diff --git a/.gitignore b/.gitignore index 44f81bdd468..f23ccfec065 100644 --- a/.gitignore +++ b/.gitignore @@ -16,7 +16,6 @@ kubectl-ko-log.tar.gz kube-apiserver-audit.log kube-apiserver-audit.json kube-ovn.yaml -kube-ovn-crd.yaml ovn.yaml ovn-ic-controller.yaml ovn-ic-server.yaml diff --git a/charts/kube-ovn/Chart.yaml b/charts/kube-ovn/Chart.yaml index 0978817b6fc..e26e572710a 100644 --- a/charts/kube-ovn/Chart.yaml +++ b/charts/kube-ovn/Chart.yaml @@ -15,12 +15,12 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.13.0 +version: 2.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "1.13.0" +appVersion: "1.14.0" -kubeVersion: ">= 1.23.0-0" +kubeVersion: ">= 1.29.0-0" diff --git a/charts/kube-ovn/templates/kube-ovn-crd.yaml b/charts/kube-ovn/crds/kube-ovn-crd.yaml similarity index 76% rename from charts/kube-ovn/templates/kube-ovn-crd.yaml rename to charts/kube-ovn/crds/kube-ovn-crd.yaml index 7384e9a17d9..76a5fba6d22 100644 --- a/charts/kube-ovn/templates/kube-ovn-crd.yaml +++ b/charts/kube-ovn/crds/kube-ovn-crd.yaml 
@@ -823,6 +823,302 @@ spec: --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + name: vpc-egress-gateways.kubeovn.io +spec: + group: kubeovn.io + names: + plural: vpc-egress-gateways + singular: vpc-egress-gateway + shortNames: + - vpc-egress-gw + - veg + kind: VpcEgressGateway + listKind: VpcEgressGatewayList + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.vpc + name: VPC + type: string + - jsonPath: .spec.replicas + name: REPLICAS + type: integer + - jsonPath: .spec.bfd.enabled + name: BFD ENABLED + type: boolean + - jsonPath: .spec.externalSubnet + name: EXTERNAL SUBNET + type: string + - jsonPath: .status.phase + name: PHASE + type: string + - jsonPath: .status.ready + name: READY + type: boolean + - jsonPath: .status.internalIPs + name: INTERNAL IPS + priority: 1 + type: string + - jsonPath: .status.externalIPs + name: EXTERNAL IPS + priority: 1 + type: string + - jsonPath: .status.workload.nodes + name: WORKING NODES + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + lastUpdateTime: + format: date-time + type: string + message: + maxLength: 32768 + type: string + observedGeneration: + format: int64 + minimum: 0 + type: integer + reason: + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + enum: + - "True" + - "False" + - Unknown + type: string + type: + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - lastUpdateTime + - observedGeneration + - reason + - status + - type + type: object + type: array + 
x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + internalIPs: + items: + type: string + type: array + externalIPs: + items: + type: string + type: array + phase: + type: string + default: Pending + enum: + - Pending + - Processing + - Completed + ready: + type: boolean + default: false + workload: + type: object + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + nodes: + type: array + items: + type: string + required: + - conditions + - phase + type: object + spec: + type: object + required: + - externalSubnet + - policies + x-kubernetes-validations: + - rule: "!has(self.prefix) || self.prefix == '' || self.prefix == oldSelf.prefix" + message: 'Size of Internal IPs MUST be equal to or greater than Replicas' + fieldPath: ".prefix" + - rule: "!has(self.internalIPs) || size(self.internalIPs) == 0 || size(self.internalIPs) >= self.replicas" + message: 'Size of Internal IPs MUST be equal to or greater than Replicas' + fieldPath: ".internalIPs" + - rule: "!has(self.externalIPs) || size(self.externalIPs) == 0 || size(self.externalIPs) >= self.replicas" + message: 'Size of External IPs MUST be equal to or greater than Replicas' + fieldPath: ".externalIPs" + properties: + replicas: + type: integer + default: 1 + minimum: 1 + maximum: 10 + prefix: + type: string + anyOf: + - pattern: ^$ + - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*[-\.]?$ + x-kubernetes-validations: + - rule: "self == oldSelf" + message: "This field is immutable." 
+ vpc: + type: string + internalSubnet: + type: string + externalSubnet: + type: string + internalIPs: + items: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + - pattern: ^(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5]),((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))$ + - pattern: ^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:))),(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])$ + type: array + x-kubernetes-list-type: set + externalIPs: + items: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + - pattern: ^(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5]),((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))$ + - pattern: 
^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:))),(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])$ + type: array + x-kubernetes-list-type: set + image: + type: string + bfd: + type: object + properties: + enabled: + type: boolean + default: false + minRX: + type: integer + default: 1000 + minTX: + type: integer + default: 1000 + multiplier: + type: integer + default: 3 + policies: + type: array + minItems: 1 + items: + type: object + properties: + snat: + type: boolean + default: false + ipBlocks: + type: array + x-kubernetes-list-type: set + items: + type: string + anyOf: + - format: ipv4 + - format: ipv6 + - format: cidr + subnets: + type: array + x-kubernetes-list-type: set + items: + type: string + minLength: 1 + x-kubernetes-validations: + - rule: "size(self.ipBlocks) != 0 || size(self.subnets) != 0" + message: 'Each policy MUST have at least one ipBlock or subnet' + nodeSelector: + type: array + items: + type: object + properties: + matchLabels: + additionalProperties: + type: string + type: object + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + enum: + - In + - NotIn + - Exists + - DoesNotExist + - Gt + - Lt + values: + type: array + x-kubernetes-list-type: set + items: + type: string + required: + - key + - operator + matchFields: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + enum: + - In + - NotIn + - Exists + - DoesNotExist + - Gt + - Lt + values: + type: array + x-kubernetes-list-type: set + items: + type: string + required: + - key + - operator +--- 
+apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: name: iptables-eips.kubeovn.io spec: @@ -842,21 +1138,21 @@ spec: subresources: status: {} additionalPrinterColumns: - - jsonPath: .status.ip - name: IP - type: string - - jsonPath: .spec.macAddress - name: Mac - type: string - - jsonPath: .status.nat - name: Nat - type: string - - jsonPath: .spec.natGwDp - name: NatGwDp - type: string - - jsonPath: .status.ready - name: Ready - type: boolean + - jsonPath: .status.ip + name: IP + type: string + - jsonPath: .spec.macAddress + name: Mac + type: string + - jsonPath: .status.nat + name: Nat + type: string + - jsonPath: .spec.natGwDp + name: NatGwDp + type: string + - jsonPath: .status.ready + name: Ready + type: boolean schema: openAPIV3Schema: type: object @@ -928,24 +1224,24 @@ spec: subresources: status: {} additionalPrinterColumns: - - jsonPath: .spec.eip - name: Eip - type: string - - jsonPath: .status.v4ip - name: V4ip - type: string - - jsonPath: .spec.internalIp - name: InternalIp - type: string - - jsonPath: .status.v6ip - name: V6ip - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .status.natGwDp - name: NatGwDp - type: string + - jsonPath: .spec.eip + name: Eip + type: string + - jsonPath: .status.v4ip + name: V4ip + type: string + - jsonPath: .spec.internalIp + name: InternalIp + type: string + - jsonPath: .status.v6ip + name: V6ip + type: string + - jsonPath: .status.ready + name: Ready + type: boolean + - jsonPath: .status.natGwDp + name: NatGwDp + type: string schema: openAPIV3Schema: type: object 
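Review bot: The message on the first spec-level `x-kubernetes-validations` entry (`rule: "!has(self.prefix) || self.prefix == '' || self.prefix == oldSelf.prefix"`) is 'Size of Internal IPs MUST be equal to or greater than Replicas', copied from the internalIPs rule below it, so a rejected prefix change reports an unrelated reason; change it to something like `message: 'prefix is immutable once set'`, or drop the rule since the `prefix` property already carries its own `self == oldSelf` rule. Separately, the per-policy rule `size(self.ipBlocks) != 0 || size(self.subnets) != 0` dereferences two optional, undefaulted fields; as far as I can tell a policy that sets only one of them then fails with a CEL missing-key error instead of being accepted, so each side wants a `has()` guard: `rule: "(has(self.ipBlocks) && size(self.ipBlocks) != 0) || (has(self.subnets) && size(self.subnets) != 0)"`. The bfdPort rule added in the hunk at `@@ -1665,6 +1961,51 @@` has the same gap for `self.ip`: an enabled port with no `ip` key is rejected with a CEL error rather than the intended 'Port IP must be set when BFD Port is enabled' message, so it should read `rule: "!self.enabled || (has(self.ip) && self.ip != '')"`.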
@@ -1011,33 +1307,33 @@ spec: subresources: status: {} additionalPrinterColumns: - - jsonPath: .spec.eip - name: Eip - type: string - - jsonPath: .spec.protocol - name: Protocol - type: string - - jsonPath: .status.v4ip - name: V4ip - type: string - - jsonPath: .status.v6ip - name: V6ip - type: string - - jsonPath: .spec.internalIp - name: InternalIp - type: string - - jsonPath: .spec.externalPort - name: ExternalPort - type: string - - jsonPath: .spec.internalPort - name: InternalPort - type: string - - jsonPath: .status.natGwDp - name: NatGwDp - type: string - - jsonPath: .status.ready - name: Ready - type: boolean + - jsonPath: .spec.eip + name: Eip + type: string + - jsonPath: .spec.protocol + name: Protocol + type: string + - jsonPath: .status.v4ip + name: V4ip + type: string + - jsonPath: .status.v6ip + name: V6ip + type: string + - jsonPath: .spec.internalIp + name: InternalIp + type: string + - jsonPath: .spec.externalPort + name: ExternalPort + type: string + - jsonPath: .spec.internalPort + name: InternalPort + type: string + - jsonPath: .status.natGwDp + name: NatGwDp + type: string + - jsonPath: .status.ready + name: Ready + type: boolean schema: openAPIV3Schema: type: object 
@@ -1115,24 +1411,24 @@ spec: subresources: status: {} additionalPrinterColumns: - - jsonPath: .spec.eip - name: EIP - type: string - - jsonPath: .status.v4ip - name: V4ip - type: string - - jsonPath: .status.v6ip - name: V6ip - type: string - - jsonPath: .spec.internalCIDR - name: InternalCIDR - type: string - - jsonPath: .status.natGwDp - name: NatGwDp - type: string - - jsonPath: .status.ready - name: Ready - type: boolean + - jsonPath: .spec.eip + name: EIP + type: string + - jsonPath: .status.v4ip + name: V4ip + type: string + - jsonPath: .status.v6ip + name: V6ip + type: string + - jsonPath: .spec.internalCIDR + name: InternalCIDR + type: string + - jsonPath: .status.natGwDp + name: NatGwDp + type: string + - jsonPath: .status.ready + name: Ready + type: boolean schema: openAPIV3Schema: type: object @@ -1198,27 +1494,27 @@ spec: subresources: status: {} additionalPrinterColumns: - - jsonPath: .status.v4Ip - name: V4IP - type: string - - jsonPath: .status.v6Ip - name: V6IP - type: string - - jsonPath: .status.macAddress - name: Mac - type: string - - jsonPath: .status.type - name: Type - type: string - - jsonPath: .status.nat - name: Nat - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .spec.externalSubnet - name: ExternalSubnet - type: string + - jsonPath: .status.v4Ip + name: V4IP + type: string + - jsonPath: .status.v6Ip + name: V6IP + type: string + - jsonPath: .status.macAddress + name: Mac + type: string + - jsonPath: .status.type + name: Type + type: string + - jsonPath: .status.nat + name: Nat + type: string + - jsonPath: .status.ready + name: Ready + type: boolean + - jsonPath: .spec.externalSubnet + name: ExternalSubnet + type: string schema: openAPIV3Schema: type: object 
@@ -1290,30 +1586,30 @@ spec: subresources: status: {} additionalPrinterColumns: - - jsonPath: .status.vpc - name: Vpc - type: string - - jsonPath: .status.v4Eip - name: V4Eip - type: string - - jsonPath: .status.v6Eip - name: V6Eip - type: string - - jsonPath: .status.v4Ip - name: V4Ip - type: string - - jsonPath: .status.v6Ip - name: V6Ip - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .spec.ipType - name: IpType - type: string - - jsonPath: .spec.ipName - name: IpName - type: string + - jsonPath: .status.vpc + name: Vpc + type: string + - jsonPath: .status.v4Eip + name: V4Eip + type: string + - jsonPath: .status.v6Eip + name: V6Eip + type: string + - jsonPath: .status.v4Ip + name: V4Ip + type: string + - jsonPath: .status.v6Ip + name: V6Ip + type: string + - jsonPath: .status.ready + name: Ready + type: boolean + - jsonPath: .spec.ipType + name: IpType + type: string + - jsonPath: .spec.ipName + name: IpName + type: string schema: openAPIV3Schema: type: object @@ -1387,24 +1683,24 @@ spec: subresources: status: {} additionalPrinterColumns: - - jsonPath: .status.vpc - name: Vpc - type: string - - jsonPath: .status.v4Eip - name: V4Eip - type: string - - jsonPath: .status.v6Eip - name: V6Eip - type: string - - jsonPath: .status.v4IpCidr - name: V4IpCidr - type: string - - jsonPath: .status.v6IpCidr - name: V6IpCidr - type: string - - jsonPath: .status.ready - name: Ready - type: boolean + - jsonPath: .status.vpc + name: Vpc + type: string + - jsonPath: .status.v4Eip + name: V4Eip + type: string + - jsonPath: .status.v6Eip + name: V6Eip + type: string + - jsonPath: .status.v4IpCidr + name: V4IpCidr + type: string + - jsonPath: .status.v6IpCidr + name: V6IpCidr + type: string + - jsonPath: .status.ready + name: Ready + type: boolean schema: openAPIV3Schema: type: object 
@@ -1665,6 +1961,51 @@ spec: type: string type: object type: array + bfdPort: + properties: + enabled: + type: boolean + default: false + ip: + type: string + anyOf: + - pattern: ^$ + - pattern: ^(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])$ + - pattern: ^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))$ + - pattern: ^(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5]),((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))$ + - pattern: ^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:))),(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])$ + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + enum: + - In + - NotIn + - Exists + - DoesNotExist + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: 
+ type: string + type: object + type: object + type: object + x-kubernetes-validations: + - rule: "self.enabled == false || self.ip != ''" + message: 'Port IP must be set when BFD Port is enabled' type: object status: properties: @@ -1721,6 +2062,17 @@ spec: type: string sctpSessionLoadBalancer: type: string + bfdPort: + type: object + properties: + ip: + type: string + name: + type: string + nodes: + type: array + items: + type: string type: object type: object served: true @@ -1747,21 +2099,21 @@ spec: served: true storage: true additionalPrinterColumns: - - name: V4IP - type: string - jsonPath: .spec.v4IpAddress - - name: V6IP - type: string - jsonPath: .spec.v6IpAddress - - name: Mac - type: string - jsonPath: .spec.macAddress - - name: Node - type: string - jsonPath: .spec.nodeName - - name: Subnet - type: string - jsonPath: .spec.subnet + - name: V4IP + type: string + jsonPath: .spec.v4IpAddress + - name: V6IP + type: string + jsonPath: .spec.v6IpAddress + - name: Mac + type: string + jsonPath: .spec.macAddress + - name: Node + type: string + jsonPath: .spec.nodeName + - name: Subnet + type: string + jsonPath: .spec.subnet schema: openAPIV3Schema: type: object 
@@ -1828,27 +2180,27 @@ spec: served: true storage: true additionalPrinterColumns: - - name: V4IP - type: string - jsonPath: .status.v4ip - - name: V6IP - type: string - jsonPath: .status.v6ip - - name: Mac - type: string - jsonPath: .status.mac - - name: PMac - type: string - jsonPath: .spec.parentMac - - name: Subnet - type: string - jsonPath: .spec.subnet - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .status.type - name: Type - type: string + - name: V4IP + type: string + jsonPath: .status.v4ip + - name: V6IP + type: string + jsonPath: .status.v6ip + - name: Mac + type: string + jsonPath: .status.mac + - name: PMac + type: string + jsonPath: .spec.parentMac + - name: Subnet + type: string + jsonPath: .spec.subnet + - jsonPath: .status.ready + name: Ready + type: boolean + - jsonPath: .status.type + name: Type + type: string schema: openAPIV3Schema: type: object 
@@ -1936,51 +2288,51 @@ spec: subresources: status: {} additionalPrinterColumns: - - name: Provider - type: string - jsonPath: .spec.provider - - name: Vpc - type: string - jsonPath: .spec.vpc - - name: Vlan - type: string - jsonPath: .spec.vlan - - name: Protocol - type: string - jsonPath: .spec.protocol - - name: CIDR - type: string - jsonPath: .spec.cidrBlock - - name: Private - type: boolean - jsonPath: .spec.private - - name: NAT - type: boolean - jsonPath: .spec.natOutgoing - - name: Default - type: boolean - jsonPath: .spec.default - - name: GatewayType - type: string - jsonPath: .spec.gatewayType - - name: V4Used - type: number - jsonPath: .status.v4usingIPs - - name: V4Available - type: number - jsonPath: .status.v4availableIPs - - name: V6Used - type: number - jsonPath: .status.v6usingIPs - - name: V6Available - type: number - jsonPath: .status.v6availableIPs - - name: ExcludeIPs - type: string - jsonPath: .spec.excludeIps - - name: U2OInterconnectionIP - type: string - jsonPath: .status.u2oInterconnectionIP + - name: Provider + type: string + jsonPath: .spec.provider + - name: Vpc + type: string + jsonPath: .spec.vpc + - name: Vlan + type: string + jsonPath: .spec.vlan + - name: Protocol + type: string + jsonPath: .spec.protocol + - name: CIDR + type: string + jsonPath: .spec.cidrBlock + - name: Private + type: boolean + jsonPath: .spec.private + - name: NAT + type: boolean + jsonPath: .spec.natOutgoing + - name: Default + type: boolean + jsonPath: .spec.default + - name: GatewayType + type: string + jsonPath: .spec.gatewayType + - name: V4Used + type: number + jsonPath: .status.v4usingIPs + - name: V4Available + type: number + jsonPath: .status.v4availableIPs + - name: V6Used + type: number + jsonPath: .status.v6usingIPs + - name: V6Available + type: number + jsonPath: .status.v6availableIPs + - name: ExcludeIPs + type: string + jsonPath: .spec.excludeIps + - name: U2OInterconnectionIP + type: string + jsonPath: .status.u2oInterconnectionIP schema: 
openAPIV3Schema: type: object @@ -2014,6 +2366,10 @@ spec: type: string u2oInterconnectionVPC: type: string + mcastQuerierIP: + type: string + mcastQuerierMAC: + type: string v4usingIPrange: type: string v4availableIPrange: @@ -2194,6 +2550,28 @@ spec: type: boolean routeTable: type: string + namespaceSelectors: + type: array + items: + type: object + properties: + matchLabels: + type: object + additionalProperties: + type: string + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string scope: Cluster names: plural: subnets @@ -2215,24 +2593,24 @@ spec: subresources: status: {} additionalPrinterColumns: - - name: Subnet - type: string - jsonPath: .spec.subnet - - name: IPs - type: string - jsonPath: .spec.ips - - name: V4Used - type: number - jsonPath: .status.v4UsingIPs - - name: V4Available - type: number - jsonPath: .status.v4AvailableIPs - - name: V6Used - type: number - jsonPath: .status.v6UsingIPs - - name: V6Available - type: number - jsonPath: .status.v6AvailableIPs + - name: Subnet + type: string + jsonPath: .spec.subnet + - name: IPs + type: string + jsonPath: .spec.ips + - name: V4Used + type: number + jsonPath: .status.v4UsingIPs + - name: V4Available + type: number + jsonPath: .status.v4AvailableIPs + - name: V6Used + type: number + jsonPath: .status.v6UsingIPs + - name: V6Available + type: number + jsonPath: .status.v6AvailableIPs schema: openAPIV3Schema: type: object @@ -2350,12 +2728,12 @@ spec: items: type: string additionalPrinterColumns: - - name: ID - type: string - jsonPath: .spec.id - - name: Provider - type: string - jsonPath: .spec.provider + - name: ID + type: string + jsonPath: .spec.id + - name: Provider + type: string + jsonPath: .spec.provider scope: Cluster names: plural: vlans 
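Review bot: In the hunk at `@@ -2194,6 +2550,28 @@` the `namespaceSelectors[].matchExpressions[].operator` schema is a bare `type: string`, while every other selector added in this commit (the VpcEgressGateway nodeSelector and the bfdPort nodeSelector) pins `operator` with an enum, so a misspelled operator here passes admission and is only noticed by the controller. For consistency add `enum: [In, NotIn, Exists, DoesNotExist]` under `operator`, and `x-kubernetes-list-type: set` on `values` as the sibling schemas do.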
@@ -2454,12 +2832,12 @@ spec: lastTransitionTime: type: string additionalPrinterColumns: - - name: DefaultInterface - type: string - jsonPath: .spec.defaultInterface - - name: Ready - type: boolean - jsonPath: .status.ready + - name: DefaultInterface + type: string + jsonPath: .spec.defaultInterface + - name: Ready + type: boolean + jsonPath: .status.ready scope: Cluster names: plural: provider-networks @@ -2581,12 +2959,12 @@ spec: subresources: status: {} additionalPrinterColumns: - - jsonPath: .spec.shared - name: Shared - type: string - - jsonPath: .spec.bindingType - name: BindingType - type: string + - jsonPath: .spec.shared + name: Shared + type: string + - jsonPath: .spec.bindingType + name: BindingType + type: string schema: openAPIV3Schema: type: object diff --git a/charts/kube-ovn/templates/_helpers.tpl b/charts/kube-ovn/templates/_helpers.tpl index 1b9a0575479..0b203bed24a 100644 --- a/charts/kube-ovn/templates/_helpers.tpl +++ b/charts/kube-ovn/templates/_helpers.tpl 
@@ -1,3 +1,59 @@ +{/* +Expand the name of the chart. +*/}} +{{- define "kubeovn.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubeovn.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubeovn.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "kubeovn.labels" -}} +helm.sh/chart: {{ include "kubeovn.chart" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + + +{{/* +Create the name of the service account to use +*/}} +{{- define "kubeovn.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "kubeovn.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + + {{/* Get IP-addresses of master nodes */}} diff --git a/charts/kube-ovn/templates/agent/agent-clusterrole.yaml b/charts/kube-ovn/templates/agent/agent-clusterrole.yaml new file mode 100644 index 00000000000..cc0ada5f36e --- /dev/null +++ b/charts/kube-ovn/templates/agent/agent-clusterrole.yaml 
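Review bot: The first added line is `{/*`, a single brace, so `Expand the name of the chart.` is not a template comment but literal text up to the stray `*/}}`; it is harmless only because `_`-prefixed partials are not rendered as manifests, and it should read `{{/*` like the other comment blocks in this hunk. Also, the new `kubeovn.labels` helper is not used by any template visible in this diff — the agent and central manifests hard-code `app.kubernetes.io/name` and `app.kubernetes.io/part-of` — and `kubeovn.serviceAccountName` plus the `nameOverride`/`fullnameOverride` lookups presumably need matching keys in values.yaml, which is outside this diff.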
@@ -0,0 +1,89 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + rbac.authorization.k8s.io/system-only: "true" + {{- with .Values.agent.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.agent.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} + name: system:kube-ovn-cni +rules: + - apiGroups: + - "kubeovn.io" + resources: + - subnets + - vlans + - provider-networks + verbs: + - get + - list + - watch + - apiGroups: + - "" + - "kubeovn.io" + resources: + - ovn-eips + - ovn-eips/status + - nodes + - pods + verbs: + - get + - list + - patch + - watch + - apiGroups: + - "kubeovn.io" + resources: + - ips + verbs: + - get + - update + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - "certificates.k8s.io" + resources: + - "certificatesigningrequests" + verbs: + - "create" + - "get" + - "list" + - "watch" + - "delete" + - apiGroups: + - "" + resources: + - "secrets" + verbs: + - "get" \ No newline at end of file diff --git a/charts/kube-ovn/templates/agent/agent-clusterrolebinding.yaml b/charts/kube-ovn/templates/agent/agent-clusterrolebinding.yaml new file mode 100644 index 00000000000..319327cfc0c --- /dev/null +++ b/charts/kube-ovn/templates/agent/agent-clusterrolebinding.yaml 
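Review bot: The second rule puts `""` and `"kubeovn.io"` in one `apiGroups` list together with `nodes`, `pods`, `ovn-eips` and `ovn-eips/status`; RBAC expands a rule as the product of its groups, resources and verbs, so what reads as one grant actually gives the per-node CNI service account cluster-wide `patch` on core `pods` and `nodes`, and the rule should be split so the intended grant is explicit. The last rule grants `get` on `secrets` in every namespace, which for a DaemonSet token present on every node means any single node can read any Secret in the cluster by name; if the agent only needs its own TLS material, bind that read through a namespaced Role in `.Values.namespace` (as this commit already does for `extension-apiserver-authentication-reader`) or pin it with `resourceNames`. The mixed quoting (`"certificatesigningrequests"`, `"create"` versus bare names in the other rules) and the missing trailing newline are style nits worth cleaning in the same pass.
```yaml
  # … unchanged: kubeovn.io subnets/vlans/provider-networks rule …
  - apiGroups:
      - ""
    resources:
      - nodes
      - pods
    verbs:
      - get
      - list
      - patch
      - watch
  - apiGroups:
      - kubeovn.io
    resources:
      - ovn-eips
      - ovn-eips/status
    verbs:
      - get
      - list
      - patch
      - watch
  # … unchanged: ips, events, configmaps, tokenreviews, subjectaccessreviews, certificatesigningrequests rules …
  # Narrow the cluster-wide secret read; alternatively move it to a Role in .Values.namespace.
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - <SECRET-NAME-READ-BY-THE-AGENT>   # placeholder: take it from the daemonset volumes/env
    verbs:
      - get
```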
@@ -0,0 +1,21 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kube-ovn-cni + {{- with .Values.agent.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.agent.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + name: system:kube-ovn-cni + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: kube-ovn-cni + namespace: {{ .Values.namespace }} \ No newline at end of file diff --git a/charts/kube-ovn/templates/ovncni-ds.yaml b/charts/kube-ovn/templates/agent/agent-daemonset.yaml similarity index 92% rename from charts/kube-ovn/templates/ovncni-ds.yaml rename to charts/kube-ovn/templates/agent/agent-daemonset.yaml index 6537d225370..b7a903f90d3 100644 --- a/charts/kube-ovn/templates/ovncni-ds.yaml +++ b/charts/kube-ovn/templates/agent/agent-daemonset.yaml @@ -1,21 +1,33 @@ -kind: DaemonSet apiVersion: apps/v1 +kind: DaemonSet metadata: name: kube-ovn-cni namespace: {{ .Values.namespace }} + {{- with .Values.agent.annotations }} annotations: - kubernetes.io/description: | - This daemon set launches the kube-ovn cni daemon. + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.agent.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} spec: selector: matchLabels: - app: kube-ovn-cni + app.kubernetes.io/name: kube-ovn-cni + app.kubernetes.io/part-of: kube-ovn template: metadata: + {{- with .Values.agent.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} labels: - app: kube-ovn-cni - component: network - type: infra + app.kubernetes.io/name: kube-ovn-cni + app.kubernetes.io/part-of: kube-ovn + {{- with .Values.agent.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: tolerations: - effect: NoSchedule 
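Review bot: In the agent-daemonset.yaml hunk at `@@ -1,21 +1,33 @@`, `spec.selector.matchLabels` changes from `app: kube-ovn-cni` to the `app.kubernetes.io/name`/`app.kubernetes.io/part-of` pair, and that field is immutable on apps/v1 DaemonSets, so `helm upgrade` of an existing 1.x release will be rejected by the API server with a field-is-immutable error unless the DaemonSet is deleted and recreated first. The ovn-central Deployment in the hunk at `@@ -15,13 +19,20 @@` of central-deployment.yaml makes the same selector change and is subject to the same constraint. Adding the new keys next to the old one does not help, because any change to the selector is rejected; either keep the selector as `app: kube-ovn-cni` and put the new labels on the pod template only, or state in the chart's upgrade notes that both workloads must be recreated (the bump to chart version 2.0.0 suggests a breaking upgrade is intended, but nothing in this diff documents it).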
@@ -39,9 +51,7 @@ spec: chown -R nobody: /var/log/kube-ovn chmod g+r /run/xtables.lock chmod g+w /var/run/netns - {{- if not .Values.DISABLE_MODULES_MANAGEMENT }} iptables -V - {{- end }} securityContext: allowPrivilegeEscalation: true capabilities: @@ -130,9 +140,6 @@ spec: - NET_RAW - SYS_ADMIN - CAP_SYS_PTRACE - {{- if not .Values.DISABLE_MODULES_MANAGEMENT }} - - SYS_MODULE - {{- end }} - SYS_NICE env: - name: ENABLE_SSL @@ -216,13 +223,10 @@ spec: - --port=10665 - --tls={{- .Values.func.SECURE_SERVING }} timeoutSeconds: 5 + {{- with .Values.agent.resources }} resources: - requests: - cpu: {{ index .Values "kube-ovn-cni" "requests" "cpu" }} - memory: {{ index .Values "kube-ovn-cni" "requests" "memory" }} - limits: - cpu: {{ index .Values "kube-ovn-cni" "limits" "cpu" }} - memory: {{ index .Values "kube-ovn-cni" "limits" "memory" }} + {{- toYaml . | trim | nindent 10 }} + {{- end }} nodeSelector: kubernetes.io/os: "linux" volumes: diff --git a/charts/kube-ovn/templates/agent/agent-rolebinding.yaml b/charts/kube-ovn/templates/agent/agent-rolebinding.yaml new file mode 100644 index 00000000000..0e91181e159 --- /dev/null +++ b/charts/kube-ovn/templates/agent/agent-rolebinding.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kube-ovn-cni + namespace: {{ .Values.namespace }} + {{- with .Values.agent.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.agent.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - kind: ServiceAccount + name: kube-ovn-cni + namespace: {{ .Values.namespace }} \ No newline at end of file diff --git a/charts/kube-ovn/templates/agent/agent-service.yaml b/charts/kube-ovn/templates/agent/agent-service.yaml new file mode 100644 index 00000000000..f838f0a2210 --- /dev/null 
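Review bot: In the hunk at `@@ -216,13 +223,10 @@` the `resources:` block is emitted only inside `{{- with .Values.agent.resources }}`, whereas the old template always rendered requests and limits from the `kube-ovn-cni` values; if values.yaml (outside this diff) does not populate `agent.resources` by default, the CNI pods run with no requests or limits. Worth confirming the defaults were migrated, and the same applies to `central.resources` in the hunk at `@@ -111,13 +122,10 @@` of central-deployment.yaml. Dropping the conditional `SYS_MODULE` capability at `@@ -130,9 +140,6 @@` is a welcome reduction of the agent's privileges, but `iptables -V` at `@@ -39,9 +51,7 @@` is now run unconditionally, so installations that relied on `DISABLE_MODULES_MANAGEMENT` to skip it should be checked against the rest of that init script, which lies outside the hunk.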
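Review bot: The new agent-rolebinding.yaml creates the RoleBinding in `{{ .Values.namespace }}` but its `roleRef` is the Role `extension-apiserver-authentication-reader`, which exists only in kube-system, and a RoleBinding can only reference a Role in its own namespace; when the chart is installed into any other namespace the binding is accepted but grants nothing, and the agent silently loses the ConfigMap read this Role provides (presumably needed for the delegated authentication implied by the tokenreviews/subjectaccessreviews grants in agent-clusterrole.yaml). Hard-code the binding's location with `namespace: kube-system` under `metadata`, keeping `namespace: {{ .Values.namespace }}` only for the ServiceAccount subject. If the chart is only ever installed into kube-system this is moot, but `.Values.namespace` being a knob suggests it is not.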
+++ b/charts/kube-ovn/templates/agent/agent-service.yaml @@ -0,0 +1,23 @@ +kind: Service +apiVersion: v1 +metadata: + name: kube-ovn-cni + namespace: {{ .Values.namespace }} + {{- with .Values.agent.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.agent.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + app.kubernetes.io/name: kube-ovn-cni + app.kubernetes.io/part-of: kube-ovn + ports: + - port: {{ .Values.agent.metrics.port }} + name: metrics + {{- if eq .Values.networking.NET_STACK "dual_stack" }} + ipFamilyPolicy: PreferDualStack + {{- end }} diff --git a/charts/kube-ovn/templates/agent/agent-serviceaccount.yaml b/charts/kube-ovn/templates/agent/agent-serviceaccount.yaml new file mode 100644 index 00000000000..1caecb5159a --- /dev/null +++ b/charts/kube-ovn/templates/agent/agent-serviceaccount.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-ovn-cni + namespace: {{ .Values.namespace }} + {{- with .Values.agent.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.agent.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- if .Values.global.registry.imagePullSecrets }} +imagePullSecrets: +{{- range $index, $secret := .Values.global.registry.imagePullSecrets }} +{{- if $secret }} + - name: {{ $secret | quote}} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kube-ovn/templates/api-nad/apiNad.yaml b/charts/kube-ovn/templates/api-nad/apiNad.yaml new file mode 100644 index 00000000000..f2e9cf26af9 --- /dev/null +++ b/charts/kube-ovn/templates/api-nad/apiNad.yaml 
@@ -0,0 +1,14 @@ +{{- if .Values.apiNad.enabled }} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ .Values.apiNad.name }} + namespace: {{ .Values.namespace }} +spec: + config: '{ + "cniVersion": "0.3.0", + "type": "kube-ovn", + "server_socket": "/run/openvswitch/kube-ovn-daemon.sock", + "provider": "{{ tpl .Values.apiNad.provider . }}" + }' +{{- end }} \ No newline at end of file diff --git a/charts/kube-ovn/templates/api-nad/apiSubnet.yaml b/charts/kube-ovn/templates/api-nad/apiSubnet.yaml new file mode 100644 index 00000000000..872f13482e5 --- /dev/null +++ b/charts/kube-ovn/templates/api-nad/apiSubnet.yaml @@ -0,0 +1,11 @@ +{{- if .Values.apiNad.enabled }} +apiVersion: kubeovn.io/v1 +kind: Subnet +metadata: + name: {{ .Values.apiNad.subnet.name }} + namespace: {{ .Values.namespace }} +spec: + protocol: {{ .Values.apiNad.subnet.protocol }} + cidrBlock: {{ .Values.apiNad.subnet.cidrBlock }} + provider: {{ tpl .Values.apiNad.provider . }} +{{- end }} \ No newline at end of file diff --git a/charts/kube-ovn/templates/central-deploy.yaml b/charts/kube-ovn/templates/central/central-deployment.yaml similarity index 87% rename from charts/kube-ovn/templates/central-deploy.yaml rename to charts/kube-ovn/templates/central/central-deployment.yaml index bbc1e09d316..2e486335bdb 100644 --- a/charts/kube-ovn/templates/central-deploy.yaml +++ b/charts/kube-ovn/templates/central/central-deployment.yaml @@ -2,10 +2,14 @@ kind: Deployment apiVersion: apps/v1 metadata: name: ovn-central - namespace: {{ .Values.namespace }} + {{- with .Values.central.annotations }} annotations: - kubernetes.io/description: | - OVN components: northd, nb and sb. + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.central.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} spec: replicas: {{ include "kubeovn.nodeCount" . }} strategy: 
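Review bot: `provider` in apiNad.yaml is interpolated raw into a single-quoted YAML scalar that holds JSON, so any `apiNad.provider` value (after `tpl`) containing `'` or `"` breaks both the YAML and the CNI config, and apiSubnet.yaml likewise emits `provider`, `protocol` and `cidrBlock` unquoted. Let the template engine do the escaping: `config: {{ dict "cniVersion" "0.3.0" "type" "kube-ovn" "server_socket" "/run/openvswitch/kube-ovn-daemon.sock" "provider" (tpl .Values.apiNad.provider .) | toJson | quote }}` in the NetworkAttachmentDefinition and `provider: {{ tpl .Values.apiNad.provider . | quote }}` in the Subnet. Both new files also lack a trailing newline.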
@@ -15,13 +19,20 @@ spec: type: RollingUpdate selector: matchLabels: - app: ovn-central + app.kubernetes.io/name: ovn-central + app.kubernetes.io/part-of: kube-ovn template: metadata: + {{- with .Values.central.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} labels: - app: ovn-central - component: network - type: infra + app.kubernetes.io/name: ovn-central + app.kubernetes.io/part-of: kube-ovn + {{- with .Values.central.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: tolerations: - effect: NoSchedule @@ -35,7 +46,7 @@ spec: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: - app: ovn-central + app.kubernetes.io/name: ovn-central topologyKey: kubernetes.io/hostname priorityClassName: system-cluster-critical serviceAccountName: ovn-ovs @@ -111,13 +122,10 @@ spec: value: "{{ .Values.networking.ENABLE_COMPACT }}" - name: OVN_VERSION_COMPATIBILITY value: '{{ include "kubeovn.ovn.versionCompatibility" . }}' + {{- with .Values.central.resources }} resources: - requests: - cpu: {{ index .Values "ovn-central" "requests" "cpu" }} - memory: {{ index .Values "ovn-central" "requests" "memory" }} - limits: - cpu: {{ index .Values "ovn-central" "limits" "cpu" }} - memory: {{ index .Values "ovn-central" "limits" "memory" }} + {{- toYaml . | trim | nindent 12 }} + {{- end }} volumeMounts: - mountPath: /var/run/ovn name: host-run-ovn diff --git a/charts/kube-ovn/templates/nb-svc.yaml b/charts/kube-ovn/templates/central/northbound-service.yaml similarity index 57% rename from charts/kube-ovn/templates/nb-svc.yaml rename to charts/kube-ovn/templates/central/northbound-service.yaml index 43992e91c6a..f0c37b0e7fe 100644 --- a/charts/kube-ovn/templates/nb-svc.yaml +++ b/charts/kube-ovn/templates/central/northbound-service.yaml 
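Review bot: Changing `spec.selector.matchLabels` of the ovn-central Deployment from `app: ovn-central` to the `app.kubernetes.io/*` keys cannot be applied in place: a Deployment's selector is immutable, so `helm upgrade` from the 1.x chart will fail with a "field is immutable" error until the object is deleted, and every Deployment and DaemonSet in this change (controller, monitor, ovs-ovn, ovs-ovn-dpdk, pinger) makes the same switch. The major chart version bump suggests this is intended, but nothing in the templates deals with it. Either keep the legacy `app:` key in both `matchLabels` and the pod labels for one release, or add a pre-upgrade hook or NOTES/README text that recreates the workloads; ovn-central and ovs-ovn carry OVN database state on hostPath volumes, so the recreation path needs to be stated explicitly.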
@@ -3,6 +3,14 @@ apiVersion: v1 metadata: name: ovn-nb namespace: {{ .Values.namespace }} + {{- with .Values.central.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.central.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} spec: ports: - name: ovn-nb @@ -14,6 +22,7 @@ spec: ipFamilyPolicy: PreferDualStack {{- end }} selector: - app: ovn-central + app.kubernetes.io/name: ovn-central + app.kubernetes.io/part-of: kube-ovn ovn-nb-leader: "true" sessionAffinity: None diff --git a/charts/kube-ovn/templates/northd-svc.yaml b/charts/kube-ovn/templates/central/northd-service.yaml similarity index 58% rename from charts/kube-ovn/templates/northd-svc.yaml rename to charts/kube-ovn/templates/central/northd-service.yaml index cec072330b0..571bc5542ae 100644 --- a/charts/kube-ovn/templates/northd-svc.yaml +++ b/charts/kube-ovn/templates/central/northd-service.yaml @@ -3,6 +3,14 @@ apiVersion: v1 metadata: name: ovn-northd namespace: {{ .Values.namespace }} + {{- with .Values.central.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.central.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} spec: ports: - name: ovn-northd @@ -14,6 +22,7 @@ spec: ipFamilyPolicy: PreferDualStack {{- end }} selector: - app: ovn-central + app.kubernetes.io/name: ovn-central + app.kubernetes.io/part-of: kube-ovn ovn-northd-leader: "true" sessionAffinity: None diff --git a/charts/kube-ovn/templates/sb-svc.yaml b/charts/kube-ovn/templates/central/southbound-service.yaml similarity index 57% rename from charts/kube-ovn/templates/sb-svc.yaml rename to charts/kube-ovn/templates/central/southbound-service.yaml index 36a4a27ab0c..87f726f5e8d 100644 --- a/charts/kube-ovn/templates/sb-svc.yaml +++ b/charts/kube-ovn/templates/central/southbound-service.yaml 
@@ -3,6 +3,14 @@ apiVersion: v1 metadata: name: ovn-sb namespace: {{ .Values.namespace }} + {{- with .Values.central.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.central.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} spec: ports: - name: ovn-sb @@ -14,6 +22,7 @@ spec: ipFamilyPolicy: PreferDualStack {{- end }} selector: - app: ovn-central + app.kubernetes.io/name: ovn-central + app.kubernetes.io/part-of: kube-ovn ovn-sb-leader: "true" sessionAffinity: None diff --git a/charts/kube-ovn/templates/controller-svc.yaml b/charts/kube-ovn/templates/controller-svc.yaml deleted file mode 100644 index b4d39619d94..00000000000 --- a/charts/kube-ovn/templates/controller-svc.yaml +++ /dev/null @@ -1,16 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: kube-ovn-controller - namespace: {{ .Values.namespace }} - labels: - app: kube-ovn-controller -spec: - selector: - app: kube-ovn-controller - ports: - - port: 10660 - name: metrics - {{- if eq .Values.networking.NET_STACK "dual_stack" }} - ipFamilyPolicy: PreferDualStack - {{- end }} diff --git a/charts/kube-ovn/templates/controller-deploy.yaml b/charts/kube-ovn/templates/controller/controller-deployment.yaml similarity index 87% rename from charts/kube-ovn/templates/controller-deploy.yaml rename to charts/kube-ovn/templates/controller/controller-deployment.yaml index eaa4c3dc5a0..eaa101bcdde 100644 --- a/charts/kube-ovn/templates/controller-deploy.yaml +++ b/charts/kube-ovn/templates/controller/controller-deployment.yaml 
@@ -1,16 +1,22 @@ -kind: Deployment apiVersion: apps/v1 +kind: Deployment metadata: name: kube-ovn-controller namespace: {{ .Values.namespace }} + {{- with .Values.controller.annotations }} annotations: - kubernetes.io/description: | - kube-ovn controller + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.controller.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} spec: replicas: {{ include "kubeovn.nodeCount" . }} selector: matchLabels: - app: kube-ovn-controller + app.kubernetes.io/name: kube-ovn-controller + app.kubernetes.io/part-of: kube-ovn strategy: rollingUpdate: maxSurge: 0% @@ -18,10 +24,16 @@ spec: type: RollingUpdate template: metadata: + {{- with .Values.controller.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} labels: - app: kube-ovn-controller - component: network - type: infra + app.kubernetes.io/name: kube-ovn-controller + app.kubernetes.io/part-of: kube-ovn + {{- with .Values.controller.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: tolerations: - effect: NoSchedule @@ -42,7 +54,7 @@ spec: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: - app: kube-ovn-controller + app.kubernetes.io/name: kube-ovn-controller topologyKey: kubernetes.io/hostname priorityClassName: system-cluster-critical serviceAccountName: ovn 
@@ -136,6 +148,11 @@ spec: - --node-local-dns-ip={{- .Values.networking.NODE_LOCAL_DNS_IP }} - --secure-serving={{- .Values.func.SECURE_SERVING }} - --enable-ovn-ipsec={{- .Values.func.ENABLE_OVN_IPSEC }} + - --enable-anp={{- .Values.func.ENABLE_ANP }} + - --ovsdb-con-timeout={{- .Values.func.OVSDB_CON_TIMEOUT }} + - --ovsdb-inactivity-timeout={{- .Values.func.OVSDB_INACTIVITY_TIMEOUT }} + - --enable-live-migration-optimize={{- .Values.func.ENABLE_LIVE_MIGRATION_OPTIMIZE }} + - --image={{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} securityContext: runAsUser: {{ include "kubeovn.runAsUser" . }} privileged: false @@ -202,13 +219,10 @@ spec: periodSeconds: 7 failureThreshold: 5 timeoutSeconds: 5 + {{- with .Values.controller.resources }} resources: - requests: - cpu: {{ index .Values "kube-ovn-controller" "requests" "cpu" }} - memory: {{ index .Values "kube-ovn-controller" "requests" "memory" }} - limits: - cpu: {{ index .Values "kube-ovn-controller" "limits" "cpu" }} - memory: {{ index .Values "kube-ovn-controller" "limits" "memory" }} + {{- toYaml . | trim | nindent 12 }} + {{- end }} nodeSelector: kubernetes.io/os: "linux" volumes: diff --git a/charts/kube-ovn/templates/controller/controller-service.yaml b/charts/kube-ovn/templates/controller/controller-service.yaml new file mode 100644 index 00000000000..0027bd8e4d8 --- /dev/null +++ b/charts/kube-ovn/templates/controller/controller-service.yaml 
@@ -0,0 +1,23 @@ +kind: Service +apiVersion: v1 +metadata: + name: kube-ovn-controller + namespace: {{ .Values.namespace }} + {{- with .Values.controller.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.controller.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + app.kubernetes.io/name: kube-ovn-controller + app.kubernetes.io/part-of: kube-ovn + ports: + - port: {{ .Values.controller.metrics.port }} + name: metrics + {{- if eq .Values.networking.NET_STACK "dual_stack" }} + ipFamilyPolicy: PreferDualStack + {{- end }} diff --git a/charts/kube-ovn/templates/pre-delete-hook.yaml b/charts/kube-ovn/templates/hooks/pre-delete-hook.yaml similarity index 100% rename from charts/kube-ovn/templates/pre-delete-hook.yaml rename to charts/kube-ovn/templates/hooks/pre-delete-hook.yaml diff --git a/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml b/charts/kube-ovn/templates/hooks/upgrade-ovs-ovn.yaml similarity index 100% rename from charts/kube-ovn/templates/upgrade-ovs-ovn.yaml rename to charts/kube-ovn/templates/hooks/upgrade-ovs-ovn.yaml diff --git a/charts/kube-ovn/templates/ic-controller-deploy.yaml b/charts/kube-ovn/templates/ic-controller-deploy.yaml index acb446ddd42..4dec76ee163 100644 --- a/charts/kube-ovn/templates/ic-controller-deploy.yaml +++ b/charts/kube-ovn/templates/ic-controller-deploy.yaml @@ -88,7 +88,7 @@ spec: fieldRef: fieldPath: metadata.namespace - name: OVN_DB_IPS - value: "{{ .Values.MASTER_NODES }}" + value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}" resources: requests: cpu: 300m diff --git a/charts/kube-ovn/templates/misc/extra-objects.yaml b/charts/kube-ovn/templates/misc/extra-objects.yaml new file mode 100644 index 00000000000..955c306e893 --- /dev/null +++ b/charts/kube-ovn/templates/misc/extra-objects.yaml 
@@ -0,0 +1,8 @@ +{{ range .Values.extraObjects }} +--- +{{ if typeIs "string" . }} + {{- tpl . $ }} +{{- else }} + {{- tpl (toYaml .) $ }} +{{- end }} +{{ end }} diff --git a/charts/kube-ovn/templates/monitor-svc.yaml b/charts/kube-ovn/templates/monitor-svc.yaml deleted file mode 100644 index 1ad1800d84b..00000000000 --- a/charts/kube-ovn/templates/monitor-svc.yaml +++ /dev/null @@ -1,18 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: kube-ovn-monitor - namespace: {{ .Values.namespace }} - labels: - app: kube-ovn-monitor -spec: - ports: - - name: metrics - port: 10661 - type: ClusterIP - selector: - app: kube-ovn-monitor - sessionAffinity: None - {{- if eq .Values.networking.NET_STACK "dual_stack" }} - ipFamilyPolicy: PreferDualStack - {{- end }} diff --git a/charts/kube-ovn/templates/monitor-deploy.yaml b/charts/kube-ovn/templates/monitor/monitor-deployment.yaml similarity index 86% rename from charts/kube-ovn/templates/monitor-deploy.yaml rename to charts/kube-ovn/templates/monitor/monitor-deployment.yaml index 0bb2f4d4be7..58d6832e93c 100644 --- a/charts/kube-ovn/templates/monitor-deploy.yaml +++ b/charts/kube-ovn/templates/monitor/monitor-deployment.yaml @@ -3,9 +3,14 @@ apiVersion: apps/v1 metadata: name: kube-ovn-monitor namespace: {{ .Values.namespace }} + {{- with .Values.monitor.annotations }} annotations: - kubernetes.io/description: | - Metrics for OVN components: northd, nb and sb. + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.monitor.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} spec: replicas: 1 strategy: 
@@ -15,13 +20,20 @@ spec: type: RollingUpdate selector: matchLabels: - app: kube-ovn-monitor + app.kubernetes.io/name: kube-ovn-monitor + app.kubernetes.io/part-of: kube-ovn template: metadata: + {{- with .Values.monitor.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} labels: - app: kube-ovn-monitor - component: network - type: infra + app.kubernetes.io/name: kube-ovn-monitor + app.kubernetes.io/part-of: kube-ovn + {{- with .Values.monitor.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: tolerations: - effect: NoSchedule @@ -33,7 +45,7 @@ spec: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: - app: kube-ovn-monitor + app.kubernetes.io/name: kube-ovn-monitor topologyKey: kubernetes.io/hostname priorityClassName: system-cluster-critical serviceAccountName: kube-ovn-app @@ -98,13 +110,10 @@ spec: fieldPath: status.podIPs - name: ENABLE_BIND_LOCAL_IP value: "{{- .Values.func.ENABLE_BIND_LOCAL_IP }}" + {{- with .Values.monitor.resources }} resources: - requests: - cpu: {{ index .Values "kube-ovn-monitor" "requests" "cpu" }} - memory: {{ index .Values "kube-ovn-monitor" "requests" "memory" }} - limits: - cpu: {{ index .Values "kube-ovn-monitor" "limits" "cpu" }} - memory: {{ index .Values "kube-ovn-monitor" "limits" "memory" }} + {{- toYaml . | trim | nindent 12 }} + {{- end }} volumeMounts: - mountPath: /var/run/ovn name: host-run-ovn diff --git a/charts/kube-ovn/templates/monitor/monitor-service.yaml b/charts/kube-ovn/templates/monitor/monitor-service.yaml new file mode 100644 index 00000000000..d8431543b23 --- /dev/null +++ b/charts/kube-ovn/templates/monitor/monitor-service.yaml 
@@ -0,0 +1,25 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: kube-ovn-monitor
+ namespace: {{ .Values.namespace }}
+ {{- with .Values.monitor.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.monitor.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ports:
+ - name: metrics
+ port: {{ .Values.monitor.metrics.port }}
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/name: kube-ovn-monitor
+ app.kubernetes.io/part-of: kube-ovn
+ sessionAffinity: None
+ {{- if eq .Values.networking.NET_STACK "dual_stack" }}
+ ipFamilyPolicy: PreferDualStack
+ {{- end }}
diff --git a/charts/kube-ovn/templates/nat-gw/rbac.yaml b/charts/kube-ovn/templates/nat-gw/rbac.yaml
new file mode 100644
index 00000000000..14d8ec6421d
--- /dev/null
+++ b/charts/kube-ovn/templates/nat-gw/rbac.yaml
@@ -0,0 +1,47 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:vpc-nat-gw
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - pods
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - kubeovn.io
+ resources:
+ - iptables-eips
+ - subnets
+ - vpc-nat-gateways
+ verbs:
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: vpc-nat-gw
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:vpc-nat-gw
+subjects:
+ - kind: ServiceAccount
+ name: vpc-nat-gw
+ namespace: {{ .Values.namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vpc-nat-gw
+ namespace: {{ .Values.namespace }}
\ No newline at end of file
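Review bot: The `kubernetes.io/bootstrapping: rbac-defaults` label on ClusterRole `system:vpc-nat-gw` and the `rbac.authorization.kubernetes.io/autoupdate: "true"` annotation on its binding are markers reserved for the API server's built-in bootstrap RBAC policy, not for chart-managed objects; they misstate who owns these rules (Helm does) and, together with the `system:` prefix, make the role look like it ships with Kubernetes to anyone auditing RBAC. Drop the label and annotation and name the role after the chart, e.g. `name: kube-ovn-vpc-nat-gw`. The ServiceAccount `vpc-nat-gw` is only created in `{{ .Values.namespace }}`; if NAT-gateway pods run in user namespaces (not visible in this diff) they would need a per-namespace account, so a comment stating which namespace the gateway pods are expected in would help. The file also lacks a trailing newline.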
diff --git a/charts/kube-ovn/templates/vpc-nat-config.yaml b/charts/kube-ovn/templates/nat-gw/vpc-nat-config.yaml similarity index 52% rename from charts/kube-ovn/templates/vpc-nat-config.yaml rename to charts/kube-ovn/templates/nat-gw/vpc-nat-config.yaml index c005bec1d3b..9ff4d8ebedf 100755 --- a/charts/kube-ovn/templates/vpc-nat-config.yaml +++ b/charts/kube-ovn/templates/nat-gw/vpc-nat-config.yaml @@ -3,17 +3,23 @@ apiVersion: v1 metadata: name: ovn-vpc-nat-config namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - kube-ovn vpc-nat common config data: image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.vpcRepository }}:{{ .Values.global.images.kubeovn.tag }} + {{- with .Values.natGw.bgpSpeaker.image }} + bgpSpeakerImage: {{ .repository }}:{{ .tag }} + {{- end }} + {{- with .Values.natGw.bgpSpeaker.apiNadProvider }} + apiNadProvider: {{ tpl . $ }} + {{- end }} + {{- with .Values.natGw.namePrefix }} + natGwNamePrefix: {{ . | quote }} + {{- end }} --- kind: ConfigMap apiVersion: v1 metadata: name: ovn-vpc-nat-gw-config - namespace: kube-system + namespace: {{ .Values.namespace }} data: enable-vpc-nat-gw: "{{ .Values.func.ENABLE_NAT_GW }}" \ No newline at end of file diff --git a/charts/kube-ovn/templates/ovn-CR.yaml b/charts/kube-ovn/templates/ovn-CR.yaml index 856c9cd5b86..bde9e248d8b 100644 --- a/charts/kube-ovn/templates/ovn-CR.yaml +++ b/charts/kube-ovn/templates/ovn-CR.yaml @@ -13,6 +13,8 @@ rules: - vpcs/status - vpc-nat-gateways - vpc-nat-gateways/status + - vpc-egress-gateways + - vpc-egress-gateways/status - subnets - subnets/status - ippools @@ -98,6 +100,18 @@ rules: - daemonsets verbs: - get + - apiGroups: + - apps + resources: + - deployments + - deployments/scale + verbs: + - get + - list + - watch + - create + - update + - delete - apiGroups: - "" resources: @@ -124,8 +138,6 @@ rules: - apps resources: - statefulsets - - deployments - - deployments/scale verbs: - get - list 
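Review bot: The new `apps` rule gives the `ovn` ClusterRole cluster-wide `create`, `update` and `delete` on `deployments` and `deployments/scale`, whereas the earlier combined `statefulsets`/`deployments` rule it was split from carried only read verbs. Because a Deployment's pod template may name any ServiceAccount in its namespace, cluster-wide Deployment creation effectively lets the holder of the `ovn` token run workloads as every SA in the cluster, a well-known RBAC escalation path; presumably this is needed for the VpcEgressGateway workloads the new CRD introduces and the `--image=` flag now handed to the controller. Add a comment above the rule naming the feature that requires it, and if gateway Deployments are only ever created in the chart namespace, prefer a namespaced Role/RoleBinding for the write verbs. The unrestricted `secrets` get/create rule further down the same ClusterRole makes this token all the more valuable.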
@@ -175,149 +187,81 @@ rules: - subjectaccessreviews verbs: - create - - apiGroups: + - apiGroups: - "certificates.k8s.io" - resources: + resources: - "certificatesigningrequests" - verbs: + verbs: - "get" - "list" - "watch" - apiGroups: - - certificates.k8s.io + - certificates.k8s.io resources: - - certificatesigningrequests/status - - certificatesigningrequests/approval + - certificatesigningrequests/status + - certificatesigningrequests/approval verbs: - - update + - update - apiGroups: - - "" + - "" resources: - - secrets + - secrets verbs: - - get - - create + - get + - create - apiGroups: - - certificates.k8s.io + - certificates.k8s.io resourceNames: - - kubeovn.io/signer + - kubeovn.io/signer resources: - - signers + - signers verbs: - - approve - - sign ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:ovn-ovs -rules: + - approve + - sign - apiGroups: - - "" + - kubevirt.io resources: - - pods + - virtualmachineinstancemigrations verbs: - - get - - patch - - apiGroups: - - "" - resources: - - services - - endpoints - verbs: - - get + - "list" + - "watch" + - "get" - apiGroups: - - apps + - apiextensions.k8s.io resources: - - controllerrevisions + - customresourcedefinitions verbs: - get - - list - --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.k8s.io/system-only: "true" - name: system:kube-ovn-cni + name: system:ovn-ovs rules: - - apiGroups: - - "kubeovn.io" - resources: - - subnets - - vlans - - provider-networks - verbs: - - get - - list - - watch - apiGroups: - "" - - "kubeovn.io" resources: - - ovn-eips - - ovn-eips/status - - nodes - pods verbs: - get - - list - patch - - watch - - apiGroups: - - "kubeovn.io" - resources: - - ips - verbs: - - get - - update - apiGroups: - "" resources: - - events + - services + - endpoints verbs: - - create - - patch - - update + - get - apiGroups: - - "" + - 
apps resources: - - configmaps + - controllerrevisions verbs: - get - list - - watch - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - - apiGroups: - - "certificates.k8s.io" - resources: - - "certificatesigningrequests" - verbs: - - "create" - - "get" - - "list" - - "watch" - - "delete" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" + --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/charts/kube-ovn/templates/ovn-CRB.yaml b/charts/kube-ovn/templates/ovn-CRB.yaml index 7cc43d84e51..1b7d706b7f7 100644 --- a/charts/kube-ovn/templates/ovn-CRB.yaml +++ b/charts/kube-ovn/templates/ovn-CRB.yaml @@ -41,33 +41,6 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding -metadata: - name: kube-ovn-cni -roleRef: - name: system:kube-ovn-cni - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: kube-ovn-cni - namespace: {{ .Values.namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: kube-ovn-cni - namespace: {{ .Values.namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: - - kind: ServiceAccount - name: kube-ovn-cni - namespace: {{ .Values.namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding metadata: name: kube-ovn-app roleRef: diff --git a/charts/kube-ovn/templates/ovn-sa.yaml b/charts/kube-ovn/templates/ovn-sa.yaml index 17b4a92f784..95d8f9e492e 100644 --- a/charts/kube-ovn/templates/ovn-sa.yaml +++ b/charts/kube-ovn/templates/ovn-sa.yaml 
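Review bot: This hunk deletes every rule of ClusterRole `system:kube-ovn-cni` (subnets, vlans, provider-networks, ovn-eips, nodes, pods patch, ips update, events, configmaps, tokenreviews, subjectaccessreviews, CSR create/delete, secrets get) and ovn-CRB.yaml drops its ClusterRoleBinding, yet within this chunk the recreated kube-ovn-cni ServiceAccount only receives the extension-apiserver-authentication-reader RoleBinding. If the rules moved to a templates/agent/ file outside this diff that is fine; otherwise the agent loses all its API access. Please confirm, and in either case give the rebuilt role a header comment mapping each grant to the agent behaviour that needs it, since the deleted list is the only audit trail of what this SYS_ADMIN-bearing daemon asks of the API. Separately, the new kubevirt rule quotes its verbs (`"list"`, `"watch"`, `"get"`) while the neighbouring rules do not; pick one style.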
@@ -18,13 +18,14 @@ kind: ServiceAccount metadata: name: ovn-ovs namespace: {{ .Values.namespace }} - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-ovn-cni - namespace: {{ .Values.namespace }} +{{- if .Values.global.registry.imagePullSecrets }} +imagePullSecrets: +{{- range $index, $secret := .Values.global.registry.imagePullSecrets }} +{{- if $secret }} + - name: {{ $secret | quote}} +{{- end }} +{{- end }} +{{- end }} --- apiVersion: v1 @@ -32,3 +33,11 @@ kind: ServiceAccount metadata: name: kube-ovn-app namespace: {{ .Values.namespace }} +{{- if .Values.global.registry.imagePullSecrets }} +imagePullSecrets: +{{- range $index, $secret := .Values.global.registry.imagePullSecrets }} +{{- if $secret }} + - name: {{ $secret | quote}} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/kube-ovn/templates/ovncni-svc.yaml b/charts/kube-ovn/templates/ovncni-svc.yaml deleted file mode 100644 index e1c47c806f8..00000000000 --- a/charts/kube-ovn/templates/ovncni-svc.yaml +++ /dev/null @@ -1,16 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: kube-ovn-cni - namespace: {{ .Values.namespace }} - labels: - app: kube-ovn-cni -spec: - selector: - app: kube-ovn-cni - ports: - - port: 10665 - name: metrics - {{- if eq .Values.networking.NET_STACK "dual_stack" }} - ipFamilyPolicy: PreferDualStack - {{- end }} diff --git a/charts/kube-ovn/templates/ovsovn-ds.yaml b/charts/kube-ovn/templates/ovs-ovn/ovs-ovn-daemonset.yaml similarity index 81% rename from charts/kube-ovn/templates/ovsovn-ds.yaml rename to charts/kube-ovn/templates/ovs-ovn/ovs-ovn-daemonset.yaml index 33fa06d3685..6e9faeb9575 100644 --- a/charts/kube-ovn/templates/ovsovn-ds.yaml +++ b/charts/kube-ovn/templates/ovs-ovn/ovs-ovn-daemonset.yaml 
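Review bot: The imagePullSecrets loop is now copy-pasted into ovn-ovs and kube-ovn-app here and into kube-ovn-cni in agent-serviceaccount.yaml, so any change to how secret names are filtered or quoted must be repeated in three places. Factor it into a named template in _helpers.tpl, e.g. `{{- define "kubeovn.imagePullSecrets" -}}` wrapping the existing `{{- if .Values.global.registry.imagePullSecrets }}` block, and call `{{- include "kubeovn.imagePullSecrets" . }}` from each ServiceAccount. The `{{ $secret | quote}}` spacing is also inconsistent with the rest of the chart.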
@@ -3,14 +3,19 @@ apiVersion: apps/v1 metadata: name: ovs-ovn namespace: {{ .Values.namespace }} + {{- with .Values.ovsOvn.annotations }} annotations: - kubernetes.io/description: | - This daemon set launches the openvswitch daemon. - chart-version: "{{ .Chart.Name }}-{{ .Chart.Version }}" + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.ovsOvn.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} spec: selector: matchLabels: - app: ovs + app.kubernetes.io/name: kube-ovn-ovs + app.kubernetes.io/part-of: kube-ovn updateStrategy: type: {{ include "kubeovn.ovs-ovn.updateStrategy" . }} rollingUpdate: @@ -18,12 +23,16 @@ spec: maxUnavailable: 0 template: metadata: - labels: - app: ovs - component: network - type: infra + {{- with .Values.ovsOvn.podAnnotations }} annotations: - chart-version: "{{ .Chart.Name }}-{{ .Chart.Version }}" + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app.kubernetes.io/name: kube-ovn-ovs + app.kubernetes.io/part-of: kube-ovn + {{- with .Values.ovsOvn.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: tolerations: - effect: NoSchedule @@ -38,8 +47,8 @@ spec: hostPID: true initContainers: - name: hostpath-init - {{- if .Values.DPDK }} - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.dpdkRepository }}:{{ .Values.DPDK_VERSION }}-{{ .Values.global.images.kubeovn.tag }} + {{- if .Values.ovsOvn.dpdk.enabled }} + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.dpdkRepository }}:{{ .Values.ovsOvn.dpdk.version }}-{{ .Values.global.images.kubeovn.tag }} {{- else }} image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} {{- end }} 
@@ -49,8 +58,9 @@ spec: - -xec - | chown -R nobody: /var/run/ovn /var/log/ovn /etc/openvswitch /var/run/openvswitch /var/log/openvswitch - {{- if not .Values.DISABLE_MODULES_MANAGEMENT }} iptables -V + {{- if not .Values.DISABLE_MODULES_MANAGEMENT }} + /usr/share/openvswitch/scripts/ovs-ctl load-kmod {{- else }} ln -sf /bin/true /usr/local/sbin/modprobe ln -sf /bin/true /usr/local/sbin/modinfo @@ -64,6 +74,9 @@ spec: privileged: true runAsUser: 0 volumeMounts: + - mountPath: /lib/modules + name: host-modules + readOnly: true - mountPath: /usr/local/sbin name: usr-local-sbin - mountPath: /var/log/ovn @@ -78,13 +91,13 @@ spec: name: host-log-ovs containers: - name: openvswitch - {{- if .Values.DPDK }} - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.dpdkRepository }}:{{ .Values.DPDK_VERSION }}-{{ .Values.global.images.kubeovn.tag }} + {{- if .Values.ovsOvn.dpdk.enabled }} + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.dpdkRepository }}:{{ .Values.ovsOvn.dpdk.version }}-{{ .Values.global.images.kubeovn.tag }} {{- else }} image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if .Values.DPDK }} + {{- if .Values.ovsOvn.dpdk.enabled }} command: ["/kube-ovn/start-ovs-dpdk.sh"] {{- else }} command: ["/kube-ovn/start-ovs.sh"] @@ -96,9 +109,7 @@ spec: add: - NET_ADMIN - NET_BIND_SERVICE - {{- if not .Values.DISABLE_MODULES_MANAGEMENT }} - - SYS_MODULE - {{- end }} + - NET_RAW - SYS_NICE - SYS_ADMIN env: @@ -154,7 +165,7 @@ spec: - mountPath: /var/run/containerd name: cruntime readOnly: true - {{- if .Values.DPDK }} + {{- if .Values.ovsOvn.dpdk.enabled }} - mountPath: /opt/ovs-config name: host-config-ovs - mountPath: /dev/hugepages 
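Review bot: The new read-only `/lib/modules` mount on the hostpath-init container is added unconditionally, while the `ovs-ctl load-kmod` call it serves is gated on `DISABLE_MODULES_MANAGEMENT`; with module management disabled the privileged init container still exposes the host's module tree for no purpose. Wrap the mount (and the matching `host-modules` volume, which is outside this hunk) in the same `{{- if not .Values.DISABLE_MODULES_MANAGEMENT }}` guard. Moving module loading into a one-shot privileged init so that the long-running openvswitch container can drop `SYS_MODULE` is a real reduction; a comment such as `# kernel modules are loaded by the privileged hostpath-init container, so SYS_MODULE is not needed here` above the capability list would stop it being re-added later. Note that `iptables -V` now runs before the guard and therefore under `set -e` in both modes.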
@@ -162,7 +173,7 @@ spec: {{- end }} readinessProbe: exec: - {{- if .Values.DPDK }} + {{- if .Values.ovsOvn.dpdk.enabled }} command: - bash - /kube-ovn/ovs-dpdk-healthcheck.sh @@ -176,7 +187,7 @@ spec: timeoutSeconds: 45 livenessProbe: exec: - {{- if .Values.DPDK }} + {{- if .Values.ovsOvn.dpdk.enabled }} command: - bash - /kube-ovn/ovs-dpdk-healthcheck.sh @@ -189,24 +200,15 @@ spec: periodSeconds: 5 failureThreshold: 5 timeoutSeconds: 45 + {{- if and .Values.ovsOvn.dpdk.enabled .Values.ovsOvn.resources }} resources: - requests: - {{- if .Values.DPDK }} - cpu: {{ .Values.DPDK_CPU }} - memory: {{ .Values.DPDK_MEMORY }} - {{- else }} - cpu: {{ index .Values "ovs-ovn" "requests" "cpu" }} - memory: {{ index .Values "ovs-ovn" "requests" "memory" }} - {{- end }} - limits: - {{- if .Values.DPDK }} - cpu: {{ .Values.DPDK_CPU }} - memory: {{ .Values.DPDK_MEMORY }} - hugepages-1Gi: 1Gi - {{- else }} - cpu: {{ index .Values "ovs-ovn" "limits" "cpu" }} - memory: {{ index .Values "ovs-ovn" "limits" "memory" }} - {{- end }} + {{- toYaml .Values.ovsOvn.dpdk.resources | trim | nindent 12 }} + {{- else }} + {{- with .Values.ovsOvn.resources }} + resources: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- end }} nodeSelector: kubernetes.io/os: "linux" volumes: @@ -240,7 +242,7 @@ spec: - hostPath: path: /var/run/containerd name: cruntime - {{- if .Values.DPDK }} + {{- if .Values.ovsOvn.dpdk.enabled }} - name: host-config-ovs hostPath: path: /opt/ovs-config diff --git a/charts/kube-ovn/templates/ovn-dpdk-ds.yaml b/charts/kube-ovn/templates/ovs-ovn/ovs-ovn-dpdk-daemonset.yaml similarity index 86% rename from charts/kube-ovn/templates/ovn-dpdk-ds.yaml rename to charts/kube-ovn/templates/ovs-ovn/ovs-ovn-dpdk-daemonset.yaml index c46e3389fce..7ebd2dc5555 100644 --- a/charts/kube-ovn/templates/ovn-dpdk-ds.yaml +++ b/charts/kube-ovn/templates/ovs-ovn/ovs-ovn-dpdk-daemonset.yaml 
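Review bot: The resources block of the openvswitch container tests `.Values.ovsOvn.resources` but renders `.Values.ovsOvn.dpdk.resources`: with DPDK enabled and only `ovsOvn.dpdk.resources` set, nothing is emitted, and with only `ovsOvn.resources` set you get `resources:` followed by `null`, silently dropping the `hugepages-1Gi` limit the old template hard-coded. Branch on the DPDK flag first and then `with` the matching value so each mode renders its own block or nothing.

```yaml
          {{- if .Values.ovsOvn.dpdk.enabled }}
          {{- with .Values.ovsOvn.dpdk.resources }}
          resources:
            {{- toYaml . | trim | nindent 12 }}
          {{- end }}
          {{- else }}
          {{- with .Values.ovsOvn.resources }}
          resources:
            {{- toYaml . | trim | nindent 12 }}
          {{- end }}
          {{- end }}
      # … unchanged: nodeSelector, volumes …
```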
@@ -1,16 +1,22 @@ -{{- if .Values.HYBRID_DPDK }} +{{- if .Values.ovsOvn.dpdkHybrid.enabled }} kind: DaemonSet apiVersion: apps/v1 metadata: name: ovs-ovn-dpdk namespace: {{ .Values.namespace }} + {{- with .Values.ovsOvn.annotations }} annotations: - kubernetes.io/description: | - This daemon set launches the openvswitch daemon. + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.ovsOvn.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} spec: selector: matchLabels: - app: ovs-dpdk + app.kubernetes.io/name: kube-ovnOvs-dpdk + app.kubernetes.io/part-of: kube-ovn updateStrategy: type: RollingUpdate rollingUpdate: @@ -18,10 +24,16 @@ spec: maxUnavailable: 0 template: metadata: + {{- with .Values.ovsOvn.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} labels: - app: ovs-dpdk - component: network - type: infra + app.kubernetes.io/name: kube-ovn-ovs + app.kubernetes.io/part-of: kube-ovn + {{- with .Values.ovsOvn.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: tolerations: - operator: Exists @@ -106,14 +118,10 @@ spec: periodSeconds: 5 failureThreshold: 5 timeoutSeconds: 45 + {{- with .Values.ovsOvn.dpdkHybrid.resources }} resources: - requests: - cpu: {{ index .Values "ovs-ovn" "requests" "cpu" }} - memory: {{ index .Values "ovs-ovn" "requests" "memory" }} - limits: - cpu: {{ index .Values "ovs-ovn" "limits" "cpu" }} - {{.Values.HUGEPAGE_SIZE_TYPE}}: {{.Values.HUGEPAGES}} - memory: {{ index .Values "ovs-ovn" "limits" "memory" }} + {{- toYaml . | trim | nindent 12 }} + {{- end }} nodeSelector: kubernetes.io/os: "linux" ovn.kubernetes.io/ovs_dp_type: "userspace" diff --git a/charts/kube-ovn/templates/pinger-svc.yaml b/charts/kube-ovn/templates/pinger-svc.yaml deleted file mode 100644 index ef169e8e91c..00000000000 --- a/charts/kube-ovn/templates/pinger-svc.yaml +++ /dev/null 
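Review bot: The ovs-ovn-dpdk DaemonSet's `spec.selector.matchLabels` uses `app.kubernetes.io/name: kube-ovnOvs-dpdk` while its pod template is labelled `app.kubernetes.io/name: kube-ovn-ovs`, so the API server rejects the object (`selector does not match template labels`) whenever `ovsOvn.dpdkHybrid.enabled` is true. Fixing only the typo to `kube-ovn-ovs` is not enough, because that is exactly the selector of the ovs-ovn DaemonSet in ovs-ovn-daemonset.yaml and two DaemonSets selecting the same pods will fight over them. Use a distinct value in both places: `app.kubernetes.io/name: kube-ovn-ovs-dpdk` in `matchLabels` and in the template labels.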
@@ -1,16 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: kube-ovn-pinger - namespace: {{ .Values.namespace }} - labels: - app: kube-ovn-pinger -spec: - selector: - app: kube-ovn-pinger - ports: - - port: 8080 - name: metrics - {{- if eq .Values.networking.NET_STACK "dual_stack" }} - ipFamilyPolicy: PreferDualStack - {{- end }} diff --git a/charts/kube-ovn/templates/pinger-ds.yaml b/charts/kube-ovn/templates/pinger/pinger-daemonset.yaml similarity index 87% rename from charts/kube-ovn/templates/pinger-ds.yaml rename to charts/kube-ovn/templates/pinger/pinger-daemonset.yaml index a69a13ffbd8..90983c1caca 100644 --- a/charts/kube-ovn/templates/pinger-ds.yaml +++ b/charts/kube-ovn/templates/pinger/pinger-daemonset.yaml @@ -3,21 +3,33 @@ apiVersion: apps/v1 metadata: name: kube-ovn-pinger namespace: {{ .Values.namespace }} + {{- with .Values.pinger.annotations }} annotations: - kubernetes.io/description: | - This daemon set launches the openvswitch daemon. + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.pinger.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} spec: selector: matchLabels: - app: kube-ovn-pinger + app.kubernetes.io/name: kube-ovn-pinger + app.kubernetes.io/part-of: kube-ovn updateStrategy: type: RollingUpdate template: metadata: + {{- with .Values.pinger.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} labels: - app: kube-ovn-pinger - component: network - type: infra + app.kubernetes.io/name: kube-ovn-pinger + app.kubernetes.io/part-of: kube-ovn + {{- with .Values.pinger.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: priorityClassName: system-node-critical tolerations: 
@@ -122,13 +134,10 @@ spec: readOnly: true - mountPath: /var/run/tls name: kube-ovn-tls + {{- with .Values.pinger.resources }} resources: - requests: - cpu: {{ index .Values "kube-ovn-pinger" "requests" "cpu" }} - memory: {{ index .Values "kube-ovn-pinger" "requests" "memory" }} - limits: - cpu: {{ index .Values "kube-ovn-pinger" "limits" "cpu" }} - memory: {{ index .Values "kube-ovn-pinger" "limits" "memory" }} + {{- toYaml . | trim | nindent 12 }} + {{- end }} nodeSelector: kubernetes.io/os: "linux" volumes: diff --git a/charts/kube-ovn/templates/pinger/pinger-service.yaml b/charts/kube-ovn/templates/pinger/pinger-service.yaml new file mode 100644 index 00000000000..75801bb0207 --- /dev/null +++ b/charts/kube-ovn/templates/pinger/pinger-service.yaml @@ -0,0 +1,23 @@ +kind: Service +apiVersion: v1 +metadata: + name: kube-ovn-pinger + namespace: {{ .Values.namespace }} + {{- with .Values.pinger.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.pinger.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + app.kubernetes.io/name: kube-ovn-pinger + app.kubernetes.io/part-of: kube-ovn + ports: + - name: metrics + port: {{ .Values.pinger.metrics.port }} + {{- if eq .Values.networking.NET_STACK "dual_stack" }} + ipFamilyPolicy: PreferDualStack + {{- end }} diff --git a/charts/kube-ovn/templates/speaker/speaker.yaml b/charts/kube-ovn/templates/speaker/speaker.yaml new file mode 100644 index 00000000000..3ecce4ca008 --- /dev/null +++ b/charts/kube-ovn/templates/speaker/speaker.yaml 
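Review bot: The new pinger Service only gets `labels:` when `.Values.pinger.labels` is set, whereas the deleted `pinger-svc.yaml` always carried `labels: app: kube-ovn-pinger`, so anything that discovers the Service by label (a ServiceMonitor, for example) silently stops matching after the upgrade. Add `app.kubernetes.io/name: kube-ovn-pinger` and `app.kubernetes.io/part-of: kube-ovn` unconditionally under `metadata.labels` and merge the user-supplied labels after them, the way the pod template in the DaemonSet hunk already does. The Service also omits `targetPort`, so `.Values.pinger.metrics.port` must equal the port the pinger container actually listens on; the container args are outside this hunk, so that cannot be confirmed here.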
@@ -0,0 +1,70 @@
+{{- if .Values.speaker.enabled }}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+ name: kube-ovn-speaker
+ namespace: {{ .Values.namespace }}
+ {{- with .Values.speaker.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.speaker.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: kube-ovn-speaker
+ app.kubernetes.io/part-of: kube-ovn
+ template:
+ metadata:
+ {{- with .Values.speaker.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: kube-ovn-speaker
+ app.kubernetes.io/part-of: kube-ovn
+ {{- with .Values.speaker.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ tolerations:
+ - operator: Exists
+ effect: NoSchedule
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: kube-ovn-speaker
+ app.kubernetes.io/part-of: kube-ovn
+ topologyKey: kubernetes.io/hostname
+ priorityClassName: system-node-critical
+ serviceAccountName: ovn
+ hostNetwork: true
+ containers:
+ - name: kube-ovn-speaker
+ image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - /kube-ovn/kube-ovn-speaker
+ {{- with .Values.speaker.args }}
+ args:
+ {{- toYaml . | trim | nindent 14 }}
+ {{- end }}
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ {{- with .Values.speaker.resources }}
+ resources:
+ {{- toYaml . | trim | nindent 12 }}
+ {{- end }}
+ {{- with .Values.speaker.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | trim | nindent 8 }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
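Review bot: The speaker pod runs with `hostNetwork: true` under the shared `ovn` service account but declares no `securityContext`, so it inherits the runtime default and, through that account, whatever cluster RBAC the other kube-ovn components need rather than what a BGP speaker needs. If the binary needs no extra capabilities, set `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}` on the container; if it does need a capability, declare exactly that one, and consider a dedicated service account bound only to the RBAC the speaker actually uses. `imagePullPolicy: {{ .Values.image.pullPolicy }}` reads a top-level `image` key while the image itself comes from `.Values.global.images.kubeovn`; the head of values.yaml is outside this diff, so confirm that key still exists. The container also has no liveness or readiness probe, so a wedged speaker keeps its node's routes announced with nothing restarting it.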
diff --git a/charts/kube-ovn/templates/webhook/certificate.yaml b/charts/kube-ovn/templates/webhook/certificate.yaml
new file mode 100644
index 00000000000..ec6bc9a43a5
--- /dev/null
+++ b/charts/kube-ovn/templates/webhook/certificate.yaml
@@ -0,0 +1,41 @@
+{{- if .Values.validatingWebhook.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: kube-ovn-webhook-serving-cert
+ namespace: {{ .Values.namespace }}
+ {{- with .Values.validatingWebhook.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.validatingWebhook.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ dnsNames:
+ - kube-ovn-webhook.kube-system
+ - kube-ovn-webhook.kube-system.svc
+ - kube-ovn-webhook.kube-system.svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: kube-ovn-webhook-selfsigned-issuer
+ group: cert-manager.io
+ secretName: kube-ovn-webhook-secret
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: kube-ovn-webhook-selfsigned-issuer
+ namespace: {{ .Values.namespace }}
+ {{- with .Values.validatingWebhook.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.validatingWebhook.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ selfSigned: {}
+{{- end }}
\ No newline at end of file
diff --git a/charts/kube-ovn/templates/webhook/service.yaml b/charts/kube-ovn/templates/webhook/service.yaml
new file mode 100644
index 00000000000..516be6a9133
--- /dev/null
+++ b/charts/kube-ovn/templates/webhook/service.yaml
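Review bot: The `dnsNames` are hard-coded to the `kube-system` namespace while the Certificate, the Service in `service.yaml` and the webhook's `clientConfig.service.namespace` all use `{{ .Values.namespace }}`; with any other namespace the serving certificate does not cover `kube-ovn-webhook.<namespace>.svc`, the API server's TLS verification of the webhook fails, and because the webhook is registered with `failurePolicy: Ignore` every request is then admitted unvalidated with no obvious error. Template the names instead: `- kube-ovn-webhook.{{ .Values.namespace }}`, `- kube-ovn-webhook.{{ .Values.namespace }}.svc`, `- kube-ovn-webhook.{{ .Values.namespace }}.svc.cluster.local`. The `cluster.local` suffix is itself an assumption about the cluster domain; a comment on `dnsNames` saying so would help operators running a different domain.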
@@ -0,0 +1,26 @@
+{{- if .Values.validatingWebhook.enabled }}
+kind: Service
+apiVersion: v1
+metadata:
+ name: kube-ovn-webhook
+ namespace: {{ .Values.namespace }}
+ {{- with .Values.validatingWebhook.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.validatingWebhook.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ports:
+ - name: kube-ovn-webhook
+ protocol: TCP
+ port: 443
+ targetPort: 8443
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/name: kube-ovn-webhook
+ app.kubernetes.io/part-of: kube-ovn
+ sessionAffinity: None
+{{- end }}
\ No newline at end of file
diff --git a/charts/kube-ovn/templates/webhook/webhook-deployment.yaml b/charts/kube-ovn/templates/webhook/webhook-deployment.yaml
new file mode 100644
index 00000000000..14bcc0ee481
--- /dev/null
+++ b/charts/kube-ovn/templates/webhook/webhook-deployment.yaml
@@ -0,0 +1,98 @@
+{{- if .Values.validatingWebhook.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kube-ovn-webhook
+ namespace: {{ .Values.namespace }}
+ {{- with .Values.validatingWebhook.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.validatingWebhook.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: kube-ovn-webhook
+ app.kubernetes.io/part-of: kube-ovn
+ template:
+ metadata:
+ {{- with .Values.validatingWebhook.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: kube-ovn-webhook
+ app.kubernetes.io/part-of: kube-ovn
+ {{- with .Values.validatingWebhook.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ tolerations:
+ - operator: Exists
+ effect: NoSchedule
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: kube-ovn-webhook
+ app.kubernetes.io/part-of: kube-ovn
+ topologyKey: kubernetes.io/hostname
+ serviceAccountName: ovn
+ containers:
+ - name: kube-ovn-webhook
+ image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - /kube-ovn/kube-ovn-webhook
+ args:
+ - --port=8443
+ - --health-probe-port=8080
+ - --v=3
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ - containerPort: 8080
+ name: health-probe
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 8080
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /readyz
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: kube-ovn-webhook-secret
+ nodeSelector:
+ kubernetes.io/os: "linux"
+{{- end }}
\ No newline at end of file
diff --git a/charts/kube-ovn/templates/webhook/webhook.yaml b/charts/kube-ovn/templates/webhook/webhook.yaml
new file mode 100644
index 00000000000..4891993ebab
--- /dev/null
+++ b/charts/kube-ovn/templates/webhook/webhook.yaml
@@ -0,0 +1,72 @@
+{{- if .Values.validatingWebhook.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: kube-ovn-webhook
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Values.namespace }}/kube-ovn-webhook-serving-cert
+ {{- with .Values.validatingWebhook.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.validatingWebhook.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+webhooks:
+ - name: pod-ip-validating.kube-ovn.io
+ rules:
+ - operations:
+ - CREATE
+ apiGroups:
+ - "apps"
+ apiVersions:
+ - v1
+ resources:
+ - deployments
+ - statefulsets
+ - daemonsets
+ - operations:
+ - CREATE
+ apiGroups:
+ - "batch"
+ apiVersions:
+ - v1
+ resources:
+ - jobs
+ - cronjobs
+ - operations:
+ - CREATE
+ apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ resources:
+ - pods
+ - operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ apiGroups:
+ - "kubeovn.io"
+ apiVersions:
+ - v1
+ resources:
+ - subnets
+ - vpcs
+ - vips
+ - vpc-nat-gateways
+ - iptables-eips
+ - iptables-dnat-rules
+ - iptables-snat-rules
+ - iptables-fip-rules
+ failurePolicy: Ignore
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ clientConfig:
+ service:
+ namespace: {{ .Values.namespace }}
+ name: kube-ovn-webhook
+ path: /validating
+ port: 443
+{{- end }}
\ No newline at end of file
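Review bot: The webhook Deployment runs under the shared `ovn` service account (the speaker in this diff uses it too, and presumably the controller), so an admission webhook that only has to inspect objects carries whatever cluster-wide permissions that account holds; a dedicated `kube-ovn-webhook` ServiceAccount bound only to the read access the webhook needs keeps the blast radius of that pod to itself. The container declares no `securityContext`; for a process that serves HTTPS on 8443 and reads one mounted secret, `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` are safe defaults (add `readOnlyRootFilesystem: true` if the binary writes nothing to disk). `imagePullPolicy: {{ .Values.image.pullPolicy }}` reads a top-level `image` key while the image is built from `.Values.global.images.kubeovn`; the head of values.yaml is outside this diff, so confirm that key exists. `defaultMode: 420` is decimal for mode 0644, which a `# 0644` comment would spare the reader from converting.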
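Review bot: `failurePolicy: Ignore` combined with no `namespaceSelector` or `objectSelector` means every CREATE of pods, deployments, statefulsets, daemonsets, jobs and cronjobs in every namespace, and every CREATE/UPDATE/DELETE of the listed kubeovn.io resources, is routed through this webhook and silently admitted whenever it is down, slower than `timeoutSeconds: 5`, or failing TLS; fail-open is a defensible choice for cluster-wide workload rules, but nothing in the file says it was deliberate. Add `# Fail open: requests are admitted unvalidated when the webhook is unavailable, so this validation is best-effort` above `failurePolicy`, and consider exposing it as a chart value so operators who want fail-closed behaviour for the kubeovn.io group can opt in. `admissionReviewVersions: ["v1", "v1beta1"]` can drop `v1beta1`, which API servers in the supported range no longer send.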
diff --git a/charts/kube-ovn/values.yaml b/charts/kube-ovn/values.yaml
index 1df4bdb9e59..a0788127e01 100644
--- a/charts/kube-ovn/values.yaml
+++ b/charts/kube-ovn/values.yaml
@@ -10,7 +10,7 @@ global:
 repository: kube-ovn
 dpdkRepository: kube-ovn-dpdk
 vpcRepository: vpc-nat-gateway
- tag: v1.13.0
+ tag: v1.14.0
 support_arm: true
 thirdparty: true
@@ -58,7 +58,6 @@ networking:
 func:
 ENABLE_LB: true
 ENABLE_NP: true
-ENABLE_EIP_SNAT: true
 ENABLE_EXTERNAL_VPC: true
 HW_OFFLOAD: false
 ENABLE_LB_SVC: false
@@ -74,6 +73,11 @@ func:
 ENABLE_IC: false
 ENABLE_NAT_GW: true
 ENABLE_OVN_IPSEC: false
+ ENABLE_ANP: false
+ SET_VXLAN_TX_OFF: false
+ OVSDB_CON_TIMEOUT: 3
+ OVSDB_INACTIVITY_TIMEOUT: 10
+ ENABLE_LIVE_MIGRATION_OPTIMIZE: true
 ipv4:
 POD_CIDR: "10.16.0.0/16"
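Review bot: The five keys added under `func` (`ENABLE_ANP`, `SET_VXLAN_TX_OFF`, `OVSDB_CON_TIMEOUT`, `OVSDB_INACTIVITY_TIMEOUT`, `ENABLE_LIVE_MIGRATION_OPTIMIZE`) carry no comment on what they control or, for the two timeouts, what unit they are in, unlike the `# --` documented sections added further down in this file. A one-line `# -- …` comment per key in that same style, stating the unit for the timeouts (presumably seconds, to be confirmed against the templates), would make them usable without reading the templates. The preceding hunk `@@ -58,7 +58,6 @@` drops `ENABLE_EIP_SNAT`; if any template still references it the value renders as empty rather than failing, so it is worth grepping the templates, which are outside this diff.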
@@ -126,60 +130,300 @@ OPENVSWITCH_DIR: "/etc/origin/openvswitch"
 OVN_DIR: "/etc/origin/ovn"
 DISABLE_MODULES_MANAGEMENT: false
-imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
-# hybrid dpdk
-HYBRID_DPDK: false
-HUGEPAGE_SIZE_TYPE: hugepages-2Mi # Default
-HUGEPAGES: 1Gi
-
-# DPDK
-DPDK: false
-DPDK_VERSION: "19.11"
-DPDK_CPU: "1000m" # Default CPU configuration
-DPDK_MEMORY: "2Gi" # Default Memory configuration
-
-ovn-central:
- requests:
- cpu: "300m"
- memory: "200Mi"
- limits:
- cpu: "3"
- memory: "4Gi"
-ovs-ovn:
- requests:
- cpu: "200m"
- memory: "200Mi"
- limits:
- cpu: "2"
- memory: "1000Mi"
-kube-ovn-controller:
- requests:
- cpu: "200m"
- memory: "200Mi"
- limits:
- cpu: "1000m"
- memory: "1Gi"
-kube-ovn-cni:
- requests:
- cpu: "100m"
- memory: "100Mi"
- limits:
- cpu: "1000m"
- memory: "1Gi"
-kube-ovn-pinger:
- requests:
- cpu: "100m"
- memory: "100Mi"
- limits:
- cpu: "200m"
- memory: "400Mi"
-kube-ovn-monitor:
- requests:
- cpu: "200m"
- memory: "200Mi"
- limits:
- cpu: "200m"
- memory: "200Mi"
+# -- Configuration of the validating webhook used to verify custom resources before they are pushed to Kubernetes.
+# Make sure cert-manager is installed for the generation of certificates for the webhook.
+# See https://kubeovn.github.io/docs/stable/en/guide/webhook/
+validatingWebhook:
+ # -- Enable the deployment of the validating webhook
+ enabled: false
+ # -- Annotations to be added to all top-level kube-ovn-webhook objects (resources under templates/webhook)
+ annotations: {}
+ # -- Labels to be added to all top-level kube-ovn-webhook objects (resources under templates/webhook)
+ labels: {}
+ # -- Annotations to be added to kube-ovn-webhook pods
+ podAnnotations: {}
+ # -- Labels to be added to kube-ovn-webhook pods
+ podLabels: {}
+
+# -- Configuration for the NAT gateway
+natGw:
+ # -- Prefix appended to the name of the NAT gateways when generating the Pods
+ # If this value is changed after NAT GWs have been provisioned, every NAT gateway will need to be
+ # manually destroyed and recreated.
+ namePrefix: "vpc-nat-gw"
+ # -- Configuration of the BGP sidecar for when a NAT gateway is running in BGP mode
+ bgpSpeaker:
+ # -- Image used by the NAT gateway sidecar
+ image:
+ repository: docker.io/kubeovn/kube-ovn
+ tag: v1.14.0
+ pullPolicy: IfNotPresent
+ # -- Network attachment definition used to reach the API server when running on BGP mode
+ # See https://kubeovn.github.io/docs/stable/en/advance/with-bgp/
+ apiNadProvider: "{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn"
+
+# -- API NetworkAttachmentDefinition to give some pods (CoreDNS, NAT GW) in custom VPCs access to the K8S API
+# This requires Multus to be installed
+apiNad:
+ # -- Enable the creation of the API NAD
+ enabled: false
+ # -- Name of the NAD
+ name: ovn-kubernetes-api
+ # -- Name of the provider, must be in the form "nadName.nadNamespace.ovn"
+ provider: "{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn"
+ # -- Subnet associated with the NAD, it will have full access to the API server
+ subnet:
+ # -- Name of the subnet
+ name: ovn-kubernetes-api
+ # -- Protocol for the API subnet
+ protocol: Dual
+ # -- CIDR block used by the API subnet
+ cidrBlock: 100.100.0.0/16,fd00:100:100::/112
+
+# -- Configuration for ovs-ovn, the Open vSwitch daemon
+ovsOvn:
+ # -- Annotations to be added to all top-level ovs-ovn objects (resources under templates/ovs-ovn)
+ annotations: {}
+ # -- Labels to be added to all top-level ovs-ovn objects (resources under templates/ovs-ovn)
+ labels: {}
+ # -- Annotations to be added to ovs-ovn pods
+ podAnnotations: {}
+ # -- Labels to be added to ovs-ovn pods
+ podLabels: {}
+
+ # -- ovs-ovn resource limits & requests, overridden if DPDK is enabled
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources:
+ requests:
+ cpu: "200m"
+ memory: "200Mi"
+ limits:
+ cpu: "2"
+ memory: "1000Mi"
+
+ # -- DPDK support for OVS
+ # ref: https://kubeovn.github.io/docs/v1.12.x/en/advance/dpdk/
+ dpdk:
+ # -- Enables DPDK support on OVS
+ enabled: false
+ # -- Version of the DPDK image
+ version: "19.11"
+
+ # -- ovs-ovn resource limits & requests when DPDK is enabled
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources:
+ requests:
+ cpu: "1000m"
+ memory: "200Mi"
+ limits:
+ hugepages-1Gi: 1Gi
+ cpu: "1000m"
+ memory: "1000Mi"
+
+ # -- DPDK-hybrid support for OVS
+ # ref: https://kubeovn.github.io/docs/v1.12.x/en/advance/dpdk/
+ dpdkHybrid:
+ # -- Enables DPDK-hybrid support on OVS
+ enabled: false
+ # -- ovs-ovn resource limits & requests when DPDK-hybrid is enabled
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources:
+ requests:
+ cpu: "200m"
+ memory: "200Mi"
+ limits:
+ hugepages-2Mi: 1Gi
+ cpu: "2"
+ memory: "1000Mi"
+
+# -- Configuration for kube-ovn-speaker, the BGP speaker announcing routes to the external world
+speaker:
+ # -- Enable the kube-ovn-speaker
+ enabled: false
+ # -- Annotations to be added to all top-level kube-ovn-speaker objects (resources under templates/speaker)
+ annotations: {}
+ # -- Labels to be added to all top-level kube-ovn-speaker objects (resources under templates/speaker)
+ labels: {}
+ # -- Annotations to be added to kube-ovn-speaker pods
+ podAnnotations: {}
+ # -- Labels to be added to kube-ovn-speaker pods
+ podLabels: {}
+
+ # -- kube-ovn-speaker resource limits & requests
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources:
+ requests:
+ cpu: "500m"
+ memory: "300Mi"
+ limits: {}
+
+ # -- Node selector to restrict the deployment of the speaker to specific nodes
+ nodeSelector: {}
+ # kubernetes.io/os: "linux"
+ # ovn.kubernetes.io/bgp: "true"
+
+ # Args passed to the kube-ovn-speaker pod
+ args: []
+ # - --neighbor-address=10.32.32.1
+ # - --neighbor-as=65030
+ # - --cluster-as=65000
+
+# -- Configuration for kube-ovn-pinger, the agent monitoring and returning metrics for OVS/external connectivity
+pinger:
+ # -- Annotations to be added to all top-level kube-ovn-pinger objects (resources under templates/pinger)
+ annotations: {}
+ # -- Labels to be added to all top-level kube-ovn-pinger objects (resources under templates/pinger)
+ labels: {}
+ # -- Annotations to be added to kube-ovn-pinger pods
+ podAnnotations: {}
+ # -- Labels to be added to kube-ovn-pinger pods
+ podLabels: {}
+
+ # -- kube-ovn-pinger resource limits & requests
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources:
+ requests:
+ cpu: "100m"
+ memory: "100Mi"
+ limits:
+ cpu: "200m"
+ memory: "400Mi"
+
+ # -- kube-ovn-pinger metrics configuration
+ metrics:
+ # -- Configure the port on which the kube-ovn-monitor service will serve metrics
+ port: 8080
+
+# -- Configuration for kube-ovn-monitor, the agent monitoring and returning metrics for the northbound/southbound DBs and northd
+monitor:
+ # -- Annotations to be added to all top-level kube-ovn-monitor objects (resources under templates/monitor)
+ annotations: {}
+ # -- Labels to be added to all top-level kube-ovn-monitor objects (resources under templates/monitor)
+ labels: {}
+ # -- Annotations to be added to kube-ovn-monitor pods
+ podAnnotations: {}
+ # -- Labels to be added to kube-ovn-monitor pods
+ podLabels: {}
+
+ # -- kube-ovn-monitor resource limits & requests
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources:
+ requests:
+ cpu: "200m"
+ memory: "200Mi"
+ limits:
+ cpu: "200m"
+ memory: "200Mi"
+
+ # -- kube-ovn-monitor metrics configuration
+ metrics:
+ # -- Configure the port on which the kube-ovn-monitor service will serve metrics
+ port: 10661
+
+# -- Configuration for kube-ovn-controller, the controller responsible for syncing K8s with OVN
+controller:
+ # -- Annotations to be added to all top-level kube-ovn-controller objects (resources under templates/controller)
+ annotations: {}
+ # -- Labels to be added to all top-level kube-ovn-controller objects (resources under templates/controller)
+ labels: {}
+ # -- Annotations to be added to kube-ovn-controller pods
+ podAnnotations: {}
+ # -- Labels to be added to kube-ovn-controller pods
+ podLabels: {}
+
+ # -- kube-ovn-controller resource limits & requests
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources:
+ requests:
+ cpu: "200m"
+ memory: "200Mi"
+ limits:
+ cpu: "1000m"
+ memory: "1Gi"
+
+ # -- Controller metrics configuration
+ metrics:
+ # -- Configure the port on which the controller service will serve metrics
+ port: 10660
+
+# -- Configuration for ovn-central, the daemon containing the northbound/southbound DBs and northd
+central:
+ # -- Annotations to be added to all top-level ovn-central objects (resources under templates/central)
+ annotations: {}
+ # -- Labels to be added to all top-level ovn-central objects (resources under templates/central)
+ labels: {}
+ # -- Annotations to be added to ovn-central pods
+ podAnnotations: {}
+ # -- Labels to be added to ovn-central pods
+ podLabels: {}
+
+ # -- ovn-central resource limits & requests
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources:
+ requests:
+ cpu: "300m"
+ memory: "200Mi"
+ limits:
+ cpu: "3"
+ memory: "4Gi"
+
+# -- Configuration for kube-ovn-cni, the agent responsible for handling CNI requests from the CRI
+agent:
+ # -- Annotations to be added to all top-level agent objects (resources under templates/agent)
+ annotations: {}
+ # -- Labels to be added to all top-level agent objects (resources under templates/agent)
+ labels: {}
+ # -- Annotations to be added to the agent pods (kube-ovn-cni)
+ podAnnotations: {}
+ # -- Labels to be added to the agent pods (kube-ovn-cni)
+ podLabels: {}
+
+ # -- Agent daemon resource limits & requests
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources:
+ requests:
+ cpu: "100m"
+ memory: "100Mi"
+ limits:
+ cpu: "1000m"
+ memory: "1Gi"
+
+ # -- Agent metrics configuration
+ metrics:
+ # -- Configure the port on which the agent service will serve metrics
+ port: 10665
+
+# -- Array of extra K8s manifests to deploy
+## Note: Supports use of custom Helm templates (Go templating)
+extraObjects: []
+# - apiVersion: v1
+# kind: ConfigMap
+# metadata:
+# name: cni-config
+# data:
+# cni-config: |-
+# {
+# "name": "generic-veth",
+# "cniVersion": "0.3.1",
+# "plugins": [
+# {
+# "type": "kube-ovn",
+# "server_socket": "/run/openvswitch/kube-ovn-daemon.sock",
+# "ipam": {
+# "type": "kube-ovn",
+# "server_socket": "/run/openvswitch/kube-ovn-daemon.sock"
+# }
+# },
+# {
+# "type": "portmap",
+# "snat": true,
+# "capabilities": {"portMappings": true}
+# },
+# {
+# "type": "cilium-cni"
+# }
+# ]
+# }
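Review bot: `natGw.bgpSpeaker.apiNadProvider` and `apiNad.provider` embed `{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn` inside values.yaml, which Helm only expands when the consuming template passes the string through `tpl`; otherwise the literal braces land in the rendered manifest. The templates that read those keys are outside this diff, so confirm that, and either way extend the comment to `# -- Name of the provider, must be in the form "nadName.nadNamespace.ovn" (rendered with tpl, so .Values references are allowed)`. The comment on `pinger.metrics.port` says `kube-ovn-monitor service` and should read `# -- Configure the port on which the kube-ovn-pinger service will serve metrics`. `natGw.bgpSpeaker.image.tag: v1.14.0` duplicates the release tag that `global.images.kubeovn.tag` already carries and will drift on the next bump unless it defaults to the global value.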