Skip to content

Commit

Permalink
add Calico v3.29.1 and remove k8s v1.26
Browse files Browse the repository at this point in the history
  • Loading branch information
niam0522 committed Nov 26, 2024
1 parent 0e9f9d5 commit 1ed554c
Show file tree
Hide file tree
Showing 8 changed files with 6,955 additions and 216 deletions.
12 changes: 10 additions & 2 deletions kubemarine/patches/software_upgrade.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,11 @@
# The order of upgrade of defined by the implementation.

thirdparties:
calicoctl: []
calicoctl:
- v1.28.12
- v1.29.7
- v1.30.3
- v1.31.1
crictl: []
packages:
containerd:
Expand All @@ -28,7 +32,11 @@ packages:
version_rhel9: false
version_debian: false
plugins:
calico: []
calico:
- v1.28.12
- v1.29.7
- v1.30.3
- v1.31.1
nginx-ingress-controller: []
kubernetes-dashboard: []
local-path-provisioner: []
298 changes: 298 additions & 0 deletions kubemarine/plugins/yaml/calico-apiserver-v3.29.1-original.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,298 @@
# This is a tech-preview manifest which installs the Calico API server. Note that this manifest is liable to change
# or be removed in future releases without further warning.
#
# Namespace and namespace-scoped resources.
apiVersion: v1
kind: Namespace
metadata:
labels:
name: calico-apiserver
name: calico-apiserver
spec:

---

# Policy to ensure the API server isn't cut off. Can be modified, but ensure
# that the main API server is always able to reach the Calico API server.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-apiserver
namespace: calico-apiserver
spec:
podSelector:
matchLabels:
apiserver: "true"
ingress:
- ports:
- protocol: TCP
port: 5443

---

apiVersion: v1
kind: Service
metadata:
name: calico-api
namespace: calico-apiserver
spec:
ports:
- name: apiserver
port: 443
protocol: TCP
targetPort: 5443
selector:
apiserver: "true"
type: ClusterIP

---

apiVersion: apps/v1
kind: Deployment
metadata:
labels:
apiserver: "true"
k8s-app: calico-apiserver
name: calico-apiserver
namespace: calico-apiserver
spec:
replicas: 1
selector:
matchLabels:
apiserver: "true"
strategy:
type: Recreate
template:
metadata:
labels:
apiserver: "true"
k8s-app: calico-apiserver
name: calico-apiserver
namespace: calico-apiserver
spec:
containers:
- args:
- --secure-port=5443
- -v=5
env:
- name: DATASTORE_TYPE
value: kubernetes
image: calico/apiserver:v3.29.1
name: calico-apiserver
readinessProbe:
httpGet:
path: /readyz
port: 5443
scheme: HTTPS
timeoutSeconds: 5
periodSeconds: 60
securityContext:
privileged: false
runAsUser: 0
volumeMounts:
- mountPath: /code/apiserver.local.config/certificates
name: calico-apiserver-certs
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
restartPolicy: Always
serviceAccount: calico-apiserver
serviceAccountName: calico-apiserver
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
volumes:
- name: calico-apiserver-certs
secret:
secretName: calico-apiserver-certs

---

apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-apiserver
namespace: calico-apiserver

---

# Cluster-scoped resources below here.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
name: v3.projectcalico.org
spec:
group: projectcalico.org
groupPriorityMinimum: 1500
service:
name: calico-api
namespace: calico-apiserver
port: 443
version: v3
versionPriority: 200

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: calico-crds
rules:
- apiGroups:
- extensions
- networking.k8s.io
- ""
resources:
- networkpolicies
- nodes
- namespaces
- pods
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups:
- crd.projectcalico.org
resources:
- globalnetworkpolicies
- networkpolicies
- clusterinformations
- hostendpoints
- globalnetworksets
- networksets
- bgpconfigurations
- bgppeers
- bgpfilters
- felixconfigurations
- kubecontrollersconfigurations
- ippools
- ipreservations
- ipamblocks
- blockaffinities
- caliconodestatuses
- ipamconfigs
- tiers
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- policy
resourceNames:
- calico-apiserver
resources:
- podsecuritypolicies
verbs:
- use

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: calico-extension-apiserver-auth-access
rules:
- apiGroups:
- ""
resourceNames:
- extension-apiserver-authentication
resources:
- configmaps
verbs:
- list
- watch
- get
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
- clusterrolebindings
- roles
- rolebindings
verbs:
- get
- list
- watch

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: calico-webhook-reader
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- get
- list
- watch

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: calico-apiserver-access-crds
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-crds
subjects:
- kind: ServiceAccount
name: calico-apiserver
namespace: calico-apiserver

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: calico-apiserver-delegate-auth
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: calico-apiserver
namespace: calico-apiserver

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: calico-apiserver-webhook-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-webhook-reader
subjects:
- kind: ServiceAccount
name: calico-apiserver
namespace: calico-apiserver

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: calico-extension-apiserver-auth-access
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-extension-apiserver-auth-access
subjects:
- kind: ServiceAccount
name: calico-apiserver
namespace: calico-apiserver
Loading

0 comments on commit 1ed554c

Please sign in to comment.