bluecmd · December 19, 2016 19:02
diff --git a/gistfile1.txt b/gistfile1.txt
 # This ConfigMap is used to configure a self-hosted Calico installation.
 kind: ConfigMap
 apiVersion: v1
 metadata:
  name: calico-config 
  namespace: kube-system
 data:
  # The location of your etcd cluster.  This uses the Service clusterIP
  # defined below.
  etcd_endpoints: "https://127.0.0.1:2379"

  # Configure the Calico backend to use.
  calico_backend: "bird"

  # The CNI network configuration to install on each node.
  cni_network_config: |-
    {
        "name": "k8s-pod-network",
        "type": "calico",
        "etcd_endpoints": "__ETCD_ENDPOINTS__",
        "etcd_key_file": "__ETCD_KEY_FILE__",
        "etcd_cert_file": "__ETCD_CERT_FILE__",
        "etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
        "log_level": "info",
        "ipam": {
            "type": "calico-ipam"
        },
        "policy": {
            "type": "k8s",
             "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
             "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__",
             "k8s_certificate_authority": "/etc/kubernetes/ssl/ca.pem"
        },
        "kubernetes": {
            "kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__-cmd"
        }
    }

  # The default IP Pool to be created for the cluster.
  # Pod IP addresses will be assigned from this pool
  ippool.yaml: |
      apiVersion: v1
      kind: ipPool
      metadata:
        cidr: 10.188.16.0/20
      spec:
        nat-outgoing: true

  etcd_ca: "/etc/kubernetes/ssl/ca.pem"
  etcd_cert: "/etc/kubernetes/ssl/host.pem"
  etcd_key: "/etc/kubernetes/ssl/host-key.pem"

 ---

 # This manifest installs the calico/node container, as well
 # as the Calico CNI plugins and network config on 
 # each master and worker node in a Kubernetes cluster.
 kind: DaemonSet
 apiVersion: extensions/v1beta1
 metadata:
  name: calico-node
  namespace: kube-system
  labels:
    k8s-app: calico-node
 spec:
  selector:
    matchLabels:
      k8s-app: calico-node
  template:
    metadata:
      labels:
        k8s-app: calico-node
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
        scheduler.alpha.kubernetes.io/tolerations: |
          [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
           {"key":"CriticalAddonsOnly", "operator":"Exists"}]
    spec:
      hostNetwork: true
      containers:
        # Runs calico/node container on each Kubernetes node.  This 
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          image: quay.io/calico/node:v1.0.0
          env:
            # The location of the Calico etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # Choose the backend to use.
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Don't configure a default pool.  This is done by the Job
            # below.
            - name: NO_DEFAULT_POOLS
              value: "true"
            - name: FELIX_LOGSEVERITYSCREEN
              value: "info"
            # Location of the CA certificate for etcd.
            - name: ETCD_CA_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_ca
            # Location of the client key for etcd.
            - name: ETCD_KEY_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_key
            # Location of the client certificate for etcd.
            - name: ETCD_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_cert
            # Auto-detect the BGP IP address.
            - name: IP
              value: ""
          securityContext:
            privileged: true
          volumeMounts:
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
            - mountPath: /etc/kubernetes/ssl
              name: k8s-certs
        # This container installs the Calico CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
          image: calico/cni:v1.5.5
          imagePullPolicy: Always
          command: ["/install-cni.sh"]
          env:
            # The location of the Calico etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: cni_network_config
            # Location of the CA certificate for etcd.
            - name: CNI_CONF_ETCD_CA
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_ca
            # Location of the client key for etcd.
            - name: CNI_CONF_ETCD_KEY
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_key
            # Location of the client certificate for etcd.
            - name: CNI_CONF_ETCD_CERT
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_cert
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
            - mountPath: /etc/kubernetes/ssl
              name: k8s-certs
      volumes:
        # Used by calico/node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        # Used to install CNI.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        - name: k8s-certs
          hostPath:
            path: /etc/kubernetes/ssl

 ---
 # This manifest deploys the Calico policy controller on Kubernetes.
 # See https://github.com/projectcalico/k8s-policy
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
  name: calico-policy-controller
  namespace: kube-system
  labels:
    k8s-app: calico-policy
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ''
    scheduler.alpha.kubernetes.io/tolerations: |
      [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
       {"key":"CriticalAddonsOnly", "operator":"Exists"}]
 spec:
  # The policy controller can only have a single active instance.
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      name: calico-policy-controller
      namespace: kube-system
      labels:
        k8s-app: calico-policy
    spec:
      # The policy controller must run in the host network namespace so that
      # it isn't governed by policy that would prevent it from working.
      hostNetwork: true
      containers:
        - name: calico-policy-controller
          image: calico/kube-policy-controller:v0.5.1
          env:
            # The location of the Calico etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # Location of the CA certificate for etcd.
            - name: ETCD_CA_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_ca
            # Location of the client key for etcd.
            - name: ETCD_KEY_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_key
            # Location of the client certificate for etcd.
            - name: ETCD_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_cert
            # The location of the Kubernetes API.  Use the default Kubernetes
            # service for API access.
            - name: K8S_API
              value: "https://kubernetes.default:443"
            # Since we're running in the host namespace and might not have KubeDNS
            # access, configure the container's /etc/hosts to resolve
            # kubernetes.default to the correct service clusterIP.
            - name: CONFIGURE_ETC_HOSTS
              value: "true"
          volumeMounts:
            # Mount in the etcd TLS secrets.
            - mountPath: /etc/kubernetes/ssl
              name: k8s-certs
      volumes:
        # Mount in the etcd TLS secrets.
        - name: k8s-certs
          hostPath:
            path: /etc/kubernetes/ssl

 ---

 ## This manifest deploys a Job which performs one time 
 # configuration of Calico 
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: configure-calico
  namespace: kube-system
  labels:
    k8s-app: calico 
 spec:
  template:
    metadata:
      name: configure-calico
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
        scheduler.alpha.kubernetes.io/tolerations: |
          [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
           {"key":"CriticalAddonsOnly", "operator":"Exists"}]
    spec:
      hostNetwork: true
      restartPolicy: OnFailure 
      containers:
        # Writes basic configuration to datastore. 
        - name: configure-calico
          image: calico/ctl:v1.0.0
          args:
          - apply
          - -f
          - /etc/config/calico/ippool.yaml
          env:
            # The location of the etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # Location of the CA certificate for etcd.
            - name: ETCD_CA_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_ca
            # Location of the client key for etcd.
            - name: ETCD_KEY_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_key
            # Location of the client certificate for etcd.
            - name: ETCD_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_cert
          volumeMounts:
            - name: config-volume
              mountPath: /etc/config
            # Mount in the etcd TLS secrets.
            - mountPath: /etc/kubernetes/ssl
              name: k8s-certs
      volumes:
        # Mount in the etcd TLS secrets.
        - name: k8s-certs
          hostPath:
            path: /etc/kubernetes/ssl
        - name: config-volume
          configMap:
            name: calico-config
            items:
            - key: ippool.yaml
              path: calico/ippool.yaml
	# This ConfigMap is used to configure a self-hosted Calico installation.
	kind: ConfigMap
	apiVersion: v1
	metadata:
	name: calico-config
	namespace: kube-system
	data:
	# The location of your etcd cluster. This uses the Service clusterIP
	# defined below.
	etcd_endpoints: "https://127.0.0.1:2379"

	# Configure the Calico backend to use.
	calico_backend: "bird"

	# The CNI network configuration to install on each node.
	cni_network_config: \|-
	{
	"name": "k8s-pod-network",
	"type": "calico",
	"etcd_endpoints": "__ETCD_ENDPOINTS__",
	"etcd_key_file": "__ETCD_KEY_FILE__",
	"etcd_cert_file": "__ETCD_CERT_FILE__",
	"etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
	"log_level": "info",
	"ipam": {
	"type": "calico-ipam"
	},
	"policy": {
	"type": "k8s",
	"k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
	"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__",
	"k8s_certificate_authority": "/etc/kubernetes/ssl/ca.pem"
	},
	"kubernetes": {
	"kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__-cmd"
	}
	}

	# The default IP Pool to be created for the cluster.
	# Pod IP addresses will be assigned from this pool
	ippool.yaml: \|
	apiVersion: v1
	kind: ipPool
	metadata:
	cidr: 10.188.16.0/20
	spec:
	nat-outgoing: true

	etcd_ca: "/etc/kubernetes/ssl/ca.pem"
	etcd_cert: "/etc/kubernetes/ssl/host.pem"
	etcd_key: "/etc/kubernetes/ssl/host-key.pem"

	---

	# This manifest installs the calico/node container, as well
	# as the Calico CNI plugins and network config on
	# each master and worker node in a Kubernetes cluster.
	kind: DaemonSet
	apiVersion: extensions/v1beta1
	metadata:
	name: calico-node
	namespace: kube-system
	labels:
	k8s-app: calico-node
	spec:
	selector:
	matchLabels:
	k8s-app: calico-node
	template:
	metadata:
	labels:
	k8s-app: calico-node
	annotations:
	scheduler.alpha.kubernetes.io/critical-pod: ''
	scheduler.alpha.kubernetes.io/tolerations: \|
	[{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
	{"key":"CriticalAddonsOnly", "operator":"Exists"}]
	spec:
	hostNetwork: true
	containers:
	# Runs calico/node container on each Kubernetes node. This
	# container programs network policy and routes on each
	# host.
	- name: calico-node
	image: quay.io/calico/node:v1.0.0
	env:
	# The location of the Calico etcd cluster.
	- name: ETCD_ENDPOINTS
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: etcd_endpoints
	# Choose the backend to use.
	- name: CALICO_NETWORKING_BACKEND
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: calico_backend
	# Disable file logging so `kubectl logs` works.
	- name: CALICO_DISABLE_FILE_LOGGING
	value: "true"
	# Don't configure a default pool. This is done by the Job
	# below.
	- name: NO_DEFAULT_POOLS
	value: "true"
	- name: FELIX_LOGSEVERITYSCREEN
	value: "info"
	# Location of the CA certificate for etcd.
	- name: ETCD_CA_CERT_FILE
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: etcd_ca
	# Location of the client key for etcd.
	- name: ETCD_KEY_FILE
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: etcd_key
	# Location of the client certificate for etcd.
	- name: ETCD_CERT_FILE
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: etcd_cert
	# Auto-detect the BGP IP address.
	- name: IP
	value: ""
	securityContext:
	privileged: true
	volumeMounts:
	- mountPath: /lib/modules
	name: lib-modules
	readOnly: true
	- mountPath: /var/run/calico
	name: var-run-calico
	readOnly: false
	- mountPath: /etc/kubernetes/ssl
	name: k8s-certs
	# This container installs the Calico CNI binaries
	# and CNI network config file on each node.
	- name: install-cni
	image: calico/cni:v1.5.5
	imagePullPolicy: Always
	command: ["/install-cni.sh"]
	env:
	# The location of the Calico etcd cluster.
	- name: ETCD_ENDPOINTS
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: etcd_endpoints
	# The CNI network config to install on each node.
	- name: CNI_NETWORK_CONFIG
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: cni_network_config
	# Location of the CA certificate for etcd.
	- name: CNI_CONF_ETCD_CA
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: etcd_ca
	# Location of the client key for etcd.
	- name: CNI_CONF_ETCD_KEY
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: etcd_key
	# Location of the client certificate for etcd.
	- name: CNI_CONF_ETCD_CERT
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: etcd_cert
	volumeMounts:
	- mountPath: /host/opt/cni/bin
	name: cni-bin-dir
	- mountPath: /host/etc/cni/net.d
	name: cni-net-dir
	- mountPath: /etc/kubernetes/ssl
	name: k8s-certs
	volumes:
	# Used by calico/node.
	- name: lib-modules
	hostPath:
	path: /lib/modules
	- name: var-run-calico
	hostPath:
	path: /var/run/calico
	# Used to install CNI.
	- name: cni-bin-dir
	hostPath:
	path: /opt/cni/bin
	- name: cni-net-dir
	hostPath:
	path: /etc/cni/net.d
	- name: k8s-certs
	hostPath:
	path: /etc/kubernetes/ssl

	---
	# This manifest deploys the Calico policy controller on Kubernetes.
	# See https://github.com/projectcalico/k8s-policy
	apiVersion: extensions/v1beta1
	kind: Deployment
	metadata:
	name: calico-policy-controller
	namespace: kube-system
	labels:
	k8s-app: calico-policy
	annotations:
	scheduler.alpha.kubernetes.io/critical-pod: ''
	scheduler.alpha.kubernetes.io/tolerations: \|
	[{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
	{"key":"CriticalAddonsOnly", "operator":"Exists"}]
	spec:
	# The policy controller can only have a single active instance.
	replicas: 1
	strategy:
	type: Recreate
	template:
	metadata:
	name: calico-policy-controller
	namespace: kube-system
	labels:
	k8s-app: calico-policy
	spec:
	# The policy controller must run in the host network namespace so that
	# it isn't governed by policy that would prevent it from working.
	hostNetwork: true
	containers:
	- name: calico-policy-controller
	image: calico/kube-policy-controller:v0.5.1
	env:
	# The location of the Calico etcd cluster.
	- name: ETCD_ENDPOINTS
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: etcd_endpoints
	# Location of the CA certificate for etcd.
	- name: ETCD_CA_CERT_FILE
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: etcd_ca
	# Location of the client key for etcd.
	- name: ETCD_KEY_FILE
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: etcd_key
	# Location of the client certificate for etcd.
	- name: ETCD_CERT_FILE
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: etcd_cert
	# The location of the Kubernetes API. Use the default Kubernetes
	# service for API access.
	- name: K8S_API
	value: "https://kubernetes.default:443"
	# Since we're running in the host namespace and might not have KubeDNS
	# access, configure the container's /etc/hosts to resolve
	# kubernetes.default to the correct service clusterIP.
	- name: CONFIGURE_ETC_HOSTS
	value: "true"
	volumeMounts:
	# Mount in the etcd TLS secrets.
	- mountPath: /etc/kubernetes/ssl
	name: k8s-certs
	volumes:
	# Mount in the etcd TLS secrets.
	- name: k8s-certs
	hostPath:
	path: /etc/kubernetes/ssl

	---

	## This manifest deploys a Job which performs one time
	# configuration of Calico
	apiVersion: batch/v1
	kind: Job
	metadata:
	name: configure-calico
	namespace: kube-system
	labels:
	k8s-app: calico
	spec:
	template:
	metadata:
	name: configure-calico
	annotations:
	scheduler.alpha.kubernetes.io/critical-pod: ''
	scheduler.alpha.kubernetes.io/tolerations: \|
	[{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
	{"key":"CriticalAddonsOnly", "operator":"Exists"}]
	spec:
	hostNetwork: true
	restartPolicy: OnFailure
	containers:
	# Writes basic configuration to datastore.
	- name: configure-calico
	image: calico/ctl:v1.0.0
	args:
	- apply
	- -f
	- /etc/config/calico/ippool.yaml
	env:
	# The location of the etcd cluster.
	- name: ETCD_ENDPOINTS
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: etcd_endpoints
	# Location of the CA certificate for etcd.
	- name: ETCD_CA_CERT_FILE
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: etcd_ca
	# Location of the client key for etcd.
	- name: ETCD_KEY_FILE
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: etcd_key
	# Location of the client certificate for etcd.
	- name: ETCD_CERT_FILE
	valueFrom:
	configMapKeyRef:
	name: calico-config
	key: etcd_cert
	volumeMounts:
	- name: config-volume
	mountPath: /etc/config
	# Mount in the etcd TLS secrets.
	- mountPath: /etc/kubernetes/ssl
	name: k8s-certs
	volumes:
	# Mount in the etcd TLS secrets.
	- name: k8s-certs
	hostPath:
	path: /etc/kubernetes/ssl
	- name: config-volume
	configMap:
	name: calico-config
	items:
	- key: ippool.yaml
	path: calico/ippool.yaml