25.4-build20240610
 - source: docker.io/rancher/hardened-ib-sriov-cni
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-ib-sriov-cni'
 type: repository
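Review bot: The two new range keys in `LoadK8sVersionedTemplates` have to meet exactly at `1.27.15-rancher1-1` (`<1.27.15-rancher1-1` on the aciv6041 entry, `>=1.27.15-rancher1-1` on the aciv6042 entry), and nothing in this hunk checks that adjacent bounds agree, so a future edit that leaves a gap or an overlap would give some Kubernetes version no ACI template, or two. A small table-driven test that resolves each shipped 1.27.x version string against this map and asserts that exactly one constraint matches would catch that at build time rather than at provisioning time. The map literal and the enclosing function continue outside the hunk.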
@@ -132,6 +136,7 @@ sync:
 - v1.0.2-build20221014
 - v1.0.2-build20230607
 - v1.0.2-build20231009
+ - v1.0.3-build20240327
 - source: docker.io/rancher/hardened-k8s-metrics-server
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-k8s-metrics-server'
 type: repository
@@ -188,6 +193,7 @@ sync:
 - v1.27.12-rke2r1-build20240315
 - v1.27.13-rke2r1-build20240416
 - v1.27.14-rke2r1-build20240515
+ - v1.27.15-rke2r1-build20240619
 - v1.27.5-rke2r1-build20230824
 - v1.27.7-rke2r2-build20231102
 - v1.27.8-rke2r1-build20231115
@@ -204,6 +210,13 @@ sync:
 - v4.0.2-build20230811
 - v4.0.2-build20231009
 - v4.0.2-build20240208
+ - v4.0.2-build20240418
+ - source: docker.io/rancher/hardened-node-feature-discovery
+ target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-node-feature-discovery'
+ type: repository
+ tags:
+ allow:
+ - v0.15.4-build20240513
 - source: docker.io/rancher/hardened-sriov-cni
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-sriov-cni'
 type: repository
@@ -213,6 +226,7 @@ sync:
 - v2.6.3-build20221014
 - v2.6.3-build20230607
 - v2.6.3-build20231009
+ - v2.7.0-build20240327
 - source: docker.io/rancher/hardened-sriov-network-config-daemon
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-sriov-network-config-daemon'
 type: repository
@@ -222,6 +236,7 @@ sync:
 - v1.2.0-build20221014
 - v1.2.0-build20230607
 - v1.2.0-build20231010
+ - v1.2.0-build20240327
 - source: docker.io/rancher/hardened-sriov-network-device-plugin
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-sriov-network-device-plugin'
 type: repository
@@ -231,6 +246,7 @@ sync:
 - v3.5.1-build20221014
 - v3.5.1-build20230607
 - v3.5.1-build20231009
+ - v3.6.2-build20240327
 - source: docker.io/rancher/hardened-sriov-network-operator
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-sriov-network-operator'
 type: repository
@@ -240,6 +256,7 @@ sync:
 - v1.2.0-build20221014
 - v1.2.0-build20230607
 - v1.2.0-build20231010
+ - v1.2.0-build20240327
 - source: docker.io/rancher/hardened-sriov-network-resources-injector
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-sriov-network-resources-injector'
 type: repository
@@ -249,6 +266,7 @@ sync:
 - v1.5-build20221014
 - v1.5-build20230607
 - v1.5-build20231009
+ - v1.5-build20240327
 - source: docker.io/rancher/hardened-sriov-network-webhook
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-sriov-network-webhook'
 type: repository
@@ -258,6 +276,7 @@ sync:
 - v1.2.0-build20221014
 - v1.2.0-build20230607
 - v1.2.0-build20231010
+ - v1.2.0-build20240327
 - source: docker.io/rancher/hardened-whereabouts
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-whereabouts'
 type: repository
@@ -270,6 +289,7 @@ sync:
 - v0.6.2-build20230717
 - v0.6.3-build20240109
 - v0.6.3-build20240208
+ - v0.7.0-build20240429
 - source: docker.io/rancher/harvester-cloud-provider
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/harvester-cloud-provider'
 type: repository
@@ -335,6 +355,7 @@ sync:
 - v1.27.12-rancher1
 - v1.27.13-rancher1
 - v1.27.14-rancher1
+ - v1.27.15-rancher1
 - v1.27.6-rancher1
 - v1.27.8-rancher2
 - source: docker.io/rancher/k3s-upgrade
@@ -381,6 +402,7 @@ sync:
 - v1.27.12-k3s1
 - v1.27.13-k3s1
 - v1.27.14-k3s1
+ - v1.27.15-k3s2
 - v1.27.5-k3s1
 - v1.27.7-k3s2
 - v1.27.8-k3s2
@@ -396,6 +418,7 @@ sync:
 - v0.8.0-build20230510
 - v0.8.2-build20230815
 - v0.8.3-build20240228
+ - v0.8.4-build20240523
 - source: docker.io/rancher/klipper-lb
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/klipper-lb'
 type: repository
@@ -416,6 +439,7 @@ sync:
 - v0.0.23
 - v0.0.24
 - v0.0.26
+ - v0.0.27
 - source: docker.io/rancher/longhornio-csi-attacher
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/longhornio-csi-attacher'
 type: repository
@@ -1027,6 +1051,7 @@ sync:
 - nginx-1.9.3-hardened1
 - nginx-1.9.4-rancher1
 - nginx-1.9.6-hardened1
+ - v1.10.1-hardened1
 - source: docker.io/rancher/pause
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/pause'
 type: repository
@@ -1040,6 +1065,7 @@ sync:
 type: repository
 tags:
 allow:
+ - v0.1.100
 - v0.1.80
 - v0.1.87
 - v0.1.88
@@ -1058,6 +1084,7 @@ sync:
 - v1.26.3-build20230608
 - v1.28.2-build20231016
 - v1.29.3-build20240412
+ - v1.29.3-build20240515
 - source: docker.io/rancher/rke2-runtime
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/rke2-runtime'
 type: repository
@@ -1141,6 +1168,8 @@ sync:
 - v1.27.13-rke2r1-windows-amd64
 - v1.27.14-rke2r1
 - v1.27.14-rke2r1-windows-amd64
+ - v1.27.15-rke2r1
+ - v1.27.15-rke2r1-windows-amd64
 - v1.27.5-rke2r1
 - v1.27.5-rke2r1-windows-amd64
 - v1.27.7-rke2r2
@@ -1191,6 +1220,7 @@ sync:
 - v1.27.12-rke2r1
 - v1.27.13-rke2r1
 - v1.27.14-rke2r1
+ - v1.27.15-rke2r1
 - v1.27.5-rke2r1
 - v1.27.7-rke2r2
 - v1.27.8-rke2r1
@@ -1238,6 +1268,7 @@ sync:
 - v1.27.12-k3s1
 - v1.27.13-k3s1
 - v1.27.14-k3s1
+ - v1.27.15-k3s2
 - v1.27.5-k3s1
 - v1.27.7-k3s2
 - v1.27.8-k3s2
@@ -1285,6 +1316,7 @@ sync:
 - v1.27.12-rke2r1
 - v1.27.13-rke2r1
 - v1.27.14-rke2r1
+ - v1.27.15-rke2r1
 - v1.27.5-rke2r1
 - v1.27.7-rke2r2
 - v1.27.8-rke2r1
diff --git a/scripts/dispatch b/scripts/dispatch
deleted file mode 100755
index c7916c6d9..000000000
--- a/scripts/dispatch
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-set -e
-set -x
-
-REPO="https://api.github.com/repos/rancher/rke/actions/workflows/git-actions-go-generate.yml/dispatches"
-
-case $DRONE_BRANCH in
- dev-v2.7|release-v2.7)
- ACTION_TARGET_BRANCH="release/v1.4"
- ;;
- *)
- echo "Not a valid branch, not dispatching event"
- exit 0
-esac
-
-echo "DRONE_BRANCH: $DRONE_BRANCH"
-echo "DRONE_COMMIT_AUTHOR: $DRONE_COMMIT_AUTHOR"
-
-echo "Dispatching to branch ${ACTION_TARGET_BRANCH}"
-
-# send dispatch event to workflow
-curl -XPOST -u "${PAT_USERNAME}:${PAT_TOKEN}" \
- -H "Accept: application/vnd.github.v3+json" \
- -H "Content-Type: application/json" $REPO \
- --data '{"ref": "'"$ACTION_TARGET_BRANCH"'","inputs":{"source_author":"'"$DRONE_COMMIT_AUTHOR"'"}}'
diff --git a/scripts/provisioning-tests b/scripts/provisioning-tests
index 0e226125f..bc79a495f 100755
--- a/scripts/provisioning-tests
+++ b/scripts/provisioning-tests
@@ -26,6 +26,16 @@ if [ -z "${CHANNELS_FILE}" ]; then
 esac
 fi
+# Set previous commit SHA
+if [ "${GITHUB_EVENT_NAME}" == "push" ]; then
+ export PREV_COMMIT_SHA=${PREV_COMMIT_PUSH_SHA}
+elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
+ export PREV_COMMIT_SHA=${PREV_COMMIT_PR_SHA}
+fi
+
+# To be removed/changed once drone setup is removed from rancher/rancher repo.
+export DRONE_BUILD_NUMBER=${GITHUB_RUN_NUMBER}
+
 if ! ./scripts/test-run-required.sh; then
 exit
 fi
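Review bot: The new `if`/`elif` leaves PREV_COMMIT_SHA unset for any GITHUB_EVENT_NAME other than push or pull_request (a `workflow_dispatch` run, for instance), and the context lines right below show what happens next: test-run-required.sh exits 1 on the missing variable (its hunk is in this diff), the negated test makes bare `exit` return status 0, and the provisioning tests are skipped as if they were not required rather than failing. An `else` branch that fails loudly closes that gap: `else`, `  echo "Error: unsupported GITHUB_EVENT_NAME '${GITHUB_EVENT_NAME}', cannot derive PREV_COMMIT_SHA" >&2`, `  exit 1`. The same value is then passed unquoted to `git diff` in this file's `@@ -64,7` hunk and in scripts/test-run-required.sh; writing `"$PREV_COMMIT_SHA"` turns an empty value into an explicit git error instead of a diff against the working tree. Minor: this hunk uses `==` inside `[ ]` while test-run-required.sh uses the portable `=`; pick one.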
@@ -64,7 +74,7 @@ if [ -z "${SOME_K8S_VERSION}" ]; then
 # Get git diff in relevant channel file, find all added versions matching k8s minor, and get the last one
 # There should never be a version of a given distro with multiple patches on the same minor added at the same time
 # This command should be in sync with the one in test-run-required.sh
- SOME_K8S_VERSION=$(git --no-pager diff --no-color -G "^ - version:" $DRONE_COMMIT_BEFORE -- "$CHANNELS_FILE" | grep -P "(^\+\s+- version: v1.$KDM_TEST_K8S_MINOR)" | sed 's/\(^\+\s\+- version: \)//' | tail -n 1)
+ SOME_K8S_VERSION=$(git --no-pager diff --no-color -G "^ - version:" $PREV_COMMIT_SHA -- "$CHANNELS_FILE" | grep -P "(^\+\s+- version: v1.$KDM_TEST_K8S_MINOR)" | sed 's/\(^\+\s\+- version: \)//' | tail -n 1)
 else
 # Only possible when not running in CI and env var is not provided, in this case just use latest from data.json
 SOME_K8S_VERSION=$(jq -r ".$V2PROV_TEST_DIST.releases[-1].version" <"$METADATA_DIR/data.json")
@@ -80,7 +90,7 @@ cd "$RANCHER_DIR"
 # Uncomment to get provisioning tests to write commands being run to stdout
 #sed -i '2s/set -e/set -ex/' ./scripts/provisioning-tests
-# Uncomment to get startup logs. Don't leave them on because it slows drone down too much
+# Uncomment to get startup logs. Don't leave them on because it slows github actions down too much
 #sed -i '110s/#//' ./scripts/provisioning-tests
 #sed -i '111s/#//' ./scripts/provisioning-tests
 #sed -i '141s/#//' ./scripts/provisioning-tests
diff --git a/scripts/test-run-required.sh b/scripts/test-run-required.sh
index e8dba7dd0..28906fe5b 100755
--- a/scripts/test-run-required.sh
+++ b/scripts/test-run-required.sh
@@ -2,7 +2,7 @@ set -ex
 echo "Checking if rancher integration testing is required"
-echo "Environment variable DRONE_BUILD_EVENT is ${DRONE_BUILD_EVENT}"
+echo "Environment variable GITHUB_EVENT_NAME is ${GITHUB_EVENT_NAME}"
 if [ -z "$CI" ]; then
 echo "Not running in CI, rancher integration testing is required"
@@ -14,15 +14,15 @@ if [ -z "$KDM_TEST_K8S_MINOR" ]; then
 exit 1
 fi
-if [ -z "$DRONE_COMMIT_BEFORE" ]; then
- echo "Error: DRONE_COMMIT_BEFORE not defined. This should not be happening in CI"
+if [ -z "$PREV_COMMIT_SHA" ]; then
+ echo "Error: PREV_COMMIT_SHA not defined. This should not be happening in CI"
 exit 1
 fi
-# Only run check if Drone build event is 'push' or 'pull_request'
-if [ "${DRONE_BUILD_EVENT}" = "push" ] || [ "${DRONE_BUILD_EVENT}" = "pull_request" ]; then
+# Only run check if Github build event is 'push' or 'pull_request'
+if [ "${GITHUB_EVENT_NAME}" = "push" ] || [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then
 # Check if the channels file contains changes to versions from the minor version
- if [ "$(git --no-pager diff --no-color -G "^ - version:" $DRONE_COMMIT_BEFORE -- "$CHANNELS_FILE" | grep -c -P "(^\+\s+- version: v1.$KDM_TEST_K8S_MINOR)")" -ne 0 ]; then
+ if [ "$(git --no-pager diff --no-color -G "^ - version:" $PREV_COMMIT_SHA -- "$CHANNELS_FILE" | grep -c -P "(^\+\s+- version: v1.$KDM_TEST_K8S_MINOR)")" -ne 0 ]; then
 exit 0
 fi
 fi
diff --git a/scripts/validate-ci b/scripts/validate-ci
index 0f2cf25ff..cf5bb3f5f 100755
--- a/scripts/validate-ci
+++ b/scripts/validate-ci
@@ -25,6 +25,3 @@ fi
 echo Checking if released versions are not changed
 go run ./pkg/validation/validation.go release-v2.7
-
-echo Checking the generated regsync.yaml file
-regsync check --config ./regsync.yaml
diff --git a/scripts/version b/scripts/version
index 41a617373..979b3574a 100644
--- a/scripts/version
+++ b/scripts/version
@@ -5,7 +5,11 @@ if [ -n "$(git status --porcelain --untracked-files=no)" ]; then
 fi
 COMMIT=$(git rev-parse --short HEAD)
-GIT_TAG=${DRONE_TAG:-$(git tag -l --contains HEAD | head -n 1)}
+
+GIT_TAG=$(git tag -l --contains HEAD | head -n 1)
+if [[ "$GITHUB_EVENT_NAME" = "push" && "$GITHUB_REF_TYPE" = "tag" ]]; then
+ GIT_TAG=$GITHUB_REF_NAME
+fi
 if [[ -z "$DIRTY" && -n "$GIT_TAG" ]]; then
 VERSION=$GIT_TAG
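Review bot: Dropping `regsync check --config ./regsync.yaml` from validate-ci leaves no visible check that regsync.yaml still parses and matches its schema, in the same change that adds a dozen new mirror tags and a new source entry to that file; if the check moved to a GitHub Actions job, that job is not part of this diff. Unless a replacement exists, keep the check and make it skippable only where the tool is missing: `if command -v regsync >/dev/null 2>&1; then regsync check --config ./regsync.yaml; fi`, with the `echo Checking the generated regsync.yaml file` line restored alongside it. Since regsync.yaml drives what gets mirrored to the registry, a malformed entry that validation no longer catches would presumably surface only at sync time.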