From 3fec8904b5c8ba486a4f1fd2f9a5675f2f586e7a Mon Sep 17 00:00:00 2001
From: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com>
Date: Thu, 5 Aug 2021 18:06:17 +0000
Subject: [PATCH] Copy generated manifests to master/config folder

---
 config/master/calico-crs.yaml | 2 +
 config/master/calico-operator.yaml | 772 +++++++++++++++++++++++++----
 scripts/generate-cni-yaml.sh | 2 +-
 3 files changed, 688 insertions(+), 88 deletions(-)

diff --git a/config/master/calico-crs.yaml b/config/master/calico-crs.yaml
index 012b9fdd6b..9bd0b46aa8 100644
--- a/config/master/calico-crs.yaml
+++ b/config/master/calico-crs.yaml
@@ -1,3 +1,5 @@
+---
+# Source: aws-calico/templates/crs/custom-resources.yaml
 # This section includes base Calico installation configuration.
 # For more information, see: https://docs.projectcalico.org/v3.17/reference/installation/api#operator.tigera.io/v1.Installation
 apiVersion: operator.tigera.io/v1
diff --git a/config/master/calico-operator.yaml b/config/master/calico-operator.yaml
index 910302bf93..279645fc55 100644
--- a/config/master/calico-operator.yaml
+++ b/config/master/calico-operator.yaml
@@ -1,4 +1,5 @@
 ---
+# Source: aws-calico/templates/crds/crd.projectcalico.org_bgpconfigurations.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -118,6 +119,18 @@ spec:
 type: string
 type: object
 type: array
+ serviceLoadBalancerIPs:
+ description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
+ Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
+ IPs will only be advertised if they are within one of these blocks.
+ items:
+ description: ServiceLoadBalancerIPBlock represents a single allowed
+ LoadBalancer IP CIDR block.
+ properties:
+ cidr:
+ type: string
+ type: object
+ type: array
 type: object
 type: object
 served: true
@@ -128,8 +141,8 @@ status: plural: "" conditions: [] storedVersions: [] - --- +# Source: aws-calico/templates/crds/crd.projectcalico.org_bgppeers.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -220,6 +233,12 @@ spec: remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set. type: string + sourceAddress: + description: Specifies whether and how to configure a source address + for the peerings generated by this BGPPeer resource. Default value + "UseNodeIP" means to configure the node IP as the source address. "None" + means not to configure a source address. + type: string type: object type: object served: true @@ -230,8 +249,8 @@ status: plural: "" conditions: [] storedVersions: [] - --- +# Source: aws-calico/templates/crds/crd.projectcalico.org_blockaffinities.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -291,8 +310,8 @@ status: plural: "" conditions: [] storedVersions: [] - --- +# Source: aws-calico/templates/crds/crd.projectcalico.org_clusterinformations.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -355,8 +374,8 @@ status: plural: "" conditions: [] storedVersions: [] - --- +# Source: aws-calico/templates/crds/crd.projectcalico.org_felixconfigurations.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -436,6 +455,13 @@ spec: description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. [Default: false]' type: boolean + bpfExtToServiceConnmark: + description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit + mark that is set on connections from an external client to a local + service. This mark allows us to control how packets of that connection + are routed within the host and how is routing intepreted by RPF + check. [Default: 0]' + type: integer bpfExternalServiceMode: description: 'BPFExternalServiceMode in BPF mode, controls how connections from outside the cluster to services (node ports and cluster IPs) @@ -492,11 +518,11 @@ spec: traffic that goes from a workload endpoint to the host itself (after the traffic hits the endpoint egress policy). By default Calico blocks traffic from workload endpoints to the host itself with an - iptables “DROP” action. If you want to allow some or all traffic + iptables "DROP" action. If you want to allow some or all traffic from endpoint to host, set this parameter to RETURN or ACCEPT. Use - RETURN if you have your own rules in the iptables “INPUT” chain; - Calico will insert its rules at the top of that chain, then “RETURN” - packets to the “INPUT” chain once it has completed processing workload + RETURN if you have your own rules in the iptables "INPUT" chain; + Calico will insert its rules at the top of that chain, then "RETURN" + packets to the "INPUT" chain once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets from workloads after processing workload endpoint egress policy. [Default: Drop]' 
@@ -524,19 +550,21 @@ spec: type: string type: array failsafeInboundHostPorts: - description: 'FailsafeInboundHostPorts is a comma-delimited list of - UDP/TCP ports that Felix will allow incoming traffic to host endpoints + description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports + and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid - accidentally cutting off a host with incorrect configuration. Each - port should be specified as tcp: or udp:. - For back-compatibility, if the protocol is not specified, it defaults - to “tcp”. To disable all inbound host ports, use the value none. - The default value allows ssh access and DHCP. [Default: tcp:22, + accidentally cutting off a host with incorrect configuration. For + back-compatibility, if the protocol is not specified, it defaults + to "tcp". If a CIDR is not specified, it will allow traffic from + all addresses. To disable all inbound host ports, use the value + none. The default value allows ssh access and DHCP. [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' items: - description: ProtoPort is combination of protocol and port, both - must be specified. + description: ProtoPort is combination of protocol, port, and CIDR. + Protocol and port must be specified. properties: + net: + type: string port: type: integer protocol: 
@@ -547,21 +575,23 @@ spec: type: object type: array failsafeOutboundHostPorts: - description: 'FailsafeOutboundHostPorts is a comma-delimited list - of UDP/TCP ports that Felix will allow outgoing traffic from host - endpoints to irrespective of the security policy. This is useful - to avoid accidentally cutting off a host with incorrect configuration. - Each port should be specified as tcp: or udp:. - For back-compatibility, if the protocol is not specified, it defaults - to “tcp”. To disable all outbound host ports, use the value none. - The default value opens etcd''s standard ports to ensure that Felix - does not get cut off from etcd as well as allowing DHCP and DNS. - [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, - udp:53, udp:67]' + description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports + and CIDRs that Felix will allow outgoing traffic from host endpoints + to irrespective of the security policy. This is useful to avoid + accidentally cutting off a host with incorrect configuration. For + back-compatibility, if the protocol is not specified, it defaults + to "tcp". If a CIDR is not specified, it will allow traffic from + all addresses. To disable all outbound host ports, use the value + none. The default value opens etcd''s standard ports to ensure that + Felix does not get cut off from etcd as well as allowing DHCP and + DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, + tcp:6667, udp:53, udp:67]' items: - description: ProtoPort is combination of protocol and port, both - must be specified. + description: ProtoPort is combination of protocol, port, and CIDR. + Protocol and port must be specified. properties: + net: + type: string port: type: integer protocol: @@ -907,8 +937,8 @@ status: plural: "" conditions: [] storedVersions: [] - --- +# Source: aws-calico/templates/crds/crd.projectcalico.org_globalnetworkpolicies.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -959,7 +989,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." @@ -1042,9 +1072,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -1247,9 +1277,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." 
@@ -1290,7 +1320,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." @@ -1373,9 +1403,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -1578,9 +1608,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." 
@@ -1678,8 +1708,8 @@ status: plural: "" conditions: [] storedVersions: [] - --- +# Source: aws-calico/templates/crds/crd.projectcalico.org_globalnetworksets.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1731,8 +1761,8 @@ status: plural: "" conditions: [] storedVersions: [] - --- +# Source: aws-calico/templates/crds/crd.projectcalico.org_hostendpoints.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1791,7 +1821,7 @@ spec: is empty - through the specific interface that has one of the IPs in ExpectedIPs. Therefore, when InterfaceName is empty, at least one expected IP must be specified. Only external interfaces (such - as “eth0”) are supported here; it isn't possible for a HostEndpoint + as \"eth0\") are supported here; it isn't possible for a HostEndpoint to protect traffic through a specific local workload interface. \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; initially just pre-DNAT policy. Please check Calico documentation @@ -1839,8 +1869,8 @@ status: plural: "" conditions: [] storedVersions: [] - --- +# Source: aws-calico/templates/crds/crd.projectcalico.org_ipamblocks.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1920,8 +1950,8 @@ status: plural: "" conditions: [] storedVersions: [] - --- +# Source: aws-calico/templates/crds/crd.projectcalico.org_ipamconfigs.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1976,8 +2006,8 @@ status: plural: "" conditions: [] storedVersions: [] - --- +# Source: aws-calico/templates/crds/crd.projectcalico.org_ipamhandles.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2032,8 +2062,8 @@ status: plural: "" conditions: [] storedVersions: [] - --- +# Source: aws-calico/templates/crds/crd.projectcalico.org_ippools.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -2131,8 +2161,8 @@ status: plural: "" conditions: [] storedVersions: [] - --- +# Source: aws-calico/templates/crds/crd.projectcalico.org_kubecontrollersconfigurations.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2241,6 +2271,10 @@ spec: description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]' type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. Set to 0 to disable. [Default: 9094]' + type: integer required: - controllers type: object @@ -2341,6 +2375,11 @@ spec: description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]' type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. Set to 0 to disable. [Default: + 9094]' + type: integer required: - controllers type: object @@ -2354,8 +2393,8 @@ status: plural: "" conditions: [] storedVersions: [] - --- +# Source: aws-calico/templates/crds/crd.projectcalico.org_networkpolicies.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2395,7 +2434,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." 
@@ -2478,9 +2517,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -2683,9 +2722,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -2726,7 +2765,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." 
@@ -2809,9 +2848,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -3014,9 +3053,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -3106,8 +3145,8 @@ status: plural: "" conditions: [] storedVersions: [] - --- +# Source: aws-calico/templates/crds/crd.projectcalico.org_networksets.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -3157,8 +3196,85 @@ status: plural: "" conditions: [] storedVersions: [] - --- +# Source: aws-calico/templates/crds/operator.tigera.io_imagesets_crd.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.3.0 + name: imagesets.operator.tigera.io +spec: + group: operator.tigera.io + names: + kind: ImageSet + listKind: ImageSetList + plural: imagesets + singular: imageset + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ImageSet is used to specify image digests for the images that + the operator deploys. The name of the ImageSet is expected to be in the + format `-`. The `variant` used is `enterprise` if the + InstallationSpec Variant is `TigeraSecureEnterprise` otherwise it is `calico`. + The `release` must match the version of the variant that the operator is + built to deploy, this version can be obtained by passing the `--version` + flag to the operator binary. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ImageSetSpec defines the desired state of ImageSet. + properties: + images: + description: Images is the list of images to use digests. All images + that the operator will deploy must be specified. 
+ items: + properties: + digest: + description: Digest is the image identifier that will be used + for the Image. The field should not include a leading `@` + and must be prefixed with `sha256:`. + type: string + image: + description: Image is an image that the operator deploys and + instead of using the built in tag the operator will use the + Digest for the image identifier. The value should be the image + name without registry or tag or digest. For the image `docker.io/calico/node:v3.17.1` + it should be represented as `calico/node` + type: string + required: + - digest + - image + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +# Source: aws-calico/templates/crds/operator.tigera.io_installations_crd.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -3266,6 +3382,16 @@ spec: - cidr type: object type: array + linuxDataplane: + description: 'LinuxDataplane is used to select the dataplane used + for Linux nodes. In particular, it causes the operator to add + required mounts and environment variables for the particular + dataplane. If not specified, iptables mode is used. Default: + Iptables' + enum: + - Iptables + - BPF + type: string mtu: description: MTU specifies the maximum transmission unit to use on the pod network. If not specified, Calico will perform MTU 
@@ -3342,6 +3468,51 @@ spec: type: string type: object type: object + certificateManagement: + description: CertificateManagement configures pods to submit a CertificateSigningRequest + to the certificates.k8s.io/v1beta1 API in order to obtain TLS certificates. + This feature requires that you bring your own CSR signing and approval + process, otherwise pods will be stuck during initialization. + properties: + caCert: + description: Certificate of the authority that signs the CertificateSigningRequests + in PEM format. + format: byte + type: string + keyAlgorithm: + description: 'Specify the algorithm used by pods to generate a + key pair that is associated with the X.509 certificate request. + Default: RSAWithSize2048' + enum: + - "" + - RSAWithSize2048 + - RSAWithSize4096 + - RSAWithSize8192 + - ECDSAWithCurve256 + - ECDSAWithCurve384 + - ECDSAWithCurve521 + type: string + signatureAlgorithm: + description: 'Specify the algorithm used for the signature of + the X.509 certificate request. Default: SHA256WithRSA' + enum: + - "" + - SHA256WithRSA + - SHA384WithRSA + - SHA512WithRSA + - ECDSAWithSHA256 + - ECDSAWithSHA384 + - ECDSAWithSHA512 + type: string + signerName: + description: 'When a CSR is issued to the certificates.k8s.io + API, the signerName is added to the request in order to accommodate + for clusters with multiple signers. Must be formatted as: `/`.' + type: string + required: + - caCert + - signerName + type: object cni: description: CNI specifies the CNI that will be used by this installation. properties: @@ -3394,7 +3565,8 @@ spec: type: object componentResources: description: ComponentResources can be used to customize the resource - requirements for each component. + requirements for each component. Node, Typha, and KubeControllers + are supported for installations. items: description: The ComponentResource struct associates a ResourceRequirements with a component by name 
@@ -3443,9 +3615,50 @@ spec: additionalProperties: type: string description: ControlPlaneNodeSelector is used to select control plane - nodes on which to run specific Calico components. This currently - only applies to kube-controllers and the apiserver. + nodes on which to run Calico components. This is globally applied + to all resources created by the operator excluding daemonsets. type: object + controlPlaneTolerations: + description: ControlPlaneTolerations specify tolerations which are + then globally applied to all resources created by the operator. + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. 
+ type: string + type: object + type: array flexVolumePath: description: FlexVolumePath optionally specifies a custom path for FlexVolume. If not specified, FlexVolume will be enabled by default. @@ -3456,7 +3669,9 @@ spec: description: "ImagePath allows for the path part of an image to be specified. If specified then the specified value will be used as the image path for each image. If not specified or empty, the default - for each image will be used. \n Image format: `//:` + for each image will be used. A special case value, UseDefault, is + supported to explicitly specify the default image path will be used + for each image. \n Image format: `//:` \n This option allows configuring the `` portion of the above format." type: string 
@@ -3538,10 +3753,124 @@ spec: description: "Registry is the default Docker registry used for component Docker images. If specified, all images will be pulled from this registry. If not specified then the default registries will be used. - \n Image format: `//:` + A special case value, UseDefault, is supported to explicitly specify + the default registries will be used. \n Image format: `//:` \n This option allows configuring the `` portion of the above format." type: string + typhaAffinity: + description: TyphaAffinity allows configuration of node affinity characteristics + for Typha pods. + properties: + nodeAffinity: + description: NodeAffinity describes node affinity scheduling rules + for typha. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. 
If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + type: object + type: object + typhaMetricsPort: + description: TyphaMetricsPort specifies which port calico/typha serves + prometheus metrics on. By default, metrics are not enabled. + format: int32 + type: integer variant: description: 'Variant is the product to install - one of Calico or TigeraSecureEnterprise Default: Calico' 
@@ -3628,6 +3957,16 @@ spec: - cidr type: object type: array + linuxDataplane: + description: 'LinuxDataplane is used to select the dataplane + used for Linux nodes. In particular, it causes the operator + to add required mounts and environment variables for the + particular dataplane. If not specified, iptables mode is + used. Default: Iptables' + enum: + - Iptables + - BPF + type: string mtu: description: MTU specifies the maximum transmission unit to use on the pod network. If not specified, Calico will perform 
@@ -3706,6 +4045,53 @@ spec: type: string type: object type: object + certificateManagement: + description: CertificateManagement configures pods to submit a + CertificateSigningRequest to the certificates.k8s.io/v1beta1 + API in order to obtain TLS certificates. This feature requires + that you bring your own CSR signing and approval process, otherwise + pods will be stuck during initialization. + properties: + caCert: + description: Certificate of the authority that signs the CertificateSigningRequests + in PEM format. + format: byte + type: string + keyAlgorithm: + description: 'Specify the algorithm used by pods to generate + a key pair that is associated with the X.509 certificate + request. Default: RSAWithSize2048' + enum: + - "" + - RSAWithSize2048 + - RSAWithSize4096 + - RSAWithSize8192 + - ECDSAWithCurve256 + - ECDSAWithCurve384 + - ECDSAWithCurve521 + type: string + signatureAlgorithm: + description: 'Specify the algorithm used for the signature + of the X.509 certificate request. Default: SHA256WithRSA' + enum: + - "" + - SHA256WithRSA + - SHA384WithRSA + - SHA512WithRSA + - ECDSAWithSHA256 + - ECDSAWithSHA384 + - ECDSAWithSHA512 + type: string + signerName: + description: 'When a CSR is issued to the certificates.k8s.io + API, the signerName is added to the request in order to + accommodate for clusters with multiple signers. Must be + formatted as: `/`.' + type: string + required: + - caCert + - signerName + type: object cni: description: CNI specifies the CNI that will be used by this installation. properties: @@ -3758,7 +4144,8 @@ spec: type: object componentResources: description: ComponentResources can be used to customize the resource - requirements for each component. + requirements for each component. Node, Typha, and KubeControllers + are supported for installations. items: description: The ComponentResource struct associates a ResourceRequirements with a component by name 
@@ -3809,9 +4196,51 @@ spec: additionalProperties: type: string description: ControlPlaneNodeSelector is used to select control - plane nodes on which to run specific Calico components. This - currently only applies to kube-controllers and the apiserver. + plane nodes on which to run Calico components. This is globally + applied to all resources created by the operator excluding daemonsets. type: object + controlPlaneTolerations: + description: ControlPlaneTolerations specify tolerations which + are then globally applied to all resources created by the operator. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. 
+ type: string + type: object + type: array flexVolumePath: description: FlexVolumePath optionally specifies a custom path for FlexVolume. If not specified, FlexVolume will be enabled @@ -3822,7 +4251,9 @@ spec: description: "ImagePath allows for the path part of an image to be specified. If specified then the specified value will be used as the image path for each image. If not specified or empty, - the default for each image will be used. \n Image format: `//:` + the default for each image will be used. A special case value, + UseDefault, is supported to explicitly specify the default image + path will be used for each image. \n Image format: `//:` \n This option allows configuring the `` portion of the above format." type: string 
@@ -3905,10 +4336,129 @@ spec: description: "Registry is the default Docker registry used for component Docker images. If specified, all images will be pulled from this registry. If not specified then the default registries - will be used. \n Image format: `//:` + will be used. A special case value, UseDefault, is supported + to explicitly specify the default registries will be used. \n + Image format: `//:` \n This option allows configuring the `` portion of the above format." type: string + typhaAffinity: + description: TyphaAffinity allows configuration of node affinity + characteristics for Typha pods. + properties: + nodeAffinity: + description: NodeAffinity describes node affinity scheduling + rules for typha. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects + (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. 
If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + type: object + type: object + typhaMetricsPort: + description: TyphaMetricsPort specifies which port calico/typha + serves prometheus metrics on. By default, metrics are not enabled. + format: int32 + type: integer variant: description: 'Variant is the product to install - one of Calico or TigeraSecureEnterprise Default: Calico' 
@@ -3917,6 +4467,11 @@ spec: - TigeraSecureEnterprise type: string type: object + imageSet: + description: ImageSet is the name of the ImageSet being used, if there + is an ImageSet that is being used. If an ImageSet is not being used + then this will not be set. + type: string mtu: description: MTU is the most recently observed value for pod network MTU. This may be an explicitly configured value, or based on Calico's @@ -3936,11 +4491,19 @@ spec: storage: true subresources: status: {} - +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] --- +# Source: aws-calico/templates/crds/operator.tigera.io_tigerastatuses_crd.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.3.0 name: tigerastatuses.operator.tigera.io spec: group: operator.tigera.io 
@@ -3977,16 +4540,17 @@ spec: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: + description: TigeraStatusSpec defines the desired state of TigeraStatus type: object status: description: TigeraStatusStatus defines the observed state of TigeraStatus @@ -4033,8 +4597,14 @@ spec: storage: true subresources: status: {} - +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] --- +# Source: aws-calico/templates/tigera-operator/00-namespace-tigera-operator.yaml apiVersion: v1 kind: Namespace metadata: @@ -4043,6 +4613,9 @@ metadata: labels: name: tigera-operator --- +# Source: aws-calico/templates/tigera-operator/02-podsecuritypolicy-tigera-operator.yaml +# This should not be rendered for an OpenShift install. +# OpenShift uses SecurityContextConstraints instead. apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: 
@@ -4087,12 +4660,21 @@ spec: max: 65535 readOnlyRootFilesystem: false --- -apiVersion: v1 -kind: ServiceAccount +# Source: aws-calico/templates/tigera-operator/02-rolebinding-tigera-operator.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: tigera-operator +subjects: +- kind: ServiceAccount + name: tigera-operator namespace: tigera-operator +roleRef: + kind: ClusterRole + name: tigera-operator + apiGroup: rbac.authorization.k8s.io --- +# Source: aws-calico/templates/tigera-operator/02-role-tigera-operator.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -4188,6 +4770,7 @@ rules: - crd.projectcalico.org resources: - ippools + - kubecontrollersconfigurations verbs: - get - list @@ -4228,6 +4811,18 @@ rules: verbs: - list - watch + # Needed for operator lock + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update + - delete + - watch # Add the appropriate pod security policy permissions - apiGroups: - policy @@ -4247,20 +4842,22 @@ rules: - watch - create - update +# Add the permissions to monitor the status of certificatesigningrequests when certificate management is enabled. + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - list --- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 +# Source: aws-calico/templates/tigera-operator/02-serviceaccount-tigera-operator.yaml +apiVersion: v1 +kind: ServiceAccount metadata: name: tigera-operator -subjects: -- kind: ServiceAccount - name: tigera-operator namespace: tigera-operator -roleRef: - kind: ClusterRole - name: tigera-operator - apiGroup: rbac.authorization.k8s.io --- +# Source: aws-calico/templates/tigera-operator/02-tigera-operator.yaml apiVersion: apps/v1 kind: Deployment metadata: 
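Review bot: The new `leases` rule in the ClusterRole (hunk `@@ -4228,6 +4811,18 @@`) grants create/update/delete on `coordination.k8s.io` leases in every namespace, although the comment on it says it is only `Needed for operator lock`. If that lock lives in the `tigera-operator` namespace, a namespaced `Role` plus `RoleBinding` scoped to `leases` would keep the same behaviour with a much smaller blast radius; with the cluster-wide grant, a compromised operator service account could tamper with the leader-election leases of other controllers. Because this file is rendered from the chart (`# Source: aws-calico/templates/tigera-operator/02-role-tigera-operator.yaml`), the narrowing belongs in that template rather than in this generated copy. The enclosing ClusterRole `rules:` list starts and ends outside the hunk.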
@@ -4293,6 +4890,7 @@ spec: containers: - name: tigera-operator image: quay.io/tigera/operator:v1.13.2 + imagePullPolicy: IfNotPresent command: - operator volumeMounts: diff --git a/scripts/generate-cni-yaml.sh b/scripts/generate-cni-yaml.sh index ee92c35efb..4acf10bdd6 100755 --- a/scripts/generate-cni-yaml.sh +++ b/scripts/generate-cni-yaml.sh @@ -148,7 +148,7 @@ cd $INDV_RESOURCES_DIR/cni-metrics-helper/ && tar cvf $METRICS_TAR_RESOURCES_FIL cd $INDV_RESOURCES_DIR/aws-calico/ && tar cvf $CALICO_TAR_RESOURCES_FILE templates/* cd $SCRIPTPATH -echo "Generated aws-vpc-cni and cni-metrics-helper kubernetes yaml resources files in:" +echo "Generated aws-vpc-cni, cni-metrics-helper and calico yaml resources files in:" echo " - $CNI_RESOURCES_YAML" echo " - $METRICS_RESOURCES_YAML" echo " - $CALICO_OPERATOR_RESOURCES_YAML"
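Review bot: `imagePullPolicy: IfNotPresent` is added next to `image: quay.io/tigera/operator:v1.13.2`, which is a tag rather than a digest, so a node keeps running whatever image is already cached under that tag and nodes can diverge if the tag is ever re-pushed. For a supply-chain guarantee, pin the reference by digest (`image: quay.io/tigera/operator:v1.13.2@sha256:<digest-of-the-verified-image>`), after which `IfNotPresent` is safe; otherwise keep the default `Always` pull policy. As this file is rendered from `aws-calico/templates/tigera-operator/02-tigera-operator.yaml`, the change belongs in that template. The Deployment's pod spec continues outside the hunk; the `scripts/generate-cni-yaml.sh` hunk only rewords an echo message.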